MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1bd5a14d886e71aa5855ce74c84aa7cefa1f782e32cd2140c3a10d91084105d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LaplasClipper


Vendor detections: 12



SHA256 hash: d1bd5a14d886e71aa5855ce74c84aa7cefa1f782e32cd2140c3a10d91084105d
SHA3-384 hash: 870c509e43e03b7e490b62ae79e938054a6fde49f05280395fc2e8ba9d3462fd5661a213d9184b09e6c9db26721a69e5
SHA1 hash: 43e05ffc3411da9e97b7258d12b7aba0dcedae4c
MD5 hash: 0ad8d4cffac5f713a2ef3b2c72a84e29
humanhash: maine-maryland-delta-chicken
File name: 0ad8d4cffac5f713a2ef3b2c72a84e29
Signature: LaplasClipper
File size: 7'192'832 bytes
First seen: 2023-03-20 20:54:54 UTC
Last seen: 2023-03-20 23:27:23 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 85a54fad2bd6b77afdc3a0e3e1364550 (1 x LaplasClipper, 1 x Stealc)
ssdeep: 196608:HUNWu+zM+o+OVv8ZTN4OPF4pzR1X7/kBV5DEp:0gOiZT1F4/1/si
Threatray: 124 similar samples on MalwareBazaar
TLSH: T17576BE267762284FE073F83B1BEED93CBA0205766B875913551AFE31265BF101E6D80A
TrID: 43.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      22.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      9.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.2% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 06aed8bee2e8a4e1 (3 x RustyStealer, 2 x RedLineStealer, 1 x LaplasClipper)
Reporter: zbetcheckin
Tags: 32 exe LaplasClipper

Intelligence


File Origin
# of uploads: 2
# of downloads: 309
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 0ad8d4cffac5f713a2ef3b2c72a84e29
Verdict: Malicious activity
Analysis date: 2023-03-20 20:56:01 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file
Sending a custom TCP request
Setting a single autorun event

Result
Malware family: n/a
Score: 5/10
Tags: n/a

MalwareBazaar
Verdict: Suspicious
Threat level: 5/10
Confidence: 83%
Tags: anti-debug anti-vm greyware hacktool overlay packed

Result
Verdict: UNKNOWN
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Titan Stealer
Verdict: Malicious

Result
Threat name: Laplas Clipper
Detection: malicious
Classification: troj.spyw.evad
Score: 76 / 100
Signature
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Laplas Clipper
Behaviour
Behavior Graph (ID 830974; sample iaG7h9ZOBG.exe; start date 20/03/2023; architecture WINDOWS; score 76). Information recoverable from the graph image:
- Sample-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for submitted file; Yara detected Laplas Clipper
- iaG7h9ZOBG.exe started; dropped C:\ProgramData\...\camatadalibe.exe (PE32); signature: Self deletion via cmd or bat file; started cmd.exe and camatadalibe.exe
- cmd.exe: signatures Uses ping.exe to sleep and Uses ping.exe to check the status of other devices and networks; started PING.EXE and conhost.exe
- PING.EXE: contacted 127.0.0.1
- camatadalibe.exe: contacted searchseedphase.online (188.114.96.3, local port 49698 to port 80, CLOUDFLARENET US, geolocated European Union)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2023-03-20 20:55:09 UTC
File Type: PE (Exe)
Extracted files: 11
AV detection: 14 of 24 (58.33%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: persistence
Behaviour
GoLang User-Agent
Runs ping.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash: 7e6e8c593d1dba4017f4041b311be4fc092803e9c3d3705572d5b6e8278f538d
MD5 hash: 4948ebed062540c12ab58c252e9ce692
SHA1 hash: 533b09168979f2457c2bf952d99a89f475157cf1

SHA256 hash: d1bd5a14d886e71aa5855ce74c84aa7cefa1f782e32cd2140c3a10d91084105d (this sample)
MD5 hash: 0ad8d4cffac5f713a2ef3b2c72a84e29
SHA1 hash: 43e05ffc3411da9e97b7258d12b7aba0dcedae4c
Please note that we are no longer able to provide a coverage score for Virus Total.
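Two of the sandbox findings above are generic enough to turn into host-based detection logic: the sample deletes itself through a cmd.exe chain that uses ping.exe against loopback as a sleep, and it gains persistence with a Run key pointing at a binary dropped under C:\ProgramData. The Python below is an added example, not MalwareBazaar's or any vendor's code. The event shapes are assumptions modelled on Sysmon event ID 1 (process create) and ID 13 (registry value set); the command lines, the dropper path, the SID and the ProgramData subdirectory (which the page elides) in the sample events are constructed for the example, not taken from the page.

```python
"""Added example: detection logic for two behaviours reported for this sample,
self deletion via a cmd.exe/ping.exe sleep chain and Run-key persistence from a
dropped binary. Not MalwareBazaar or vendor code; event shapes are assumptions
modelled on Sysmon event ID 1 (process create) and ID 13 (registry value set)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass
class ProcessCreate:
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process


@dataclass
class RegistryValueSet:
    image: str          # process that wrote the value
    target_object: str  # registry path of the value
    details: str        # value data (for Run keys, the autostart command)


Event = Union[ProcessCreate, RegistryValueSet]

# "ping 127.0.0.1 -n N" (a sleep that needs no extra tooling) chained with & or | into del/erase
PING_SLEEP_DELETE_RE = re.compile(
    r"\bping(?:\.exe)?\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)[^&|]*[&|]+\s*(?:del|erase)\b",
    re.IGNORECASE,
)
# first path argument after del/erase, skipping switches such as /f /q and surrounding quotes
DEL_TARGET_RE = re.compile(r'\b(?:del|erase)\b\s+(?:/[a-z]+\s+)*"?([^"&|]+?)"?\s*(?:[&|]|$)', re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# locations an unprivileged dropper can write to; an autostart pointing here is the usual dropper pattern
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(?:ProgramData|Windows\\Temp|Users\\[^\\]+\\(?:AppData|Downloads|Desktop))\\",
    re.IGNORECASE,
)


def detect_self_deletion(ev: ProcessCreate) -> Optional[str]:
    """'high' when cmd.exe sleeps via loopback ping and deletes its own parent image,
    'medium' when the chain deletes some other file, None otherwise."""
    if not ev.image.lower().endswith("\\cmd.exe"):
        return None
    if not PING_SLEEP_DELETE_RE.search(ev.command_line):
        return None
    m = DEL_TARGET_RE.search(ev.command_line)
    target = m.group(1).strip().lower() if m else ""
    return "high" if target == ev.parent_image.lower() else "medium"


def detect_run_key_persistence(ev: RegistryValueSet) -> Optional[str]:
    """'high' when a Run/RunOnce value is written by, or points at, a user-writable
    directory; 'low' for any other Run-key write (installers do this legitimately)."""
    if not RUN_KEY_RE.search(ev.target_object):
        return None
    autostart = ev.details.strip().strip('"')
    if USER_WRITABLE_RE.search(ev.image) or USER_WRITABLE_RE.search(autostart):
        return "high"
    return "low"


def scan(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Return (event index, rule name, severity) for every event that fires a rule."""
    hits: List[Tuple[int, str, str]] = []
    for i, ev in enumerate(events):
        if isinstance(ev, ProcessCreate):
            sev = detect_self_deletion(ev)
            if sev:
                hits.append((i, "self_deletion_via_ping_sleep", sev))
        else:
            sev = detect_run_key_persistence(ev)
            if sev:
                hits.append((i, "run_key_persistence", sev))
    return hits


# Constructed sample telemetry (not from the page). The dropper path, the ProgramData
# subdirectory (elided on the page), the SID and the command lines are all assumptions.
SAMPLE_EVENTS: List[Event] = [
    ProcessCreate(r"C:\Windows\System32\cmd.exe",
                  r'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del "C:\Users\user\Desktop\iaG7h9ZOBG.exe"',
                  r"C:\Users\user\Desktop\iaG7h9ZOBG.exe"),
    ProcessCreate(r"C:\Windows\System32\PING.EXE", "ping 127.0.0.1 -n 3",
                  r"C:\Windows\System32\cmd.exe"),
    ProcessCreate(r"C:\Windows\System32\cmd.exe", "cmd.exe /c ping 8.8.8.8 -n 1",  # benign connectivity check
                  r"C:\Windows\explorer.exe"),
    RegistryValueSet(r"C:\ProgramData\assumed_subdir\camatadalibe.exe",
                     r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\camatadalibe",
                     r'"C:\ProgramData\assumed_subdir\camatadalibe.exe"'),
    RegistryValueSet(r"C:\Program Files\SomeVendor\updater.exe",  # legitimate-looking installer write
                     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SomeVendorUpdater",
                     r"C:\Program Files\SomeVendor\updater.exe"),
]

if __name__ == "__main__":
    for idx, rule, severity in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} ({severity})")
```

The self-deletion rule keys on the delete chained after the loopback ping rather than on the ping alone: the sandbox signature "Uses ping.exe to check the status of other devices and networks" fired here on a ping to 127.0.0.1, and a bare ping is far too common in scripts to alert on. Comparing the deleted path with the parent image is what separates a dropper cleaning up after itself from an ordinary batch file that waits and removes a temp file.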

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name: GoBinTest

Rule name: golang

Rule name: Golangmalware
Author: Dhanunjaya
Description: Malware in Golang

Rule name: golang_binary_string
Description: Golang strings present

Rule name: HiveRansomware
Author: Dhanunjaya
Description: Yara Rule To Detect Hive V4 Ransomware

Rule name: identity_golang
Author: Eric Yocam
Description: find Golang malware

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: Rustyloader_mem_loose
Author: James_inthe_box
Description: Corroded buerloader
Reference: https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  LaplasClipper
  Executable exe d1bd5a14d886e71aa5855ce74c84aa7cefa1f782e32cd2140c3a10d91084105d (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2023-03-20 20:54:58 UTC

url : hxxp://167.235.240.0/dhwnml/rw001ext.exe