MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc401554533938f33c0c6cf36246e4fc21dc687d2d3f2925bfa9f7d62a2c5fbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LaplasClipper

Vendor detections: 13

Intelligence 13 IOCs YARA 11 File information Comments

SHA256 hash:	dc401554533938f33c0c6cf36246e4fc21dc687d2d3f2925bfa9f7d62a2c5fbe
SHA3-384 hash:	3a2ef4f37d804cb6c402045707f81b1041987a9fe373c5f91bbb6b8871bbacf4db15d61cf6fa9adfbeb8c3c74df434b3
SHA1 hash:	77496ff6750cf909819252efdb7b98d23cc8214a
MD5 hash:	aff37d3422db5147b57960870ceadcc1
humanhash:	london-moon-winner-spaghetti
File name:	aff37d3422db5147b57960870ceadcc1.exe
Download:	download sample
Signature	LaplasClipper Create hunting rule
File size:	1'917'440 bytes
First seen:	2022-12-29 00:25:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7b9daca6da068f54ad4e1900288e8efd (6 x Smoke Loader, 4 x RedLineStealer, 2 x Amadey)
ssdeep	49152:L+EKzITrGsu+vgcpPsJrbYZw0yo38W5bTv+N:CzInGsu+PpkwZh3/baN
Threatray	58 similar samples on MalwareBazaar
TLSH	T1699523006675FDE7C6C604700A1BDBD5232FBA956A9B43F677142D6F3C7A010BA231AB
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	9a9acedecee6eae6 (99 x Smoke Loader, 31 x RedLineStealer, 28 x Tofsee)
Reporter	abuse_ch
Tags:	exe LaplasClipper

abuse_ch

LaplasClipper C2:
http://clipper.guru/bot/regex?key=5fb5351c52b181d55eb6d5f7239f6b7577942bb761874317b13996c71ab36c04

Intelligence

File Origin

# of uploads :

# of downloads :

226

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

aff37d3422db5147b57960870ceadcc1.exe

Verdict:

Malicious activity

Analysis date:

2022-12-29 00:26:59 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ab80050b-5665-4f27-be3f-62f5ac5315b3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.MSIL-18.UNOFFICIAL

Win.Packed.Generic-9981212-0

Win.Packed.Pwsx-9981213-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% subdirectories

Sending a custom TCP request

Running batch commands

Creating a process with a hidden window

Launching a process

Creating a file

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm azorult clipbanker greyware packed virus

Link:

https://www.filescan.io/uploads/63acde9bbf1064ac5b2cff20/reports/c603cc9c-3bea-49c8-92dc-6b65a36cdc0c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ec0a7c29-fda3-489a-95ec-28c9731fd6a7

Result

Threat name:

Laplas Clipper

Detection:

malicious

Classification:

spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1142399

Signature

Antivirus detection for dropped file

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Laplas Clipper

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dc401554533938f33c0c6cf36246e4fc21dc687d2d3f2925bfa9f7d62a2c5fbe/

Threat name:

Win32.Infostealer.ClipBanker

Status:

Malicious

First seen:

2022-12-26 11:55:16 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

31 of 39 (79.49%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3rabkvcthe4pgpamntzwerxe7qq5y2d5fu7ssjn7vh35mkrml67a._file

Verdict:

malicious

LaplasClipper

322787eaae64efff2b1a5fc2e8d7f4b9b1ad44fb075cf082ade1b2a7c5ded76e

LaplasClipper

5e445100682a5982df3301b2631e3be0d503df870175d50cf0faa3e374e742fd

LaplasClipper

77546e4fdc3323633d7ab065dd65e48869799e715015d760424fa43af1c4b3c4

LaplasClipper

7bb10303027c42b4893bc186be547fbd8f0d59a8a8171703c8ad88680831785f

LaplasClipper

be607f4670ec8ae8808e6c46603344dcd3d0e58c7e2c7644cf6a360e60f92ce7

LaplasClipper

d7c42d1df0e957935b672b0633cf3dad39b5d8c85eec4631c62191915af02379

LaplasClipper

d8e22530aa884e9e742a102f9acb53a2727b749dac4489c72b37782e2ec6383e

LaplasClipper

f313bf5d9b50d94ccfe4d22a0d1561e9d2b8cb525752ce15aaa7b53ca1d05f04

LaplasClipper

f3c6211ad76333c2c34cf3fb7f028b199edab8330894026c95ebcd1cdec9f2a9

LaplasClipper

+ 48 additional samples on MalwareBazaar

Result

Malware family:

laplas

Score:

10/10

Tags:

family:laplas stealer

Link:

https://tria.ge/reports/221229-aq7kqaca69/

Behaviour

Creates scheduled task(s)

GoLang User-Agent

Suspicious use of WriteProcessMemory

Executes dropped EXE

Laplas Clipper

Malware Config

C2 Extraction:

clipper.guru

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b9276e62-2489-49ac-b927-d47b53274cd5

Unpacked files

SH256 hash:

a4f2eb72cbf2855b15e92f737efd87bda64480a2389058945ef5c2a49c5fc376

MD5 hash:

c8e070aa61178be12877733881e6f77b

SHA1 hash:

48572174c05967b6d36320369c84e239c75c236d

Detections:

LaplasClipperGoLang

Link:

https://www.unpac.me/results/c9d24035-8bd9-4b9d-ac9e-73c30362f874/

SH256 hash:

dc401554533938f33c0c6cf36246e4fc21dc687d2d3f2925bfa9f7d62a2c5fbe

MD5 hash:

aff37d3422db5147b57960870ceadcc1

SHA1 hash:

77496ff6750cf909819252efdb7b98d23cc8214a

Link:

https://www.unpac.me/results/c9d24035-8bd9-4b9d-ac9e-73c30362f874/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dc401554533938f33c0c6cf36246e4fc21dc687d2d3f2925bfa9f7d62a2c5fbe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	go_binary Create hunting rule

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

Rule name:	win_laplas_clipper_9c96 Create hunting rule
Author:	Johannes Bader
Description:	detects unpacked Laplas Clipper

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample