MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2279ce8c31ce3ff250d0942cbfd52a3ec6b04437e8ee7facf8c4f68a131328d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LaplasClipper

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	e2279ce8c31ce3ff250d0942cbfd52a3ec6b04437e8ee7facf8c4f68a131328d
SHA3-384 hash:	8c7bcf92a567b08b113b395c0d0083184a0b325541e5a6ee4dc756f4ceaf0cee0fac536cc00a0934217e93e0e0a95d76
SHA1 hash:	3678c97cc3d8bec04670494fb80bf80fc906f30d
MD5 hash:	2a18774f6e9cfb896bce930f24ff0402
humanhash:	king-one-crazy-football
File name:	file
Download:	download sample
Signature	LaplasClipper Create hunting rule
File size:	337'920 bytes
First seen:	2023-03-09 23:10:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	573b4b7efb3441aeba723c69e52e8c67 (9 x RedLineStealer, 4 x Amadey, 3 x LaplasClipper)
ssdeep	6144:YILU3r5Kw0ysBrQt/kD+yUuKomudSX4LCIV:fg3rr0Z4MqyUluQi
Threatray	3 similar samples on MalwareBazaar
TLSH	T11F74C003D2E0BCE1F5624A768E6FCEE43AEEF5524E59276B13887A5F09701B1C163319
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	011adecaa29cc680 (1 x LaplasClipper)
Reporter	andretavare5
Tags:	exe LaplasClipper

andretavare5

Sample downloaded from https://imax-mobile.be/serv.exe

Intelligence

File Origin

# of uploads :

# of downloads :

261

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-03-09 23:12:15 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/33e3ff6c-148e-47d5-a3bb-3b0eb3ff493e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/373181/

Detection(s):

Sanesecurity.Malware.28876.BadIN.UNOFFICIAL

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% subdirectories

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/72415/overview

Behaviour

MalwareBazaar

SystemUptime

CPUID_Instruction

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

azorult babar greyware lockbit

Link:

https://www.filescan.io/uploads/640a67867975027880142b73/reports/1a63ae47-cdfb-460c-946f-0f4732b05f2d/overview

Verdict:

Malicious

Labled as:

Ransom.EDBBA292

Link:

https://www.hybrid-analysis.com/sample/e2279ce8c31ce3ff250d0942cbfd52a3ec6b04437e8ee7facf8c4f68a131328d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/33fd8dcb-b40b-4ac4-bdcb-77c821128c22

Result

Threat name:

Laplas Clipper

Detection:

malicious

Classification:

spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1190843

Signature

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Laplas Clipper

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e2279ce8c31ce3ff250d0942cbfd52a3ec6b04437e8ee7facf8c4f68a131328d/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2023-03-09 23:13:42 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4itzz2gddtr76jinbfbmx7ksupwgwbcdp2hop6wprrhwrijrgkgq._file

Verdict:

malicious

LaplasClipper

1f82d62864c25453635305964b06a4baa8c9710d7f5d67daa451327463697406

LaplasClipper

b3e6c6fb06b116e1c39efee2903ca6e81d4f3e7d3e5a54d132b9885a4bf69c7d

LaplasClipper

Result

Malware family:

laplas

Score:

10/10

Tags:

family:laplas clipper persistence stealer

Link:

https://tria.ge/reports/230309-2586msaf86/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Laplas Clipper

Malware Config

C2 Extraction:

http://45.159.189.105

Unpacked files

SH256 hash:

15292f131325e2a813f5902dd0ce52ced4359abd4f6794d9939646aaf1e0fd85

MD5 hash:

72f142b5ca1d464f54a7083c0a906c30

SHA1 hash:

352994fdc392dad6f661ee23036b85ca86a886ff

Link:

https://www.unpac.me/results/3d5b6ae2-1365-4f81-818f-2ca637bab6bf/

SH256 hash:

e2279ce8c31ce3ff250d0942cbfd52a3ec6b04437e8ee7facf8c4f68a131328d

MD5 hash:

2a18774f6e9cfb896bce930f24ff0402

SHA1 hash:

3678c97cc3d8bec04670494fb80bf80fc906f30d

Link:

https://www.unpac.me/results/3d5b6ae2-1365-4f81-818f-2ca637bab6bf/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e2279ce8c31ce3ff250d0942cbfd52a3ec6b04437e8ee7facf8c4f68a131328d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/373181/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample