MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e522454c7fb915cb65e42e67ea9890df5ead1356053e563c43a1603f669c6fa2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LaplasClipper


Vendor detections: 10


Intelligence 10 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e522454c7fb915cb65e42e67ea9890df5ead1356053e563c43a1603f669c6fa2
SHA3-384 hash: bb2397fae0e65549c5603a54d2f50856060519399da5a5b0c528a201f1501a78a526ee851920e67b8cb5f91479d0f049
SHA1 hash: e10a14cede8f2e48ccd6fb5111583fcf5156030a
MD5 hash: 2aa0fe002aeee888c33dbb6864580e6c
humanhash: summer-william-uniform-mike
File name:Lang[1].bin
Download: download sample
Signature LaplasClipper
Create hunting rule
File size:4'081'664 bytes
First seen:2023-07-21 13:29:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 79b3362178937bf9559741c46bb9e035 (18 x LaplasClipper, 9 x RaccoonStealer, 8 x ArkeiStealer)
ssdeep 98304:LdD7hTCd16KI1cqLrUmolDD/0z+lzZQ57j:LJ7F4wcYUdRzI7j
Threatray 16 similar samples on MalwareBazaar
TLSH T10C1633A4FB7CE120D65C153284ABA032B15BBE5C84DC7F48B18C772A7E35AC7291BD15
TrID 50.0% (.EXE) Generic Win/DOS Executable (2002/3)
49.9% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 686c74e4c2e8e4e0 (1 x RedLineStealer, 1 x LaplasClipper)
Reporter JAMESWT_WT
Tags:exe LaplasClipper

Intelligence

File Origin
# of uploads :
1
# of downloads :
318
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
arkei
Create hunting rule
ID:
1
File name:
https://www.mediafire.com/file/1d7kyp18vba4a8f/FILES-S0ft.rar/file
Verdict:
Malicious activity
Analysis date:
2023-07-17 16:05:23 UTC
Tags:
arkei stealer vidar trojan laplasclipper miner
Link:
https://app.any.run/tasks/47c2c5a4-d752-4ba2-a2d4-15665bd5aac3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/427413/
Detection(s):
Win.Packed.Ulise-10004320-0
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/e522454c7fb915cb65e42e67ea9890df5ead1356053e563c43a1603f669c6fa2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/42156053-6e37-4612-bab3-38453db0be0a
Result
Threat name:
Laplas Clipper
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1277429
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected Laplas Clipper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e522454c7fb915cb65e42e67ea9890df5ead1356053e563c43a1603f669c6fa2/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-06-24 07:01:00 UTC
File Type:
PE+ (Exe)
Extracted files:
158
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4urektd7xek4wzpefzt6vgeq35pk2e2wau7fmpcdufqd6zu4n6ra._file
Verdict:
unknown
Similar samples:
4b4c5e3bd2d16feef05e1f2cfcee8e8d31e5fe8e7237e319385b433fe66c6c35
LaplasClipper
59d9b80d021e8dc40f387d759ce6f77c56330a07352c0238f1768116cf80ebf7
LaplasClipper
5a0501d96e313d2df39c38516aef7b5283a4f2979a4377f0f54e110d69de8e40
LaplasClipper
67770d3ab80bd1d5d9c2be66f5bb8084f61c15a3060f84cdba21852e9609eb64
LaplasClipper
6d0ff2c18bea7fe884610ad954c19ba97cd140e4723ea654f556da3ba4bcec2a
LaplasClipper
6e47a310f6e5d8032f5a6beb227009be5bfa3c878b2642b6f6bf975c6adfda8a
LaplasClipper
7564e44c0b07a0f161c5a245ba8f2029ea70a297a5f9944c4c786a75f1e8524a
LaplasClipper
797575606aa8f510d7d84596fcc81180354f0b65ec50ed5864ad6c18d15f3086
LaplasClipper
876c48b443b068c16e40065e0b7ecb9a1aaf4c4ee1b06d83dc0d4a4d65a44943
LaplasClipper
b20d74c759e6d677148c3cf1ddac1056631d69ec738f098d2c8103782d8d82c6
LaplasClipper
+ 6 additional samples on MalwareBazaar
Result
Malware family:
laplas
Create hunting rule
Score:
  10/10
Tags:
family:laplas clipper evasion persistence stealer trojan
Link:
https://tria.ge/reports/230721-qrtcgsfd2y/
Behaviour
GoLang User-Agent
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Laplas Clipper
Malware Config
C2 Extraction:
http://185.209.161.89
Unpacked files
SH256 hash:
e522454c7fb915cb65e42e67ea9890df5ead1356053e563c43a1603f669c6fa2
MD5 hash:
2aa0fe002aeee888c33dbb6864580e6c
SHA1 hash:
e10a14cede8f2e48ccd6fb5111583fcf5156030a
Link:
https://www.unpac.me/results/4d64fe88-657f-412a-84a4-5056859495f2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.56
Link:
https://yomi.yoroi.company/submissions/e522454c7fb915cb65e42e67ea9890df5ead1356053e563c43a1603f669c6fa2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:laplas_golang
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:Laplas Clipper Golang Payload
Rule name:TeslaCryptPackedMalware
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/427413/

Comments