MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LaplasClipper


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76
SHA3-384 hash: b7b5dffd04489690d604412e9c156df7a33fdbb7f9094fc6a2e695c92ae243ef48131f2cf0901acd7a4643a4ed4d4d91
SHA1 hash: 180325b8b6e64638e167601c67cd9c53331ba9f6
MD5 hash: fb0deff37fe12bbc4f0c1fe21e2d15ef
humanhash: friend-illinois-mississippi-december
File name:SecuriteInfo.com.Heuristic.HEUR.AGEN.1254260.13336.3751
Download: download sample
Signature LaplasClipper
Create hunting rule
File size:7'839'744 bytes
First seen:2023-03-19 16:34:15 UTC
Last seen:2023-07-21 13:23:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f0e8db307701582115b12426e04e3928 (3 x LaplasClipper, 1 x RaccoonStealer)
ssdeep 196608:bdj1WcTeKCVpVAKegYv6Pvz7xCVfQeYDprOtpN6x1Cd:RReKaAlRgxMfvihOwxy
TLSH T1998623B3A9660204E4B2CC398527ECB432F60E7A6A427D7D54DDF9C129334A4F623D5B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon fe7ee68212729286 (1 x LaplasClipper, 1 x RaccoonStealer)
Reporter SecuriteInfoCom
Tags:exe LaplasClipper

Intelligence

File Origin
# of uploads :
2
# of downloads :
292
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Heuristic.HEUR.AGEN.1254260.13336.3751
Verdict:
Malicious activity
Analysis date:
2023-03-19 16:35:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2135e172-2619-4b73-a1a0-57bb4ee4bf3c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/375730/
Detection(s):
SecuriteInfo.com.Heuristic.HEUR.AGEN.1254260.13336.3751.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/74144/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed shell32.dll
Link:
https://www.filescan.io/uploads/641739ba3b01ade53e6f7175/reports/7b98d570-3e98-408b-afee-1b0c14038d3e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a01b54bb-aab1-4a29-b0e3-9f4faf2c7315
Result
Threat name:
Laplas Clipper
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1197188
Signature
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Yara detected Laplas Clipper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-03-19 16:35:12 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5tqqbobeb57lamwlggnadhv2cvjkygpvmorjdt4eekyqsdgptn3a._file
Verdict:
suspicious
Label(s):
raccoon
Create hunting rule
Result
Malware family:
laplas
Create hunting rule
Score:
  10/10
Tags:
family:laplas clipper persistence stealer
Link:
https://tria.ge/reports/230319-t3n4pahb89/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Laplas Clipper
Malware Config
C2 Extraction:
http://185.174.137.94
Unpacked files
SH256 hash:
dd0bd6037f2df4822f3cc1f42552aca9c1af965b5f2c67769af2bf1e3713cb7b
MD5 hash:
6e373182af6611aa47504ca670d4d60c
SHA1 hash:
aa5d90ced3540b617e63c1ddb2a9bcb4871a5be4
Link:
https://www.unpac.me/results/de35163e-ee8e-4088-b700-64ed7aec6d8c/
SH256 hash:
ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76
MD5 hash:
fb0deff37fe12bbc4f0c1fe21e2d15ef
SHA1 hash:
180325b8b6e64638e167601c67cd9c53331ba9f6
Link:
https://www.unpac.me/results/de35163e-ee8e-4088-b700-64ed7aec6d8c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LaplasClipper

Executable exe ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/375730/
  
URLhaus
https://urlhaus.abuse.ch/url/2577449/
  
Delivery method
Distributed via web download

Comments