MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f225e43f3103ad25557eeb0c40be9958ec49d6b857f1ba571027f506c0a0e081. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LaplasClipper


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f225e43f3103ad25557eeb0c40be9958ec49d6b857f1ba571027f506c0a0e081
SHA3-384 hash: 6ca83b3a234f0eadcc9f651738f972b00fe5d69b929351a11b6787895ca5097ac3a1dd5e87184d94af3fa7d283b23c1f
SHA1 hash: 3415dfff1b84047b5b3157bf80d1c1496f67b9f9
MD5 hash: 374da5efe031f07818c6fa2b142752c1
humanhash: queen-whiskey-magnesium-sierra
File name:374da5efe031f07818c6fa2b142752c1.exe
Download: download sample
Signature LaplasClipper
Create hunting rule
File size:200'192 bytes
First seen:2023-01-05 23:35:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4ba7c561b263813caefdcaff04fcb6a1 (1 x LaplasClipper)
ssdeep 3072:aVJqAtAHyQPYIwzVoP0QpcOPb6mTPHl/mYN3sEkyybBzj:azqAtmQI8+plVhXkyybp
Threatray 2'043 similar samples on MalwareBazaar
TLSH T19C14DF2074E34C77DEC24938983BDB118D7EE6E1467E204B3FA99DC51F687A0D63A606
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe LaplasClipper


Avatar
abuse_ch
LaplasClipper C2:
79.137.192.32:40581

Intelligence

File Origin
# of uploads :
1
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
374da5efe031f07818c6fa2b142752c1.exe
Verdict:
Malicious activity
Analysis date:
2023-01-05 23:37:16 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/39061f12-4229-4ebc-a63f-a4c4d2f95198

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/349833/
Detection(s):
Win.Packed.Zusy-9981644-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63b75ee440e878e30423039d/reports/057aa3d1-809d-4ffb-8801-48e43106c6a3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ffb98a72-132e-47e9-b2d3-9f77284b696f
Result
Threat name:
Laplas Clipper, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1145977
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Laplas Clipper
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 778709 Sample: 3ZCjiZ9TFe.exe Startdate: 06/01/2023 Architecture: WINDOWS Score: 100 48 Snort IDS alert for network traffic 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for URL or domain 2->52 54 6 other signatures 2->54 9 3ZCjiZ9TFe.exe 1 2->9         started        12 svcupdater.exe 17 2->12         started        process3 dnsIp4 62 Contains functionality to inject code into remote processes 9->62 64 Writes to foreign memory regions 9->64 66 Allocates memory in foreign processes 9->66 68 Injects a PE file into a foreign processes 9->68 15 AppLaunch.exe 15 7 9->15         started        20 conhost.exe 9->20         started        34 clipper.guru 45.159.189.79, 49700, 80 HOSTING-SOLUTIONSUS Netherlands 12->34 70 Tries to delay execution (extensive OutputDebugStringW loop) 12->70 signatures5 process6 dnsIp7 36 79.137.192.32, 40581, 49698 PSKSET-ASRU Russian Federation 15->36 38 dl.uploadgram.me 92.222.250.82, 443, 49699 OVHFR France 15->38 30 C:\Users\user\AppData\...\Program11Helper.exe, PE32 15->30 dropped 40 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->40 42 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 15->42 44 Tries to harvest and steal browser information (history, passwords, etc) 15->44 46 Tries to steal Crypto Currency Wallets 15->46 22 Program11Helper.exe 3 15->22         started        file8 signatures9 process10 file11 32 C:\Users\user\AppData\...\svcupdater.exe, PE32 22->32 dropped 56 Machine Learning detection for dropped file 22->56 58 Uses schtasks.exe or at.exe to add and modify task schedules 22->58 60 Tries to delay execution (extensive OutputDebugStringW loop) 22->60 26 schtasks.exe 1 22->26         started        signatures12 process13 process14 28 conhost.exe 26->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f225e43f3103ad25557eeb0c40be9958ec49d6b857f1ba571027f506c0a0e081/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-12-29 21:58:09 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
31 of 41 (75.61%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6is6ipzraowskvl65mgebpuzldwetvvyk7y3uvyqe72qnqfa4caq._file
Verdict:
malicious
Similar samples:
050505c077b590adaa0dde0669639616828ffd3e5ced0cba3a94d3c13633195d
LaplasClipper
160625fc9d9070b64847cad9582f16da0ddc6ed074ae3d07ec33e9ea4e28e1c2
LaplasClipper
22d7e40c7ecc7fabf7f7b562e2d476dd0697e0f0482ce646de7771b44c29b1e9
LaplasClipper
6f6e8e9441fa7b35c0b1676a69957404081ca8a357b38a6640adb38375a7424d
LaplasClipper
d0d72bb86445f46afd1cff56e317543011d1d4a4b6ba18791b63b26a7282af7c
LaplasClipper
d7a78307889ab55af6a1475ef731eaf1b19524601e093220afa3830707ff4810
LaplasClipper
f8a941938484a00306232e77b8af41e7f81df56e4aa9864a2b59ea8ebfbc892b
LaplasClipper
+ 2'033 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:817963767 infostealer spyware
Link:
https://tria.ge/reports/230105-3ljx3shc21/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine payload
Malware Config
C2 Extraction:
79.137.192.32:40581
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c10ff9be-5dbe-42e0-8224-33aee195fb88
Unpacked files
SH256 hash:
3a8b52479aa838fa4ee97dd66b8f73143766a94139fb9ad96975e44e4e28087b
MD5 hash:
6fa9345141fb88e4066370b6918ae8a5
SHA1 hash:
a00950e6ffc66a17455dcf7ddda824a88ecc5e9f
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/80cdb70e-aa9c-416f-8d74-a1e38fdf0380/
SH256 hash:
f225e43f3103ad25557eeb0c40be9958ec49d6b857f1ba571027f506c0a0e081
MD5 hash:
374da5efe031f07818c6fa2b142752c1
SHA1 hash:
3415dfff1b84047b5b3157bf80d1c1496f67b9f9
Link:
https://www.unpac.me/results/80cdb70e-aa9c-416f-8d74-a1e38fdf0380/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f225e43f3103/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f225e43f3103ad25557eeb0c40be9958ec49d6b857f1ba571027f506c0a0e081

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AsyncRat_Detection_Dec_2022
Create hunting rule
Author:Potatech
Description:AsyncRat
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/349833/

Comments