MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe1b82d8fada96c0ebe4429000c600ff88c19a55340a9f6a68d93bd15419b224. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LaplasClipper


Vendor detections: 10


Intelligence 10 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe1b82d8fada96c0ebe4429000c600ff88c19a55340a9f6a68d93bd15419b224
SHA3-384 hash: c72062de6320417594765121220ffbce2eec66048b3592c872c83f87b9eb77a9370e7e923612dca9376c74e8829d4ca2
SHA1 hash: 9313fbbc7acf2933e144bf638e236059b62e6ef5
MD5 hash: cf1c27c6b6d72245a99e14a0425605ab
humanhash: sixteen-two-fourteen-magnesium
File name:fe1b82d8fada96c0ebe4429000c600ff88c19a55340a9.exe
Download: download sample
Signature LaplasClipper
Create hunting rule
File size:1'765'809 bytes
First seen:2023-04-14 06:25:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (262 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 24576:t7FUDowAyrTVE3U5FmcmqKVYSK5x7awFhJdNo69lOy7KTijl6:tBuZrEUcXo55DdN7POGjk
TLSH T1F385CF3FF268A13EC46E1B3245B39220997BBA61781A8C1E47FC344DCF765601E3B656
TrID 49.7% (.EXE) Inno Setup installer (109740/4/30)
19.5% (.EXE) InstallShield setup (43053/19/16)
18.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter abuse_ch
Tags:exe LaplasClipper


Avatar
abuse_ch
LaplasClipper C2:
79.137.202.0:25828

Intelligence

File Origin
# of uploads :
1
# of downloads :
482
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fe1b82d8fada96c0ebe4429000c600ff88c19a55340a9.exe
Verdict:
Malicious activity
Analysis date:
2023-04-14 06:29:03 UTC
Tags:
installer
Link:
https://app.any.run/tasks/c1245386-6f17-45ce-b51f-a09272658981

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382190/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.30446.6493.25268.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/79582/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
83%
Tags:
installer overlay packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/6438f1fc0c9f1744b585f78b/reports/fbd43b8b-0aab-4be5-974a-bf17e9006d62/overview
Verdict:
Malicious
Labled as:
HEUR/AGEN.1332545
Link:
https://www.hybrid-analysis.com/sample/fe1b82d8fada96c0ebe4429000c600ff88c19a55340a9f6a68d93bd15419b224
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e07dd993-a5d5-481e-bfaa-308731db9c4a
Result
Threat name:
Nymaim
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
78 / 100
Link:
https://www.joesandbox.com/analysis/1213677
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Yara detected Nymaim
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 846603 Sample: fe1b82d8fada96c0ebe4429000c... Startdate: 14/04/2023 Architecture: WINDOWS Score: 78 93 45.12.253.72 CMCSUS Germany 2->93 95 45.12.253.75 CMCSUS Germany 2->95 97 2 other IPs or domains 2->97 117 Snort IDS alert for network traffic 2->117 119 Multi AV Scanner detection for domain / URL 2->119 121 Found malware configuration 2->121 123 8 other signatures 2->123 10 msiexec.exe 2->10         started        13 fe1b82d8fada96c0ebe4429000c600ff88c19a55340a9.exe 2 2->13         started        16 svchost.exe 2->16         started        18 9 other processes 2->18 signatures3 process4 dnsIp5 81 C:\Windows\Installer\MSID76D.tmp, PE32 10->81 dropped 83 C:\Windows\Installer\MSID73D.tmp, PE32 10->83 dropped 85 C:\Windows\Installer\MSID0F2.tmp, PE32 10->85 dropped 91 14 other malicious files 10->91 dropped 21 msiexec.exe 10->21         started        26 msiexec.exe 10->26         started        28 msiexec.exe 10->28         started        87 fe1b82d8fada96c0eb...ff88c19a55340a9.tmp, PE32 13->87 dropped 135 Obfuscated command line found 13->135 30 fe1b82d8fada96c0ebe4429000c600ff88c19a55340a9.tmp 3 24 13->30         started        137 Query firmware table information (likely to detect VMs) 16->137 99 allroadslimit.com 188.114.96.7, 443, 49717 CLOUDFLARENETUS European Union 18->99 89 C:\Windows\Temp\...\Windows Updater.exe, PE32 18->89 dropped 139 Changes security center settings (notifications, updates, antivirus, firewall) 18->139 file6 signatures7 process8 dnsIp9 107 pstbbk.com 157.230.96.32, 49714, 80 DIGITALOCEAN-ASNUS United States 21->107 109 collect.installeranalytics.com 54.225.90.235, 443, 49713, 49715 AMAZON-AESUS United States 21->109 65 C:\Users\user\AppData\Local\...\shiC8B6.tmp, PE32 21->65 dropped 67 C:\Users\user\AppData\Local\...\shiC829.tmp, PE32 21->67 dropped 131 Query firmware table information (likely to detect VMs) 21->131 32 taskkill.exe 21->32         started        69 C:\Users\user\AppData\Local\...\shiBC04.tmp, PE32 26->69 dropped 71 C:\Users\user\AppData\Local\...\shiBB38.tmp, PE32 26->71 dropped 111 45.12.253.74, 49707, 80 CMCSUS Germany 30->111 113 log.angersummer.xyz 172.67.152.155, 49709, 80 CLOUDFLARENETUS United States 30->113 115 2 other IPs or domains 30->115 73 C:\Users\user\AppData\Local\...\setup_2.exe, PE32 30->73 dropped 75 C:\Users\user\AppData\Local\...\setup_1.exe, PE32 30->75 dropped 77 C:\Users\user\AppData\Local\...\setup_0.exe, PE32 30->77 dropped 79 2 other files (1 malicious) 30->79 dropped 133 Performs DNS queries to domains with low reputation 30->133 34 setup_1.exe 30->34         started        39 setup_0.exe 15 30->39         started        file10 signatures11 process12 dnsIp13 41 conhost.exe 32->41         started        101 3.222.139.61, 443, 49759 AMAZON-AESUS United States 34->101 103 collect.installeranalytics.com 34->103 57 C:\Users\user\AppData\Roaming\...\decoder.dll, PE32 34->57 dropped 59 C:\Users\user\AppData\...\Windows Updater.exe, PE32 34->59 dropped 61 C:\Users\user\AppData\Local\...\shiA1A1.tmp, PE32+ 34->61 dropped 63 3 other malicious files 34->63 dropped 125 Multi AV Scanner detection for dropped file 34->125 43 msiexec.exe 34->43         started        105 45.12.253.56, 49708, 80 CMCSUS Germany 39->105 127 Detected unpacking (changes PE section rights) 39->127 129 Detected unpacking (overwrites its own PE header) 39->129 45 cmd.exe 39->45         started        47 WerFault.exe 9 39->47         started        49 WerFault.exe 9 39->49         started        51 7 other processes 39->51 file14 signatures15 process16 process17 53 conhost.exe 45->53         started        55 taskkill.exe 45->55         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe1b82d8fada96c0ebe4429000c600ff88c19a55340a9f6a68d93bd15419b224/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-04-14 06:26:07 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ynyfwh23klmb27eikiabrqa76emdgsvgqfj62ti3e55cvazwisa._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230414-g663fsgf59/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash:
6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash:
603a36f817cab5574e58ab279379e5c112e5fb37
Link:
https://www.unpac.me/results/a2dc7d19-08ca-4d0d-88a0-6f726abcc753/
SH256 hash:
dfaac5610ba852175071cc36e101bf8593e98c21dea4f5ded899b141c46d2f55
MD5 hash:
16a450ae4f0a6c47468e361c34ecd575
SHA1 hash:
afe2ed80d60d20601c6395efcf01206b74ec28cb
Link:
https://www.unpac.me/results/a2dc7d19-08ca-4d0d-88a0-6f726abcc753/
SH256 hash:
fe1b82d8fada96c0ebe4429000c600ff88c19a55340a9f6a68d93bd15419b224
MD5 hash:
cf1c27c6b6d72245a99e14a0425605ab
SHA1 hash:
9313fbbc7acf2933e144bf638e236059b62e6ef5
Link:
https://www.unpac.me/results/a2dc7d19-08ca-4d0d-88a0-6f726abcc753/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fe1b82d8fada/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_gcleaner_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.gcleaner.
Rule name:win_gcleaner_de41
Create hunting rule
Author:Johannes Bader
Description:detects GCleaner
Rule name:win_gcleaner_w0
Create hunting rule
Author:Johannes Bader @viql
Description:detects GCleaner

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/382190/

Comments