Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Ao88ZLN0Wi.exe

Overview

General Information

Sample Name:Ao88ZLN0Wi.exe
Analysis ID:754720
MD5:24774c7b900e0a51df665776b502cfc9
SHA1:220db17c0ba6b83ead730bf65c6e34d4da4eadaa
SHA256:81e9eefec051e50a819e76fa1ec2f088c2e8c5de677537838193cf6c2e5c7584
Tags:exeLaplasClipper
Infos:

Detection

Laplas Clipper
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Yara detected Laplas Clipper
Snort IDS alert for network traffic
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Yara signature match
Drops PE files
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
PE file contains executable resources (Code or Archives)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • Ao88ZLN0Wi.exe (PID: 5536 cmdline: C:\Users\user\Desktop\Ao88ZLN0Wi.exe MD5: 24774C7B900E0A51DF665776B502CFC9)
    • cmd.exe (PID: 2040 cmdline: cmd.exe /C schtasks /create /tn jicTFBavsm /tr C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 3216 cmdline: schtasks /create /tn jicTFBavsm /tr C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f MD5: 15FF7D8324231381BAD48A052F85DF04)
  • PNcznLwIMl.exe (PID: 5376 cmdline: C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe MD5: 6CE4DAC5A778F8E717E5C9C1222AE0DF)
  • cleanup

Malware Configuration

Threatname: Laplas Clipper

{"C2 url": ["http://clipper.guru/bot/online"]}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000006.00000002.640977716.0000000002B6A000.00000040.00000800.00020000.00000000.sdmpWindows_Trojan_RedLineStealer_ed346e4cunknownunknown
  • 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.526585890.0000000002AE8000.00000040.00000800.00020000.00000000.sdmpWindows_Trojan_RedLineStealer_ed346e4cunknownunknown
  • 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.527410614.0000000002D10000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_LaplasClipperYara detected Laplas ClipperJoe Security
    00000000.00000002.527410614.0000000002D10000.00000040.00001000.00020000.00000000.sdmpWindows_Trojan_Smokeloader_3687686funknownunknown
    • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
    00000006.00000003.563123119.0000000003230000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_LaplasClipperYara detected Laplas ClipperJoe Security
      Click to see the 7 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      0.2.Ao88ZLN0Wi.exe.2d10e67.1.unpackJoeSecurity_LaplasClipperYara detected Laplas ClipperJoe Security
        6.2.PNcznLwIMl.exe.400000.0.unpackJoeSecurity_LaplasClipperYara detected Laplas ClipperJoe Security
          0.3.Ao88ZLN0Wi.exe.31b0000.0.unpackJoeSecurity_LaplasClipperYara detected Laplas ClipperJoe Security
            0.2.Ao88ZLN0Wi.exe.400000.0.unpackJoeSecurity_LaplasClipperYara detected Laplas ClipperJoe Security
              0.3.Ao88ZLN0Wi.exe.31b0000.0.raw.unpackJoeSecurity_LaplasClipperYara detected Laplas ClipperJoe Security
                Click to see the 7 entries

                Sigma Signatures

                No Sigma rule has matched

                Snort Signatures

                Timestamp:192.168.2.445.159.189.11549685802039775 11/27/22-18:21:56.410768
                SID:2039775
                Source Port:49685
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.48.8.8.862577532039774 11/27/22-18:21:56.327003
                SID:2039774
                Source Port:62577
                Destination Port:53
                Protocol:UDP
                Classtype:A Network Trojan was detected

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Multi AV Scanner detection for submitted file
                Source: Ao88ZLN0Wi.exeVirustotal: Detection: 51%Perma Link
                Source: Ao88ZLN0Wi.exeReversingLabs: Detection: 41%
                Antivirus detection for URL or domain
                Source: http://clipper.guru/bot/regex?key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdbjoAvira URL Cloud: Label: phishing
                Source: http://clipper.guru/bot/online?guid=computerAvira URL Cloud: Label: phishing
                Source: http://clipper.guru/bot/regex?key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdbAvira URL Cloud: Label: phishing
                Multi AV Scanner detection for domain / URL
                Source: clipper.guruVirustotal: Detection: 13%Perma Link
                Antivirus detection for dropped file
                Source: C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exeAvira: detection malicious, Label: HEUR/AGEN.1242346
                Machine Learning detection for sample
                Source: Ao88ZLN0Wi.exeJoe Sandbox ML: detected
                Source: 00000006.00000002.643112091.0000000013882000.00000004.00001000.00020000.00000000.sdmpMalware Configuration Extractor: Laplas Clipper {"C2 url": ["http://clipper.guru/bot/online"]}

                Compliance

                barindex
                Detected unpacking (overwrites its own PE header)
                Source: C:\Users\user\Desktop\Ao88ZLN0Wi.exeUnpacked PE file: 0.2.Ao88ZLN0Wi.exe.400000.0.unpack
                Source: C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exeUnpacked PE file: 6.2.PNcznLwIMl.exe.400000.0.unpack
                Source: Ao88ZLN0Wi.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: C:\Users\user\Desktop\Ao88ZLN0Wi.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
                Source: Binary string: 5s8C:\yizija_wimekejepoj47_ceyi.pdb source: Ao88ZLN0Wi.exe, PNcznLwIMl.exe.0.dr
                Source: Binary string: C:\yizija_wimekejepoj47_ceyi.pdb source: Ao88ZLN0Wi.exe, PNcznLwIMl.exe.0.dr

                Networking

                barindex
                Snort IDS alert for network traffic
                Source: TrafficSnort IDS: 2039774 ET TROJAN Laplas Clipper CnC Domain (clipper .guru) in DNS Lookup 192.168.2.4:62577 -> 8.8.8.8:53
                Source: TrafficSnort IDS: 2039775 ET TROJAN Laplas Clipper - Regex CnC Request 192.168.2.4:49685 -> 45.159.189.115:80
                Source: Joe Sandbox ViewASN Name: HOSTING-SOLUTIONSUS HOSTING-SOLUTIONSUS
                Source: Joe Sandbox ViewIP Address: 45.159.189.115 45.159.189.115
                Source: PNcznLwIMl.exe, 00000006.00000002.643112091.0000000013882000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://clipper.guru/bot/online?guid=computer
                Source: PNcznLwIMl.exe, 00000006.00000002.643181685.000000001388A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://clipper.guru/bot/regex?key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb
                Source: PNcznLwIMl.exe, 00000006.00000002.643181685.000000001388A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://clipper.guru/bot/regex?key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdbjo