{
	"id": "19a90dd8-f6f4-4953-8b49-f4b3f9c6bbf8",
	"created_at": "2026-04-06T00:13:50.030996Z",
	"updated_at": "2026-04-10T03:20:17.655845Z",
	"deleted_at": null,
	"sha1_hash": "945baa84fcf4e40ac9da45c56b5e42beeccc7996",
	"title": "Cyble - New Laplas Clipper Distributed Via SmokeLoader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1126933,
	"plain_text": "Cyble - New Laplas Clipper Distributed Via SmokeLoader\r\nPublished: 2022-11-02 · Archived: 2026-04-05 17:36:44 UTC\r\nCyble Research \u0026 Intelligence Labs analyses How Laplas Clipper Distributed via SmokeLoader targeting Cryptocurrency\r\nUsers.\r\nSpiking Clipper Infection Targeting Cryptocurrency Users\r\nCyble Research and Intelligence Labs (CRIL) has continuously monitored malware campaigns that distribute different\r\nmalware families, such as stealer, clipper, and ransomware.\r\nRecently, CRIL observed a malware strain known as SmokeLoader, which carries popular malware family samples such as\r\nSystemBC and Raccoon Stealer 2.0, along with a new clipper malware dubbed Laplas Clipper that targets cryptocurrency\r\nusers.\r\nWorld's Best AI-Native Threat Intelligence\r\nThrough our research, we have identified more than 180 different samples related to the clipper malware in the last two\r\nweeks, indicating that the malware has been widely deployed in recent weeks. Our intelligence indicates that the incidents of\r\nLaplas Clipper infection are on the rise, as shown below.\r\nFigure 1 – Rise of Laplas Clipper malware\r\nSmokeLoader\r\nSmokeLoader is primarily a loader; its intended purpose is to download and load other malware into the victim’s system.\r\nGenerally, the SmokeLoader is either distributed via malicious documents such as Word/PDF documents, sent through spam\r\nemails, or targeted spear-phishing attacks.\r\nUpon execution of SmokeLoader, it injects malicious code into the “explorer.exe” process and starts its malicious activity.\r\nThen, it downloads additional malware from the following URLs.\r\nhttps://blog.cyble.com/2022/11/02/new-laplas-clipper-distributed-by-smokeloader/\r\nPage 1 of 9\n\nhxxp[:]//45.83.122[.]33/admin/wevtutil[.]exe – SystemBC RAT\r\nhxxp[:]//45.83.122[.]33/admin/Microsoft.AppV.AppVClientWmi[.]exe – RecordBreaker (Raccoon Stealer 2.0)\r\nhxxp[:]//45.83.122[.]33/admin/avicap32[.]exe – Laplas Clipper\r\nThe below figure shows the network information of SmokeLoader downloading additional malware into the victim’s system.\r\nFigure 2 – Smoke Loader downloads additional malware\r\nSystemBC\r\nSystemBC is a Proxy and Remote Administrative Tool (RAT) first seen in 2019. Various Threat Actors (TAs) have used this\r\nProxy malware for the last few years. While it was recently distributed via SmokeLoader, this malware has increasingly\r\nbeen used in various ransomware attacks in the past.\r\nAfter successful infection, the TAs can control the victim’s machine to perform malicious activities such as stealing\r\nWindows usernames, volume serial numbers, downloading additional payloads, etc. It also acts as Proxy Bot, allowing the\r\nTAs to hide the IP when performing malicious activity.\r\nRecordBreaker (Raccoon Stealer 2.0)\r\nIn June 2022, a new edition of the Raccoon Stealer was discovered in the wild by security researchers. Initially, the malware\r\nwas named “Recordbreaker” but was later identified as a revived version of Raccoon stealer.\r\nRaccoon Stealer is a type of malware that steals various data such as stored browser credentials and information, credit\r\ncards, cryptocurrency wallets, email data, and several other types of sensitive data from different applications from a\r\nvictim’s computer.\r\nThe operator of Racoon Stealer “Mark Sokolovky” had been arrested in March by Dutch authorities and was charged for his\r\nsuspected role in conspiring to operate the Infostealer as a malware-as-a-service. While Dutch authorities arrested the\r\nsuspect, the FBI and law enforcement partners in the Netherlands and Italy dismantled Raccoon Infostealer’s infrastructure\r\nand took down the malware’s existing version offline. The FBI has set up a website where people can verify whether they\r\nmay have been a victim of a Racoon attack: raccoon.ic3.gov\r\nLaplas Clipper\r\nClipper is a family of malicious programs that targets cryptocurrency users. This malware hijacks a cryptocurrency\r\ntransaction by swapping a victim’s wallet address with the wallet address owned by TAs. When a user tries to make a\r\npayment from their cryptocurrency account, it redirects the transaction to TAs account instead of their original recipient.\r\nClipper malware performs this swap by monitoring the clipboard of the victim’s system, where copied data is stored.\r\nWhenever the user copies data, the clipper verifies if the clipboard data contains any cryptocurrency wallet addresses. If\r\nfound, the malware replaces it with the TAs wallet address, resulting in the victim’s financial loss.\r\nLaplas is new clipper malware that generates a wallet address similar to the victim’s wallet address. The victim will not\r\nnotice the difference in the address, which significantly increases the chances of successful clipper activity.\r\nThe figure below shows the TA’s Laplas Clipper advertisement on a cybercrime forum with feature details.\r\nhttps://blog.cyble.com/2022/11/02/new-laplas-clipper-distributed-by-smokeloader/\r\nPage 2 of 9\n\nFigure 3 – Laplas Clipper advertisement used by TA on the dark web forum\r\nThe clipper can support wallets such as Bitcoin, Ethereum, Bitcoin Cash, Litecoin, Dogecoin, Monero, Ripple, ZCash, Dash,\r\nRonin, Tron, and Steam Trade URL. The Laplas Clipper is priced as shown below:\r\n$29 / 1 Sunday\r\n$59 / 1 month\r\n$159 / 3 months\r\n$299 / 6 months\r\n$549 / 1 year\r\nIn this report, Cyble Research and Intelligence Labs (CRIL) conducts a deep analysis of the new Laplas Clipper malware to\r\nunderstand its behavior and capability.\r\nTechnical Details\r\nThe clipper sample Sha256: e5bc55ce98909742d2f1353b3bc8749ecc71206a5b8fa2e656d2a3ae186c1e63 was taken for\r\nanalysis. The sample is compiled using VB.NET and protected by VMProtect.\r\nFigure 4 – Static File Information\r\nUpon execution, the malware loaded a new module named “build.exe” in memory which performs the clipper activities.\r\nInitially, the module (“build.exe”) creates a mutex to ensure that only one instance of malware runs on the victim’s system at\r\nany given time. The below figure shows the new module loaded in memory and mutex creation in the main function.\r\nhttps://blog.cyble.com/2022/11/02/new-laplas-clipper-distributed-by-smokeloader/\r\nPage 3 of 9\n\nFigure 5 – New Clipper module loaded in memory and mutex creation\r\nAfter that, the clipper creates a copy of itself into %appdata% location and adds task schedular entry for persistence\r\n(executes every 1 min for a duration of 416 days) by using the following command line:\r\n“cmd.exe /C schtasks /create /tn \\\\{0} /tr \\”{1}\\” /st 00:00 /du 9999:59 /sc once /ri 1 /f”\r\nFigure 6 – Task scheduler entry\r\nThen, the malware initially downloads the regex pattern, monitors the user’s clipboard activity, and validates if the clipboard\r\ncontains any cryptocurrency address using the downloaded regex pattern. If the clipper identifies any wallet address in the\r\nclipboard data, then it downloads a similar TA’s wallet address to the remote server by using the following functions:\r\nGetRegEx()\r\nSetOnline()\r\nGetAddress()\r\nGetRegex():\r\nThe malware uses GetRegex() function to get all the regex patterns from the C\u0026C server. This function calls SendRequest()\r\nfunction internally, which forms the below URL that downloads the regex pattern to identify the victim’s cryptocurrency\r\nwallet address.\r\n“hxxp[:]//clipper[.]guru/bot/regex?\r\nkey=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34”\r\nThe below figure shows the code snippet used to get the regex pattern from the remote server.\r\nFigure 7 – Regex pattern downloaded from C\u0026C server\r\nThe below table shows the details of targeted cryptocurrencies and their regular expressions.\r\nCrypto\r\nCurrencies\r\nRegular Expression\r\nhttps://blog.cyble.com/2022/11/02/new-laplas-clipper-distributed-by-smokeloader/\r\nPage 4 of 9\n\nBitcoin (BTC)\r\n(?:(1[a-zA-HJ-NP-Z1-9]{25,59}) (3[a-zA-HJ-NP-Z0-9]{25,59}) (bc1[a-zA-HJ-NP-Z0-9]{25,59})\r\nBitcoin Cash\r\n(BCH)\r\n(1[a-km-zA-HJ-NP-Z1-9]{25,34}) (3[a-km-zA-HJ-NP-Z1-9]{25,34}) (q[a-z0-9]\r\n{41}) (p[a-z0-9]{41})\r\nLitecoin (LTC)\r\n(L[a-km-zA-HJ-NP-Z1-9]{26,33}) (M[a-km-zA-HJ-NP-Z1-9]{26,33}) (3[a-km-zA-HJ-NP-Z1-9]{26,33}) (ltc1q[a-km-zA-HJ-NP-Z1-9]{26,33})\r\nEthereum (ETH) (0x[a-fA-F0-9]{40})\r\nDogecoin\r\n(DOGE)\r\n(D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32})\r\nMonero (XMR) (4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}) (8[0-9AB][1-9A-HJ-NP-Za-km-z]{93})\r\nRipple (XRP) (r[0-9a-zA-Z]{24,34})\r\nZcash (ZEC) (t1[a-km-zA-HJ-NP-Z1-9]{33})\r\nDash (DASH) (X[1-9A-HJ-NP-Za-km-z]{33})\r\nRonin (RON) (ronin:[a-fA-F0-9]{40})\r\nTron (TRX) (T[A-Za-z1-9]{33})\r\nSteam Trade\r\nURL\r\n(http[s]*:\\/\\/steamcommunity.com\\/tradeoffer\\/new\\/\\?partner=([0-9]+)\u0026token=([a-zA-Z0-9]+))\r\nTezos (XTZ) (tz[1-3][1-9A-HJ-NP-Za-km-z]{33})\r\nCardano (ADA) (addr1[a-z0-9]+)\r\nCosmos (ATOM) (cosmos1[a-z0-9]{38})\r\nQtum (QTUM) (Q[a-zA-Z0-9]+))\r\nSetOnline():\r\nThe malware calls the SetOnline() function and confirms the victim is online by connecting to the below URL, which\r\ncontains the system guide and API key.\r\n“hxxp[:]//clipper[.]guru/bot/online?guid=DESKTOP-[Redacted]\r\n\u0026key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34”\r\nGetAddress():\r\nThe malware uses the GetAddress() function, which forms the below URL with the victim’s wallet address and API key. The\r\nmalware then connects to the formed URL to download similar TAs cryptocurrency wallet addresses from the remote server.\r\n“hxxp[:]//clipper[.]guru/bot/get?\r\naddress=0x5B28638188D7D9be3cAfE4EB72D978a909a70466\u0026key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34\r\nThe below figure shows the code snippet used to get the TAs wallet address from the server.\r\nFigure 8 – TAs wallet address download from server\r\nhttps://blog.cyble.com/2022/11/02/new-laplas-clipper-distributed-by-smokeloader/\r\nPage 5 of 9\n\nAfter downloading the TAs wallet address, the clipper replaces it with the victim’s wallet address using the\r\nClipboard.SetText() method as shown below.\r\nFigure 9 – Replacing Clipboard value with TA’s wallet address\r\nThe clipper actively monitors the victim’s clipboard activity and replaces the wallet address whenever it identifies if the\r\nvictim tries to copy any wallet addresses for performing cryptocurrency transactions. This results in redirecting the\r\ntransaction to TAs wallet address.\r\nLaplas Clipper Web Panel:\r\nHere are some screenshots that showcase the web panel of the Laplas Clipper.\r\nThe login page of Laplas Clipper is shown below.\r\nFigure 10 – Laplas Clipper C\u0026C panel login page\r\nThe figure below shows the Dashboard page of the Laplas clipper web panel from TAs telegram channel, which\r\ndemonstrates the status of infected computers and active TAs wallet address details.\r\nhttps://blog.cyble.com/2022/11/02/new-laplas-clipper-distributed-by-smokeloader/\r\nPage 6 of 9\n\nFigure 11 – Laplas C\u0026C panel dashboard\r\nThe TAs can also add their wallet address in the Clipper menu to replace the victim’s wallet Address with the TA’s wallet\r\naddress, as shown below.\r\nFigure 12 – TAs wallet address page in C\u0026C panel\r\nConclusion\r\nSmoke Loader is a well-known, highly configurable, effective malware that TAs are actively renovating. It is a modular\r\nmalware, indicating it can get new execution instructions from C\u0026C servers and download additional malware for expanded\r\nfunctionality. In this case, the TAs use three different malware families for financial gain and other malicious purposes.\r\nThe RecordBreaker, a revived version of Raccoon Stealer, is used to steal sensitive information, the SystemBC is a\r\nmultifunctional threat combining proxy and remote access trojan features, and the new Laplas clipper performs clipboard\r\nhijacking to steal cryptocurrency from victims.\r\nCyble Research and Intelligence Labs will continue monitoring the latest phishing or malware strains in the wild and update\r\nblogs with actionable intelligence to protect users from such notorious attacks.\r\nOur Recommendations\r\nThe initial infection happens via spam email, so the enterprise should use email-based security to detect phishing\r\nemails. Also, refrain from opening untrusted links and email attachments without first verifying their authenticity.\r\nThe actual loader downloads other malware families, so using a reputed antivirus is recommended on connected\r\ndevices, including PCs and laptops. The security software should have the latest security updates to detect new\r\nmalware families such as Laplas Clipper.\r\nThe users should carefully check their wallet addresses before making any cryptocurrency transaction to ensure there\r\nis no change when copying and pasting the actual wallet addresses.\r\nThe seeds for wallets should be stored safely and encrypted on any devices.\r\nEducate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.\r\nBlock URLs that could spread the malware, e.g., Torrent/Warez. \r\nMITRE ATT\u0026CK® Techniques\r\nhttps://blog.cyble.com/2022/11/02/new-laplas-clipper-distributed-by-smokeloader/\r\nPage 7 of 9\n\nTactic\r\nTechnique\r\nID\r\nTechnique Name\r\nExecution\r\nT1204\r\nT1203\r\nUser Execution Exploitation for Client Execution\r\nPersistence T1053 Scheduled Task/Job\r\nPrivilege\r\nEscalation\r\nT1055\r\nT1574\r\nProcess Injection DLL Side-Loading\r\nDefense Evasion\r\nT1027\r\nT1562\r\nT1497\r\nT1036\r\nT1070\r\nT1564\r\nSoftware Packing\r\nDisable or Modify Tools Virtualization/Sandbox Evasion\r\nMasquerading File Deletion Hidden Files and Directories\r\nDiscovery\r\nT1057\r\nT1082\r\nT1518\r\nProcess Discovery System Information Discovery Security Software\r\nDiscovery\r\nCommand and\r\nControl\r\nT1071\r\nT1105\r\nT1571\r\nApplication Layer Protocol Ingress Tool Transfer Non-Standard Port\r\nIndicators of Compromise (IOCs)\r\nIndicators\r\n825a7c6d1b4adfe2b1cc7b29199f5033 1edcdc6899fe0aad0b953dee9f3660da0e052699\r\nf4a57ad535ec4b0c7c1b3fbd9a116e451a392ee3f1e5e8b7a5ee0b05141208cc\r\n457c9934ea081a6594d8f630ef5a9460\r\nef0692e35a6d55aff3814ebe4e40fc231a24873e 19b7183a3eed215c98ce35ac4168917345ef97c104b0c5a7ea43919f094a3bc3\r\n7f9a14f5eb35f5edd11624abfafba8f0\r\ned586dd2973f3126ff07950dacbd484643de06f7 de0eb9f1d712ec2c91fea05e26fb01a019cadcc8beb4ad6d2f4a0b4db2cfbfaf\r\nb76188bafa717975768bd24d09ffeb09\r\nf623849274e0303a33a20f28d5b972869b89f947\r\ne5bc55ce98909742d2f1353b3bc8749ecc71206a5b8fa2e656d2a3ae186c1e63\r\nhxxp[:]//45.83.122[.]33/admin/wevtutil[.]exe\r\nhxxp[:]//45.83.122[.]33/admin/Microsoft.AppV.AppVClientWmi[.]exe\r\nhxxp[:]//45.83.122[.]33/admin/avicap32[.]exe\r\nhxxp[:]//clipper[.]guru/bot/get?\r\naddress=0x5B28638188D7D9be3cAfE4EB72D978a909a70466\u0026key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a\r\nhxxp[:]//clipper[.]guru/bot/online?guid=DESKTOP-[Redacted] \u0026key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a\r\nhxxp[:]//clipper[.]guru/bot/regex?key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34\r\n25d746af48d645f521157bce0201c89a ce1a8753cfa6a3201ec14c2e2d6c2c3c fad177ef62684282355546f19952cf15\r\nb59bae8f31cf49096a7e222372dddb02 18a0b8dbec69e8243451d8ab2baf08b8 1d8d26a2473b7a1a178ae6711e651428\r\n1aee575e4c0166891589c665ab4284f8 c8f500d04cd278f3f116d738c283af5e fedfd00548c257f71035c9e04839cef0\r\n76de4b33764b404503fb5bab6a722f46 e6b35376651ce442e0698346f0f24640 fb3d52a6dde88e25961373716c4d2e86\r\nhttps://blog.cyble.com/2022/11/02/new-laplas-clipper-distributed-by-smokeloader/\r\nPage 8 of 9\n\n994a559d0d0992c9eb8db2812c790303 78e7172569b6cd4b0896e45598d705ed 92837369abac7478c5d98fd3dc02e4a0\r\nd7098fc31fc30167397595f2a5364354 5818ffa75608143954014237b0db17c8 587c8d8ed424ce27fa4b402e53cb4083\r\n688b75eb9297938aeea80fe48634f8bc 40d6d8aed45ad02b8f95738a61b673df db73e5eda0520179f7cd126201b3c48e\r\n8df24d58771ddd234e501d829878c4c9 e153d073305e9c81f159790d5974c33c 3bcf293da9ead23f641eae7688f47989\r\n3cdef8225b0872b89c4a3eb677b44499 915fd1cdb69bf18d1f73549f6d5fd7c7 de8b56260476fecd8291eb7db21958fb\r\nfeb528729ffd2e59166f5063edbd2fdc e40c2f168946f7194fdcf14984b18dbd 7bb6e8906a0daedb5a872be9bf9efc15\r\neec511e01e9e99500dad1dad5b1f95da 6e99606f611109b4d797469ecdc48d4a 78ebdef5771ca29c0bfe4faec242ff34\r\na2d5ec971571a14d8fb52eafb6b870d7 819ebffcb61f8fb1c48960a906b81081 69c323e38d7fc42bd727b7ccf908fa50\r\n23ae38390ffd78fdddff9fd96453119c 76de5446bd4427858e8a3b12b3d15f77 9cd3d0b2a198b998a80580eada1a113d\r\na4c55995cdcde200c09c545e6ab0ecd4 956565e1d1085d41d17571a1117d1481 b6fad24f4c916d33d6d7bf94197c973d\r\nabb57da15fe1176f0a56a4b82a0a0e25 d8cef2c2069118c66b1c75f113626fcf d775ccb1c93ca876a0d2ff0228d84e3e\r\naeee19cbe274f32ee83e0d5a28178ee5 fea8167cb58393e2b7aa3fa4e3857f24 94225e1d103479828bef47a069ef4ef3\r\n62d6453529e7559cbea59600a83f870d 1818f833f4d654f76009885605b37f2a 00fa891101b4601fbc7cd2cd66eba10f\r\n2a807fbd301499b442c3751ca3086681 ae6725ed917a70102c0cfb3050a8c278 4b42a0a525a4c6840a1b74621e6fdd00\r\na419e6b2e63a449f2d261920ae535ede 8732db8a00e54d4563ee4500aa2726b5 cfb5d62497bd1c277d2079cf943d9ff6\r\nd5e1660fd9b842afb055005dfc4733b7 ac80ff070f79c5dc7a3454c97f950744 ba8ad308b649c46a06017680df4734f2\r\nb2f990367964eef7093f382f174f35e9 cba79d0950de4f0fe07a6843a0f90ef1 fa5a0c975813a54c70f0b5438ad2ea52\r\n3f53a77b20c55d3f664478a22567a1c5 b491f711272344f719ee13d98ff337bf ad0388c2657426eca03800a5e6f9e324\r\n9829f84fa25599049655f967f437343d a169fb1a323c970f7a169b30657112cc d50fef57ac27c858dcac1d9b38c59452\r\nff3289eb561cb37af573eefd73e17565 c447674323e2fca8b78e215759426cbf 9d4c3f5fc6c57b311a1426614f572026\r\ne1bff429b1c0ebd9bf4687dabc7012d2 b5686152e9e35844fc36304b019b2398 f301ffdb36d5791f6d886b59e4c56614\r\n07eb585b200c7aa2634b6815c7d758be 2b4e8a748b2fb123cd5a106fc838f3c1 97e9e5e420256d938dbda45aa792e0e3\r\n32b2d9f37c2ad9dc8350213bfe4e86f7 a5ba098ff1a7258e89be53bbb436f6d5 d99fbe73e529110529c00ea713ae3e65\r\n2f3fd9e718316bc9e26e8aab11db707a 7d2984bffe8119d5516271df390a930a 65eef58b3c1da89fb5a282522c084fb9\r\n079feda86cace84e8ca835e146ab0f0c 63a36317393ff3ea158083f67663eea4 58cb38a174c52dd6b5574ebf7efdd9b7\r\n0b9d43bac93982250061e4a9643966e1 6449b05a4b391b74132378bbcbddf608 8b1528a78d7716d5c52797456f99ec75\r\n16db56d9a318e8c013e9edabe384a021 59c1002802ba0fbe1184b7d53ca63611 c6414a97a110f8eb0cb9564013a8bd1b\r\n20655e73dd090d9414af9ffe586eea04 ea4ed54c7093ad6d2bc3eeb71c8a3554 c59badc576ad0f460517d8f3af1c37b1\r\n75f27f1c006cb9752c068b26e938f3a2 f2255f5a5e7f2a19642557d3999945e8 e67888266db0229b8a9ea516e935b295\r\n82719e00373b053d13fc9e32e054097e 78b27dbc5c39d4d9a0dc0bfcec3f04f1 887cfc738950c8768d07ae05ed7bb1f8\r\na2c49394ec79c44e4c9bd8a998dce757 fa5edc05d6d7a9d50f2d83803832d92f 58c1d5dd6cc2e9996a631df8723cedbf\r\ne7d6901f9aef9ff66d3a2bef0afeb5f4 1d3cd9ca31ba177237db973a874403ba 0888bcc5bd9c722ad50332fbd43c15e8\r\nba6c699acd9fc9a77222be4ef270f37f 4bdf963931aa83a1fcd519c71df19f1d 1d7b251c7d9d2b3ebf44b6321b1dffbc\r\n183b863415c58dc453f7c320711c16ed c6688ae7a75cc1f8e8969205542a198c 2e0736b673c24d6b9329a4e79c4efafd\r\n601d264436cb773d43760d8b3e4ad5e4 fb682408b7be3b9ca62c07724a7d4f6e 5107acb290f06571cff2e28273125341\r\n063e3ca9b211a7a653f3795ae696a28a 28a424c3b03501e9a164000f379fddb1 f7855cb44ab336c4489cbd33ea30abf2\r\nc1320d9de397d9615ab8067e46a91b14 18dc340f7f3ec0338952b10fedd4b67f 331487d7a372fbb8d378f18c8d7f5790\r\n9b13391d9dd985d13afd29a77921c847 a462d9956888676860d9a43c32a83fb1 444bcb3a3fcf8389296c49467f27e1d6\r\n95739b2e1f7b9d344e672cfa3d7d4f36 a277e780860da78591d85058a343bc55 7f6e56868c449b2f9665383cdca6891f\r\n112df3b7292259b25c0aded0433a7da4 d5c452e714b9acaf3f74e38b0ade86cf e84f2c12de7bca71cf8607f4af174bfe\r\n2f4b0081d9a3ff46a8235a5ed91609a2 e9d2985b1fb7406cc6b4f5ec701f46ff 0717e07951e0b33f91c4f3c18bfe6b65\r\n7d1600db3144c4f7bf6c169abcf06e50 429c18e66a13bdfc79db32f3f46df180 627953b1f8d0f3a43b7d28e3d6ac871d\r\nc29d86db9e8d1feae47cf944263de804 4d6ffbea2f0e8ba1ba6b106c6b033ec6 b92a37d89e9884cc97908d0b1aeb21a3\r\n2edc36281939ab08b6db56aa2448c5d9 a85eb940314ea0effc74d21269f91614 d5c38324b7e485be9670db1c8613cb5e\r\n7e3f1dbdcc310d1d0641a3e4da6d3d02 9932a10a6a0106089b3e999b5f1358f2 71ca5e47e3d9b07754393f02feb2fef9\r\na128bcfb569d1a7f66c6f78d45b49210 dce404046e69f796b0a779b279e4acc9 60d7be926dc7908a01bb2cc836317c24\r\nbe04f702123291b203e2fea897eadd09 df9c395f5640a450d5aba408567e7226 a2c801ee43ff3116ce812693f5c78912\r\n12b028183fb3c1c6ae7490df805774ff 175830313c1916db904aab7b8e86c458 76d1475beae873740e79b1c9454fe14b\r\n53a8ef5c59466b85ea45c43335ddb629 37db829df627011ab37fa541ea71d00e 6fd0e40ec98a453d9c73c7854f166aaa\r\nbdb4e27b10a253509c96fecc4967ce0e b993c543af9af801e71656499a4c6800 76b253d585534773a5096b1a925e19f2\r\nfd49759ca686862225c1bbb86341d060 9af259b9be66a019f2c3191beb5c90ea e40fba16c0c65774618589cad251d088\r\nc9e44d64d39d312d0752bb28b9e2d650 74a107a8982b13f26a43abc4ea192066 2e4bf486e7f76fe32187221e3bdb5099\r\nedab70b7eaf6a427c635ee98d9ec43e6 e4b5c2706961858e71ff95b0a9d49533 71e3f83831c94d2d61691e587db505e2\r\nb76188bafa717975768bd24d09ffeb09 fd01ddcd954c0481b401bbbc7b1b9133 350e3de1f003f18ecf81bbae7c9282f2\r\nc86374ff5e281d3abf124a11aeb6aa0c 4a8683397302af5d59bd68a6d2508e56 d159497e9786d8bc80ee3176407232cf\r\nf54fde502ee4056ae59df7156fa9961f 4e4bd491a86e7c94714b3fa69d774e9f\r\nSource: https://blog.cyble.com/2022/11/02/new-laplas-clipper-distributed-by-smokeloader/\r\nhttps://blog.cyble.com/2022/11/02/new-laplas-clipper-distributed-by-smokeloader/\r\nPage 9 of 9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2022/11/02/new-laplas-clipper-distributed-by-smokeloader/"
	],
	"report_names": [
		"new-laplas-clipper-distributed-by-smokeloader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434430,
	"ts_updated_at": 1775791217,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/945baa84fcf4e40ac9da45c56b5e42beeccc7996.pdf",
		"text": "https://archive.orkl.eu/945baa84fcf4e40ac9da45c56b5e42beeccc7996.txt",
		"img": "https://archive.orkl.eu/945baa84fcf4e40ac9da45c56b5e42beeccc7996.jpg"
	}
}