MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d6c6aa72b119b2bc82d377602bfbcebf9f71393c31d2d6b34643adf50f6e82f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ClipBanker


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d6c6aa72b119b2bc82d377602bfbcebf9f71393c31d2d6b34643adf50f6e82f
SHA3-384 hash: 06b2128ca2bc94d2aaa8af9fba5edcf390f8a9221a88f6c4cd8440fbfa68bf4e6915c1fde97e7963acde0fefc2f1f4b6
SHA1 hash: 4e0977439e273a084ae44986edba1a343e285593
MD5 hash: e8719fad9816c40755e1c4821650e14b
humanhash: chicken-foxtrot-black-steak
File name:e8719fad9816c40755e1c4821650e14b.exe
Download: download sample
Signature ClipBanker
Create hunting rule
File size:3'467'264 bytes
First seen:2021-10-17 07:22:09 UTC
Last seen:2021-10-17 08:18:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 106f3d3e521ab0377bf478b03f3dd87b (55 x ClipBanker)
ssdeep 98304:aSyqHFt/qr04owuG4ZCSmT+wVzl/HKhO:aSvn/twuG4ZCShwtl/H
Threatray 1'577 similar samples on MalwareBazaar
TLSH T145F533F9D5F9D5FAE4D84E71311FEC5D840AF4E248CAA775348F8081C2AA85834AFDA1
Reporter abuse_ch
Tags:ClipBanker exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
385
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Download+file+Serial_IO_Intel_February_2018.exe+(16,97+Mb)+In+free+mode+_+Turbobit.net.zip
Verdict:
Malicious activity
Analysis date:
2021-10-17 02:22:29 UTC
Tags:
evasion trojan loader opendir stealer vidar rat redline raccoon
Link:
https://app.any.run/tasks/9d370c8d-f9ee-4bec-beee-64582061c647

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197953/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop18.44638.9231.29922.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a window
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/616bcf58db358dd15ebd91eb/reports/7b8d035d-8788-4d7a-be5c-76273ce0b88b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/92ef5231-934e-47d7-bfbb-83d0b68aa9bb
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/871737
Signature
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0d6c6aa72b119b2bc82d377602bfbcebf9f71393c31d2d6b34643adf50f6e82f/
Threat name:
Win64.Dropper.Scrop
Create hunting rule
Status:
Malicious
First seen:
2021-10-16 21:47:40 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  3/5
Verdict:
malicious
Similar samples:
1e1986cb65365d3c0ce892c8d9edb82f813feb643ad06008f600c674238f4d99
ClipBanker
4c89265179f2471e24688ac126c541886173be7773617450b0849cb48a5a293d
ClipBanker
4dd950fcdcd8483ec9346b4a5214931134975c439cf463daa3a0518cfc5db9a6
ClipBanker
7c3b5f1493854daf8b8c4c7385b9e3dcb6e4701b97617efbfa85852a47e3fffa
ClipBanker
88f1c469317a8dfaf4c6fd17951a7d218e6a98445fa7ec12cb35ef786d1c2b2f
ClipBanker
93e582393fca866d1291b3852e63dbe2e7a1460e9e2ab3d750083f28f4d04e64
ClipBanker
9645193a9c27dda91e226282f95aa9f41b71818cfbae43b8e056a77db19655fb
ClipBanker
f303ccc5cdf05114cedee459d0f66bf3b428e19054e2e3f1f001d945332ab6c0
ClipBanker
f73aae62b00a5cc2dd5e1e484e25ff47ab8ab8c01ffd88e17a44779c1ea7699c
ClipBanker
+ 1'567 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/211017-h7s3nacea2/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
0d6c6aa72b119b2bc82d377602bfbcebf9f71393c31d2d6b34643adf50f6e82f
MD5 hash:
e8719fad9816c40755e1c4821650e14b
SHA1 hash:
4e0977439e273a084ae44986edba1a343e285593
Link:
https://www.unpac.me/results/5f84284d-e272-4fab-9183-1ebb2681d117/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.44
Link:
https://yomi.yoroi.company/submissions/0d6c6aa72b119b2bc82d377602bfbcebf9f71393c31d2d6b34643adf50f6e82f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ClipBanker

Executable exe 0d6c6aa72b119b2bc82d377602bfbcebf9f71393c31d2d6b34643adf50f6e82f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1684876/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/197953/

Comments