MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20bd5bae45ebfc4edd91ff2385dd191a1ccfd07853c00c6671d107e86fc8f4a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 16

Intelligence 16 IOCs YARA 6 File information Comments

SHA256 hash:	20bd5bae45ebfc4edd91ff2385dd191a1ccfd07853c00c6671d107e86fc8f4a3
SHA3-384 hash:	a7136b8a080102ddbcd07fc5c3f5b8b13302fea3279d0717762352060064ac7f490d6564c483d450904b3bc38bf2c144
SHA1 hash:	a90e99b5170a192b1eb7c5c9808c6b6ab69b9e83
MD5 hash:	8b6cc96796268e86b9a821da4d8d08d5
humanhash:	lactose-snake-mango-salami
File name:	SecuriteInfo.com.Trojan.Clipper.835.20853.12052
Download:	download sample
File size:	295'424 bytes
First seen:	2025-12-05 12:54:27 UTC
Last seen:	2025-12-06 06:17:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b95e73ad92c2049315610876e4406ec8
ssdeep	6144:+hzTLdWUF63UDlkiy2x2/hSTyC2fPJyTpg+q9k1s:+ryg/x4JSg+q9kq
Threatray	84 similar samples on MalwareBazaar
TLSH	T10B545C4937A440F4D9679239C9A39A46E7B2B8550770A3CF036443B96F3B7E19E3E321
TrID	44.4% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/e5111587-0829-45a3-bcf0-e5d5d1f0bd12/

Malware family:

n/a

ID:

File name:

Loader.exe

Verdict:

Malicious activity

Analysis date:

2025-12-05 10:15:34 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/83b4b515-e8e4-461a-9e2c-79858eb7f60a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/42645/

Detection(s):

SecuriteInfo.com.Trojan.Clipper.835.20853.12052.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6932cd6c2b2823e41e748788

Tags:

clipbanker autorun emotet

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug clipbanker exploit explorer fingerprint krypt lolbin microsoft_visual_cc schtasks

Link:

https://www.filescan.io/uploads/6932d63bbba50eaf0422fa3a/reports/d79758a8-cacb-45d2-a7da-59ff5c30d16c/overview

Verdict:

Malicious

Labled as:

Trojan.Loader.Marte.6.Generic

Link:

https://www.hybrid-analysis.com/sample/20bd5bae45ebfc4edd91ff2385dd191a1ccfd07853c00c6671d107e86fc8f4a3

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-12-05T07:53:00Z UTC

Last seen:

2025-12-07T11:27:00Z UTC

Hits:

~100

Detections:

Trojan-Dropper.Win32.Injector.sb VHO:Trojan-Banker.Win32.ClipBanker.agfp PDM:Trojan.Win32.Generic MEM:Trojan.Win32.Cometer.gen Trojan.Win32.Agent.sb Trojan-Banker.Win32.ClipBanker.sb HEUR:Trojan-Banker.Win32.ClipBanker.gen HEUR:HackTool.Win32.Inject.heur Backdoor.Win32.Androm Trojan-Banker.Win32.ClipBanker.agfp VHO:Backdoor.Win32.Androm.gen

Link:

https://opentip.kaspersky.com/20bd5bae45ebfc4edd91ff2385dd191a1ccfd07853c00c6671d107e86fc8f4a3/results?tab=lookup

Malware family:

LogMeIn

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/ae0fccf3-e444-46b9-bf39-bf74e1105885

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/20bd5bae45ebfc4edd91ff2385dd191a1ccfd07853c00c6671d107e86fc8f4a3

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/8b6cc96796268e86b9a821da4d8d08d5

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/20bd5bae45ebfc4edd91ff2385dd191a1ccfd07853c00c6671d107e86fc8f4a3/

Verdict:

Malicious

Threat:

VHO:Trojan-Banker.Win32.ClipBanker

Link:

https://tip.neiki.dev/file/20bd5bae45ebfc4edd91ff2385dd191a1ccfd07853c00c6671d107e86fc8f4a3

Threat name:

Win64.Infostealer.ClipBanker

Status:

Malicious

First seen:

2025-12-05 10:55:47 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ec6vxlsf5p6e5xmr74rylxizdiom7udykpaayztr2ed6q36i6srq._file

Verdict:

malicious

Label(s):

unc_loader_073

779696f4bf969ef9da50b98c884bc149a601847c5ca3b854bb2fd6909040462c

956d607b88f263303037375a1c5e631ac644d447ba1452adfa905656820b66f6

95e4f2e823be17ac9131c2375cc70fde0ef0c7ea5acbee34e359d5094408284f

aad0a60cb86e3a56bcd356c6559b92c4dc4a1a960f409fb499cf76c9b5409fdb

adf118b20cee8c1934614b22d36d206725a123cb87f7476c14f8242710f1e24e

b82478e796a34845419bf7c88ad2727684db48a6e719ec5fe7a1086f8c70def5

c1d781f4c9469977a32f2ad6edea4fda98e6a8eda5aa10149be2311cb369c48a

error

f58fcc5d3c9be3261305a5309b2055f0ac098ddb58d8e8731252f00c5d44fd43

+ 74 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

execution persistence

Link:

https://tria.ge/reports/251205-p5y98azqgv/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

Adds Run key to start application

Checks computer location settings

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/3d9c103c-dbd8-482b-a6a4-b85219fd3114

Unpacked files

SH256 hash:

20bd5bae45ebfc4edd91ff2385dd191a1ccfd07853c00c6671d107e86fc8f4a3

MD5 hash:

8b6cc96796268e86b9a821da4d8d08d5

SHA1 hash:

a90e99b5170a192b1eb7c5c9808c6b6ab69b9e83

Detections:

win_sdbbot_auto

Link:

https://www.unpac.me/results/fd0e433b-6708-4b51-a89c-07857e1f107b/

SH256 hash:

440ad536f2391373467469837e0337aa2c53c95a460d77f761781e4a117b89d5

MD5 hash:

b84a4f6b76ca0ca0d31cbcf399a9204d

SHA1 hash:

5b072e40e558a186569994c31887f46eacfc7f60

Detections:

ReflectiveLoader

INDICATOR_SUSPICIOUS_ReflectiveLoader

Link:

https://www.unpac.me/results/fd0e433b-6708-4b51-a89c-07857e1f107b/

Parent samples :

20bd5bae45ebfc4edd91ff2385dd191a1ccfd07853c00c6671d107e86fc8f4a3
b5588ea2f98d661192c901a59bfad2975d1a1ead2e45eaadbf7815892fc009a6

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/20bd5bae45ebfc4edd91ff2385dd191a1ccfd07853c00c6671d107e86fc8f4a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_ReflectiveLoader Create hunting rule
Author:	ditekSHen
Description:	Detects Reflective DLL injection artifacts

Rule name:	ReflectiveLoader Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research

Rule name:	win_sdbbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.sdbbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 20bd5bae45ebfc4edd91ff2385dd191a1ccfd07853c00c6671d107e86fc8f4a3

(this sample)

Cape

https://www.capesandbox.com/analysis/42645/

URLhaus

https://urlhaus.abuse.ch/url/3725991/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample