MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71f5bb7d9ace05cfb89e95843499c1c19ca1d6c8b1cd66561d24ceb9ffa94862. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ClipBanker


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 71f5bb7d9ace05cfb89e95843499c1c19ca1d6c8b1cd66561d24ceb9ffa94862
SHA3-384 hash: c5bafbddd4269686b144fb3caa67615492c60ec63b4b2847912fb00d195ecac258fca067224a57800cb211a6653556d8
SHA1 hash: 6b1d33d1afec238f49a23be639790145ee0b3dfd
MD5 hash: 7a99d0912a3371081b8a866c6ff48351
humanhash: tennis-nevada-kansas-delta
File name:sonia_6.txt
Download: download sample
Signature ClipBanker
Create hunting rule
File size:1'186'304 bytes
First seen:2021-07-28 16:30:54 UTC
Last seen:2021-07-28 17:47:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4b1a0cc0d6c71b1f1abf86a8693fc16e (1 x ClipBanker, 1 x DiamondFox, 1 x RedLineStealer)
ssdeep 24576:0XdmFGXOGXlTztlj3RbjjCStIUZf7xqRRpTLD9ONY/tV4:8dfLVTLjxJtIUQTf9O2V4
Threatray 2'234 similar samples on MalwareBazaar
TLSH T16B457E20F642E0B0DD9100B52BE57B7594AD2C38877449EFF7C42AB59A316D2B731B2B
dhash icon f0a8bab082828292 (8 x AgentTesla, 3 x RedLineStealer, 3 x PrivateLoader)
Reporter CholeVallabh
Tags:ClipBanker exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.140.147.111:22333 https://threatfox.abuse.ch/ioc/163684/

Intelligence

File Origin
# of uploads :
2
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
main_setup_x86x64.exe
Verdict:
Malicious activity
Analysis date:
2021-07-28 14:07:33 UTC
Tags:
evasion stealer loader trojan opendir kelihos autoit rat redline
Link:
https://app.any.run/tasks/09e9935c-4c9c-491c-9fb7-b9183f279005

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/174726/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.47356.10896.27237.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ae1e8c0a-ac2b-4a26-bc98-9b93c1abc2eb
Result
Threat name:
Backstage Stealer Glupteba Raccoon RedLi
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/823247
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Backstage Stealer
Yara detected Glupteba
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 455660 Sample: sonia_6.txt Startdate: 28/07/2021 Architecture: WINDOWS Score: 100 47 185.234.247.100 INTERKONEKT-ASPL Russian Federation 2->47 49 ip-api.com 208.95.112.1 TUT-ASUS United States 2->49 51 14 other IPs or domains 2->51 79 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->79 81 Multi AV Scanner detection for domain / URL 2->81 83 Antivirus detection for URL or domain 2->83 85 17 other signatures 2->85 7 sonia_6.exe 4 58 2->7         started        12 svchost.exe 1 2->12         started        signatures3 process4 dnsIp5 53 37.0.11.9, 49732, 80 WKD-ASIE Netherlands 7->53 55 37.0.11.8, 49734, 49735, 80 WKD-ASIE Netherlands 7->55 57 9 other IPs or domains 7->57 25 C:\Users\...\y_AH16KMqLzjPiw5Vqv4TMO4.exe, PE32 7->25 dropped 27 C:\Users\...\reqiN1H5VmEvvx3L_ZnESG0E.exe, PE32 7->27 dropped 29 C:\Users\...\r5JA8Fy65inoZHqCBo5AF64q.exe, PE32 7->29 dropped 31 37 other files (20 malicious) 7->31 dropped 87 Drops PE files to the document folder of the user 7->87 89 May check the online IP address of the machine 7->89 91 Performs DNS queries to domains with low reputation 7->91 93 Disable Windows Defender real time protection (registry) 7->93 14 E5XJYsXNMRO4znRWDUcvHbxZ.exe 80 7->14         started        19 hFXFeEKA5ca6nBnCW7TQUnQY.exe 1 15 7->19         started        21 hvqMRgcSI_sMqaTnFMm89dEU.exe 2 7->21         started        23 2 other processes 7->23 file6 signatures7 process8 dnsIp9 59 telete.in 195.201.225.248 HETZNER-ASDE Germany 14->59 61 34.141.84.7 ATGS-MMD-ASUS United States 14->61 63 192.168.2.1 unknown unknown 14->63 33 C:\Users\user\AppData\...\vcruntime140.dll, PE32 14->33 dropped 35 C:\Users\user\AppData\...\ucrtbase.dll, PE32 14->35 dropped 37 C:\Users\user\AppData\...\softokn3.dll, PE32 14->37 dropped 45 56 other files (none is malicious) 14->45 dropped 71 Tries to steal Mail credentials (via file access) 14->71 73 Tries to harvest and steal browser information (history, passwords, etc) 14->73 65 45.136.151.102 ENZUINC-US Latvia 19->65 67 s.lletlee.com 104.21.17.130 CLOUDFLARENETUS United States 19->67 69 ip-api.com 19->69 39 C:\Users\user\AppData\Local\Temp\22222.exe, PE32 19->39 dropped 41 C:\Users\user\AppData\Local\Temp\11111.exe, PE32 19->41 dropped 43 C:\Users\user\AppData\...\aaa_v008[1].dll, DOS 19->43 dropped 75 May check the online IP address of the machine 19->75 77 Sample uses process hollowing technique 21->77 file10 signatures11
Gathering data
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-28 09:54:39 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oh23w7m2zyc47oe6swcdjgobygokdvwiwhgwmvq5ethlt75jjbra._file
Verdict:
malicious
Similar samples:
08c672cbfc638f1cde4a502afb6b0b907b0a665a6b487a9552cbf48abcb516a1
ClipBanker
21aad53d28c5415465bef9cd7b36d0d4708f22b57d77f7d6aca5e2de371c1bb5
ClipBanker
3cee28ef52c59c99b841c6927f5085e483523cb8b606ff9ce5d60b3c13574545
ClipBanker
474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c
ClipBanker
72b24e99cdd46d7cee31af6d8858782b775db1753d4ed954774a2b1306d5dd89
ClipBanker
87be6f628553d89007fd8f7d0758d42906f2ee7d84ca18e961cb463921061a42
ClipBanker
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0
ClipBanker
91949edb9145bda3b1336a5513c44707a86300ca5a378411c9bf8800b8127db9
ClipBanker
a651672f98fba458ca8b6861557119c81d12afcb705c457d65dd2b44dcc499fe
ClipBanker
+ 2'224 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:raccoon family:redline family:smokeloader family:socelars family:tofsee family:vidar botnet:28_7_r botnet:828 botnet:865 botnet:921 botnet:new_5k botnet:ww backdoor discovery dropper evasion infostealer loader persistence spyware stealer suricata themida trojan upx vmprotect
Link:
https://tria.ge/reports/210728-ghk3pq9jze/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
autoit_exe
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Accesses 2FA software files, possible credential harvesting
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
UPX packed file
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Tofsee
Vidar
Windows security bypass
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/Kelihos.F exe Download 2
Malware Config
C2 Extraction:
86.106.181.209:18845
zertypelil.xyz:80
193.56.146.60:51431
https://xeronxikxxx.tumblr.com/
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
Unpacked files
SH256 hash:
71f5bb7d9ace05cfb89e95843499c1c19ca1d6c8b1cd66561d24ceb9ffa94862
MD5 hash:
7a99d0912a3371081b8a866c6ff48351
SHA1 hash:
6b1d33d1afec238f49a23be639790145ee0b3dfd
Link:
https://www.unpac.me/results/2dc28325-2811-464e-8088-3acf0e7579a2/
Parent samples :
7140765cd0d5f61bb453f0511e24786e21d950c2cb3b30aa2945ba1846a4e0a5
280c314b18ddf2481c1173c653acf508262e0ad3dbf2dfa8b64f48d75bd10765
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/71f5bb7d9ace05cfb89e95843499c1c19ca1d6c8b1cd66561d24ceb9ffa94862

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/174726/

Comments