MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b52943263d9b10f2ecd5afcec024470bd87ad0b5efda0b5d7f2066f955351588. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ClipBanker


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b52943263d9b10f2ecd5afcec024470bd87ad0b5efda0b5d7f2066f955351588
SHA3-384 hash: 8000882acceb6f11663272b7fd14583f560eaf1ccde4487b452610729d52b38f830205a5686be09d8552d7d5f4bbbab2
SHA1 hash: 875d31a7ff19a4e443f7a40ceba9e1ded2007777
MD5 hash: 7b2cba7ce9792101e7180994efc46b8f
humanhash: rugby-virginia-one-eleven
File name:file
Download: download sample
Signature ClipBanker
Create hunting rule
File size:362'496 bytes
First seen:2026-01-29 23:05:21 UTC
Last seen:2026-01-30 07:04:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c546646952cb160243a67da7651da44c (1 x ClipBanker)
ssdeep 6144:WnGd4/gAIJkHNCBkCVgDPV3Y6B9fPcl31eJhpAd+xZ:WnGd4DIJkHeArV3Y6BBcxMJm
TLSH T1BD748D56B7A418F9E577813CC9630A06D7B2BC660760DBDF03A046964F277E09E3EB21
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:ClipBanker dropped-by-Stealc exe zobpx


Avatar
Bitsight
url: http://45.93.20.151/Loader.exe

Intelligence

File Origin
# of uploads :
9
# of downloads :
181
Origin country :
US US
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/10483191-e31a-4aa7-8dd2-591aea63363c/
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2026-01-29 23:08:25 UTC
Tags:
auto-sch auto-reg
Link:
https://app.any.run/tasks/6f7ee7c8-0807-4b16-a1e9-9b0447f1c8c3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=697be7c66fa3eed165306cc7
Tags:
clipbanker autorun emotet
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm clipbanker exploit explorer fingerprint lolbin microsoft_visual_cc schtasks
Link:
https://www.filescan.io/uploads/697be7c1981ff1d38a40d709/reports/8109f7e5-b2a0-4a5b-8a1c-304c1cf889be/overview
Verdict:
Malicious
Labled as:
Trojan.Loader.Marte.6.Generic
Link:
https://www.hybrid-analysis.com/sample/b52943263d9b10f2ecd5afcec024470bd87ad0b5efda0b5d7f2066f955351588
Result
Gathering data
Verdict:
Malicious
File Type:
exe x64
Link:
https://opentip.kaspersky.com/b52943263d9b10f2ecd5afcec024470bd87ad0b5efda0b5d7f2066f955351588/results?tab=lookup
Malware family:
MuddyWater
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4b303fb2-22b9-4f52-bd6e-552ee37197d9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b52943263d9b10f2ecd5afcec024470bd87ad0b5efda0b5d7f2066f955351588
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b52943263d9b10f2ecd5afcec024470bd87ad0b5efda0b5d7f2066f955351588/
Verdict:
Malicious
Threat:
Trojan-Banker.Win32.ClipBanker
Link:
https://tip.neiki.dev/file/b52943263d9b10f2ecd5afcec024470bd87ad0b5efda0b5d7f2066f955351588
Threat name:
Win64.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2026-01-29 21:08:49 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
19 of 36 (52.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wuuugjr5tmipf3gvv7hmajchbpmhvufv57nawxl7ebtpsvjvcwea._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
execution persistence
Link:
https://tria.ge/reports/260129-225ztaat5b/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Unpacked files
SH256 hash:
b52943263d9b10f2ecd5afcec024470bd87ad0b5efda0b5d7f2066f955351588
MD5 hash:
7b2cba7ce9792101e7180994efc46b8f
SHA1 hash:
875d31a7ff19a4e443f7a40ceba9e1ded2007777
Link:
https://www.unpac.me/results/8bbdb620-c0ad-4ef8-945a-9eea7242f9ee/
SH256 hash:
07229bbbc6371a64dd25b467e75895102bf7018e3b4f4e207eb0a2f0b85858e5
MD5 hash:
fa3619caa0a0095cb57005d53d4c53d9
SHA1 hash:
d4b0ffc45310f11fa7e8018d3023508ca66e3ff3
Detections:
ReflectiveLoader
Create hunting rule
INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Link:
https://www.unpac.me/results/8bbdb620-c0ad-4ef8-945a-9eea7242f9ee/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b52943263d9b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b52943263d9b10f2ecd5afcec024470bd87ad0b5efda0b5d7f2066f955351588

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Author:ditekSHen
Description:Detects Reflective DLL injection artifacts
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ClipBanker

Executable exe b52943263d9b10f2ecd5afcec024470bd87ad0b5efda0b5d7f2066f955351588

(this sample)

  
Dropped by
StealC
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/50763/
  
URLhaus
https://urlhaus.abuse.ch/url/3765838/

Comments