MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc72b42c5ead241222e935eaf10144a2a3a56ec492bbefb46eb78ebdf04f87cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ZigClipper

Vendor detections: 14

Intelligence 14 IOCs YARA 10 File information Comments

SHA256 hash:	cc72b42c5ead241222e935eaf10144a2a3a56ec492bbefb46eb78ebdf04f87cc
SHA3-384 hash:	3f0afc866519f184a1f8facac438d7915fdbaf4afb2a6b2adc1ad18b6664323545f2dd787e903eb39325cd134fa420f9
SHA1 hash:	c9c6c474a014b1cff3f38398c6f329e053302c51
MD5 hash:	98887ebaac9fe0d1fa9433f9d8811201
humanhash:	twenty-alanine-thirteen-california
File name:	XPA.exe
Download:	download sample
Signature	ZigClipper Create hunting rule
File size:	808'296 bytes
First seen:	2026-06-07 13:52:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:sAEdXtLgSod+vCjiQK7dW9aCYOTAUNqBqgxIBWFb67jbTWs+4HDwx2UPY4BEA2A3:49j/pM8juMMkpLx3Q92/Pmbe
TLSH	T1830507CF41A459D5E4787373C02AFB1EAA39BCE964A151CF1A673320FE384498D1B636
TrID	33.1% (.EXE) Win64 Executable (generic) (6522/11/2) 25.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.4% (.ICL) Windows Icons Library (generic) (2059/9) 10.3% (.EXE) OS/2 Executable (generic) (2029/13) 10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	70f0e4d89ce4f070 (1 x ZigClipper)
Reporter	aachum
Tags:	celebration-internet-cc exe signed SunWukong ZigClipper

Code Signing Certificate

Organisation:	Osinski and Sons
Issuer:	Osinski and Sons Intermediate CA 2
Algorithm:	sha256WithRSAEncryption
Valid from:	2025-12-01T14:39:21Z
Valid to:	2028-06-01T14:39:21Z
Serial number:	0187278eeb5bd570
Thumbprint Algorithm:	SHA256
Thumbprint:	e63f0f01f929421a590a16b460739627c6c573dbd25c6035807dd3f061aacd77
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

iamaachum

https://radiosanducito.uy/tmp/XPA.exe

ZigClipper C2: celebration-internet.cc

Intelligence

File Origin

# of uploads :

# of downloads :

131

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

guloader

ID:

File name:

BIGFILMS 8211 INFERNO Pack Create Epic Blockbuster Scenes.exe

Verdict:

Malicious activity

Analysis date:

2026-06-07 12:42:56 UTC

Tags:

auto generic adware loader stealer remus guloader advancedinstaller takemyfile websocket etherhiding arch-exec vidar

Link:

https://app.any.run/tasks/40b48761-1044-4834-8955-841fdd67fc2d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/69445/

Detection(s):

SecuriteInfo.com.Win64.MalwareX-gen.24736568.UNOFFICIAL

Verdict:

Clean

Score:

50.0%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a2577d763a4889c1afa57da

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

installer-heuristic packed signed

Link:

https://www.filescan.io/uploads/6a2577d346e44aecc0d3e156/reports/ca19f111-bd54-4e02-a9cb-e320edca46f0/overview

Verdict:

Malicious

Labled as:

Trojan.GenericS

Link:

https://www.hybrid-analysis.com/sample/cc72b42c5ead241222e935eaf10144a2a3a56ec492bbefb46eb78ebdf04f87cc

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-06-01T15:39:00Z UTC

Last seen:

2026-06-09T12:38:00Z UTC

Hits:

~100

Detections:

BSS:Trojan.Win32.Generic Trojan-Banker.Win32.ClipBanker.sb Trojan-Banker.Win32.ClipBanker.aiut

Link:

https://opentip.kaspersky.com/cc72b42c5ead241222e935eaf10144a2a3a56ec492bbefb46eb78ebdf04f87cc/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/baf6e866-0e1a-4129-a83f-3ef69430d823

Result

Threat name:

EtherHiding, ZigClipper

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1924133

Signature

AI detected suspicious PE digital signature

Antivirus detection for URL or domain

Found direct / indirect Syscall (likely to bypass EDR)

Found stalling execution ending in API Sleep call

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Suricata IDS alerts for network traffic

Yara detected EtherHiding

Yara detected ZigClipper

Behaviour

Behavior Graph:

Download SVG

Score:

34%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/cc72b42c5ead241222e935eaf10144a2a3a56ec492bbefb46eb78ebdf04f87cc

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cc72b42c5ead241222e935eaf10144a2a3a56ec492bbefb46eb78ebdf04f87cc/

Verdict:

Malicious

Threat:

Trojan-Banker.Win32.ClipBanker

Link:

https://tip.neiki.dev/file/cc72b42c5ead241222e935eaf10144a2a3a56ec492bbefb46eb78ebdf04f87cc

Threat name:

Win64.Trojan.Qwexlafiba

Status:

Malicious

First seen:

2026-06-03 05:54:00 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zrzlilc6vusbeixjgxvpcakeukr2k3wesk567ndow6hl34cpq7ga._file

Verdict:

malicious

Label(s):

unc_rust_clipper_001

Similar samples:

error

ZigClipper

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260607-q66alafx5w/

Unpacked files

SH256 hash:

cc72b42c5ead241222e935eaf10144a2a3a56ec492bbefb46eb78ebdf04f87cc

MD5 hash:

98887ebaac9fe0d1fa9433f9d8811201

SHA1 hash:

c9c6c474a014b1cff3f38398c6f329e053302c51

Link:

https://www.unpac.me/results/dff5b822-1fe0-4250-ace1-f886d34433d4/

Malware family:

ZigCryptoStealer

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/cc72b42c5ead/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/cc72b42c5ead241222e935eaf10144a2a3a56ec492bbefb46eb78ebdf04f87cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.