MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff8f55d4715752aec71f60d00612e36b172708d3fa61c5e131f96966f0dd5017. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

KeyzetsuClipper
Vendor detections: 15

SHA256 hash: ff8f55d4715752aec71f60d00612e36b172708d3fa61c5e131f96966f0dd5017
SHA3-384 hash: d4de661b4271281f3b2591de83c283d69b8deeaf71d7fa7604094f322e13341a125d01ebd109c82b1415dc731051491b
SHA1 hash: 8ab9bf21aa3e8257a1fcf0341f5f9362f8ca0466
MD5 hash: 601c25496c92e86210fc4351e46b9f5c
humanhash: comet-white-glucose-pasta
File name: 601c25496c92e86210fc4351e46b9f5c.exe
Signature: KeyzetsuClipper
File size: 510'464 bytes
First seen: 2024-08-07 06:41:59 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:l2QRXDD1yed0fsU4GSWgOvPESGj4s32xEdRCSOn:l2Q9NXw2/wPOjdGxYG
Threatray: 11 similar samples on MalwareBazaar
TLSH: T1BEB4129476F7244CFBBF5EBA87E1F65C4274E523AA04A08539C11345CB269C19E23B3A
TrID: 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.8% (.SCR) Windows screen saver (13097/50/3)
      8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter: abuse_ch
Tags: exe KeyzetsuClipper

Intelligence

File Origin
# of uploads: 1
# of downloads: 338
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 601c25496c92e86210fc4351e46b9f5c.exe
Verdict: Malicious activity
Analysis date: 2024-08-07 06:59:05 UTC
Tags: telegram

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: Execution Generic Network Stealth Trojan Clipbanker
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Creating a file
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Creating a process from a recently created file
Creating a file in the %temp% directory
Running batch commands
Reading critical registry keys
Changing a file
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Stealing user critical data
Enabling autorun by creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: clipbanker packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Keyzetsu Clipper
Verdict: Malicious
Result
Threat name: Keyzetsu Clipper
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Schedule system process
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Keyzetsu Clipper
Behaviour
Behavior Graph (ID: 1489264; Sample: cYl7JWax8x.exe; Startdate: 07/08/2024; Architecture: WINDOWS; Score: 100), node listing recovered from the flattened graph image:
Network: api.telegram.org (149.154.167.220, 443, 49700, 49701; TELEGRAMRU, United Kingdom) contacted by cYl7JWax8x.exe; 127.0.0.1 (unknown) contacted by the 6 other processes
Dropped files (by cYl7JWax8x.exe): C:\ProgramData\Appxetry\svchost.exe (PE32); C:\Users\user\AppData\...\cYl7JWax8x.exe.log (CSV); C:\...\svchost.exe:Zone.Identifier (ASCII)
Process tree: start -> cYl7JWax8x.exe, svchost.exe, svchost.exe, 6 other processes; cYl7JWax8x.exe -> svchost.exe (dropped), cmd.exe, schtasks.exe; cmd.exe -> conhost.exe, timeout.exe; schtasks.exe -> conhost.exe; svchost.exe -> MpCmdRun.exe -> conhost.exe
Signatures on the graph: Multi AV Scanner detection for submitted file; Yara detected Keyzetsu Clipper; Sigma detected: Schedule system process; Uses the Telegram API (likely for C&C communication); Found many strings related to Crypto-Wallets (likely being stolen); Uses schtasks.exe or at.exe to add and modify task schedules; Drops PE files with benign system names; Changes security center settings (notifications, updates, antivirus, firewall); Query firmware table information (likely to detect VMs); Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 6 other signatures
Threat name: ByteCode-MSIL.Infostealer.ClipBanker
Status: Malicious
First seen: 2024-08-06 10:12:18 UTC
AV detection: 21 of 24 (87.50%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: persistence
Behaviour
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Deletes itself
Executes dropped EXE
Unpacked files
SHA256 hash: ff8f55d4715752aec71f60d00612e36b172708d3fa61c5e131f96966f0dd5017
MD5 hash: 601c25496c92e86210fc4351e46b9f5c
SHA1 hash: 8ab9bf21aa3e8257a1fcf0341f5f9362f8ca0466
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Author: ditekSHen
Description: Detects executables containing bas64 encoded gzip files
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID                          Title                                                     Severity
CHECK_AUTHENTICODE          Missing Authenticode                                      high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)    high
