Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 13, 2022, 9:52 a.m.	Dec. 13, 2022, 10:05 a.m.

Size	4.6MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`2b3bff5880cb5d9ab44c302bd1047313`
SHA256	`e65f40ce3d58d2634807945b468acf0fbc3f6b06631d499dcd99536ed4fae4bc`
CRC32	`BE7B0E7B`
ssdeep	`49152:l7LFs2B0KVUUzpyZ9vAaE5FKY/t76oUz7UQqAOiyjrbsnHzvSP9rsvl/m9NjJTnP:RpsC/VyZpoUzJqTknTRQdXOY`
Yara	IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer UPX_Zero - UPX packed file

CLEP.exe "C:\Users\test22\AppData\Local\Temp\CLEP.exe"
2052
- cmd.exe cmd.exe /C schtasks /create /tn FWDCznNyRu /tr C:\Users\test22\AppData\Roaming\FWDCznNyRu\MeWIPLCRzw.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2284
  - schtasks.exe schtasks /create /tn FWDCznNyRu /tr C:\Users\test22\AppData\Roaming\FWDCznNyRu\MeWIPLCRzw.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
    2348

Name	Response	Post-Analysis Lookup
clipper.guru	A 45.159.189.115	45.159.189.115

IP Address	Status	Action
164.124.101.2	Active	Moloch
45.159.189.115	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49167 -> 45.159.189.115:80	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.103:49167 -> 45.159.189.115:80	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.103:49167 -> 45.159.189.115:80	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.103:49167 -> 45.159.189.115:80	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Dec. 13, 2022, 9:52 a.m.	computer_name: TEST22-PC	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.symtab

Performs some HTTP requests (2 events)

request	GET http://clipper.guru/bot/regex?key=5ef1aac7b3430729f6cbc95fb4d2d2a62582e7382955ffc87026077cb28ab31e
request	GET http://clipper.guru/bot/online?guid=test22-PC\test22&key=5ef1aac7b3430729f6cbc95fb4d2d2a62582e7382955ffc87026077cb28ab31e

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\FWDCznNyRu\MeWIPLCRzw.exe

Creates a suspicious process (2 events)

cmdline	schtasks /create /tn FWDCznNyRu /tr C:\Users\test22\AppData\Roaming\FWDCznNyRu\MeWIPLCRzw.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
cmdline	cmd.exe /C schtasks /create /tn FWDCznNyRu /tr C:\Users\test22\AppData\Roaming\FWDCznNyRu\MeWIPLCRzw.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\FWDCznNyRu\MeWIPLCRzw.exe

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks /create /tn FWDCznNyRu /tr C:\Users\test22\AppData\Roaming\FWDCznNyRu\MeWIPLCRzw.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
cmdline	cmd.exe /C schtasks /create /tn FWDCznNyRu /tr C:\Users\test22\AppData\Roaming\FWDCznNyRu\MeWIPLCRzw.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f

Installs itself for autorun at Windows startup (2 events)

cmdline	schtasks /create /tn FWDCznNyRu /tr C:\Users\test22\AppData\Roaming\FWDCznNyRu\MeWIPLCRzw.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
cmdline	cmd.exe /C schtasks /create /tn FWDCznNyRu /tr C:\Users\test22\AppData\Roaming\FWDCznNyRu\MeWIPLCRzw.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	schtasks /create /tn FWDCznNyRu /tr C:\Users\test22\AppData\Roaming\FWDCznNyRu\MeWIPLCRzw.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
cmdline	cmd.exe /C schtasks /create /tn FWDCznNyRu /tr C:\Users\test22\AppData\Roaming\FWDCznNyRu\MeWIPLCRzw.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress Dec. 13, 2022, 9:52 a.m.	ordinal: 0 function_address: 0x0018fe29 function_name: wine_get_version module: ntdll module_address: 0x778a0000		3221225785	0

Executed a process and injected code into it, probably while unpacking (50 out of 175 events)

Time & API	Arguments	Status
NtGetContextThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x00000108	1
NtResumeThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2052	1
NtGetContextThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x00000108	1
NtSetContextThread Dec. 13, 2022, 9:52 a.m.	registers.eip: 4602128 registers.esp: 311082412 registers.edi: 0 registers.eax: 0 registers.ebp: 960494 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000108 process_identifier: 2052	1
NtResumeThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2052	1
NtGetContextThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x00000108	1
NtResumeThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2052	1
NtGetContextThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x00000108	1
NtResumeThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2052	1
NtGetContextThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x00000108	1
NtResumeThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2052	1
NtGetContextThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x00000108	1
NtResumeThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2052	1
NtGetContextThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x00000108	1
NtResumeThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2052	1
NtGetContextThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x00000108	1
NtResumeThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2052	1
NtGetContextThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x0000010c	1
NtResumeThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x0000010c suspend_count: 1 process_identifier: 2052	1
NtGetContextThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x0000010c	1
NtResumeThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x0000010c suspend_count: 1 process_identifier: 2052	1
NtGetContextThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x0000010c	1
NtResumeThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x0000010c suspend_count: 1 process_identifier: 2052	1
NtGetContextThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x0000010c	1
NtResumeThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x0000010c suspend_count: 1 process_identifier: 2052	1
NtGetContextThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x0000010c	1
NtResumeThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x0000010c suspend_count: 1 process_identifier: 2052	1
NtGetContextThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x00000108	1
NtResumeThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2052	1
NtGetContextThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x00000108	1
NtResumeThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2052	1
NtGetContextThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x0000010c	1
NtResumeThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x0000010c suspend_count: 1 process_identifier: 2052	1
NtGetContextThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x0000010c	1
NtResumeThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x0000010c suspend_count: 1 process_identifier: 2052	1
NtGetContextThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x0000010c	1
NtResumeThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x0000010c suspend_count: 1 process_identifier: 2052	1
NtGetContextThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x0000010c	1
NtResumeThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x0000010c suspend_count: 1 process_identifier: 2052	1
NtGetContextThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x0000010c	1
NtSetContextThread Dec. 13, 2022, 9:52 a.m.	registers.eip: 4602128 registers.esp: 311082412 registers.edi: 0 registers.eax: 0 registers.ebp: 756736149 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000010c process_identifier: 2052	1
NtResumeThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x0000010c suspend_count: 1 process_identifier: 2052	1
NtGetContextThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x0000010c	1
NtSetContextThread Dec. 13, 2022, 9:52 a.m.	registers.eip: 4602128 registers.esp: 311082412 registers.edi: 0 registers.eax: 0 registers.ebp: 98792432 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000010c process_identifier: 2052	1
NtResumeThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x0000010c suspend_count: 1 process_identifier: 2052	1
NtGetContextThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x0000010c	1
NtGetContextThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x00000108	1
NtResumeThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2052	1
NtSetContextThread Dec. 13, 2022, 9:52 a.m.	registers.eip: 4602128 registers.esp: 311082412 registers.edi: 0 registers.eax: 0 registers.ebp: 756736149 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000010c process_identifier: 2052	1
NtResumeThread Dec. 13, 2022, 9:52 a.m.	thread_handle: 0x0000010c suspend_count: 1 process_identifier: 2052	1

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.ClipBanker.tscz
Elastic	malicious (moderate confidence)
MicroWorld-eScan	Trojan.Generic.32270434
CAT-QuickHeal	Trojan.Tasker
ALYac	Trojan.Generic.32270434
Cylance	Unsafe
VIPRE	Trojan.Generic.32270434
Sangfor	Banker.Win32.Clipbanker.Vv2b
K7AntiVirus	Trojan ( 0059aaeb1 )
Alibaba	Trojan:Win32/Tasker.c62a1343
K7GW	Trojan ( 0059aaeb1 )
VirIT	Trojan.Win32.Genus.NCS
Cyren	W32/ClipBanker.AZ.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of WinGo/ClipBanker.AG
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	Trojan.Win32.Tasker.axla
BitDefender	Trojan.Generic.32270434
NANO-Antivirus	Trojan.Win32.Clipbanker.jtndev
Avast	Win32:Evo-gen [Trj]
Tencent	Win32.Trojan.Tasker.Ssmw
Ad-Aware	Trojan.Generic.32270434
TACHYON	Banker/W32.ClipBanker.4815872
Emsisoft	Trojan.Generic.32270434 (B)
F-Secure	Trojan.TR/Crypt.XPACK.Gen
DrWeb	Trojan.ClipSpy.77
Zillya	Trojan.ClipBanker.Win32.15130
TrendMicro	TROJ_GEN.R002C0PKS22
McAfee-GW-Edition	BehavesLike.Win32.Generic.rh
FireEye	Generic.mg.2b3bff5880cb5d9a
Sophos	Mal/Generic-S
GData	Win32.Trojan.PSE.1XHSUKC
Jiangmin	Trojan.InversedShelma.m
Webroot	W32.Cycbot.Gen
Avira	TR/Crypt.XPACK.Gen
Antiy-AVL	Trojan/Win32.ClipBanker
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Ransom.Win32.Banker.sa
Arcabit	Trojan.Generic.D1EC6862
ZoneAlarm	Trojan.Win32.Tasker.axla
Microsoft	Trojan:Win32/Trickbot!ml
Google	Detected
AhnLab-V3	Trojan/Win.Generic.R535472
McAfee	Trojan-FTRG!2B3BFF5880CB
MAX	malware (ai score=85)
VBA32	TrojanSpy.LClipper
Malwarebytes	Trojan.LaplasClipper
TrendMicro-HouseCall	TROJ_GEN.R002C0PKS22

CLEP.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All