Summary | ZeroBOX

clip.exe

PE32 PE File

Category   FILE
Machine    s1_win7_x6403_us
Started    March 23, 2023, 1:01 p.m.
Completed  March 23, 2023, 1:09 p.m.
Size       4.2MB
Type       PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
MD5        8d3942d2bfaf962a1177aee8d08ca079
SHA256     6c2d4769002a3032dbf7e7f7cc20ee2e037d9f8a6a4a14e997e5e2a3b1d0ca87
CRC32      9BD15758
ssdeep     98304:GHKnyIBCaUVmAYzLiw4UtCsDB2DsEUcQF+KnG5N73/hx9gnxxVeIaGgchSh13jDX:YoyIM3VczLiw4S5QirnGzpM3VHaGg6ug
Yara
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Name              Response         Post-Analysis Lookup
api.telegram.org  149.154.167.220

IP Address       Status  Action
149.154.167.220  Active  Moloch
164.124.101.2    Active  Moloch

Suricata Alerts

Flow                                               SID      Signature                                                                        Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53       2033966  ET HUNTING Telegram API Domain in DNS Lookup                                     Misc activity
TCP 192.168.56.103:49161 -> 149.154.167.220:443    2033967  ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)          Misc activity

Suricata TLS

Flow                                                     Issuer  Subject  Fingerprint
TLS 1.3 192.168.56.103:49161 -> 149.154.167.220:443      None    None     None

registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
packer UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

Time & API               Arguments              Status  Return  Repeated
GetAdaptersAddresses     flags: 16, family: 0   1       0       0

section UPX1 (size_of_data 0x0042ea00, virtual_address 0x0039f000, virtual_size 0x0042f000, entropy 7.893639426606801) entropy 7.89363942661 description A section with a high entropy has been found
entropy 0.999883259398 description Overall entropy of this PE file is high
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
section UPX2 description Section name indicates UPX
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\clip.exe reg_value C:\Users\test22\AppData\Local\Temp\clip.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob
Time & API               Arguments                                                                                                        Status Return Repeated
LdrGetProcedureAddress   ordinal: 0, function_address: 0x0022fb39, function_name: wine_get_version, module: ntdll, module_address: 0x778a0000   3221225785 0
Lionic Riskware.Win32.Generic.1!c
Elastic malicious (moderate confidence)
MicroWorld-eScan Gen:Variant.Razy.873823
FireEye Gen:Variant.Razy.873823
ALYac Gen:Variant.Razy.873823
Malwarebytes Malware.Heuristic.1003
Sangfor Riskware.Win32.Razy.Vc8k
CrowdStrike win/malicious_confidence_70% (W)
Symantec ML.Attribute.HighConfidence
Cynet Malicious (score: 100)
APEX Malicious
Paloalto generic.ml
Kaspersky not-a-virus:HEUR:RiskTool.Win32.Generic
BitDefender Gen:Variant.Razy.873823
BitDefenderTheta Gen:NN.ZexaF.36344.@pGfaSi!0Y
VIPRE Gen:Variant.Razy.873823
Trapmine suspicious.low.ml.score
Sophos Generic ML PUA (PUA)
Avira TR/Crypt.XPACK.Gen
Antiy-AVL GrayWare/Win32.Kryptik.ffp
Gridinsoft PUP.Win32.Heur.cl
Arcabit Trojan.Razy.DD555F
GData Gen:Variant.Razy.873823
TrendMicro-HouseCall TROJ_GEN.R002H07CM23
Tencent Win32.Risktool.Generic.Dkjl
MAX malware (ai score=82)