Report - clip64.dll

Tags: Amadey, Malicious Library, UPX, PE File, DLL, PE32, OS Processor Check
Created 2023.10.16 11:12 Machine s1_win7_x6403
Filename clip64.dll
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
AI Score 5
Behavior Score 3.8
ZERO API file: clean
VT API (file) 51 detected (AIDetectMalware, malicious, high confidence, Zusy, NetLoader, FUUW, Amadey, V5jc, confidence, 100%, AFGA, score, Vmhl, rbcne, Clipper, R06CC0DJC23, ABTrojan, LRHM, ai score=82, Malware@#3sqcijku2e2r7, Detected, unsafe, GdSda, Generic@AI, RDML, 4n+q+us8nQFQqYiOIiA, susgen, ZedlaF, gu4@aOYoLPoi)
md5 ed15379ed0c9f2e2cc0c105fc8f08896
sha256 1ab121c22361884aa13cc654a4e79a6e70240d3ef60bc1e660aeef7bde168aa3
ssdeep 3072:+rU7xUICZ+FOIm2Kosm72uQR6wQr77xUZYNS60Z:uEFhgYsS2uQRevNS60Z
imphash 91452bf3259a3ff5928a3bb7f6be301a
impfuzzy 24:uMUItmS1IYlJnc+MLl3eDorodUSOovbOwZsvzallZuDu:TtmS1I2c+MLpXr3RzallZx

Signature (8cnts)

Level Description
danger File has been identified by 51 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
info Checks if process is being debugged by a debugger
info This executable has a PDB path

Rules (7cnts)

Level Name Description Collection
danger Win_Amadey_Zero Amadey bot binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (3cnts)

Request CC ASN Co IP4 Rule ZERO
http://77.91.97.162/g93kdwj3S/index.php RU Foton Telecom CJSC 77.91.97.162 clean
74.207.245.195 US Linode, LLC 74.207.245.195 clean
77.91.97.162 RU Foton Telecom CJSC 77.91.97.162 clean

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x10012000 GlobalAlloc
 0x10012004 GlobalLock
 0x10012008 GlobalUnlock
 0x1001200c WideCharToMultiByte
 0x10012010 Sleep
 0x10012014 WriteConsoleW
 0x10012018 CloseHandle
 0x1001201c CreateFileW
 0x10012020 SetFilePointerEx
 0x10012024 GetConsoleMode
 0x10012028 GetConsoleCP
 0x1001202c WriteFile
 0x10012030 FlushFileBuffers
 0x10012034 SetStdHandle
 0x10012038 HeapReAlloc
 0x1001203c HeapSize
 0x10012040 IsProcessorFeaturePresent
 0x10012044 IsDebuggerPresent
 0x10012048 UnhandledExceptionFilter
 0x1001204c SetUnhandledExceptionFilter
 0x10012050 GetStartupInfoW
 0x10012054 GetModuleHandleW
 0x10012058 QueryPerformanceCounter
 0x1001205c GetCurrentProcessId
 0x10012060 GetCurrentThreadId
 0x10012064 GetSystemTimeAsFileTime
 0x10012068 InitializeSListHead
 0x1001206c GetCurrentProcess
 0x10012070 TerminateProcess
 0x10012074 RaiseException
 0x10012078 InterlockedFlushSList
 0x1001207c GetLastError
 0x10012080 SetLastError
 0x10012084 EnterCriticalSection
 0x10012088 LeaveCriticalSection
 0x1001208c DeleteCriticalSection
 0x10012090 RtlUnwind
 0x10012094 InitializeCriticalSectionAndSpinCount
 0x10012098 TlsAlloc
 0x1001209c TlsGetValue
 0x100120a0 TlsSetValue
 0x100120a4 TlsFree
 0x100120a8 FreeLibrary
 0x100120ac GetProcAddress
 0x100120b0 LoadLibraryExW
 0x100120b4 ExitProcess
 0x100120b8 GetModuleHandleExW
 0x100120bc GetModuleFileNameW
 0x100120c0 HeapAlloc
 0x100120c4 HeapFree
 0x100120c8 FindClose
 0x100120cc FindFirstFileExW
 0x100120d0 FindNextFileW
 0x100120d4 IsValidCodePage
 0x100120d8 GetACP
 0x100120dc GetOEMCP
 0x100120e0 GetCPInfo
 0x100120e4 GetCommandLineA
 0x100120e8 GetCommandLineW
 0x100120ec MultiByteToWideChar
 0x100120f0 GetEnvironmentStringsW
 0x100120f4 FreeEnvironmentStringsW
 0x100120f8 LCMapStringW
 0x100120fc GetProcessHeap
 0x10012100 GetStdHandle
 0x10012104 GetFileType
 0x10012108 GetStringTypeW
 0x1001210c DecodePointer
USER32.dll
 0x10012114 EmptyClipboard
 0x10012118 SetClipboardData
 0x1001211c CloseClipboard
 0x10012120 GetClipboardData
 0x10012124 OpenClipboard
WININET.dll
 0x1001212c InternetOpenW
 0x10012130 InternetConnectA
 0x10012134 HttpOpenRequestA
 0x10012138 HttpSendRequestA
 0x1001213c InternetReadFile
 0x10012140 InternetCloseHandle

EAT (Export Address Table) Library

0x100011a0 ??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
0x100011a0 ??4CClipperDLL@@QAEAAV0@ABV0@@Z
0x100053f0 Main
