Report - clip.dll

Amadey Generic Malware Malicious Library UPX PE File DLL PE32 OS Processor Check
ScreenShot
Created 2024.10.17 11:10 Machine s1_win7_x6403
Filename clip.dll
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
AI Score
5
Behavior Score
3.6
ZERO API file : malware
VT API (file) 57 detected (AIDetectMalware, ClipBanker, Malicious, score, NetLoader, Zusy, V2hb, confidence, Attribute, HighConfidence, high confidence, TrojanX, Amadey, SpyBot, kpzgmh, nquGHEI3J2D, kgoci, extk, Detected, Artemis, GdSda, Gencirc, sS1uE0wSoz0, susgen)
md5 9730e0bcf27e4265d1be56b8a7767759
sha256 a7a307c332573b2bf76edcf53d37e5a91c1fa3a8ce36f720cb10c8c22928f388
ssdeep 3072:XeCHM7q++uIwqUjW0uVP0rHv/09aNmw62xm4+5L:O6M7lL5jLuVPaFA5L
imphash 61d6334c6ae4948c906d9fa7fdf019fa
impfuzzy 24:uMUftdS1CMYlJeDc+pl3eDorodUSOovbOwZsvzallZuDu:UtdS1CMbc+ppXr3RzallZx
  Network IP location

Signature (7cnts)

Level Description
danger File has been identified by 57 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
info Checks if process is being debugged by a debugger

Rules (8cnts)

Level Name Description Collection
danger Win_Amadey_Zero Amadey bot binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (3cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://78.153.139.168/gfj38cHcw/index.php RU Novaya Sibir Plus Ltd. 78.153.139.168 clean
78.153.139.168 RU Novaya Sibir Plus Ltd. 78.153.139.168 malware
110.40.45.163 Unknown 110.40.45.163 clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x10017000 GlobalAlloc
 0x10017004 GlobalLock
 0x10017008 GlobalUnlock
 0x1001700c WideCharToMultiByte
 0x10017010 Sleep
 0x10017014 WriteConsoleW
 0x10017018 CloseHandle
 0x1001701c CreateFileW
 0x10017020 SetFilePointerEx
 0x10017024 GetConsoleMode
 0x10017028 GetConsoleCP
 0x1001702c WriteFile
 0x10017030 FlushFileBuffers
 0x10017034 SetStdHandle
 0x10017038 HeapReAlloc
 0x1001703c HeapSize
 0x10017040 UnhandledExceptionFilter
 0x10017044 SetUnhandledExceptionFilter
 0x10017048 GetCurrentProcess
 0x1001704c TerminateProcess
 0x10017050 IsProcessorFeaturePresent
 0x10017054 IsDebuggerPresent
 0x10017058 GetStartupInfoW
 0x1001705c GetModuleHandleW
 0x10017060 QueryPerformanceCounter
 0x10017064 GetCurrentProcessId
 0x10017068 GetCurrentThreadId
 0x1001706c GetSystemTimeAsFileTime
 0x10017070 InitializeSListHead
 0x10017074 RtlUnwind
 0x10017078 RaiseException
 0x1001707c InterlockedFlushSList
 0x10017080 GetLastError
 0x10017084 SetLastError
 0x10017088 EncodePointer
 0x1001708c EnterCriticalSection
 0x10017090 LeaveCriticalSection
 0x10017094 DeleteCriticalSection
 0x10017098 InitializeCriticalSectionAndSpinCount
 0x1001709c TlsAlloc
 0x100170a0 TlsGetValue
 0x100170a4 TlsSetValue
 0x100170a8 TlsFree
 0x100170ac FreeLibrary
 0x100170b0 GetProcAddress
 0x100170b4 LoadLibraryExW
 0x100170b8 ExitProcess
 0x100170bc GetModuleHandleExW
 0x100170c0 GetModuleFileNameW
 0x100170c4 HeapAlloc
 0x100170c8 HeapFree
 0x100170cc FindClose
 0x100170d0 FindFirstFileExW
 0x100170d4 FindNextFileW
 0x100170d8 IsValidCodePage
 0x100170dc GetACP
 0x100170e0 GetOEMCP
 0x100170e4 GetCPInfo
 0x100170e8 GetCommandLineA
 0x100170ec GetCommandLineW
 0x100170f0 MultiByteToWideChar
 0x100170f4 GetEnvironmentStringsW
 0x100170f8 FreeEnvironmentStringsW
 0x100170fc LCMapStringW
 0x10017100 GetProcessHeap
 0x10017104 GetStdHandle
 0x10017108 GetFileType
 0x1001710c GetStringTypeW
 0x10017110 DecodePointer
USER32.dll
 0x10017118 EmptyClipboard
 0x1001711c SetClipboardData
 0x10017120 CloseClipboard
 0x10017124 GetClipboardData
 0x10017128 OpenClipboard
WININET.dll
 0x10017130 InternetOpenW
 0x10017134 InternetConnectA
 0x10017138 HttpOpenRequestA
 0x1001713c HttpSendRequestA
 0x10017140 InternetReadFile
 0x10017144 InternetCloseHandle

EAT(Export Address Table) Library

0x10001d60 ??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
0x10001d60 ??4CClipperDLL@@QAEAAV0@ABV0@@Z
0x10005b50 Main


Similarity measure (PE file only) - Checking for service failure