Report - clip.dll

Tags: Amadey, Generic Malware, Malicious Library, UPX, PE File, DLL, PE32, OS Processor Check
Created 2024.11.13 13:57 Machine s1_win7_x6401
Filename clip.dll
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
AI Score 5
Behavior Score 3.4
ZERO API (file): clean
VT API (file) 55 detected (AIDetectMalware, ClipBanker, Malicious, score, NetLoader, GenericKD, Unsafe, confidence, Attribute, HighConfidence, high confidence, TrojanX, Zusy, xbudtu, Amadey, ejfSgHdx95N, sxlrr, R014C0DKA24, Detected, Lazy, ABTrojan, CRHJ, Artemis, Deyma, GdSda, Gencirc, susgen)
md5 0d3418372c854ee228b78e16ea7059be
sha256 885bf0b3b12b77ef3f953fbb48def1b45079faa2a4d574ee16afdbafa1de3ac7
ssdeep 3072:pdUmIYSBYZuziT7Sgmu1ErYn/YoZ3SNqkoZidU1epo:ABY7yASgb1ErY3Z3soodUwpo
imphash fdb088ba51afbf555d7a0f495212d8f1
impfuzzy 24:uMUYtdS1CMYlJeDc+pl3eDorodUSOovbOwZsvzallZuDu:vtdS1CMbc+ppXr3RzallZx

Signatures (5)

Level Description
danger File has been identified by 55 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
info Checks if process is being debugged by a debugger

Rules (8)

Level Name Description Collection
danger Win_Amadey_Zero Amadey bot binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (1)

Request CC ASN Co IP4 Rule ZERO
185.215.113.209 Unknown 185.215.113.209 clean

Suricata IDS

PE API

IAT (Import Address Table)

KERNEL32.dll
 0x10016000 GlobalAlloc
 0x10016004 GlobalLock
 0x10016008 GlobalUnlock
 0x1001600c WideCharToMultiByte
 0x10016010 Sleep
 0x10016014 WriteConsoleW
 0x10016018 CloseHandle
 0x1001601c CreateFileW
 0x10016020 SetFilePointerEx
 0x10016024 GetConsoleMode
 0x10016028 GetConsoleOutputCP
 0x1001602c WriteFile
 0x10016030 FlushFileBuffers
 0x10016034 SetStdHandle
 0x10016038 HeapReAlloc
 0x1001603c HeapSize
 0x10016040 UnhandledExceptionFilter
 0x10016044 SetUnhandledExceptionFilter
 0x10016048 GetCurrentProcess
 0x1001604c TerminateProcess
 0x10016050 IsProcessorFeaturePresent
 0x10016054 IsDebuggerPresent
 0x10016058 GetStartupInfoW
 0x1001605c GetModuleHandleW
 0x10016060 QueryPerformanceCounter
 0x10016064 GetCurrentProcessId
 0x10016068 GetCurrentThreadId
 0x1001606c GetSystemTimeAsFileTime
 0x10016070 InitializeSListHead
 0x10016074 RtlUnwind
 0x10016078 RaiseException
 0x1001607c InterlockedFlushSList
 0x10016080 GetLastError
 0x10016084 SetLastError
 0x10016088 EncodePointer
 0x1001608c EnterCriticalSection
 0x10016090 LeaveCriticalSection
 0x10016094 DeleteCriticalSection
 0x10016098 InitializeCriticalSectionAndSpinCount
 0x1001609c TlsAlloc
 0x100160a0 TlsGetValue
 0x100160a4 TlsSetValue
 0x100160a8 TlsFree
 0x100160ac FreeLibrary
 0x100160b0 GetProcAddress
 0x100160b4 LoadLibraryExW
 0x100160b8 ExitProcess
 0x100160bc GetModuleHandleExW
 0x100160c0 GetModuleFileNameW
 0x100160c4 HeapAlloc
 0x100160c8 HeapFree
 0x100160cc FindClose
 0x100160d0 FindFirstFileExW
 0x100160d4 FindNextFileW
 0x100160d8 IsValidCodePage
 0x100160dc GetACP
 0x100160e0 GetOEMCP
 0x100160e4 GetCPInfo
 0x100160e8 GetCommandLineA
 0x100160ec GetCommandLineW
 0x100160f0 MultiByteToWideChar
 0x100160f4 GetEnvironmentStringsW
 0x100160f8 FreeEnvironmentStringsW
 0x100160fc LCMapStringW
 0x10016100 GetProcessHeap
 0x10016104 GetStdHandle
 0x10016108 GetFileType
 0x1001610c GetStringTypeW
 0x10016110 DecodePointer
USER32.dll
 0x10016118 EmptyClipboard
 0x1001611c SetClipboardData
 0x10016120 CloseClipboard
 0x10016124 GetClipboardData
 0x10016128 OpenClipboard
WININET.dll
 0x10016130 InternetOpenW
 0x10016134 InternetConnectA
 0x10016138 HttpOpenRequestA
 0x1001613c HttpSendRequestA
 0x10016140 InternetReadFile
 0x10016144 InternetCloseHandle

EAT (Export Address Table)

0x10001d60 ??4CClipperDLL@@QAEAAV0@$$QAV0@@Z (demangled: CClipperDLL::operator=(CClipperDLL&&))
0x10001d60 ??4CClipperDLL@@QAEAAV0@ABV0@@Z (demangled: CClipperDLL::operator=(CClipperDLL const&))
0x100059a0 Main
