Source: clip64.dll
Malware Configuration Extractor: Amadey {"Wallet Addresses": ["bc1q5geckylyfl4952lsex43u56p9c46eptlds05fj", "0x091451c16090f09214C57cB2D15c0cf7967E04d8", "ltc1q2rmqlk85xegdvh3f36smqf2rrfgwsyy26j6lel", "DPtXND8WRCBwX8WHPBLiCt8Lm6xsD3Mbr2", "48dSg7aiVzoAiDwaNHW316Gitnr1VCe2W1yCMNJqEWMe1M15vU1bVnUPZ8NQBSagnq74r57dEuvkC1Hd3gzvKaVZPjAdVSc"]}
Source: clip64.dll
ReversingLabs: Detection: 83%
Source: 7.2.rundll32.exe.738f0000.0.unpack
String decryptor: bc1q5geckylyfl4952lsex43u56p9c46eptlds05fj
Source: 7.2.rundll32.exe.738f0000.0.unpack
String decryptor: 0x091451c16090f09214C57cB2D15c0cf7967E04d8
Source: 7.2.rundll32.exe.738f0000.0.unpack
String decryptor: ltc1q2rmqlk85xegdvh3f36smqf2rrfgwsyy26j6lel
Source: 7.2.rundll32.exe.738f0000.0.unpack
String decryptor: DPtXND8WRCBwX8WHPBLiCt8Lm6xsD3Mbr2
Source: 7.2.rundll32.exe.738f0000.0.unpack
String decryptor: 48dSg7aiVzoAiDwaNHW316Gitnr1VCe2W1yCMNJqEWMe1M15vU1bVnUPZ8NQBSagnq74r57dEuvkC1Hd3gzvKaVZPjAdVSc
Source: clip64.dll
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: clip64.dll
Static PE information: DYNAMIC_BASE, NX_COMPAT
Source:
Binary string: D:\Mktmp\Amadey\ClipperDLL\Release\CLIPPERDLL.pdb source: rundll32.exe, 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.4622328387.00000000738FF000.00000002.00000001.01000000.00000003.sdmp, clip64.dll
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 7_2_738F7D7E FindFirstFileExW
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 7_2_738F15E0 GlobalAlloc, GlobalLock, GlobalUnlock, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, OpenClipboard, GetClipboardData, GlobalLock, WideCharToMultiByte, WideCharToMultiByte, GlobalUnlock, CloseClipboard, Sleep
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 7_2_738FDB01
Source: C:\Windows\System32\loaddll32.exe
Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe
Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe
Section loaded: apphelp.dll
Source: classification engine
Classification label: mal88.spyw.evad.winDLL@18/0@0/0
Source: C:\Windows\System32\conhost.exe
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3504:120:WilError_03
Source: clip64.dll
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\clip64.dll"
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\clip64.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\clip64.dll",#1
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\clip64.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\clip64.dll,??4CClipperDLL@@QAEAAV0@ABV0@@Z
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\clip64.dll,Main
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\clip64.dll",??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\clip64.dll",??4CClipperDLL@@QAEAAV0@ABV0@@Z
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\clip64.dll",Main
Source: clip64.dll
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: clip64.dll
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: clip64.dll
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: clip64.dll
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: clip64.dll
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: clip64.dll
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: clip64.dll
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: clip64.dll
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: clip64.dll
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: clip64.dll
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: clip64.dll
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 7_2_738F4196 push ecx; ret
7_2_738F41A9
Source: C:\Windows\SysWOW64\rundll32.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe
Window / User API: threadDelayed 2574
Source: C:\Windows\SysWOW64\rundll32.exe
Window / User API: threadDelayed 7425
Source: C:\Windows\SysWOW64\rundll32.exe
Window / User API: threadDelayed 2900
Source: C:\Windows\SysWOW64\rundll32.exe
Window / User API: threadDelayed 7099
Source: C:\Windows\SysWOW64\rundll32.exe
API coverage: 7.3 %
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5072
Thread sleep count: 2574 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5072
Thread sleep time: -2574000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5072
Thread sleep count: 7425 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5072
Thread sleep time: -7425000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2760
Thread sleep count: 2900 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2760
Thread sleep time: -2900000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2760
Thread sleep count: 7099 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2760
Thread sleep time: -7099000s >= -30000s
Source: all processes
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe
Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe
Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe
Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe
Process Stats: CPU usage > 42% for more than 60s
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 7_2_738F5BB4 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 7_2_738F62E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 7_2_738F7885 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 7_2_738F92A5 GetProcessHeap
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 7_2_738F42F4 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 7_2_738F4025 IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 7_2_738F3E45 cpuid
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 7_2_738F41AC GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter
Source: Yara match
File source: clip64.dll, type: SAMPLE
Source: Yara match
File source: 7.2.rundll32.exe.738f0000.0.unpack, type: UNPACKEDPE
Source: Yara match
File source: 10.2.rundll32.exe.738f0000.0.unpack, type: UNPACKEDPE
Source: Yara match
File source: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match
File source: 0000000A.00000002.4622302958.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY