Trojan:MSIL/ClipBanker!rfn - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:MSIL/ClipBanker!rfn
Classification:
Type: Trojan
Platform: MSIL
Family: ClipBanker
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !rfn (specific ransomware family name)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: a Trojan (appears legitimate but performs malicious actions) built for the .NET platform (MSIL, Microsoft Intermediate Language), family ClipBanker.

Summary:

This threat is a ClipBanker Trojan, a type of malware designed to steal cryptocurrency. It monitors the system clipboard and uses regular expressions to detect when a user copies a cryptocurrency wallet address, then stealthily replaces it with an attacker's address to divert transactions. The malware also establishes persistence using scheduled tasks or registry Run keys.
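The clipboard-swap behaviour described above, as an added detection example (not code from the original report or from any ClipBanker sample): it reuses the BTC, ETH and XMR address regexes that appear in the signature's string list and flags a poll sequence in which one wallet address turns into a different address of the same family within an assumed two-second window. The polling monitor that would produce the snapshots is assumed, and the sample addresses and timings are constructed.

```python
"""Flag clipboard wallet-address swaps (clipper behaviour) in polled clipboard snapshots."""
import re

# Address regexes copied from the signature's PEHSTR list (its BTC, ETH and XMR entries).
WALLET_PATTERNS = {
    "BTC": re.compile(r"\b(([13]|bc1)[A-HJ-NP-Za-km-z1-9]{27,34})\b"),
    "ETH": re.compile(r"\b(0x[a-fA-F0-9]{40})\b"),
    "XMR": re.compile(r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b"),
}
SWAP_WINDOW_S = 2.0  # assumed threshold: a person rarely copies two wallets this quickly

def classify(text):
    """Return (family, address) when the whole clipboard text is one wallet address, else None."""
    s = text.strip()
    for family, pattern in WALLET_PATTERNS.items():
        if pattern.fullmatch(s):
            return family, s
    return None

def find_swaps(snapshots):
    """snapshots: list of (seconds_since_start, clipboard_text) from a polling monitor.
    Returns one alert per consecutive pair where an address became a *different* address
    of the same family within SWAP_WINDOW_S: the clipper's tell-tale, not a user re-copy."""
    alerts, prev = [], None  # prev = (time, family, address) of the last address seen
    for t, text in snapshots:
        cur = classify(text)
        if cur is None:
            prev = None  # non-address content breaks the chain
            continue
        family, addr = cur
        if prev and prev[1] == family and prev[2] != addr and t - prev[0] <= SWAP_WINDOW_S:
            alerts.append({"t": t, "family": family, "original": prev[2], "replacement": addr})
        prev = (t, family, addr)
    return alerts

# Constructed sample: the addresses and timings below are made up for this demonstration.
BTC_USER, BTC_SWAPPED = "1VictimAddrVictimAddrVictimAddr1234", "1SwappedBySwappedBySwappedBy123456"
ETH_USER, ETH_SWAPPED = "0x" + "a1" * 20, "0x" + "b2" * 20
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes"),
    (1.0, BTC_USER), (1.2, BTC_SWAPPED),         # replaced 200 ms later: alert
    (10.0, ETH_USER), (15.0, "0x" + "c3" * 20),  # 5 s apart: plausible user action, no alert
    (30.0, BTC_USER), (30.5, ETH_USER),          # different families: no alert
    (31.0, ETH_SWAPPED),                         # ETH replaced after 0.5 s: alert
]

if __name__ == "__main__":
    for a in find_swaps(SAMPLE_SNAPSHOTS):
        print(f"[{a['t']:5.1f}s] {a['family']} swap: {a['original']} -> {a['replacement']}")
```

Run on real data, the snapshot list would come from a clipboard poller; an alert means the address a user is about to paste is no longer the one they copied, which is the moment to stop the transaction and check startup locations.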

Severity: High
VDM Static Detection:
Relevant strings associated with this threat:
 - System.Text.RegularExpressions (PEHSTR_EXT)
 - \Bitcoin-Grabber-master\Bitcoin-Grabber\ (PEHSTR_EXT)
 - 2.pdb (PEHSTR_EXT)
 - b4([0-9]|[A-B])(.){93} (PEHSTR_EXT)
 - schtasks.exe (PEHSTR_EXT)
 - steamcommunity.com/tradeoffer (PEHSTR_EXT)
 - donationalerts.com/ (PEHSTR_EXT)
 - marie\Desktop\clipmonitor KETHAS FINAL EVERYTHING FIXED\clipmonitor (PEHSTR_EXT)
 - CLIPBOARD: '' vs. '' (PEHSTR_EXT)
 - SOFTWARE\Borland\Delphi\RTL (PEHSTR_EXT)
 - ShellExecuteExA (PEHSTR_EXT)
 - C:\ProgramData\MyApp\ (PEHSTR_EXT)
 - v4.0.30319 (PEHSTR_EXT)
 - \b(bitcoincash) (PEHSTR_EXT)
 - choice /C Y /N /D Y /T (PEHSTR_EXT)
 - SbieDll.dll (PEHSTR_EXT)
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - clrjit.dll (PEHSTR_EXT)
 - http://bot.whatismyipaddress.com/ (PEHSTR_EXT)
 - SOFTWARE\WOW6432Node\Clients\StartMenuInternet (PEHSTR_EXT)
 - shell\open\command (PEHSTR_EXT)
 - ^bc1[123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz].*$ (PEHSTR_EXT)
 - https://api.telegram.org/bot (PEHSTR_EXT)
 - https://ipv4bot.whatismyipaddress.com/ (PEHSTR_EXT)
 - WinHost.exe (PEHSTR_EXT)
 - Sevirem.Clipper (PEHSTR_EXT)
 - Decompress (PEHSTR_EXT)
 - pyi-windows-manifest-filename crypto-yank.exe.manifest (PEHSTR_EXT)
 - email._encoded_words (PEHSTR_EXT)
 - http.cookiejar (PEHSTR_EXT)
 - email.base64mime (PEHSTR_EXT)
 - multiprocessing.resource_tracker (PEHSTR_EXT)
 - subst.exe (PEHSTR_EXT)
 - /Create /tn NvTmRep_CrashReport3_{B2FE1952-0186} /sc MINUTE /tr (PEHSTR_EXT)
 - ProcessHacker.exe (PEHSTR_EXT)
 - Users\youar (PEHSTR_EXT)
 - WSOCK32.dll (PEHSTR_EXT)
 - GetExecutingAssembly (PEHSTR_EXT)
 - Release\troce.pdb (PEHSTR_EXT)
 - Desktop\1 (PEHSTR_EXT)
 - FileDelete, %A_ScriptDir%\SN.txt (PEHSTR_EXT)
 - click(786, 288,0.4,250) (PEHSTR_EXT)
 - click(779,400,0.4,250) (PEHSTR_EXT)
 - #32768 ahk_exe AutoHotkey.exe (PEHSTR_EXT)
 - C:\src\Solarion2018\Bin32\ (PEHSTR)
 - SELECT * FROM Win32_ComputerSystem (PEHSTR_EXT)
 - Confuser.Core 1.5.0 (PEHSTR_EXT)
 - http://185.215.113.93 (PEHSTR_EXT)
 - SOFTWARE\wtu (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\Run\ (PEHSTR_EXT)
 - MicrosoftWindowsStart MenuProgramsStartupupdater.lnk (PEHSTR_EXT)
 - Discord Link :  v1.0.0-custom (PEHSTR_EXT)
 - ShellExecute (PEHSTR_EXT)
 - Oreans.vxd (PEHSTR_EXT)
 - Software\Wine (PEHSTR_EXT)
 - %userappdata%\RestartApp.exe (PEHSTR_EXT)
 - 2DJS2 (PEHSTR_EXT)
 - bitcoinminingsoftware.Bitcoin_Grabber (PEHSTR_EXT)
 - bitcoinminingsoftware.pdb (PEHSTR_EXT)
 - Clipper.exe (PEHSTR_EXT)
 - AssemblyDescriptionAttribute (PEHSTR_EXT)
 - mogu.exe (PEHSTR_EXT)
 - Clipper\Clipper\bin\Release\Obfuscated\Inc.Infrastructur Host driver.pdb (PEHSTR_EXT)
 - C:\Users\jon doe\Desktop\Registry\Registry\obj\Release\Registry.pdb (PEHSTR_EXT)
 - My.Computer (PEHSTR_EXT)
 - Registry.exe (PEHSTR_EXT)
 - StringComparison (PEHSTR_EXT)
 - Application Data\Clipper (PEHSTR_EXT)
 - BTC Clipper.pdb (PEHSTR_EXT)
 - \Windowslib.exe (PEHSTR_EXT)
 - HidenProces.pdb (PEHSTR_EXT)
 - /Create /tn MicrosoftDriver /sc MINUTE /tr (PEHSTR_EXT)
 - card.php (PEHSTR_EXT)
 - ChromeUpdate.exe (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - set_UseShellExecute (PEHSTR_EXT)
 - System.Security.Cryptography.AesCryptoServiceProvider (PEHSTR_EXT)
 - noSXPFMbbZh2Bafej4.bKHDLoYx25MeUohwr7 (PEHSTR_EXT)
 - rJqNEeiWXDvJsanTbLjIo4HO (PEHSTR_EXT)
 - 185.215.113.8 (PEHSTR_EXT)
 - tsrv3.ru (PEHSTR_EXT)
 - tsrv4.ws (PEHSTR_EXT)
 - tldrbox.top (PEHSTR_EXT)
 - tldrhaus.top (PEHSTR_EXT)
 - tldrzone.top (PEHSTR_EXT)
 - \Microsoft\Windows\Start Menu\Programs\StartUp (PEHSTR_EXT)
 - BIOS System.exe (PEHSTR_EXT)
 - 239.255.255.250 (PEHSTR_EXT)
 - 185.215.113.84 (PEHSTR_EXT)
 - /c start .\%s & start .\%s\VolDriver.exe (PEHSTR_EXT)
 - desktop.ini (PEHSTR_EXT)
 - >AUTOHOTKEY SCRIPT< (PEHSTR_EXT)
 - PasswordsList.txt (PEHSTR_EXT)
 - scr.jpg (PEHSTR_EXT)
 - System.txt (PEHSTR_EXT)
 - ip.txt (PEHSTR_EXT)
 - cmd /C "start "q" (PEHSTR_EXT)
 - Users\Awar (PEHSTR_EXT)
 - Setup.pdb (PEHSTR_EXT)
 - main.HideWindow (PEHSTR_EXT)
 - main.createWallets (PEHSTR_EXT)
 - cryptoStealer/proccess64/main.go (PEHSTR_EXT)
 - proccess64/domain/App/replace.ReplaceWallet (PEHSTR_EXT)
 - github.com/go-telegram-bot-api/telegram-bot-api (PEHSTR_EXT)
 - github.com/atotto/clipboard.WriteAll (PEHSTR_EXT)
 - github.com/AllenDang/w32 (PEHSTR_EXT)
 - github.com/technoweenie/multipartstreamer (PEHSTR_EXT)
 - dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/2/configure.php? (PEHSTR_EXT)
 - key.cocotechnology.tech/autologin (PEHSTR_EXT)
 - Ready For Execution! (PEHSTR_EXT)
 - CocoBytecode.dll (PEHSTR_EXT)
 - TEMP%\Indicium-Supra.log (PEHSTR_EXT)
 - Silent Miner.pdb (PEHSTR_EXT)
 - EvilShit\BTC Wallet Changer (PEHSTR_EXT)
 - wscript.exe /E:jscript (PEHSTR_EXT)
 - WinExec (PEHSTR_EXT)
 - RtlSetProcessIsCritical (PEHSTR_EXT)
 - WsP/Vycd5eiHgC0WhpYMwskAjWF6ha5cQ1zwNEheUy0= (PEHSTR_EXT)
 - Si-paling-umberela\Growtopia MultiBot (PEHSTR_EXT)
 - project-umbrella.pdb (PEHSTR_EXT)
 - Realtek.exe (PEHSTR_EXT)
 - 23.88.125.20 (PEHSTR_EXT)
 - CSClipper.pdb (PEHSTR_EXT)
 - (?:[13][a-km-zA-HJ-NP-Z1-9]{25,34})src\main.rs (PEHSTR_EXT)
 - DJSHDHFEKFDMVC (PEHSTR_EXT)
 - 79.137.196.121 (PEHSTR_EXT)
 - XPdriver.exe (PEHSTR_EXT)
 - ComputeHash (PEHSTR_EXT)
 - Lona.pdb (PEHSTR_EXT)
 - TrafficProgrammerv2.exe (PEHSTR_EXT)
 - \stub\x64\Release\stub.pdb (PEHSTR_EXT)
 - \b(0x[a-fA-F0-9]{40}) (PEHSTR_EXT)
 - \b(([13]|bc1)[A-HJ-NP-Za-km-z1-9]{27,34}) (PEHSTR_EXT)
 - M@oUCC/_I3P3?b/p\[-P8);I8".resources (PEHSTR_EXT)
 - BNG}/I9h6x|>\*zj95u$.resources (PEHSTR_EXT)
 - BitcoinClipboardMalware-1-master\btcclipboard\x64\Release\avery.pdb (PEHSTR_EXT)
 - FNinternal.exe (PEHSTR_EXT)
 - O.N.resources (PEHSTR_EXT)
 - H4sIAAAAAAAEAPPwsMrNBQAO/K06BQAAAA== (PEHSTR_EXT)
 - PokemonSystem.Resources.resources (PEHSTR_EXT)
 - bnb1fga0zpcwsvwv32rx6kzt8gmukwrcjm36cjsavm (PEHSTR_EXT)
 - tron.mhxieyi (PEHSTR_EXT)
 - Release\Clipper.pdb (PEHSTR_EXT)
 - Clipper-5059811751\clipper2.0.pdb (PEHSTR_EXT)
 - \Clipez\x64\Debug\Clipez.pdb (PEHSTR_EXT)
 - \Microsoft\Windows\Start Menu\Programs\Startup\Update.exe (PEHSTR_EXT)
 - [4|8]([0-9]|[A-B])(.){93} (PEHSTR_EXT)
 - WinServiceSE.g.resources (PEHSTR_EXT)
 - WinServiceSE.pdb (PEHSTR_EXT)
 - FileDelete, nr.bcn (PEHSTR_EXT)
 - SharpClipboard.exe (PEHSTR_EXT)
 - Telegram.Bot (PEHSTR_EXT)
 - Regex.Match(GetText (PEHSTR_EXT)
 - Convert.ToString(PatternRegex (PEHSTR_EXT)
 - ClipperBuild.g.resources (PEHSTR_EXT)
 - costura.dotnetzip.pdb.compressed (PEHSTR_EXT)
 - vhsposion.xyz (PEHSTR_EXT)
 - 146.19.213.248 (PEHSTR_EXT)
 - Jellybeans.exe (PEHSTR_EXT)
 - CryptoLauncher.Properties.Resources (PEHSTR_EXT)
 - (^|\s)[13]{1}[a-km-zA-HJ-NP-Z1-9]{25,34}($|\s) (PEHSTR_EXT)
 - |\s)bnb[a-zA-Z0-9]{38,40}($|\s) (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\RunOnce (PEHSTR_EXT)
 - Local\ExitCliper (PEHSTR_EXT)
 - trades.g.resources (PEHSTR_EXT)
 - main.importClipboard (PEHSTR_EXT)
 - PEGASUS_LIME.Design.Algorithmos.Overkill (PEHSTR_EXT)
 - PEGASUS_LIME.Properties.Resources.resources (PEHSTR_EXT)
 - PEGASUS_LIME.Properties (PEHSTR_EXT)
 - Users\Public\Downloads\TeamViewer_Service.exe (PEHSTR_EXT)
 - tron.mhxieyi.com (PEHSTR_EXT)
 - Users\Public\Downloads\ZTXClientn.exe (PEHSTR_EXT)
 - rusqbxgs.000webhostapp.com/1.txt (PEHSTR_EXT)
 - reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - schtasks.exe /create /sc (PEHSTR_EXT)
 - clipper-1.1\Release\clipper-1.1.pdb (PEHSTR_EXT)
 - iuuq;00pdtq/ejhjdfsu/dpn1D (PEHSTR_EXT)
 - xxx/ejhjdfsu/dpn2 (PEHSTR_EXT)
 - zgfn.My (PEHSTR)
 - fgxg.exe (PEHSTR)
 - nahu112.exe (PEHSTR_EXT)
 - ://api.telegram.org/bot (PEHSTR_EXT)
 - /sendMessage?chat_id= (PEHSTR_EXT)
 - Steal.g.resources (PEHSTR_EXT)
 - Steal.exe (PEHSTR_EXT)
 - KMSAutoLite.Properties (PEHSTR_EXT)
 - 89.119.67.154/ (PEHSTR_EXT)
 - kukutrustnet777.info (PEHSTR_EXT)
 - ChromiumData.exe (PEHSTR_EXT)
 - Software\edisys\eNotePad (PEHSTR_EXT)
 - /panel/gate.php (PEHSTR_EXT)
 - wallet. Replacing  (PEHSTR_EXT)
 - [INFO] tor.exe found, skipping download (PEHSTR_EXT)
 - start C:\Windows\Runtime Broker.exe (PEHSTR_EXT)
 - C:\Windows\System32\svchost (PEHSTR_EXT)
 - Tgbot/Telegram Bot Base/bin (PEHSTR_EXT)
 - main.fetchAndDecrypt (PEHSTR_EXT)
 - main.trySend (PEHSTR_EXT)
 - \b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b (PEHSTR_EXT)
 - \bbitcoincash:[a-zA-HJ-NP-Z0-9]{26,42}\b (PEHSTR_EXT)
 - 121>1G1R1\1b1h1n1 (PEHSTR_EXT)
 - /c schtasks /create /tn "{0}" /tr "{1}" /SC MINUTE /MO 1 /IT /F (PEHSTR_EXT)
 - SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (PEHSTR_EXT)
 - cc_Config.exe (PEHSTR_EXT)
 - Confuser.Core (PEHSTR_EXT)
 - Clipper.My.Resources (PEHSTR_EXT)
 - System.Security.Cryptography.CAPIBase+CMSG_KEY_AGREE_PUBLIC_KEY_RECIPIENT_INFO (PEHSTR_EXT)
 - H4sIAAAAAAAEAHMud/X3Ckz3dM90C/B3Ck1yrUiv8DAoNnSv8PRIDKlwDzVMCQ2MiEoEAJJZGpYoAA (PEHSTR_EXT)
 - UserOOBEBroker.exe (PEHSTR_EXT)
 - b(1|3|bc1)[a-zA-HJ-NP-Z0-9]{25,42}\b (PEHSTR_EXT)
 - b0x[a-fA-F0-9]{40}\b (PEHSTR_EXT)
 - b(L|M)[a-zA-HJ-NP-Z0-9]{26,34}\b (PEHSTR_EXT)
 - H;\$@r (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware associated with this threat:
Filename: svchost.exe
SHA-256: de53b0e53e1f33e964436798c2e6323a0396d0df6de874aecf2f4a6d7c1b4357
Date: 01/12/2025
Remediation Steps:
Use Windows Defender or another reputable antivirus to perform a full system scan and remove the detected threat. Check startup locations (Task Scheduler, Registry Run keys) for any malicious entries. Review any recent cryptocurrency transactions to ensure they were sent to the correct address. Change passwords for financial and cryptocurrency-related accounts as a precaution.
=== END REPORT ===
This analysis was last updated on 01/12/2025.