Trojan:MSIL/ClipBanker.GC!MTB - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:MSIL/ClipBanker.GC!MTB
Classification:
Type: Trojan
Platform: MSIL
Family: ClipBanker
Detection Type: Concrete (known malware family with identified signatures)
Variant: GC (specific signature variant within the malware family)
Suffix: !MTB (detected via machine learning and behavioral analysis)
Detection Method: Behavioral
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: a Trojan (appears legitimate but performs malicious actions) for the .NET (Microsoft Intermediate Language) platform, family ClipBanker.

Summary:

Trojan:MSIL/ClipBanker.GC!MTB is a concrete detection for a .NET-based clipbanker trojan that monitors the clipboard for cryptocurrency wallet addresses and replaces them with attacker-controlled addresses. It includes anti-analysis capabilities, persistence via scheduled tasks, and may also target online trading platforms such as Steam.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - choice /C Y /N /D Y /T (PEHSTR_EXT)
 - steamcommunity.com/tradeoffer (PEHSTR_EXT)
 - SbieDll.dll (PEHSTR_EXT)
YARA Rule:
rule Trojan_MSIL_ClipBanker_GC_2147774355_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MSIL/ClipBanker.GC!MTB"
        threat_id = "2147774355"
        type = "Trojan"
        platform = "MSIL: .NET intermediate language scripts"
        family = "ClipBanker"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "16"
        strings_accuracy = "High"
    strings:
        $x_10_1 = "Clipper" ascii //weight: 10
        $x_1_2 = "Clipboard" ascii //weight: 1
        $x_1_3 = "Regex" ascii //weight: 1
        $x_1_4 = "choice /C Y /N /D Y /T" ascii //weight: 1
        $x_1_5 = "schtasks" ascii //weight: 1
        $x_1_6 = "0x[a-fA-F0-9]{40}" ascii //weight: 1
        $x_1_7 = "APPDATA" ascii //weight: 1
        $x_1_8 = "processhacker" ascii //weight: 1
        $x_1_9 = "procexp" ascii //weight: 1
        $x_1_10 = "taskmgr" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (
            (1 of ($x_10_*) and 6 of ($x_1_*)) or
            (all of ($x*))
        )
}
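The weights and threshold in the rule's metadata can be emulated directly. The following Python is an added example, not code from the threatcheck.sh report: it scores a buffer with the weighted strings from the rule above and checks that a score of at least 16 is exactly the "1 of $x_10_* and 6 of $x_1_*" condition. Both sample buffers are constructed for illustration.

```python
# Weighted strings copied from the YARA rule above; each weight comes from the
# "$x_<weight>_<n>" name. Matching is plain ASCII substring search, which is
# what a YARA "ascii" string does; the signature does not interpret regexes.
WEIGHTED_STRINGS = {
    "Clipper": 10,
    "Clipboard": 1,
    "Regex": 1,
    "choice /C Y /N /D Y /T": 1,
    "schtasks": 1,
    "0x[a-fA-F0-9]{40}": 1,   # literal text in the signature, not a pattern
    "APPDATA": 1,
    "processhacker": 1,
    "procexp": 1,
    "taskmgr": 1,
}
THRESHOLD = 16                 # threshold = "16" in the rule metadata
MAX_FILESIZE = 20 * 1024 * 1024  # filesize < 20MB


def score_buffer(data: bytes) -> tuple[int, list[str]]:
    """Return the weighted score and the list of strings that hit."""
    hits = [s for s in WEIGHTED_STRINGS if s.encode("ascii") in data]
    return sum(WEIGHTED_STRINGS[s] for s in hits), hits


def matches(data: bytes) -> bool:
    """Threshold-style verdict: weighted score >= 16 within the size bound."""
    score, _ = score_buffer(data)
    return len(data) < MAX_FILESIZE and score >= THRESHOLD


def matches_yara_condition(data: bytes) -> bool:
    """Verdict written the way the rule's condition states it, for comparison.
    With weights 10 and 1 only, score >= 16 requires the 10-weight string plus
    six 1-weight strings, so the two verdicts agree on every input."""
    _, hits = score_buffer(data)
    heavy = sum(1 for s in hits if WEIGHTED_STRINGS[s] == 10)
    light = sum(1 for s in hits if WEIGHTED_STRINGS[s] == 1)
    return len(data) < MAX_FILESIZE and (
        (heavy >= 1 and light >= 6) or len(hits) == len(WEIGHTED_STRINGS)
    )


# Constructed sample: a fake .NET string table carrying 7 of the markers.
SAMPLE_HIT = (b"\x00Clipper\x00Clipboard\x00schtasks\x00APPDATA\x00taskmgr"
              b"\x00procexp\x00processhacker\x00")
# Constructed sample: an ordinary clipboard utility; no "Clipper" marker, score 4.
SAMPLE_BENIGN = b"Clipboard\x00Regex\x00APPDATA\x00schtasks\x00"
```

The benign sample shows why the generic strings alone never trigger the rule: without the 10-weight "Clipper" marker the nine 1-weight strings top out at 9, below the threshold.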
Known malware associated with this threat:
Filename: SecuriteInfo.com.Trojan.PWS.Stealer.41153.32336.843
SHA-256: c733a9293f2f3dbe2a6681c3dd8c814a2bb22a7561e98d8194f69b82fefe7134
Date: 31/01/2026
SHA-256: 9b018f68690323664a620a8e68fde297268218cf648d3575562d4e0cb689b6fd
Date: 30/01/2026
Remediation Steps:
Immediately isolate the infected system to prevent further compromise. Perform a full system scan with an updated antivirus solution and manually remove all detected threats. Review and remove any suspicious scheduled tasks or startup entries created by the malware. Users should change passwords for all online accounts, especially those related to cryptocurrency or online trading, that were accessed from the compromised machine.
=== END REPORT ===