Trojan:Win64/ClipBanker.NKA!MTB - Windows Defender Threat Analysis

This threat is a ClipBanker trojan that monitors the system's clipboard. It detects when a user copies a cryptocurrency wallet address and stealthily replaces it with an attacker-controlled address to divert financial transactions and steal funds.

Relevant strings associated with this threat:
 - b(1|3|bc1)[a-zA-HJ-NP-Z0-9]{25,42}\b (PEHSTR_EXT)
 - b0x[a-fA-F0-9]{40}\b (PEHSTR_EXT)
 - b(L|M)[a-zA-HJ-NP-Z0-9]{26,34}\b (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

rule Trojan_Win64_ClipBanker_NKA_2147952238_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/ClipBanker.NKA!MTB"
        threat_id = "2147952238"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "ClipBanker"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "8"
        strings_accuracy = "High"
    strings:
        $x_2_1 = "b(1|3|bc1)[a-zA-HJ-NP-Z0-9]{25,42}\\b" ascii //weight: 2
        $x_1_2 = "b0x[a-fA-F0-9]{40}\\b" ascii //weight: 1
        $x_1_3 = "b(L|M)[a-zA-HJ-NP-Z0-9]{26,34}\\b" ascii //weight: 1
        $x_1_4 = "DT6aiXkYdYGt7LcrJDkG4pbiJwDGcAb1Wy" ascii //weight: 1
        $x_1_5 = "1DgwPCJ2Tct51MRieFLg1mn2xMXEPacx9x" ascii //weight: 1
        $x_1_6 = "LXmzfNpNpKqiavz3MfcPowFk3ivCfqEgSk" ascii //weight: 1
        $x_1_7 = "SetClipboardData" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Use antivirus software to quarantine and remove the detected file, then run a full system scan. Scrutinize all recent cryptocurrency transactions for unauthorized transfers and change passwords for financial accounts as a precaution.