$ analyze-threat TrojanDownloader:PowerShell/ClipBanker!MTB
TrojanDownloader:PowerShell/ClipBanker!MTB - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: TrojanDownloader:PowerShell/ClipBanker!MTB
Classification:
Type: TrojanDownloader
Platform: PowerShell
Family: ClipBanker
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !MTB (detected via machine learning and behavioral analysis)
Detection Method: Behavioral
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: TrojanDownloader (downloads additional malware) on the PowerShell platform, family ClipBanker.

Summary:

This threat is a PowerShell-based trojan from the ClipBanker family, detected through behavioral analysis. It monitors the system clipboard, using regular expressions to find and replace cryptocurrency wallet addresses, Steam trade offers, and donation links with attacker-controlled equivalents. The malware also creates persistence via Scheduled Tasks and Run keys to ensure it executes on startup.

Severity: Medium

VDM Static Detection:
Relevant strings associated with this threat:
 - System.Text.RegularExpressions (PEHSTR_EXT)
 - \Bitcoin-Grabber-master\Bitcoin-Grabber\ (PEHSTR_EXT)
 - 2.pdb (PEHSTR_EXT)
 - b4([0-9]|[A-B])(.){93} (PEHSTR_EXT)
 - schtasks.exe (PEHSTR_EXT)
 - steamcommunity.com/tradeoffer (PEHSTR_EXT)
 - donationalerts.com/ (PEHSTR_EXT)
 - marie\Desktop\clipmonitor KETHAS FINAL EVERYTHING FIXED\clipmonitor (PEHSTR_EXT)
 - CLIPBOARD: '' vs. '' (PEHSTR_EXT)
 - SOFTWARE\Borland\Delphi\RTL (PEHSTR_EXT)
 - ShellExecuteExA (PEHSTR_EXT)
 - C:\ProgramData\MyApp\ (PEHSTR_EXT)
 - v4.0.30319 (PEHSTR_EXT)
 - \b(bitcoincash) (PEHSTR_EXT)
 - choice /C Y /N /D Y /T (PEHSTR_EXT)
 - SbieDll.dll (PEHSTR_EXT)
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - clrjit.dll (PEHSTR_EXT)
 - http://bot.whatismyipaddress.com/ (PEHSTR_EXT)
 - SOFTWARE\WOW6432Node\Clients\StartMenuInternet (PEHSTR_EXT)
 - shell\open\command (PEHSTR_EXT)
 - ^bc1[123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz].*$ (PEHSTR_EXT)
 - https://api.telegram.org/bot (PEHSTR_EXT)
 - https://ipv4bot.whatismyipaddress.com/ (PEHSTR_EXT)
 - WinHost.exe (PEHSTR_EXT)
 - Sevirem.Clipper (PEHSTR_EXT)
 - Decompress (PEHSTR_EXT)
 - pyi-windows-manifest-filename crypto-yank.exe.manifest (PEHSTR_EXT)
 - email._encoded_words (PEHSTR_EXT)
 - http.cookiejar (PEHSTR_EXT)
 - email.base64mime (PEHSTR_EXT)
 - multiprocessing.resource_tracker (PEHSTR_EXT)
 - subst.exe (PEHSTR_EXT)
 - /Create /tn NvTmRep_CrashReport3_{B2FE1952-0186} /sc MINUTE /tr (PEHSTR_EXT)
 - ProcessHacker.exe (PEHSTR_EXT)
 - Users\youar (PEHSTR_EXT)
 - WSOCK32.dll (PEHSTR_EXT)
 - GetExecutingAssembly (PEHSTR_EXT)
 - Release\troce.pdb (PEHSTR_EXT)
 - Desktop\1 (PEHSTR_EXT)
 - FileDelete, %A_ScriptDir%\SN.txt (PEHSTR_EXT)
 - click(786, 288,0.4,250) (PEHSTR_EXT)
 - click(779,400,0.4,250) (PEHSTR_EXT)
 - #32768 ahk_exe AutoHotkey.exe (PEHSTR_EXT)
 - C:\src\Solarion2018\Bin32\ (PEHSTR)
 - SELECT * FROM Win32_ComputerSystem (PEHSTR_EXT)
 - Confuser.Core 1.5.0 (PEHSTR_EXT)
 - http://185.215.113.93 (PEHSTR_EXT)
 - SOFTWARE\wtu (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\Run\ (PEHSTR_EXT)
 - MicrosoftWindowsStart MenuProgramsStartupupdater.lnk (PEHSTR_EXT)
 - Discord Link :  v1.0.0-custom (PEHSTR_EXT)
 - ShellExecute (PEHSTR_EXT)
 - Oreans.vxd (PEHSTR_EXT)
 - Software\Wine (PEHSTR_EXT)
 - %userappdata%\RestartApp.exe (PEHSTR_EXT)
 - 2DJS2 (PEHSTR_EXT)
 - bitcoinminingsoftware.Bitcoin_Grabber (PEHSTR_EXT)
 - bitcoinminingsoftware.pdb (PEHSTR_EXT)
 - Clipper.exe (PEHSTR_EXT)
 - AssemblyDescriptionAttribute (PEHSTR_EXT)
 - mogu.exe (PEHSTR_EXT)
 - Clipper\Clipper\bin\Release\Obfuscated\Inc.Infrastructur Host driver.pdb (PEHSTR_EXT)
 - C:\Users\jon doe\Desktop\Registry\Registry\obj\Release\Registry.pdb (PEHSTR_EXT)
 - My.Computer (PEHSTR_EXT)
 - Registry.exe (PEHSTR_EXT)
 - StringComparison (PEHSTR_EXT)
 - Application Data\Clipper (PEHSTR_EXT)
 - BTC Clipper.pdb (PEHSTR_EXT)
 - \Windowslib.exe (PEHSTR_EXT)
 - HidenProces.pdb (PEHSTR_EXT)
 - /Create /tn MicrosoftDriver /sc MINUTE /tr (PEHSTR_EXT)
 - card.php (PEHSTR_EXT)
 - ChromeUpdate.exe (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - set_UseShellExecute (PEHSTR_EXT)
 - System.Security.Cryptography.AesCryptoServiceProvider (PEHSTR_EXT)
 - noSXPFMbbZh2Bafej4.bKHDLoYx25MeUohwr7 (PEHSTR_EXT)
 - rJqNEeiWXDvJsanTbLjIo4HO (PEHSTR_EXT)
 - 185.215.113.8 (PEHSTR_EXT)
 - tsrv3.ru (PEHSTR_EXT)
 - tsrv4.ws (PEHSTR_EXT)
 - tldrbox.top (PEHSTR_EXT)
 - tldrhaus.top (PEHSTR_EXT)
 - tldrzone.top (PEHSTR_EXT)
 - \Microsoft\Windows\Start Menu\Programs\StartUp (PEHSTR_EXT)
 - BIOS System.exe (PEHSTR_EXT)
 - 239.255.255.250 (PEHSTR_EXT)
 - 185.215.113.84 (PEHSTR_EXT)
 - /c start .\%s & start .\%s\VolDriver.exe (PEHSTR_EXT)
 - desktop.ini (PEHSTR_EXT)
 - >AUTOHOTKEY SCRIPT< (PEHSTR_EXT)
 - PasswordsList.txt (PEHSTR_EXT)
 - scr.jpg (PEHSTR_EXT)
 - System.txt (PEHSTR_EXT)
 - ip.txt (PEHSTR_EXT)
 - cmd /C "start "q" (PEHSTR_EXT)
 - Users\Awar (PEHSTR_EXT)
 - Setup.pdb (PEHSTR_EXT)
 - main.HideWindow (PEHSTR_EXT)
 - main.createWallets (PEHSTR_EXT)
 - cryptoStealer/proccess64/main.go (PEHSTR_EXT)
 - proccess64/domain/App/replace.ReplaceWallet (PEHSTR_EXT)
 - github.com/go-telegram-bot-api/telegram-bot-api (PEHSTR_EXT)
 - github.com/atotto/clipboard.WriteAll (PEHSTR_EXT)
 - github.com/AllenDang/w32 (PEHSTR_EXT)
 - github.com/technoweenie/multipartstreamer (PEHSTR_EXT)
 - dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/2/configure.php? (PEHSTR_EXT)
 - key.cocotechnology.tech/autologin (PEHSTR_EXT)
 - Ready For Execution! (PEHSTR_EXT)
 - CocoBytecode.dll (PEHSTR_EXT)
 - TEMP%\Indicium-Supra.log (PEHSTR_EXT)
 - Silent Miner.pdb (PEHSTR_EXT)
 - EvilShit\BTC Wallet Changer (PEHSTR_EXT)
 - wscript.exe /E:jscript (PEHSTR_EXT)
 - WinExec (PEHSTR_EXT)
 - RtlSetProcessIsCritical (PEHSTR_EXT)
 - WsP/Vycd5eiHgC0WhpYMwskAjWF6ha5cQ1zwNEheUy0= (PEHSTR_EXT)
 - Si-paling-umberela\Growtopia MultiBot (PEHSTR_EXT)
 - project-umbrella.pdb (PEHSTR_EXT)
 - Realtek.exe (PEHSTR_EXT)
 - 23.88.125.20 (PEHSTR_EXT)
 - CSClipper.pdb (PEHSTR_EXT)
 - (?:[13][a-km-zA-HJ-NP-Z1-9]{25,34})src\main.rs (PEHSTR_EXT)
 - DJSHDHFEKFDMVC (PEHSTR_EXT)
 - 79.137.196.121 (PEHSTR_EXT)
 - XPdriver.exe (PEHSTR_EXT)
 - ComputeHash (PEHSTR_EXT)
 - Lona.pdb (PEHSTR_EXT)
 - TrafficProgrammerv2.exe (PEHSTR_EXT)
 - \stub\x64\Release\stub.pdb (PEHSTR_EXT)
 - \b(0x[a-fA-F0-9]{40}) (PEHSTR_EXT)
 - \b(([13]|bc1)[A-HJ-NP-Za-km-z1-9]{27,34}) (PEHSTR_EXT)
 - M@oUCC/_I3P3?b/p\[-P8);I8".resources (PEHSTR_EXT)
 - BNG}/I9h6x|>\*zj95u$.resources (PEHSTR_EXT)
 - BitcoinClipboardMalware-1-master\btcclipboard\x64\Release\avery.pdb (PEHSTR_EXT)
 - FNinternal.exe (PEHSTR_EXT)
 - O.N.resources (PEHSTR_EXT)
 - H4sIAAAAAAAEAPPwsMrNBQAO/K06BQAAAA== (PEHSTR_EXT)
 - PokemonSystem.Resources.resources (PEHSTR_EXT)
 - bnb1fga0zpcwsvwv32rx6kzt8gmukwrcjm36cjsavm (PEHSTR_EXT)
 - tron.mhxieyi (PEHSTR_EXT)
 - Release\Clipper.pdb (PEHSTR_EXT)
 - Clipper-5059811751\clipper2.0.pdb (PEHSTR_EXT)
 - \Clipez\x64\Debug\Clipez.pdb (PEHSTR_EXT)
 - \Microsoft\Windows\Start Menu\Programs\Startup\Update.exe (PEHSTR_EXT)
 - [4|8]([0-9]|[A-B])(.){93} (PEHSTR_EXT)
 - WinServiceSE.g.resources (PEHSTR_EXT)
 - WinServiceSE.pdb (PEHSTR_EXT)
 - FileDelete, nr.bcn (PEHSTR_EXT)
 - SharpClipboard.exe (PEHSTR_EXT)
 - Telegram.Bot (PEHSTR_EXT)
 - Regex.Match(GetText (PEHSTR_EXT)
 - Convert.ToString(PatternRegex (PEHSTR_EXT)
 - ClipperBuild.g.resources (PEHSTR_EXT)
 - costura.dotnetzip.pdb.compressed (PEHSTR_EXT)
 - vhsposion.xyz (PEHSTR_EXT)
 - 146.19.213.248 (PEHSTR_EXT)
 - Jellybeans.exe (PEHSTR_EXT)
 - CryptoLauncher.Properties.Resources (PEHSTR_EXT)
 - (^|\s)[13]{1}[a-km-zA-HJ-NP-Z1-9]{25,34}($|\s) (PEHSTR_EXT)
 - |\s)bnb[a-zA-Z0-9]{38,40}($|\s) (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\RunOnce (PEHSTR_EXT)
 - Local\ExitCliper (PEHSTR_EXT)
 - trades.g.resources (PEHSTR_EXT)
 - main.importClipboard (PEHSTR_EXT)
 - PEGASUS_LIME.Design.Algorithmos.Overkill (PEHSTR_EXT)
 - PEGASUS_LIME.Properties.Resources.resources (PEHSTR_EXT)
 - PEGASUS_LIME.Properties (PEHSTR_EXT)
 - Users\Public\Downloads\TeamViewer_Service.exe (PEHSTR_EXT)
 - tron.mhxieyi.com (PEHSTR_EXT)
 - Users\Public\Downloads\ZTXClientn.exe (PEHSTR_EXT)
 - rusqbxgs.000webhostapp.com/1.txt (PEHSTR_EXT)
 - reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - schtasks.exe /create /sc (PEHSTR_EXT)
 - clipper-1.1\Release\clipper-1.1.pdb (PEHSTR_EXT)
 - iuuq;00pdtq/ejhjdfsu/dpn1D (PEHSTR_EXT)
 - xxx/ejhjdfsu/dpn2 (PEHSTR_EXT)
 - zgfn.My (PEHSTR)
 - fgxg.exe (PEHSTR)
 - nahu112.exe (PEHSTR_EXT)
 - ://api.telegram.org/bot (PEHSTR_EXT)
 - /sendMessage?chat_id= (PEHSTR_EXT)
 - Steal.g.resources (PEHSTR_EXT)
 - Steal.exe (PEHSTR_EXT)
 - KMSAutoLite.Properties (PEHSTR_EXT)
 - 89.119.67.154/ (PEHSTR_EXT)
 - kukutrustnet777.info (PEHSTR_EXT)
 - ChromiumData.exe (PEHSTR_EXT)
 - Software\edisys\eNotePad (PEHSTR_EXT)
 - /panel/gate.php (PEHSTR_EXT)
 - wallet. Replacing  (PEHSTR_EXT)
 - [INFO] tor.exe found, skipping download (PEHSTR_EXT)
 - start C:\Windows\Runtime Broker.exe (PEHSTR_EXT)
 - C:\Windows\System32\svchost (PEHSTR_EXT)
 - Tgbot/Telegram Bot Base/bin (PEHSTR_EXT)
 - main.fetchAndDecrypt (PEHSTR_EXT)
 - main.trySend (PEHSTR_EXT)
 - \b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b (PEHSTR_EXT)
 - \bbitcoincash:[a-zA-HJ-NP-Z0-9]{26,42}\b (PEHSTR_EXT)
 - 121>1G1R1\1b1h1n1 (PEHSTR_EXT)
 - /c schtasks /create /tn "{0}" /tr "{1}" /SC MINUTE /MO 1 /IT /F (PEHSTR_EXT)
 - SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (PEHSTR_EXT)
 - cc_Config.exe (PEHSTR_EXT)
 - Confuser.Core (PEHSTR_EXT)
 - Clipper.My.Resources (PEHSTR_EXT)
 - System.Security.Cryptography.CAPIBase+CMSG_KEY_AGREE_PUBLIC_KEY_RECIPIENT_INFO (PEHSTR_EXT)
 - H4sIAAAAAAAEAHMud/X3Ckz3dM90C/B3Ck1yrUiv8DAoNnSv8PRIDKlwDzVMCQ2MiEoEAJJZGpYoAA (PEHSTR_EXT)
 - UserOOBEBroker.exe (PEHSTR_EXT)
 - b(1|3|bc1)[a-zA-HJ-NP-Z0-9]{25,42}\b (PEHSTR_EXT)
 - b0x[a-fA-F0-9]{40}\b (PEHSTR_EXT)
 - b(L|M)[a-zA-HJ-NP-Z0-9]{26,34}\b (PEHSTR_EXT)
 - H;\$@r (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware associated with this threat:
Filename: 1
SHA-256: e3888ed6bc225dc6656ee02a4dcd5608f7901ebfb6ba665fc3a5e0956c40621e
Date: 04/12/2025
Remediation Steps:
 - Quarantine the affected machine from the network.
 - Allow the antivirus to remove the detected files and run a full system scan.
 - Manually inspect and remove persistence mechanisms found in Task Scheduler and the Windows 'Run' registry keys.
=== END REPORT ===