Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 28, 2025, 10:09 a.m.	April 28, 2025, 10:17 a.m.

Size	124.0KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`e5c8cfb872996ad51af92a5c30246025`
SHA256	`012df1ec7071e430236bf30a908819c3579799749594a826636654b571c4d629`
CRC32	`A29FF7F4`
ssdeep	`3072:oYZ27UeZm+wr7CImzEyv/Y4Z3SNq2fYYOpf:lo7JfuCIsEyfZ3SYnpf`
Yara	PE_Header_Zero - PE File Signature IsDLL - (no description) Win_Amadey_Zero - Amadey bot Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\clip64.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
2040
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\clip64.dll,??4CClipperDLL@@QAEAAV0@ABV0@@Z
2140
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\clip64.dll,Main
2236
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\clip64.dll,
2332

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.81.68.81	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 28, 2025, 10:09 a.m.			0	0
IsDebuggerPresent April 28, 2025, 10:09 a.m.			0	0
IsDebuggerPresent April 28, 2025, 10:09 a.m.			0	0

Allocates read-write-execute memory (usually to unpack itself) (18 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744c6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x752e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74491000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744c6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x752e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74440000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744c6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x752e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74440000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744f1000 process_handle: 0xffffffff	1

Communicates with host for which no DNS query was performed (1 event)

host

185.81.68.81

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

185.81.68.81:80

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Amadey.i!c
MicroWorld-eScan	Gen:Variant.Zusy.446682
CAT-QuickHeal	Trojan.Ghanarava.1745616923246025
ALYac	Gen:Variant.Zusy.446682
Cylance	Unsafe
VIPRE	Gen:Variant.Zusy.446682
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Gen:Variant.Zusy.446682
K7GW	Trojan ( 005b155f1 )
K7AntiVirus	Trojan ( 005b155f1 )
Arcabit	Trojan.Zusy.D6D0DA
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/ClipBanker.SJ
Avast	Win32:MalwareX-gen [Trj]
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan-PSW.Win32.Kliper.gen
Alibaba	TrojanPSW:Win32/Amadey.362d21ed
NANO-Antivirus	Trojan.Win32.Kliper.kwarug
Rising	Downloader.Amadey!1.1275B (CLASSIC)
Emsisoft	Gen:Variant.Zusy.446682 (B)
F-Secure	Trojan.TR/ClipBanker.qbunl
Zillya	Trojan.ClipBanker.Win32.25353
McAfeeD	ti!012DF1EC7071
CTX	dll.trojan.clipbanker
Sophos	Troj/Amadey-Gen
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/ClipBanker.qbunl
Antiy-AVL	Trojan/Win32.Amadey
Gridinsoft	Ransom.Win32.Banker.sa
Microsoft	Trojan:Win32/Amadey.MA!MTB
ViRobot	Trojan.Win.Z.Clipbanker.126976.K
ZoneAlarm	Troj/Amadey-Gen
GData	Win32.Trojan-Stealer.Amadey.F
Varist	W32/ABTrojan.ZUIV-3618
AhnLab-V3	Trojan/Win.Amadey.C5684740
VBA32	TrojanDownloader.Deyma
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.ClipBanker
Ikarus	Trojan.Win32.Clipbanker
Panda	Trj/GdSda.A
Tencent	Malware.Win32.Gencirc.10c31a82
Yandex	Trojan.ClipBanker!9mXIl7ISQWY
huorong	TrojanSpy/ClipBanker.y
Fortinet	W32/ClipBanker.SJ!tr
AVG	Win32:MalwareX-gen [Trj]
Paloalto	generic.ml

clip64.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All