Download: /DevxStudio/Phoenix-Clipper-Malware/releases/download/Clipper/Phoenix-Clipper-Malware_Release.zip

Full analysis: https://app.any.run/tasks/499d7952-0527-4dfb-8ee4-dab7125e09a7
Verdict: Malicious activity
Analysis date: February 09, 2024, 21:44:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 634630354A4E8E5488EFF6EB63516489
SHA1: B2FBB8BDF52C31CEC638FA7CE2AB83E7C29FE051
SHA256: 54BE168149A6B5C5F2D1B81DFC60E11EF3CAC237A5F9919DE1AD949E7365B723
SSDEEP: 98304:1vAMzEfBTvZ7KIBVG+Hl4RSk9+6pItNvWhLjOSbsvCAIWC6rYNk6Z+AFwaG2Xnzc:ouhLXB8rp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • ClipperBuild.exe (PID: 1836)
      • WinRAR.exe (PID: 3700)
  • SUSPICIOUS

    • Starts itself from another location

      • ClipperBuild.exe (PID: 1836)
    • Reads security settings of Internet Explorer

      • Builder.exe (PID: 3660)
      • ClipperBuild.exe (PID: 1836)
    • Executable content was dropped or overwritten

      • ClipperBuild.exe (PID: 1836)
    • Reads the Internet Settings

      • ClipperBuild.exe (PID: 1836)
      • Builder.exe (PID: 3660)
    • Executing commands from ".cmd" file

      • ClipperBuild.exe (PID: 1836)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 2896)
    • Starts CMD.EXE for commands execution

      • ClipperBuild.exe (PID: 1836)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3700)
    • Reads the computer name

      • Builder.exe (PID: 3660)
      • ClipperBuild.exe (PID: 1836)
      • accc.exe (PID: 3996)
    • Reads the machine GUID from the registry

      • ClipperBuild.exe (PID: 1836)
      • Builder.exe (PID: 3660)
      • accc.exe (PID: 3996)
    • Creates files in the program directory

      • ClipperBuild.exe (PID: 1836)
    • Checks supported languages

      • Builder.exe (PID: 3660)
      • accc.exe (PID: 3996)
      • ClipperBuild.exe (PID: 1836)
    • Manual execution by a user

      • Builder.exe (PID: 3660)
      • ClipperBuild.exe (PID: 1836)
    • Create files in a temporary directory

      • ClipperBuild.exe (PID: 1836)
    • Creates files or folders in the user directory

      • Builder.exe (PID: 3660)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:01:03 14:53:30
ZipCRC: 0xd6e9e8a1
ZipCompressedSize: 214
ZipUncompressedSize: 250
ZipFileName: BTC_1_3.txt
No data.
All screenshots are available in the full report

Total processes: 46
Monitored processes: 7
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process chain shown in the graph: start -> winrar.exe, builder.exe (no specs), clipperbuild.exe, schtasks.exe (no specs), accc.exe (no specs), cmd.exe (no specs), timeout.exe (no specs)

Process information

PID 1824 (parent process: cmd.exe)
CMD: timeout 6
Path: C:\Windows\System32\timeout.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll

PID 1836 (parent process: explorer.exe)
CMD: "C:\Users\admin\Desktop\ClipperBuild.exe"
Path: C:\Users\admin\Desktop\ClipperBuild.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\clipperbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID 2896 (parent process: ClipperBuild.exe)
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\tmp9C5A.tmp.cmd""
Path: C:\Windows\System32\cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID 3660 (parent process: explorer.exe)
CMD: "C:\Users\admin\Desktop\Builder.exe"
Path: C:\Users\admin\Desktop\Builder.exe
User: admin
Integrity Level: MEDIUM
Description: Builder
Exit code: 0
Version: 4.1.0.0
Modules (images):
c:\users\admin\desktop\builder.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID 3700 (parent process: explorer.exe)
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Phoenix-Clipper-Malware_Release.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID 3960 (parent process: ClipperBuild.exe)
CMD: "schtasks.exe" /create /tn ACCC Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 21:50 /du 23:59 /sc daily /ri 1 /f
Path: C:\Windows\System32\schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 2147500037 (0x80004005, E_FAIL: the task creation did not succeed)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

PID 3996 (parent process: ClipperBuild.exe)
CMD: "C:\ProgramData\KMSAuto\accc.exe"
Path: C:\ProgramData\KMSAuto\accc.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\programdata\kmsauto\accc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 10 581
Read events: 10 498
Write events: 77
Delete events: 6

Modification events

PID 3700, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value: (empty)

PID 3700, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value: (empty)

PID 3700, WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

PID 3700, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

PID 3700, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

PID 3700, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

PID 3700, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Phoenix-Clipper-Malware_Release.zip

PID 3700, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

PID 3700, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

PID 3700, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 9
Suspicious files: 2
Text files: 9
Unknown types: 0

Dropped files

PID 3700, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3700.8078\Builder.pdb
Type: pdb
MD5: 579F1B3FE2D37E8278A1ABDBC5F24377
SHA256: 30F7FA476D90B6386C065D107C56AA309E2C70F1D733F8835F369A3EE7ECDE4C

PID 3700, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3700.8078\BTC_1_3.txt
Type: text
MD5: 482C2F6BFBF9A98D622B5544D222776F
SHA256: 224ACDAD30B1CB7E6E977F44670BC237932E0878B15A4359E01ECAB7C611FCB6

PID 3700, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3700.8078\Builder.exe
Type: executable
MD5: 4DDE43C7422B0AF5636E6379D9B51AC5
SHA256: 82E10DB2BE75B64854EAF32E5F4FCCC45362E5BCED01E45183E77EE15A2CC46A

PID 3700, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3700.8078\Stub\Stub.exe.config
Type: xml
MD5: 8810B832F11B6E5A1AFAB929618059F2
SHA256: 68CBB1295389A1BD6B830DEBFD0A8BB0A88BEE2522304F5894C710912021194C

PID 3700, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3700.8078\Stub\Stub.pdb
Type: pdb
MD5: 05CFD880AD36D337ABD8D41CE721BA01
SHA256: 40B53A13A49023025D32B585EE766C4FE5DB0A73FF2689AF106687C7A9CC66C9

PID 3700, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3700.8078\IconExtractor.dll
Type: executable
MD5: 7BCF61E29E5CBCD1B81D9AB72CBFED93
SHA256: 2C359CE857982F45B09AF49DBCCFB2AE302839ACF1956E8325E7F854B339A8C9

PID 3700, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3700.8078\IconExtractor.xml
Type: xml
MD5: 5DF1BC39DC11A928BE141EDF9A30270B
SHA256: ABD5B0ADC717DBA0D4B098FCEF362328D42301D8DC90718390E5CDBE5EB0C267

PID 3700, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3700.8078\Vestris.ResourceLib.dll
Type: executable
MD5: 944CE5123C94C66A50376E7B37E3A6A6
SHA256: 7DA3F0E77C4DDDC82DF7C16C8C781FADE599B7C91E3D32EEFBCE215B8F06B12A

PID 3660, Builder.exe
Filename: C:\Users\admin\AppData\Local\Builder\Builder.exe_Url_qmfjfm4jt4oqj0mr4bwowwhqdsoabvys\4.1.0.0\user.config
Type: xml
MD5: DB4CFC518D9E5BBA1D2E7F029E20D68F
SHA256: 0D17667FA8E0138654A3031567CB00A844BE50D6D7527FAA2DC12BB576F4A03D

PID 1836, ClipperBuild.exe
Filename: C:\Users\admin\AppData\Local\Temp\tmp9C5A.tmp.cmd
Type: text
MD5: B64CD607B08959F542133E6FABBF1ADB
SHA256: 91678E41C32B2E4402EA8C20B1E0AC430CFB7D013B8D01EB24326B8C524B23E1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info