Meine Bibliothek
Meine Bibliothek

+ Zur Bibliothek hinzufügen

Support

Ihre Anfragen

Rufen Sie uns an

+7 (495) 789-45-86

Profil

Trojan.Clipper.231

Added to the Dr.Web virus database: 2023-05-26

Virus description added:

Packer: absent

Compilation date: 09.03.2023 15:48:49

SHA1 hash:

  • d31df5ea0f82784c010a16597675937fc4896cb0 (kd_08_5e78.dll)

Description

A malicious stealer app written in C++ and targeting 64-bit Microsoft Windows operating systems. It is designed to substitute crypto wallet addresses that have been copied to the clipboard with ones provided by the attackers.

Operating routine

Trojan.Clipper.231 functions in the context of the %WINDIR%\\System32\\Lsaiso.exe system process where it is injected by the Trojan.Inject4.57873 malware.

The stealer substitutes crypto wallet addresses in the clipboard with addresses assigned by malicious actors. These addresses are hardcoded in the DATA section of the trojan:

1KBPqssutEjRmeFs3qJ5xAqRR44yDYeAeL
3Kw3hbuBieaTK16LbFj7bCjj5uhPgkR3yh
bc1q2z6ethfp7rdlsgkmnrujl2nlujpftsxeknljcv
0x92cE5AB754e8f4D07e93aB95303b7A9760F982a2
bc1pakyf5w5wzf5h3edjl9mjn38mznzu9epmf2nn5ffa33374yjlpv8q40uhtn
123C1Hxr5qE8RN2v292fGo9xAAnXaCHNvh
17dF9qxwSLvXxaqwsQW9df53z5MgLPbsqD
1KBUsZd4w7wtQTbedaFJPZDQ5hRZzu1QFy
1Mrm3subvzFWt4MPU3XKuw8XsFiVtRRF5P
1MGkYC5kVQMwRKq5cz3sQ4qi36H3m6fcD5
18z927kX85gAmKwsWXYYt2mrT3s2A1cfmD
1GD3eRQnYhYDDva5Jag2cpYbaBNA58HvBe
13w3rCkgXKeh7qbZRrpys6UGP2UgUVznTE
1G5DML1u6bubY8d6kt9nXmRL7kDiLVnjjU
1HSynBUuX1RGybTBrAJHczsWafX8tNB7CH
13NyF5CkLHEtHjeBgqn9Jsw5Y4HiphQeCd
1B6u98XphKa561mN5jwFNbApzd8TeqPDjs
19J97jTPNxqaNg8RmNLKEMuWe1dB6Cdd3Y
1KEN4uXw5FhzxoioHm6JWTMTDbXceRm54p
1FtrbvkurNzN6tj1EdHkH8GeuZPgnRWKoK
127cw6C2qpdM7fwKTKhHu7QXWNrruPSY9z
14uXzkNa6UjG6cHrfkHNDB5grBZkqajcMa
1CVPWXDStmsfewy5faMSPUia5DNHShzAwy
1PXyNqM7RwWv4Qat9ix4ZejLq4mD1qMEEi
1PCrf5wTX1HcRwic5zfTAUggnr9RBR5EYB
1EQCWuY4226rhdggoXXoDehFtXWJ2WTBgq
17SECQVwcpXth6WEeRjiszSxHvKzLHFBcZ
18BeMJhGeVJgyvn913g35aFfQqC1DFzWAr
1M7z6YwAdUdu364pL7N8vU6Hzpj7X3WCDD
1LN64hGUuAiMnZV7h23uwTCQeLb1aMvGvE
17wHmPPy7v9mvEASPPLXVxGNz3kbb69vgV
1DZmzZEzfViyz5etmsPzN72ThHEz6qx5Fi
15d1wi3wBizhBfwEAYhQddu5ABToV16HZH
18U6vGpzMSdVxDzK5SBFzdA5ggaU9ymEwj
1P4nX6A1vw2KBueFzYbNNF9vva2RNWGTEz

At the same time, Trojan.Clipper.231 proceeds to substitute the addresses only if the %WINDIR%\\INF\\scunown.inf file is present in the system.

Moreover, the trojan verifies if the following processes are present:

L"Taskmgr.exe"
L"procexp.exe"
L"procexp64.exe"
L"procexp64a.exe"
L"Procmon.exe"
L"Procmon64.exe"
L"Procmon64a.exe"
L"ProcessHacker.exe"
L"SystemExplorer.exe"
L"Daphne.exe"
L"myprocesses.exe"
L"TMX.exe"
L"TMX64.exe"
L"DeskExp.exe"
L"DeskExp64.exe"
L"SystemMonitor64.exe"
L"SystemMonitor.exe"
L"WhatsRunning.exe"
L"ExtensionsServer.exe"
L"Ultimate_Process_Killer1.1.exe"
L"DTaskManager.exe"
L"KillProcess.exe"
L"ToolProcessSecurity.exe"
L"spacetornadoKiller.exe"

If it detects any of them, it will not substitute crypto wallet addresses.

Artifacts

The sample contains the path to the PDB file: C:\\Users\\DDD\\source\\repos\\BUFF_dll\\x64\\Release\\BUFF_dll.pdb.

Indicators of compromise

More details on Trojan.Inject4.57873

News about the trojan

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android