Packer: absent
Compilation date: 09.03.2023 15:48:49
SHA1 hash:
- d31df5ea0f82784c010a16597675937fc4896cb0 (kd_08_5e78.dll)
Description
A malicious clipper-type stealer written in C++ and targeting 64-bit Microsoft Windows. It is designed to replace crypto wallet addresses that the user has copied to the clipboard with addresses provided by the attackers.
Operating routine
Trojan.Clipper.231 runs inside the %WINDIR%\System32\Lsaiso.exe system process, into which it is injected by the Trojan.Inject4.57873 malware.
The stealer substitutes crypto wallet addresses in the clipboard with addresses assigned by the malicious actors; these addresses are hardcoded in the DATA section of the trojan.
However, Trojan.Clipper.231 substitutes addresses only if the file %WINDIR%\INF\scunown.inf is present on the system.
It also checks whether any of the following processes is running:
Taskmgr.exe
procexp.exe
procexp64.exe
procexp64a.exe
Procmon.exe
Procmon64.exe
Procmon64a.exe
ProcessHacker.exe
SystemExplorer.exe
Daphne.exe
myprocesses.exe
TMX.exe
TMX64.exe
DeskExp.exe
DeskExp64.exe
SystemMonitor64.exe
SystemMonitor.exe
WhatsRunning.exe
ExtensionsServer.exe
Ultimate_Process_Killer1.1.exe
DTaskManager.exe
KillProcess.exe
ToolProcessSecurity.exe
spacetornadoKiller.exe
If any of them is detected, the trojan does not substitute crypto wallet addresses.
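A defender-side check illustrating the substitution behaviour described above, added here as an example that is not part of the Dr.Web entry or of the trojan's code: it classifies clipboard text into the address families seen in the hardcoded list (legacy, P2SH, bech32, taproot, Ethereum), checksum-verifies the Base58Check families, and flags a change from one valid address to a different address of the same family between copy and paste. It assumes a caller (e.g. a clipboard-monitoring agent, not shown) that supplies the text the user copied and the clipboard's current content; the address families, function names and sample values are the example's own.

```python
import hashlib
import re

# Address families that appear in this clipper's hardcoded list. The regexes
# are a first-pass filter; legacy (Base58Check) addresses are also checksum-verified.
ADDRESS_FAMILIES = {
    "btc_p2pkh": re.compile(r"^1[1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_p2sh": re.compile(r"^3[1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1q[02-9ac-hj-np-z]{38,58}$"),
    "btc_taproot": re.compile(r"^bc1p[02-9ac-hj-np-z]{58}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_valid(addr: str) -> bool:
    """Decode a Base58Check string and verify its 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' encodes a zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def classify(text: str):
    """Return the address family of `text`, or None if it is not a wallet address."""
    text = text.strip()
    for family, pattern in ADDRESS_FAMILIES.items():
        if pattern.match(text):
            if family in ("btc_p2pkh", "btc_p2sh") and not base58check_valid(text):
                return None
            return family
    return None


def is_suspicious_swap(copied: str, current: str) -> bool:
    """True when the clipboard moved from one valid address to a *different*
    address of the same family: the trace a clipper leaves between copy and paste."""
    fam = classify(copied)
    return fam is not None and fam == classify(current) and copied.strip() != current.strip()
```

Feeding the function every clipboard transition (copied text versus the value read back just before a paste) turns a clipper's core action into a detectable event, independent of which addresses it carries.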
Artifacts
The sample contains the path to the PDB file: C:\Users\DDD\source\repos\BUFF_dll\x64\Release\BUFF_dll.pdb.
More details on Trojan.Inject4.57873