
ClipBanker Trojan

Posted: February 26, 2016

Threat Metric

Ranking: 917
Threat Level: 8/10
Infected PCs: 105,310
First Seen: February 26, 2016
Last Seen: October 17, 2023
OS(es) Affected: Windows

The ClipBanker Trojan is a Trojan that hijacks transactions, such as cryptocurrency payments, by redirecting them to the threat actors' accounts. Monitoring your transaction history can help with identifying the telltale symptoms of this threat, which otherwise leaves few traces of its attacks. Have your anti-malware program remove the ClipBanker Trojan before disputing any misdirected charges, as necessary.

Trojans Serpenting into Your Coinage

Although most spyware is content with collecting data as its victims enter it, other forms of theft are more than possible with today's Trojans. The danger of having one's payments rerouted is rarely at the forefront of a user's thoughts while making a purchase or sending money to a friend, but it is highly pertinent to some classes of threats, such as the ClipBanker Trojan. This Trojan monitors its victim's financial dealings not to extract information, but to replace it.

The ClipBanker Trojan is written in the Python programming language, which gives it potential compatibility with different environments, including macOS, Linux and Windows. Its central feature is clipboard manipulation: when the victim copies a payment address, the Trojan replaces the clipboard contents with the threat actor's account information, so the payment is redirected if the victim doesn't notice the change before confirming the transaction. Because wallet software accepts any well-formed address, the only reliable check is comparing the pasted address, character by character, against the one you intended to use.

Variants of the ClipBanker Trojan may target different types of purchases and trades, such as:

  • Electrum Bitcoin
  • Bitcoin Core
  • Bitcoin WIF keys
  • Steam trade offers
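The swap described above can be caught from the clipboard side rather than from the payment record. The following is an added example, written for this page and not code from the ClipBanker Trojan or from the page's author: it recognises the identifier types listed above (Base58Check-validated legacy and P2SH Bitcoin addresses, WIF keys, bech32 addresses by charset only, Steam trade-offer URLs) and flags the hijacker's signature, one valid identifier replaced by a different one faster than a person could copy it. The two-second window, the regular expressions and the `ClipboardSwapDetector` class are assumptions of this example; the sample addresses are canonical public examples placed into a constructed clipboard history, not ClipBanker indicators.

```python
import hashlib
import re

# Added example: a clipboard-swap detector for the payment identifiers this
# page lists. It is not the Trojan's code; window, regexes and sample data are
# assumptions of the example.

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_decode(text):
    """Decode a Base58Check string; return the payload (version byte included),
    or None if a character is invalid or the 4-byte double-SHA256 checksum fails."""
    n = 0
    for ch in text:
        idx = BASE58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes a leading 0x00 byte (e.g. the P2PKH version byte).
    leading_zeros = len(text) - len(text.lstrip("1"))
    raw = b"\x00" * leading_zeros + raw
    if len(raw) < 5:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return payload if digest[:4] == checksum else None


STEAM_TRADE_RE = re.compile(
    r"https?://steamcommunity\.com/tradeoffer/new/\?partner=\d+&token=[A-Za-z0-9_-]+"
)
# bech32 ("bc1...") is checked by charset only; its checksum is not verified here.
BECH32_RE = re.compile(r"bc1[02-9ac-hj-np-z]{8,87}", re.IGNORECASE)


def classify(text):
    """Return the kind of payment identifier in `text`, or None if it is not one."""
    text = text.strip()
    if STEAM_TRADE_RE.fullmatch(text):
        return "steam-trade"
    if BECH32_RE.fullmatch(text):
        return "btc-bech32"
    payload = b58check_decode(text)
    if payload is None:
        return None
    version, body = payload[0], payload[1:]
    if version == 0x00 and len(body) == 20:
        return "btc-p2pkh"  # legacy address, starts with "1"
    if version == 0x05 and len(body) == 20:
        return "btc-p2sh"   # script-hash address, starts with "3"
    if version == 0x80 and len(body) in (32, 33):
        return "btc-wif"    # private key in Wallet Import Format
    return None


class ClipboardSwapDetector:
    """Consumes clipboard snapshots (timestamp, text) in order and records an
    alert when one payment identifier is replaced by a different one within
    `window` seconds, faster than a user plausibly copies a second address."""

    def __init__(self, window=2.0):
        self.window = window
        self.last = None
        self.alerts = []

    def observe(self, ts, text):
        kind = classify(text)
        prev, self.last = self.last, (ts, text, kind)
        if prev is None or kind is None or prev[2] is None:
            return None
        if text != prev[1] and ts - prev[0] <= self.window:
            alert = {
                "at": ts,
                "original": prev[1],
                "replacement": text,
                # like-for-like swaps pass the wallet's own address validation
                "same_kind": kind == prev[2],
            }
            self.alerts.append(alert)
            return alert
        return None


# Constructed clipboard history; addresses are canonical public examples.
SAMPLE_EVENTS = [
    (0.0, "meeting notes"),
    (5.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),   # user copies the payee's address
    (5.3, "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"),   # 300 ms later a different valid address
    (30.0, "https://steamcommunity.com/tradeoffer/new/?partner=123456789&token=Ab12Cd34"),
    (60.0, "5HueCGU8rMjxEXxiPuD5BDku4MkFqeZyd4dZ1jvhTVqvbTLvyTJ"),  # WIF key, a minute later
]


def run(events=SAMPLE_EVENTS):
    detector = ClipboardSwapDetector()
    for ts, text in events:
        detector.observe(ts, text)
    return detector.alerts


if __name__ == "__main__":
    for alert in run():
        print(f"clipboard swap at t={alert['at']}s: "
              f"{alert['original']} -> {alert['replacement']}")
```

On a live host the snapshots would come from polling the clipboard (for example with a GUI toolkit's clipboard API) rather than from the constructed list; the point of the detector is that a swap shows up as two different well-formed identifiers separated by milliseconds, while a corrupted address (a single changed character) fails the checksum and is ignored rather than alerted on.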

For comparison with competing threats of a similar classification, readers may look at CryptoShuffler Cryptojacking and ComboJack Cryptojacking, which also hijack copied payment addresses for profit.

Clipping ClipBanker Trojan Out of Your Finances

Users paying close attention to Bitcoin transfers, Steam inventory trades, and similar activities may notice the changes in transaction information that the ClipBanker Trojan causes. Payment records also can provide details for notifying the other parties to the fraud after the fact. While malware researchers have yet to see any version of the ClipBanker Trojan collect clipboard data such as passwords, victims should consider changing their login credentials after disinfecting their PCs, to be safe.

The ClipBanker Trojan's most recently documented campaign, at the time of writing, took place at the end of 2018. While malware experts have limited data on its circulation statistics, infections coincide with the presence of other threats, such as Trojan downloaders and Potentially Unwanted Programs (PUPs), as well as torrenting software. The latter may be the ClipBanker Trojan's propagation method, which could involve delivery via downloads of game cracks, movies or music. High-quality anti-malware software is your best defense against this threat and should remove ClipBanker Trojan infections painlessly.

The ClipBanker Trojan may be hibernating, but it could awaken at any time. Discrepancies in where you mean for your money to go and where it goes, in reality, usually are signs that something is wrong with more than just your eyes.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



%SYSTEMDRIVE%\Users\<username>\appdata\roaming\windows rtl handler\srvrtl.exe
File name: srvrtl.exe
Size: 186.88 KB (186880 bytes)
MD5: 9779b9378ca6173462b89c9521177764
Detection count: 4,057
File type: Executable File
Mime Type: unknown/exe
Path: %SYSTEMDRIVE%\Users\<username>\appdata\roaming\windows rtl handler\srvrtl.exe
Group: Malware file
Last Updated: January 8, 2022

c:\Users\<username>\appdata\roaming\1000107060\ntredirect.dll
File name: ntredirect.dll
Size: 19.92 MB (19922432 bytes)
MD5: 61131c939b98075c07e189830ff2879d
Detection count: 667
File type: Dynamic link library
Mime Type: unknown/dll
Path: c:\Users\<username>\appdata\roaming\1000107060
Group: Malware file
Last Updated: October 11, 2023

%SYSTEMDRIVE%\Users\<username>\appdata\roaming\1000098060\ndproxy.dll
File name: ndproxy.dll
Size: 761.97 KB (761976 bytes)
MD5: a5141201690835a00d4ae138358c36c2
Detection count: 602
File type: Dynamic link library
Mime Type: unknown/dll
Path: %SYSTEMDRIVE%\Users\<username>\appdata\roaming\1000098060\ndproxy.dll
Group: Malware file
Last Updated: October 14, 2023

%SYSTEMDRIVE%\Users\<username>\AppData\Roaming\eyT97uo9.exe
File name: eyT97uo9.exe
Size: 8.22 MB (8228352 bytes)
MD5: 89f7111c4e38e1b15d34cd9c294e410f
Detection count: 443
File type: Executable File
Mime Type: unknown/exe
Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\eyT97uo9.exe
Group: Malware file
Last Updated: August 12, 2023

C:\Users\<username>\1000011062\avicapn32.dll
File name: avicapn32.dll
Size: 1.54 MB (1543168 bytes)
MD5: 5e95d4d1f6b6398a9bd43714fb382f94
Detection count: 386
File type: Dynamic link library
Mime Type: unknown/dll
Path: C:\Users\<username>\1000011062\avicapn32.dll
Group: Malware file
Last Updated: October 13, 2023

C:\Users\<username>\AppData\Roaming\NVIDIA\dllhost.exe
File name: dllhost.exe
Size: 380.41 KB (380416 bytes)
MD5: ef41c74b3376c412f33bebf9bb2a1cbe
Detection count: 330
File type: Executable File
Mime Type: unknown/exe
Path: C:\Users\<username>\AppData\Roaming\NVIDIA\dllhost.exe
Group: Malware file
Last Updated: November 7, 2022

C:\Users\<username>\AppData\Local\Temp\1000123001\clip.exe
File name: clip.exe
Size: 4.38 MB (4386304 bytes)
MD5: 8d3942d2bfaf962a1177aee8d08ca079
Detection count: 295
File type: Executable File
Mime Type: unknown/exe
Path: C:\Users\<username>\AppData\Local\Temp\1000123001\clip.exe
Group: Malware file
Last Updated: July 11, 2023

C:\Users\<username>\AppData\Roaming\NVIDIA\dllhost.exe
File name: dllhost.exe
Size: 382.46 KB (382464 bytes)
MD5: 7dcebe30515d82df53f07c50b1539c38
Detection count: 204
File type: Executable File
Mime Type: unknown/exe
Path: C:\Users\<username>\AppData\Roaming\NVIDIA\dllhost.exe
Group: Malware file
Last Updated: November 12, 2022

C:\Users\<username>\AppData\Local\Temp\G54IJEBFCA80M8H.exe
File name: G54IJEBFCA80M8H.exe
Size: 187.39 KB (187392 bytes)
MD5: d23dba81354832b3ebee6ff8e79ac839
Detection count: 190
File type: Executable File
Mime Type: unknown/exe
Path: C:\Users\<username>\AppData\Local\Temp\G54IJEBFCA80M8H.exe
Group: Malware file
Last Updated: February 11, 2023

C:\Program Files (x86)\Google\CrashReports\crashreporter.exe
File name: crashreporter.exe
Size: 187.83 KB (187832 bytes)
MD5: 3bb940f619750cbe0bcfc244830077e2
Detection count: 131
File type: Executable File
Mime Type: unknown/exe
Path: C:\Program Files (x86)\Google\CrashReports\crashreporter.exe
Group: Malware file
Last Updated: November 16, 2022

%ALLUSERSPROFILE%\Microsoft VAIOI7\taskhos.exe
File name: taskhos.exe
Size: 22.01 KB (22016 bytes)
MD5: 1236075f71604f1fcef7b46f6c7bef5c
Detection count: 66
File type: Executable File
Mime Type: unknown/exe
Path: %ALLUSERSPROFILE%\Microsoft VAIOI7
Group: Malware file
Last Updated: January 26, 2017

a6f97da1bbd5fbff3bb5496489c33f1f
File name: a6f97da1bbd5fbff3bb5496489c33f1f
Size: 256 KB (256000 bytes)
MD5: a6f97da1bbd5fbff3bb5496489c33f1f
Detection count: 65
Group: Malware file

C:\Users\<username>\AppData\Roaming\KThX19g6.exe
File name: KThX19g6.exe
Size: 8.07 MB (8075776 bytes)
MD5: e67794445d4082a91b6918d8966bd0f9
Detection count: 59
File type: Executable File
Mime Type: unknown/exe
Path: C:\Users\<username>\AppData\Roaming\KThX19g6.exe
Group: Malware file
Last Updated: July 26, 2023

C:\Users\<username>\AppData\Roaming\5Ieg5J6t.exe
File name: 5Ieg5J6t.exe
Size: 8.86 MB (8866816 bytes)
MD5: 75032ec6fc183cd80008b1cd4799e7dc
Detection count: 23
File type: Executable File
Mime Type: unknown/exe
Path: C:\Users\<username>\AppData\Roaming\5Ieg5J6t.exe
Group: Malware file
Last Updated: August 2, 2023

C:\Users\<username>\AppData\Roaming\38cCDuZM.exe
File name: 38cCDuZM.exe
Size: 4.78 MB (4786688 bytes)
MD5: cd18e484f6d852e0bcb8a58b9ce25de7
Detection count: 14
File type: Executable File
Mime Type: unknown/exe
Path: C:\Users\<username>\AppData\Roaming\38cCDuZM.exe
Group: Malware file
Last Updated: July 3, 2023

Registry Modifications

The following newly produced Registry values are:

Regexp file mask:
%ALLUSERSPROFILE%\windowsnetwork\networkfix.exe
%ALLUSERSPROFILE%\xun.exe
%APPDATA%\check.exe
%APPDATA%\Microsoft\Windows\updlive.exe
%APPDATA%\Sound Volume Control\sndvol.exe
%LOCALAPPDATA%\winhost.exe
%TEMP%\conshost.exe

Additional Information

The following directories were created:

%ALLUSERSPROFILE%\Bonjour\2020
%ALLUSERSPROFILE%\HP\2020
%ALLUSERSPROFILE%\Java\2020
%ALLUSERSPROFILE%\ProductData\2020
%APPDATA%\Windows RTL Handler
%APPDATA%\sata monitor
%APPDATA%\windows maintenance service
%LOCALAPPDATA%\AptLnchb
%LOCALAPPDATA%\mscboard
%UserProfile%\Local Settings\Application Data\mscboard