ClipBanker Trojan
Posted: February 26, 2016
Threat Metric
The fields shown on the Threat Meter are explained below:
Threat Level: The threat level scale goes from 1 to 10, where 10 is the highest level of severity and 1 is the lowest. Each level is relative to the threat's consistently assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs recorded in diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is based on the number of confirmed and suspected threats infecting systems on a daily basis. A high volume count usually represents a popular threat, but that threat may or may not have infected a large number of systems. A threat with a high detection count could lie dormant and have a low volume count. The criterion for Volume Count is relative to the daily detection count.
Trend Path: The Trend Path, shown as an up arrow, down arrow or equal symbol, represents the recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change in a threat's recent movement.
% Impact (Last 7 Days): This shows the change over a 7-day period in how frequently a malware threat infects PCs. The percentage impact corresponds directly to the current Trend Path, which indicates whether the percentage is rising or declining.
Ranking: 917
Threat Level: 8/10
Infected PCs: 105,310
First Seen: February 26, 2016
Last Seen: October 17, 2023
OS(es) Affected: Windows
The ClipBanker Trojan hijacks transactions such as cryptocurrency payments by redirecting them to accounts controlled by the threat actors. It leaves few other traces, so monitoring your transaction history is one of the few ways to spot its telltale symptoms. Have your anti-malware program remove the ClipBanker Trojan before disputing any misdirected payments; until it is gone, any replacement transaction can be redirected the same way.
Trojans Serpenting into Your Coinage
Although most spyware is content with collecting data as its victims enter it, today's Trojans are capable of other forms of theft. The danger of having one's payments rerouted is rarely at the forefront of a user's mind while making a purchase or sending money to a friend, but it is highly pertinent to some classes of threats, such as the ClipBanker Trojan. This Trojan monitors its victim's financial dealings not to extract information but to replace it.
The ClipBanker Trojan is written in the Python programming language, which gives it potential compatibility with different environments, including macOS, Linux and Windows, although the infections recorded here are on Windows. Its central feature is clipboard manipulation: when the victim copies a payment address, it replaces the clipboard contents with the threat actor's account information, so the payment is redirected as long as the victim doesn't notice that the pasted address differs from the one they copied.
Variants of the ClipBanker Trojan may target different types of purchases and trades, such as:
- Electrum Bitcoin
- Bitcoin Core
- Bitcoin WIF keys (private keys in Wallet Import Format)
- Steam trade offers
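How a clipper of this kind recognises its targets, and how a defender can catch the swap, is shown below as an added example written for this article rather than code recovered from ClipBanker itself. It validates Base58Check so that legacy Bitcoin addresses and WIF keys are recognised by checksum, uses format-only patterns for bech32 addresses and Steam trade-offer URLs, and then compares successive clipboard reads, flagging a value that was replaced by a different value of the same kind. The sample values are public Bitcoin test vectors and constructed strings, not indicators from this page; the poll sequence, the function names and the "same kind, different value" heuristic are assumptions of the example.

```python
"""Added example (not ClipBanker's code): how a clipboard clipper recognises
its targets, and a detector that flags a copied value being swapped for
another value of the same kind. Sample values are public test vectors or
constructed strings, not indicators from the page."""
import hashlib
import re

# Base58 alphabet used by Bitcoin addresses and WIF private keys.
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Format-only checks (no checksum verification) for the remaining target kinds.
_BECH32_RE = re.compile(r"bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87}")
_STEAM_RE = re.compile(
    r"https?://steamcommunity\.com/tradeoffer/new/\?partner=\d+&token=[\w-]+")


def b58check_decode(s):
    """Return the payload bytes if s is valid Base58Check, else None."""
    n = 0
    for ch in s:
        digit = _B58.find(ch)
        if digit < 0:
            return None
        n = n * 58 + digit
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' stands for one leading zero byte lost in the integer.
    raw = b"\x00" * (len(s) - len(s.lstrip("1"))) + raw
    if len(raw) < 5:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return payload if checksum == expected else None


def classify(text):
    """Label clipboard text by the kind of target a clipper would swap, or None."""
    s = text.strip()
    payload = b58check_decode(s)
    if payload is not None:
        version, body = payload[0], payload[1:]
        if version == 0x00 and len(body) == 20:
            return "btc_p2pkh"          # legacy '1...' address
        if version == 0x05 and len(body) == 20:
            return "btc_p2sh"           # '3...' script-hash address
        if version == 0x80 and (len(body) == 32 or
                                (len(body) == 33 and body[-1] == 0x01)):
            return "btc_wif"            # private key in Wallet Import Format
        return None                     # valid Base58Check, unknown version byte
    if _BECH32_RE.fullmatch(s.lower()):
        return "btc_bech32"             # segwit 'bc1...' (format check only)
    if _STEAM_RE.fullmatch(s):
        return "steam_tradeoffer"
    return None


def detect_swaps(polls):
    """Given successive clipboard reads, flag a value replaced by a different
    value of the same kind. A clipper rewrites within milliseconds of a copy,
    so the pair shows up in adjacent polls; a user copying two addresses in a
    row trips the same rule, which is why this is an alert, not a verdict."""
    alerts = []
    for i in range(1, len(polls)):
        before, after = polls[i - 1], polls[i]
        kind = classify(before)
        if kind is not None and before != after and classify(after) == kind:
            alerts.append((i, kind, before, after))
    return alerts


# Constructed poll sequence: a genuine address (public test vector) is followed
# immediately by a different valid address, then by unrelated clipboard text.
SAMPLE_POLLS = [
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
    "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2",
    "meeting notes",
    "https://steamcommunity.com/tradeoffer/new/?partner=123456&token=aBcDeFgH",
]

if __name__ == "__main__":
    for i, kind, before, after in detect_swaps(SAMPLE_POLLS):
        print(f"poll {i}: {kind} changed from {before} to {after}")
```

On a live Windows host the polls would come from the clipboard (for example via the pyperclip package or the Win32 clipboard API) a few times per second. The heuristic also fires when a user legitimately copies two different addresses back to back, so treat an alert as a prompt to compare the pasted address against the intended one before sending, not as proof of infection.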
For comparison with competing threats of a similar classification, readers may look at CryptoShuffler Cryptojacking and ComboJack Cryptojacking, which use the same clipboard-hijacking technique for profit.
Clipping ClipBanker Trojan Out of Your Finances
Users paying close attention to Bitcoin transfers, Steam inventory trades and similar activities may notice the changes in transaction information that the ClipBanker Trojan causes. Payment records can also provide the details needed to report the fraud after the fact. While malware researchers have yet to see any version of the ClipBanker Trojan collect clipboard data such as passwords, victims should consider changing their login credentials after disinfecting their PC, to be safe.
The ClipBanker Trojan campaign documented here took place at the end of 2018, although detections continued into 2023 (see the Last Seen date above). While malware experts have limited data on its circulation statistics, infections do coincide with the presence of other threats, such as Trojan downloaders and Potentially Unwanted Programs (PUPs), as well as torrenting software. The latter may be the ClipBanker Trojan's propagation method, with delivery via downloads of game cracks, movies or music. High-quality anti-malware software is your best defense against this threat and should remove ClipBanker Trojan infections painlessly.
The ClipBanker Trojan may be hibernating, but it could awaken at any time. A discrepancy between where you meant your money to go and where it actually went is usually a sign that something more than your eyesight is wrong.
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:
%SYSTEMDRIVE%\Users\<username>\appdata\roaming\windows rtl handler\srvrtl.exe
File name: srvrtl.exe
Size: 186.88 KB (186880 bytes)
MD5: 9779b9378ca6173462b89c9521177764
Detection count: 4,057
File type: Executable File
Mime Type: unknown/exe
Path: %SYSTEMDRIVE%\Users\<username>\appdata\roaming\windows rtl handler\srvrtl.exe
Group: Malware file
Last Updated: January 8, 2022
c:\Users\<username>\appdata\roaming\1000107060\ntredirect.dll
File name: ntredirect.dll
Size: 19.92 MB (19922432 bytes)
MD5: 61131c939b98075c07e189830ff2879d
Detection count: 667
File type: Dynamic link library
Mime Type: unknown/dll
Path: c:\Users\<username>\appdata\roaming\1000107060
Group: Malware file
Last Updated: October 11, 2023
%SYSTEMDRIVE%\Users\<username>\appdata\roaming\1000098060\ndproxy.dll
File name: ndproxy.dll
Size: 761.97 KB (761976 bytes)
MD5: a5141201690835a00d4ae138358c36c2
Detection count: 602
File type: Dynamic link library
Mime Type: unknown/dll
Path: %SYSTEMDRIVE%\Users\<username>\appdata\roaming\1000098060\ndproxy.dll
Group: Malware file
Last Updated: October 14, 2023
%SYSTEMDRIVE%\Users\<username>\AppData\Roaming\eyT97uo9.exe
File name: eyT97uo9.exe
Size: 8.22 MB (8228352 bytes)
MD5: 89f7111c4e38e1b15d34cd9c294e410f
Detection count: 443
File type: Executable File
Mime Type: unknown/exe
Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\eyT97uo9.exe
Group: Malware file
Last Updated: August 12, 2023
C:\Users\<username>\1000011062\avicapn32.dll
File name: avicapn32.dll
Size: 1.54 MB (1543168 bytes)
MD5: 5e95d4d1f6b6398a9bd43714fb382f94
Detection count: 386
File type: Dynamic link library
Mime Type: unknown/dll
Path: C:\Users\<username>\1000011062\avicapn32.dll
Group: Malware file
Last Updated: October 13, 2023
C:\Users\<username>\AppData\Roaming\NVIDIA\dllhost.exe
File name: dllhost.exe
Size: 380.41 KB (380416 bytes)
MD5: ef41c74b3376c412f33bebf9bb2a1cbe
Detection count: 330
File type: Executable File
Mime Type: unknown/exe
Path: C:\Users\<username>\AppData\Roaming\NVIDIA\dllhost.exe
Group: Malware file
Last Updated: November 7, 2022
C:\Users\<username>\AppData\Local\Temp\1000123001\clip.exe
File name: clip.exe
Size: 4.38 MB (4386304 bytes)
MD5: 8d3942d2bfaf962a1177aee8d08ca079
Detection count: 295
File type: Executable File
Mime Type: unknown/exe
Path: C:\Users\<username>\AppData\Local\Temp\1000123001\clip.exe
Group: Malware file
Last Updated: July 11, 2023
C:\Users\<username>\AppData\Roaming\NVIDIA\dllhost.exe
File name: dllhost.exe
Size: 382.46 KB (382464 bytes)
MD5: 7dcebe30515d82df53f07c50b1539c38
Detection count: 204
File type: Executable File
Mime Type: unknown/exe
Path: C:\Users\<username>\AppData\Roaming\NVIDIA\dllhost.exe
Group: Malware file
Last Updated: November 12, 2022
C:\Users\<username>\AppData\Local\Temp\G54IJEBFCA80M8H.exe
File name: G54IJEBFCA80M8H.exe
Size: 187.39 KB (187392 bytes)
MD5: d23dba81354832b3ebee6ff8e79ac839
Detection count: 190
File type: Executable File
Mime Type: unknown/exe
Path: C:\Users\<username>\AppData\Local\Temp\G54IJEBFCA80M8H.exe
Group: Malware file
Last Updated: February 11, 2023
C:\Program Files (x86)\Google\CrashReports\crashreporter.exe
File name: crashreporter.exe
Size: 187.83 KB (187832 bytes)
MD5: 3bb940f619750cbe0bcfc244830077e2
Detection count: 131
File type: Executable File
Mime Type: unknown/exe
Path: C:\Program Files (x86)\Google\CrashReports\crashreporter.exe
Group: Malware file
Last Updated: November 16, 2022
%ALLUSERSPROFILE%\Microsoft VAIOI7\taskhos.exe
File name: taskhos.exe
Size: 22.01 KB (22016 bytes)
MD5: 1236075f71604f1fcef7b46f6c7bef5c
Detection count: 66
File type: Executable File
Mime Type: unknown/exe
Path: %ALLUSERSPROFILE%\Microsoft VAIOI7
Group: Malware file
Last Updated: January 26, 2017
a6f97da1bbd5fbff3bb5496489c33f1f
File name: a6f97da1bbd5fbff3bb5496489c33f1f
Size: 256 KB (256000 bytes)
MD5: a6f97da1bbd5fbff3bb5496489c33f1f
Detection count: 65
Group: Malware file
C:\Users\<username>\AppData\Roaming\KThX19g6.exe
File name: KThX19g6.exe
Size: 8.07 MB (8075776 bytes)
MD5: e67794445d4082a91b6918d8966bd0f9
Detection count: 59
File type: Executable File
Mime Type: unknown/exe
Path: C:\Users\<username>\AppData\Roaming\KThX19g6.exe
Group: Malware file
Last Updated: July 26, 2023
C:\Users\<username>\AppData\Roaming\5Ieg5J6t.exe
File name: 5Ieg5J6t.exe
Size: 8.86 MB (8866816 bytes)
MD5: 75032ec6fc183cd80008b1cd4799e7dc
Detection count: 23
File type: Executable File
Mime Type: unknown/exe
Path: C:\Users\<username>\AppData\Roaming\5Ieg5J6t.exe
Group: Malware file
Last Updated: August 2, 2023
C:\Users\<username>\AppData\Roaming\38cCDuZM.exe
File name: 38cCDuZM.exe
Size: 4.78 MB (4786688 bytes)
MD5: cd18e484f6d852e0bcb8a58b9ce25de7
Detection count: 14
File type: Executable File
Mime Type: unknown/exe
Path: C:\Users\<username>\AppData\Roaming\38cCDuZM.exe
Group: Malware file
Last Updated: July 3, 2023
Registry Modifications
Regexp file mask
%ALLUSERSPROFILE%\windowsnetwork\networkfix.exe
%ALLUSERSPROFILE%\xun.exe
%APPDATA%\check.exe
%APPDATA%\Microsoft\Windows\updlive.exe
%APPDATA%\Sound Volume Control\sndvol.exe
%LOCALAPPDATA%\winhost.exe
%TEMP%\conshost.exe
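The file hashes and path masks listed above can be turned into a host sweep. The following is an added example, not SpyHunter's tooling: it expands the page's placeholder notation (%SYSTEMDRIVE%, <username>, %APPDATA%, %TEMP% and so on) into glob patterns, assuming the default profile layout of a stock Windows install, hashes whatever the patterns match, and distinguishes a confirmed hash match from a path that merely exists. PAGE_IOCS reproduces a handful of the entries listed above; demo_sweep plants a constructed file in a temporary directory so the logic can be exercised offline, and the function names and the hash_match/path_only verdicts are this example's own.

```python
"""Added example (not SpyHunter's tooling): sweep a host for the file and
path indicators listed on the page. Placeholder expansion assumes the default
profile layout of a stock Windows install."""
import glob
import hashlib
import os
import re
import tempfile

# Page placeholders -> glob fragments (assumed Windows defaults).
_PLACEHOLDERS = {
    "%systemdrive%": "C:",
    "%allusersprofile%": r"C:\ProgramData",
    "%appdata%": r"C:\Users\*\AppData\Roaming",
    "%localappdata%": r"C:\Users\*\AppData\Local",
    "%temp%": r"C:\Users\*\AppData\Local\Temp",
    "<username>": "*",
}
_PH_RE = re.compile("|".join(re.escape(k) for k in _PLACEHOLDERS), re.IGNORECASE)

# A few indicators copied from the page: (path pattern, MD5) for hashed files,
# (path pattern, None) for the path-only masks.
PAGE_IOCS = [
    (r"%SYSTEMDRIVE%\Users\<username>\appdata\roaming\windows rtl handler\srvrtl.exe",
     "9779b9378ca6173462b89c9521177764"),
    (r"c:\Users\<username>\appdata\roaming\1000107060\ntredirect.dll",
     "61131c939b98075c07e189830ff2879d"),
    (r"C:\Users\<username>\AppData\Roaming\NVIDIA\dllhost.exe",
     "ef41c74b3376c412f33bebf9bb2a1cbe"),
    (r"C:\Users\<username>\AppData\Roaming\NVIDIA\dllhost.exe",
     "7dcebe30515d82df53f07c50b1539c38"),
    (r"%APPDATA%\Microsoft\Windows\updlive.exe", None),
    (r"%TEMP%\conshost.exe", None),
]


def expand_ioc_path(pattern):
    """Turn the page's placeholder notation into a glob pattern."""
    return _PH_RE.sub(lambda m: _PLACEHOLDERS[m.group(0).lower()], pattern)


def md5_of(path):
    """Hex MD5 of a file, read in chunks so large droppers do not load whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(iocs):
    """Return (verdict, path, md5) tuples. 'hash_match' means the file exists
    with the listed hash; 'path_only' means the path exists but the hash does
    not match (or the indicator carries no hash). Names such as dllhost.exe and
    clip.exe also belong to legitimate Windows binaries, so a path_only hit
    needs analyst review rather than automatic deletion."""
    hits = []
    for pattern, md5 in iocs:
        for path in glob.glob(expand_ioc_path(pattern)):
            if not os.path.isfile(path):
                continue
            digest = md5_of(path)
            if md5 is not None and digest == md5.lower():
                hits.append(("hash_match", path, digest))
            else:
                hits.append(("path_only", path, digest))
    return hits


def demo_sweep():
    """Offline demonstration: plant a constructed (harmless) file in a throwaway
    directory and sweep it with one matching and one non-matching indicator."""
    d = tempfile.mkdtemp()
    planted = os.path.join(d, "srvrtl.exe")
    with open(planted, "wb") as f:
        f.write(b"constructed sample, not malware")
    real = md5_of(planted)
    hits = sweep([(os.path.join(d, "*.exe"), real),
                  (os.path.join(d, "*.exe"), "0" * 32),
                  (os.path.join(d, "nothing-here.exe"), None)])
    return planted, real, hits


if __name__ == "__main__":
    for verdict, path, digest in sweep(PAGE_IOCS):
        print(verdict, path, digest)
```

Run it with Python on the host under examination; on a machine with a relocated profile directory, adjust the placeholder table first. The distinction between the two verdicts matters because several of the listed names (dllhost.exe, clip.exe, ndproxy.dll) shadow legitimate Windows components, so only the location plus the hash, not the name alone, confirms the indicator.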