{ "Event": { "analysis": "1", "date": "2026-04-09", "extends_uuid": "", "info": "[Threat Intel] The long road to your crypto: ClipBanker and its marathon infection chain", "protected": false, "publish_timestamp": "1776720313", "published": true, "threat_level_id": "3", "timestamp": "1776720303", "uuid": "7d158cf2-eeae-47d5-ad50-444e5b8112ca", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:producer=\"Kaspersky\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"ClipBanker\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#110041", "local": false, "name": "rectifyq:sub-category=\"malware-analysis\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775790009", "to_ids": false, "type": "link", "uuid": "37bdb13d-aa39-465e-b819-0b068f3a78bd", "value": "https://securelist.com/clipbanker-malware-distributed-via-trojanized-proxifier/119341/" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1775790009", "to_ids": false, "type": "text", "uuid": "63fc4483-9282-4355-9671-14a069952efd", "value": "Proxifiers are speciaized software designed to tunnel traffic for programs that do not natively support proxy servers. They are a go-to for making sure these apps are functional within secured development environments. By coincidence, Proxifier is also a name for a proprietary proxifier developed by VentoByte, which is distributed under a paid license. If you search for Proxifier (or a proxifier), one of the top results in popular search engines is a link to a GitHub repository. That\u2019s exactly where the source of the primary infection lives." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1775790009", "to_ids": false, "type": "text", "uuid": "fa523388-d2e1-4507-8d7f-13f7c507d37f", "value": "Name: The long road to your crypto: ClipBanker and its marathon infection chain\nAuthor: AlienVault\nAdversary: \nTags: []\nTgtd countries: []\nMlwr families: [\"ClipBanker\"]\nAttack_ids: []\nIndustries: []" }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:21/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1776720123", "to_ids": true, "type": "md5", "uuid": "4bcc9e25-a0cf-4696-9607-2cf4a640a227", "value": "107484d66423cb601f418344cd648f12", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:21/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1776720210", "to_ids": true, "type": "sha1", "uuid": "96d65436-3c5b-4858-83da-754b51cbf45c", "value": "d85cef60cdb9e8d0f3cb3546de6ab657f9498ac7", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776691085", "to_ids": true, "type": "domain", "uuid": "920a6209-917a-4ca7-9e16-1b062a3dc06b", "value": "chiaselinks.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776043991", "to_ids": true, "type": "domain", "uuid": "a88b9faf-0d83-4f91-a165-f2aa10a5e0dc", "value": "rlim.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776044013", "to_ids": true, "type": "hostname", "uuid": "13fe3de9-ad04-4594-8f32-fc2aec9a569d", "value": "git.parat.swiss", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776044035", "to_ids": true, "type": "hostname", "uuid": "76a6027a-b5d8-4c81-9eed-7adb4b88001c", "value": "paste.kealper.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776044056", "to_ids": true, "type": "hostname", "uuid": "a1bef24c-9404-4cec-9e04-ae92337d00bf", "value": "pinhole.rootcode.ru", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776044077", "to_ids": true, "type": "url", "uuid": "483ffd2e-179f-482b-bf1c-cb35aa651a96", "value": "https://pastebin.com/raw/FmpsDAtQ", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776044098", "to_ids": true, "type": "url", "uuid": "11eeca1f-d462-4092-a9d1-b3437eba841e", "value": "https://snippet.host/aaxniv/raw", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776044120", "to_ids": true, "type": "url", "uuid": "138f8d9e-e8cd-4503-835c-1651aca03609", "value": "https://chiaselinks.com/raw/nkkywvmhux", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776044141", "to_ids": true, "type": "url", "uuid": "21d6cc0c-a234-49fc-8f24-f1d2a62d1a22", "value": "https://rlim.com/55Dfq32kaR/raw", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776044162", "to_ids": true, "type": "url", "uuid": "ed1b261f-6937-43b6-8593-b4c7c72ea767", "value": "https://paste.kealper.com/raw/k3K5aPJQ", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776044183", "to_ids": true, "type": "url", "uuid": "48d86541-2589-4b45-a3f8-7282c59febca", "value": "https://git.parat.swiss/rogers7/dev-api/raw/master/cpzn", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776044204", "to_ids": true, "type": "url", "uuid": "dd3e3e7c-57cd-427d-b876-0364f1d9b630", "value": "https://pinhole.rootcode.ru/rogers7/dev-api/raw/master/cpzn", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776044226", "to_ids": true, "type": "url", "uuid": "12613cc6-5a5d-469d-b3d9-c5b3ba9c461a", "value": "https://github.com/lukecodix/Proxifier/releases/download/4.12/Proxifier.zip", "Tag": [ { "colour": "#2c2142", "local": false, "name": "false-positive:risk=\"high\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776044247", "to_ids": true, "type": "url", "uuid": "d1d69b3c-cada-4e7a-bb29-62dfe15ec782", "value": "https://gist.github.com/msfcon5ol3/107484d66423cb601f418344cd648f12/raw/d85cef60cdb9e8d0f3cb3546de6ab657f9498ac7/upxz", "Tag": [ { "colour": "#2c2142", "local": false, "name": "false-positive:risk=\"high\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1776720125", "uuid": "aff289c1-d6d1-4b04-bf97-69058be3f8fe", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1776720124", "to_ids": true, "type": "md5", "uuid": "dc40cc87-b680-4899-be02-1baa16053363", "value": "34a0f70ab100c47caaba7a5c85448e3d", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1776720124", "to_ids": true, "type": "sha1", "uuid": "306b6aae-0804-4af0-a008-9c323c7d6d17", "value": "15efe7c0a510950c753a9ec1a388d699b341a2c4", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1776720125", "to_ids": true, "type": "sha256", "uuid": "93bc64fb-de25-47e7-b014-1cb8da0a6c1f", "value": "fdae784b02b22916bf4bac1344b3e8e13f98996e3cd85f2daf171084983247e1", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1776720124", "to_ids": true, "type": "ssdeep", "uuid": "709ed1c7-51de-4590-bfd0-dfcd2e7afb3e", "value": "98304:bZ/0hvAq4KvDZYbpODh7IBdI+0SkK4UocMHakudJmXuJgTeQTNB/5OsJ4d1I7:VwAEubqsvIUwUfgakIIXuqTZBBhOAqm" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1776720124", "to_ids": false, "type": "size-in-bytes", "uuid": "acf5d27a-458d-474a-afab-3fd4179afbfc", "value": "8539121" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1776720124", "to_ids": true, "type": "vhash", "uuid": "04e5970c-fcf3-40ac-b839-802237fb867e", "value": "0860ce6e1e5e0e1e0e1e|z" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1776720124", "to_ids": true, "type": "filename", "uuid": "a2cd43cd-a318-4938-acce-0f6645049666", "value": "Proxifier.exe" }, { "category": "Other", "comment": "Checked: 21/04/2026\nLast-scan\t: 20/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1776720124", "to_ids": false, "type": "text", "uuid": "d1808f42-b239-454d-9f2c-60addd9e4a01", "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:38/72\nFirst Submission:2026-01-31T12:13:28.000000+00:00\nLast Submission:2026-04-18T02:23:25.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1776720146", "uuid": "9355b184-bf79-4fc0-b569-25ad02152686", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1776720146", "to_ids": true, "type": "md5", "uuid": "eae6ee1b-4303-407b-934d-3ff3620e64c6", "value": "7528bf597fd7764fcb7ec06512e073e0", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1776720146", "to_ids": true, "type": "sha1", "uuid": "d01aa052-a3e0-4445-9f9a-47e157023c44", "value": "2a70c867740bc0756260d799e3b1b07ff7d7e29a", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1776720146", "to_ids": true, "type": "sha256", "uuid": "db3fb7b8-3b90-4f61-bc2e-59271b521aff", "value": "c13c194fc1a119fd110ee75f8011eddf126197bb76e404e17a6806c88960e6b3", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1776720146", "to_ids": true, "type": "ssdeep", "uuid": "e3150757-df7c-42df-90a0-17770a115df6", "value": "12288:H2odGmZ9oMGyDAM8ZnA/jz5R4W3XkUrO6m0EnHRf:HTgmZ9o9yMM4NH" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1776720146", "to_ids": false, "type": "size-in-bytes", "uuid": "7504e3d8-5ff6-4d9a-8c53-9034548fdad9", "value": "704000" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1776720146", "to_ids": true, "type": "vhash", "uuid": "9ddd209e-c373-466c-b16a-1023efbb8176", "value": "0750a76d1555551c0d1d1az3b3dlz6fz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1776720146", "to_ids": true, "type": "filename", "uuid": "02498024-4d6b-4183-92ab-4626c328185a", "value": "c13c194fc1a119fd110ee75f8011eddf126197bb76e404e17a6806c88960e6b3.exe" }, { "category": "Other", "comment": "Checked: 21/04/2026\nLast-scan\t: 20/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1776720146", "to_ids": false, "type": "text", "uuid": "652c41c1-6792-4546-87b7-8f8b0fd2a562", "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:45/72\nFirst Submission:2025-03-31T22:03:33.000000+00:00\nLast Submission:2026-04-13T11:40:14.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1776720168", "uuid": "788aeb72-e2d6-4269-baea-de44665da05d", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1776720168", "to_ids": true, "type": "md5", "uuid": "ca8338b4-eccd-4844-b003-a36e890211a5", "value": "8354223cd6198b05904337b5dff7772b", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1776720168", "to_ids": true, "type": "sha1", "uuid": "3e5e40bd-a698-4998-a0b7-982760213e25", "value": "4876adb47f26e3614e138856746caec156e31f94", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1776720168", "to_ids": true, "type": "sha256", "uuid": "bbac10b0-2825-4a68-b68a-fed5bce86e4b", "value": "8753ee2c666dd05532d1a87cab942317b143d69f1ea92345df30e5b83485ef3b", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1776720167", "to_ids": true, "type": "ssdeep", "uuid": "d495562e-2cac-4f07-9b6a-736ae1814b95", "value": "12288:H2odGmZ9oMGyDAM8ZnA/jz5R4W3XkUrO6m0EnHRf:HTgmZ9o9yMM4NH" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1776720167", "to_ids": false, "type": "size-in-bytes", "uuid": "933405cc-6190-4305-a0da-03dfc15f388b", "value": "707232" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1776720167", "to_ids": true, "type": "vhash", "uuid": "b5beb65f-6e47-447d-b95a-fe43e0c5f157", "value": "0750a76d1555551c0d1d1az3b3dlz6fz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1776720167", "to_ids": true, "type": "filename", "uuid": "e4d2709b-571e-4d1d-8e86-ce31fae9976c", "value": "8753ee2c666dd05532d1a87cab942317b143d69f1ea92345df30e5b83485ef3b.exe" }, { "category": "Other", "comment": "Checked: 21/04/2026\nLast-scan\t: 20/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1776720167", "to_ids": false, "type": "text", "uuid": "b07ce755-684e-4f38-9a27-d17f0940e24d", "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:44/72\nFirst Submission:2025-03-26T14:45:35.000000+00:00\nLast Submission:2026-04-13T11:40:20.000000+00:00" } ] } ] } }