{
	"id": "199a6d98-13b9-40fd-801d-1ae1bbd90c11",
	"created_at": "2026-04-06T01:32:13.634754Z",
	"updated_at": "2026-04-10T03:20:55.085702Z",
	"deleted_at": null,
	"sha1_hash": "b3129b3fd5513597f4e02190df2c7c98f9cd3ad9",
	"title": "Allcome clipbanker is a newcomer in underground forums",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 145903,
	"plain_text": "Allcome clipbanker is a newcomer in underground forums\r\nBy Karsten Hahn\r\nPublished: 2022-02-14 · Archived: 2026-04-06 00:06:38 UTC\r\nReading time: 3 min (861 words)\r\nThe malware underground market might seem astoundingly professional in marketing and support. Let's take a look under the covers of one particular malware-as-a-service—the clipboard banker Allcome.\r\nUnderground marketing\r\nAllcome clipbanker was first discovered by researcher @3xp0rtblog, including underground forum screenshots, pricing information and a listing of Telegram contacts through which the malware can be purchased and downloaded. This malware-as-a-service starts at $25 for a month of usage and goes up to $220 for a lifetime license. The advertisement specifically highlights that Allcome supports stealing from lots of different cryptocurrency wallets and payment forms, with new payment forms added weekly. Criminal customers can also add their own currency-stealing capabilities by purchasing a private query builder.\r\nThe marketing for this malware might seem astounding, but what is really under the hood?\r\nBanner translation\r\nhttps://www.gdatasoftware.com/blog/2022/02/37239-allcome-clipbanker-is-a-newcomer-in-malware-underground-forums\r\nPage 1 of 6\r\nAllcome\r\nSteal yourself or someone will steal from you\r\nOur clipper is the best solution of all times\r\nOur advantages:\r\n- Security\r\n- Convenient builder\r\n- Fast response\r\n- Swift support\r\n- Weekly adding new services\r\n- Stealth\r\nClipper will steal funds from tens of currently available wallets and you will remain unnoticed.\r\nHas the functionality of payment link substitution and much more.\r\nTariff:\r\nBasic: $25 per month\r\nStandard: $35 for 3 months\r\nPremium: $90 for 2 months\r\nVIP: $220 forever\r\nAllcome_support\r\nSupport contact info\r\nFunctionality\r\nAllcome is a relatively small (120 KB) native C/C++ program. All of the current versions have the same persistence mechanism. They copy themselves into %LOCALAPPDATA%\\CrashDumps\\subst.exe and then set up a scheduled task named NvTmRep_CrashReport3_{B2FE1952-0186} to run the clipper every minute.\r\nThe clipper creates a mutex named 08841d-18c7-4e2d-f7e29d, then checks whether its filename starts with 'subst'. If it does not, it applies the persistence mechanism described above.\r\nThe clipper retrieves the encrypted C2 URL from the PE resources and decrypts it. This contains not only the C2 domain but also the username of the criminal customer, passed as an argument.\r\nThe server replies with either '+' or '-', depending on whether the criminal customer has a valid license for the clipper. If the server responds with '-', the clipper will not steal any information. If the response is anything else, the clipper starts checking and potentially replacing the clipboard contents.\r\nCheck if clipboard content is an email\r\nThe core functionality is in the clipboard content checking and replacement function. Like every clipbanker, Allcome replaces cryptocurrency addresses with the address of the attacker, so that transactions arrive at the attacker's wallet. The same is done for PayPal addresses, Steam trade offer URLs and more.\r\nThis content checking and replacement code turns out to be rather basic. The clipper mostly checks the length of strings and one or two characters (mostly the start of the string). It does not take into account where the content comes from and makes no effort to avoid false clipboard content replacements.\r\nThe best example is the replacement for PayPal. If that option is used, any string containing an '@' followed later by a '.' will be replaced with the attacker's email. So any time someone copies an email address, it will be changed, even if it is only used to write an email to someone. While the attacker may not mind receiving love letters, it also means the infection is noisy and users of infected systems will realize early on that something is not right.\r\nConfiguration Extractor\r\nThe configuration for the C2 and the replacement wallets, Steam trade offers, PayPal emails etc. is saved as encrypted strings in the String Table in the PE resources. Every ID in the string table corresponds to a certain address that is used to replace the clipboard content.\r\nI wrote a decryption script in Python to extract configurations en masse. The Python script is available in my GitHub repository and I added a list of extracted configurations there. Some of the wallets already have transactions, possibly from infected systems. I collected the samples via the VirusTotal query \"behaviour_network:dba692117be7b6d3480fe5220fdd58b38bf.xyz\"\r\nConclusion\r\nUnlike its elaborate marketing banner, Allcome clipbanker is very simple under the hood. Especially its main functionality, the clipboard replacement, is not well thought out, which is good for potentially affected users, who will soon realize that something is wrong. Nevertheless it seems to have gained quite some traction. A quick VirusTotal search already came up with 51 Allcome samples. Sometimes marketing is everything.\r\nIndicators of Compromise\r\nA list of hashes and their extracted configurations is in this file on GitHub.\r\nsha256: 02b06acb113c31f5a2ac9c99f9614e0fab0f78afc5ae872e46bae139c2c9b1f6\r\nmutex name: 08841d-18c7-4e2d-f7e29d\r\nfilepath: %LOCALAPPDATA%\\CrashDumps\\subst.exe\r\nscheduled task command: /Create /tn NvTmRep_CrashReport3_{B2FE1952-0186} /sc MINUTE /tr %s\r\ndebug path: C:\\Users\\youar\\Desktop\\Allcome\\Source code\\Build\\Release\\Build.pdb\r\nuser agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0\r\nC2 server: hxxp://dba692117be7b6d3480fe5220fdd58b38bf.xyz/exp(.)php\r\nKarsten Hahn\r\nPrincipal Malware Researcher\r\nSource: https://www.gdatasoftware.com/blog/2022/02/37239-allcome-clipbanker-is-a-newcomer-in-malware-underground-forums",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2022/02/37239-allcome-clipbanker-is-a-newcomer-in-malware-underground-forums"
	],
	"report_names": [
		"37239-allcome-clipbanker-is-a-newcomer-in-malware-underground-forums"
	],
	"threat_actors": [],
	"ts_created_at": 1775439133,
	"ts_updated_at": 1775791255,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3129b3fd5513597f4e02190df2c7c98f9cd3ad9.pdf",
		"text": "https://archive.orkl.eu/b3129b3fd5513597f4e02190df2c7c98f9cd3ad9.txt",
		"img": "https://archive.orkl.eu/b3129b3fd5513597f4e02190df2c7c98f9cd3ad9.jpg"
	}
}