type: analysis | family: unclassified-pe64-clipper | confidence: low | created: 2026-06-16 | updated: 2026-06-16 | tags: pe, infostealer, clipper, mingw, c2, persistence, discovery, collection
SHA-256: af6e1f4644b2e1e2a9c269d3acbd2faa1ea3facb9b68829c6f6a93a34ddb9c44

unclassified-pe64-clipper: af6e1f46 — MinGW-w64 infostealer with wallet regex, Telegram user ID, and screenshot capture

Executive Summary

A 176 KB PE32+ x64 console binary compiled with MinGW-w64 binutils 2.41. Hardcoded wallet-seed regex, a Telegram-style user identifier (user_1779580244692), screenshot capture (screenshot.jpg), and directory traversal of %DESKTOP%|%DOWNLOADS%|%DOCUMENTS%. No CAPE detonation available (static-only). Network functions absent from IAT — resolved dynamically or via a secondary stage. Low-confidence family; first observed sibling.

What It Is

  • Format: PE32+ x86-64 console, 5 sections, stripped, unsigned, no exports, zero resource directory ^[file.txt] ^[pefile.txt:177-189] ^[rabin2-info.txt]
  • Toolchain: MinGW-w64 GCC (LinkerVersion 2.41, binutils 2.41) ^[pefile.txt:43-46] ^[rabin2-info.txt:17-18]. radare2 reports lang: c, but the decompilation shows C++ STL std::string artefacts ^[r2:fcn.00421910, fcn.00423df0].
  • Timestamp: 2026-05-23 23:59:22 UTC — likely fabricated, sample ingested 2026-05-26 ^[exiftool.json:15] ^[triage.json]
  • IAT: KERNEL32.dll (42 imports) + USER32.dll (13 imports) only. No WS2_32, WinInet, Crypt32, or ADVAPI32 in static IAT ^[pefile.txt:228-309].
  • Notable imports: CreateRemoteThread, WriteProcessMemory, VirtualAllocEx, VirtualProtectEx, OpenProcess, FindFirstFileW, FindNextFileW ^[pefile.txt:239,267,269,270,277,278].

How It Works

Collection

  • Scans %DESKTOP%, %DOWNLOADS%, %DOCUMENTS%, %MUSIC%, %VIDEOS%, %PICTURES% for files matching the regex *wallet*|*seed*|*mnemonic*|*phrase*|*backup*|*recovery*|*12words*|*24words* ^[strings.txt:279] ^[strings.txt:285-291].
  • Captures a screenshot saved as screenshot.jpg (string present, function at fcn.004207f0 references .jpg path construction) ^[strings.txt:274] ^[r2:fcn.004207f0].
  • Harvests MachineGuid from SOFTWARE\Microsoft\Cryptography and username via GetUserNameW ^[strings.txt:280-281] ^[strings.txt:292].
  • The "browser:" and "[BLOB:" string fragments suggest clipboard or in-memory browser-data capture ^[strings.txt:275-276].

Process Injection / Evasion

  • Imports CreateRemoteThread + WriteProcessMemory + VirtualAllocEx; full set for cross-process injection ^[pefile.txt:239,277,278].
  • Beep and DisconnectNamedPipe imports are odd noise — possibly residual from a generic import table or library linkage ^[pefile.txt:238,240].

C2 / Exfiltration

  • Hardcoded Telegram-style identifier user_1779580244692 referenced twice in .rdata and loaded by entry-point setup code ^[strings.txt:277,293] ^[r2:entry0 @ 0x422e76, 0x422ea2].
  • Chrome User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/%d.0.0.0 Safari/537.36 ^[strings.txt:282] — suggests HTTP(S) transport.
  • No static URL, IP, or Telegram bot token in strings or IAT. Network APIs are runtime-resolved or the payload relies on a downloader stage (none observed in this sample). C2 protocol inferred as Telegram Bot API or generic HTTPS POST.

Decompiled Behavior

  • entry0 (0x421b90) zeroes BSS, calls CRT init, then enters the main orchestrator.
  • fcn.0041a700 — large orchestrator function. Sets up a 0x100-byte key/lookup table (possible lightweight stream cipher or string-decoding LUT), opens files, and drives collection loops. Calls into file-enumeration and string-serialization helpers. ^[r2:fcn.0041a700]
  • fcn.00411c40 — loads the wallet regex from .rdata (0x4273a0), splits on |, and iterates the pattern list against discovered filenames. ^[r2:fcn.00411c40] ^[r2:str.walletseedmnemonicphrasebackuprecovery12words24words]
  • fcn.004207f0 — JSON-like string builder. Concatenates ", ", ", "\":\"" fragments around collected data fields, constructs file paths (%s\%s), and appends blob tags. ^[r2:fcn.004207f0]
  • fcn.004046b0 — directory enumerator. Uses FindFirstFileW/FindNextFileW patterns (imported) with %s\* wildcard. ^[pefile.txt:267-270]
  • Standard C++ STL helpers: fcn.00421910 / fcn.00423df0 / fcn.00423e40 match std::string constructor / append / destroy signatures. ^[r2:fcn.00421910, fcn.00423df0, fcn.00423e40]

C2 Infrastructure

  • Telegram user ID: user_1779580244692. Hardcoded in .rdata; loaded at startup ^[strings.txt:277,293]
  • User-Agent: Mozilla/5.0 ... Chrome/%d.0.0.0 Safari/537.36. Hardcoded; %d suggests runtime Chrome version substitution ^[strings.txt:282]
  • C2 URL/IP: not present. Absent from strings, IAT, and decompiled constants; likely runtime-decoded.
  • Bot token: not present. No bot or token strings found.

Interesting Tidbits

  • MinGW-w64, not MSVC. LinkerVersion 2.41 identifies binutils 2.41 (2023) — an older toolchain with a fresh 2026 timestamp, suggesting fabrication or a repacked builder. ^[pefile.txt:43-46]
  • Zero anti-analysis. No anti-VM, anti-debug, or packed sections. .text entropy 6.32, .rdata 5.30 — within normal ranges for uncompressed native code. ^[pefile.txt:91,131]
  • No code signing, no version info, no PDB path. Clean but anonymous. ^[rabin2-info.txt] ^[pefile.txt]
  • No CAPE detonation. The Windows guest was unavailable. All behavior is static inference confirmed by decompilation.

How To Mess With It (Homelab Replication)

Toolchain: MinGW-w64 GCC 13.x / binutils 2.41, target x86_64-w64-mingw32, subsystem CONSOLE.

x86_64-w64-mingw32-gcc -O2 -s -static-libgcc -static-libstdc++ \
  stealer.c -o reproducer.exe -lws2_32

Verification: file reproducer.exe should emit PE32+ executable (console) x86-64 (stripped to external PDB).

Deployable Signatures

YARA — WalletRegex_Stealer

rule WalletRegex_Stealer : infostealer {
    meta:
        description = "Detects PE64 infostealer with hardcoded wallet seed regex"
        author = "PacketPursuit"
        date = "2026-06-16"
        sha256 = "af6e1f4644b2e1e2a9c269d3acbd2faa1ea3facb9b68829c6f6a93a34ddb9c44"
    strings:
        $wallet_regex = "*wallet*|*seed*|*mnemonic*|*phrase*|*backup*|*recovery*|*12words*|*24words*" ascii wide
        $ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/" ascii wide
        $screenshot = "screenshot.jpg" ascii wide
        $machineguid = "MachineGuid" ascii wide
    condition:
        uint16(0) == 0x5A4D and
        $wallet_regex and
        3 of them
}

YARA — TelegramUser_Campaign_IOC

rule TelegramUser_Campaign_IOC {
    meta:
        description = "Campaign-specific IOC: hardcoded Telegram user identifier"
        author = "PacketPursuit"
        date = "2026-06-16"
        sha256 = "af6e1f4644b2e1e2a9c269d3acbd2faa1ea3facb9b68829c6f6a93a34ddb9c44"
    strings:
        $user_id = "user_1779580244692" ascii wide
    condition:
        uint16(0) == 0x5A4D and $user_id
}
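As an added example, not part of the original report, the two YARA rules above re-implemented in plain Python for triage hosts without yara-python. Each string is checked as ASCII and as UTF-16LE to mirror the `ascii wide` modifier, and the logic is exercised on constructed byte buffers (not real samples).

```python
# Added example: mirrors WalletRegex_Stealer and TelegramUser_Campaign_IOC in
# plain Python. Not the report's own code; string values are taken from the rules.

WALLET_REGEX = "*wallet*|*seed*|*mnemonic*|*phrase*|*backup*|*recovery*|*12words*|*24words*"
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/"
SCREENSHOT = "screenshot.jpg"
MACHINEGUID = "MachineGuid"
TELEGRAM_USER = "user_1779580244692"


def present(data: bytes, s: str) -> bool:
    """YARA 'ascii wide': the string matches as ASCII or as UTF-16LE."""
    return s.encode("ascii") in data or s.encode("utf-16-le") in data


def is_pe(data: bytes) -> bool:
    """uint16(0) == 0x5A4D, i.e. the file starts with the 'MZ' DOS header."""
    return len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D


def wallet_regex_stealer(data: bytes) -> bool:
    """Family rule: MZ header, the wallet regex, and at least 3 of the 4 strings."""
    hits = [present(data, s) for s in (WALLET_REGEX, CHROME_UA, SCREENSHOT, MACHINEGUID)]
    return is_pe(data) and hits[0] and sum(hits) >= 3


def telegram_user_campaign_ioc(data: bytes) -> bool:
    """Campaign rule: MZ header plus the hardcoded Telegram-style user id."""
    return is_pe(data) and present(data, TELEGRAM_USER)


def scan(data: bytes) -> dict:
    """Return the verdict of both rules for one file buffer."""
    return {"WalletRegex_Stealer": wallet_regex_stealer(data),
            "TelegramUser_Campaign_IOC": telegram_user_campaign_ioc(data)}


# Constructed buffers: a fake PE carrying the strings in mixed encodings (no UA),
# and a non-PE text file carrying the same strings, which must not match.
FAKE_PE = (b"MZ" + b"\x00" * 62
           + WALLET_REGEX.encode("ascii") + b"\x00"
           + SCREENSHOT.encode("utf-16-le") + b"\x00\x00"   # wide form only
           + MACHINEGUID.encode("ascii") + b"\x00"
           + TELEGRAM_USER.encode("utf-16-le"))
NOT_PE = b"#!/bin/sh\n" + WALLET_REGEX.encode("ascii") + TELEGRAM_USER.encode("ascii")

if __name__ == "__main__":
    for name, buf in (("fake_pe", FAKE_PE), ("not_pe", NOT_PE)):
        print(name, scan(buf))
```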

Sigma — Unsigned PE Writing screenshot.jpg

title: Unsigned PE Writing screenshot.jpg in User Profile
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '\screenshot.jpg'
        Image|startswith:
            - 'C:\Users\'
            - 'C:\ProgramData\'
    filter_signed:
        Signed: 'true'
    condition: selection and not filter_signed
falsepositives:
    - Legitimate remote-support tools
level: high
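As an added example, not part of the original report, the Sigma rule above evaluated in Python against constructed Sysmon Event ID 11 (FileCreate) records serialised as JSON lines. The `Signed` field is an assumption for this example (Sysmon FileCreate does not emit it, so a pipeline would have to enrich it); a record with no such field counts as unsigned, which is what the rule's `not filter_signed` does.

```python
import json


# Added example, not the report's own code. Field names follow Sysmon Event ID 11;
# "Signed" is an assumed enrichment field, absent means unsigned.
def sigma_match(event: dict) -> bool:
    """Evaluate 'selection and not filter_signed' from the rule above.
    Sigma string modifiers match case-insensitively, hence the lower() calls."""
    target = str(event.get("TargetFilename", "")).lower()
    image = str(event.get("Image", "")).lower()
    selection = target.endswith("\\screenshot.jpg") and (
        image.startswith("c:\\users\\") or image.startswith("c:\\programdata\\"))
    filter_signed = str(event.get("Signed", "")).lower() == "true"
    return selection and not filter_signed


def triage(log_lines: list) -> list:
    """Parse JSON-per-line file events and return the Image of each alert."""
    alerts = []
    for line in log_lines:
        event = json.loads(line)
        if event.get("EventID") == 11 and sigma_match(event):
            alerts.append(event["Image"])
    return alerts


# Constructed sample events (not from any real host), serialised as JSON lines.
SAMPLE_LOG = [json.dumps(e) for e in (
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\invoice.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\screenshot.jpg"},
    {"EventID": 11, "Image": r"C:\Program Files\RemoteSupport\agent.exe", "Signed": "true",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\screenshot.jpg"},
    {"EventID": 11, "Image": r"C:\ProgramData\Updater\svc.exe", "Signed": "false",
     "TargetFilename": r"C:\Users\Public\screenshot.jpg"},
    {"EventID": 11, "Image": r"C:\Users\bob\tool.exe",
     "TargetFilename": r"C:\Users\bob\Pictures\screenshot.png"},
    {"EventID": 1, "Image": r"C:\Users\bob\tool.exe",
     "TargetFilename": r"C:\Users\bob\screenshot.jpg"},
)]

if __name__ == "__main__":
    for image in triage(SAMPLE_LOG):
        print("ALERT unsigned process wrote screenshot.jpg:", image)
```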

IOC List

  • SHA-256: af6e1f4644b2e1e2a9c269d3acbd2faa1ea3facb9b68829c6f6a93a34ddb9c44 (sample hash)
  • SHA-1: b261757c60cdf475b96d3e838bfb5c448952af53 (.text section hash, pefile.txt)
  • Telegram user: user_1779580244692 (.rdata hardcoded identifier)
  • Wallet regex: *wallet*|*seed*|*mnemonic*|*phrase*|*backup*|*recovery*|*12words*|*24words* (filename match pattern)
  • File artifact: screenshot.jpg (screenshot capture)
  • Registry: SOFTWARE\Microsoft\Cryptography\MachineGuid (system fingerprinting)

Behavioral Fingerprint

This binary loads only KERNEL32 and USER32 via standard IAT, then enumerates %DESKTOP%, %DOWNLOADS%, %DOCUMENTS%, %MUSIC%, %VIDEOS%, and %PICTURES% using FindFirstFileW/FindNextFileW. It matches filenames against a hardcoded wallet-seed regex (*wallet*, *seed*, *mnemonic*, etc.), takes a screenshot saved as screenshot.jpg, reads the MachineGuid registry value, and builds a JSON-like string payload for exfiltration. No static C2 URL is present; network transport is inferred via a hardcoded Chrome User-Agent string and a Telegram-style user_ identifier, suggesting HTTPS-based exfil, possibly via Telegram Bot API. Process-injection APIs (CreateRemoteThread, WriteProcessMemory, VirtualAllocEx) are statically imported but their invocation path is not observed in the decompiled entry flow — they may be used for browser/memory process injection at runtime.

Detection Signatures

  • T1005 — Data from Local System: %DESKTOP%, %DOWNLOADS%, %DOCUMENTS% directory enumeration ^[strings.txt:285-291] ^[pefile.txt:267-270]
  • T1113 — Screen Capture: screenshot.jpg string; .jpg path construction in fcn.004207f0 ^[strings.txt:274] ^[r2:fcn.004207f0]
  • T1552.001 — Credentials in Files: wallet seed-phrase regex ^[strings.txt:279] ^[r2:fcn.00411c40]
  • T1055 — Process Injection: CreateRemoteThread, WriteProcessMemory, VirtualAllocEx imported ^[pefile.txt:239,277,278]
  • T1071.001 — Application Layer Protocol: Web Protocols: Chrome UA string; Telegram user_ ID ^[strings.txt:282] ^[strings.txt:277]
  • T1082 — System Information Discovery: GetComputerNameA, GetLogicalDrives, MachineGuid ^[pefile.txt:243,252] ^[strings.txt:280-281]
  • T1649 — Steal Crypto Wallet: hardcoded wallet regex ^[strings.txt:279]
  • T1115 — Clipboard Data: "browser:" and "[BLOB:" fragments ^[strings.txt:275-276]

References

Provenance

  • file.txt — file 5.41
  • pefile.txt — pefile Python library
  • rabin2-info.txt — radare2 5.9.0
  • strings.txt — strings -n 6
  • exiftool.json — ExifTool 12.76
  • Decompilation — radare2 pdc (auto-analysis level 3)
  • dynamic-analysis.md — CAPE skipped (no Windows guest)