type: entity
confidence: low
created: 2026-06-16
updated: 2026-06-16
tags: malware-family, infostealer, clipper, pe, mingw, c2, discovery, collection

unclassified-pe64-clipper

Overview

Placeholder entity for a class of MinGW-w64 PE64 infostealers observed via URLhaus. The first sample (af6e1f4644b2) is a 176 KB stripped console binary with a hardcoded wallet-seed file regex, a Telegram-style user identifier (user_1779580244692), screenshot capture, and directory traversal across user profile folders. No CAPE detonation is available; all behavior is inferred from static analysis and decompilation. The family remains unclassified pending additional siblings.

Build Stack

  • Language / Toolchain: C/C++ compiled with MinGW-w64 GCC, binutils 2.41 ^[sample af6e1f46/rabin2-info.txt] ^[sample af6e1f46/pefile.txt:43-46]
  • Arch: PE32+ x86-64, Windows console subsystem ^[sample af6e1f46/file.txt]
  • IAT: KERNEL32.dll (42 imports) + USER32.dll (13 imports) only; no WS2_32, WinInet or Crypt32, so any network activity implied by the Chrome UA string and Telegram-style user ID would have to go through runtime-resolved APIs (see runtime-api-resolution-inferred under Capabilities). ^[sample af6e1f46/pefile.txt:228-309]
  • Signing: None ^[sample af6e1f46/rabin2-info.txt]
  • Exports: Zero-length export directory ^[sample af6e1f46/pefile.txt:179-181]
  • Resources: Zero-length resource directory ^[sample af6e1f46/pefile.txt:185-187]
  • Anti-analysis: None observed. No packed sections, no anti-VM, no anti-debug. .text entropy 6.32, .rdata 5.30. ^[sample af6e1f46/pefile.txt:91,131]

Capabilities

  • wallet-seed-regex-file-scanning
  • screenshot-jpg-capture
  • machineguid-system-fingerprinting
  • user-profile-directory-enumeration
  • json-like-payload-serialization
  • process-injection-api-imports
  • telegram-user-id-hardcoded
  • chrome-user-agent-masquerade
  • runtime-api-resolution-inferred

Deploy / TTPs

Technique (ATT&CK ID): evidence

  • Data from Local System (T1005): %DESKTOP%, %DOWNLOADS%, %DOCUMENTS% directory enumeration ^[sample af6e1f46/strings.txt:285-291]
  • Screen Capture (T1113): screenshot.jpg string; .jpg path construction in decompiled function ^[sample af6e1f46/strings.txt:274]
  • Credentials in Files (T1552.001): wallet seed-phrase regex `wallet` (regex string truncated in the source)
  • Process Injection (T1055): CreateRemoteThread, WriteProcessMemory, VirtualAllocEx imported ^[sample af6e1f46/pefile.txt:239,277,278]
  • Application Layer Protocol: Web Protocols (T1071.001): Chrome UA string; Telegram user_ ID ^[sample af6e1f46/strings.txt:282,277]
  • System Information Discovery (T1082): GetComputerNameA, GetLogicalDrives, MachineGuid ^[sample af6e1f46/pefile.txt:243,252]
  • Steal Crypto Wallet (T1649): hardcoded wallet regex ^[sample af6e1f46/strings.txt:279]
  • Clipboard Data (T1115): `browser: ` and `[BLOB:` string fragments ^[sample af6e1f46/strings.txt:275-276]
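As an added defender's triage example (not code from this page, from the cited analysis tooling, or from any sibling entity), the following Python maps the Build Stack import profile and the Deploy / TTPs evidence above onto the same ATT&CK IDs, and flags the combination "C2-style strings present but no networking DLLs in the IAT" as the runtime-API-resolution inference. It works on already-extracted features (import table, printable strings, raw section bytes) rather than parsing a PE, so it runs offline. The feature set is constructed to resemble the page's description of af6e1f4644b2; the USER32 function names, the Chrome UA literal, the `user_\d{10,}` and UA regexes, and the 7.0 packing threshold are assumptions, not values taken from the sample.

```python
import math
import re
from dataclasses import dataclass

# Indicator sets taken from the page's Build Stack and Deploy / TTPs sections.
INJECTION_APIS = {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx"}  # T1055
DISCOVERY_APIS = {"GetComputerNameA", "GetLogicalDrives"}                         # T1082
NETWORK_DLLS = {"ws2_32.dll", "wininet.dll", "crypt32.dll"}                       # absent in sample
PROFILE_DIRS = {"%DESKTOP%", "%DOWNLOADS%", "%DOCUMENTS%"}                        # T1005
CLIPBOARD_FRAGMENTS = ("browser: ", "[BLOB:")                                     # T1115
# Assumed patterns: the page gives only the literal user_1779580244692 and
# "Chrome UA string"; these regexes generalise them for matching.
TELEGRAM_ID_RE = re.compile(r"\buser_\d{10,}\b")
CHROME_UA_RE = re.compile(r"Mozilla/5\.0 .*Chrome/\d+", re.IGNORECASE)
PACKED_ENTROPY = 7.0  # assumed threshold; the sample's .text (6.32) sits below it


@dataclass
class Features:
    imports: dict   # DLL name -> set of imported function names
    strings: list   # printable strings, as produced by `strings`
    sections: dict  # section name -> raw bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the byte histogram: 0.0 for a constant run, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(f: Features) -> dict:
    """Map extracted features onto the page's ATT&CK rows and return the evidence found."""
    funcs = set().union(*f.imports.values()) if f.imports else set()
    dlls = {d.lower() for d in f.imports}
    text = "\n".join(f.strings)
    hits = {}

    if INJECTION_APIS <= funcs:
        hits["T1055"] = sorted(INJECTION_APIS)
    disc = sorted(DISCOVERY_APIS & funcs) + (["MachineGuid"] if "MachineGuid" in text else [])
    if disc:
        hits["T1082"] = disc
    dirs = sorted(d for d in PROFILE_DIRS if d in text)
    if dirs:
        hits["T1005"] = dirs
    if "screenshot.jpg" in text:
        hits["T1113"] = ["screenshot.jpg"]
    net = [m.group(0) for m in TELEGRAM_ID_RE.finditer(text)]
    if CHROME_UA_RE.search(text):
        net.append("chrome-ua")
    if net:
        hits["T1071.001"] = net
    clip = [s for s in CLIPBOARD_FRAGMENTS if s in text]
    if clip:
        hits["T1115"] = clip

    # No socket/HTTP/crypto DLLs in the IAT while C2-style artefacts are present
    # is exactly the page's "runtime-api-resolution-inferred" capability.
    no_network = not (dlls & NETWORK_DLLS)
    entropy = {name: round(shannon_entropy(b), 2) for name, b in f.sections.items()}
    return {
        "hits": hits,
        "no_network_imports": no_network,
        "runtime_api_resolution_inferred": no_network and "T1071.001" in hits,
        "entropy": entropy,
        "likely_packed": any(e > PACKED_ENTROPY for e in entropy.values()),
    }


# Constructed feature set modelled on the page's description; the USER32 names
# and the UA literal are assumptions, the rest mirrors the cited evidence.
SAMPLE = Features(
    imports={
        "KERNEL32.dll": {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
                         "GetComputerNameA", "GetLogicalDrives", "CreateFileA"},
        "USER32.dll": {"GetDC", "GetSystemMetrics"},
    },
    strings=[
        "screenshot.jpg", "browser: ", "[BLOB:", "user_1779580244692",
        "%DESKTOP%", "%DOWNLOADS%", "%DOCUMENTS%", "MachineGuid",
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    ],
    # Stand-in "code": four equiprobable bytes give entropy 2.0, nowhere near packed.
    sections={".text": b"\x55\x48\x89\xe5" * 64},
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

The hits dictionary is keyed by ATT&CK ID so it can be diffed directly against the table above when a sibling sample arrives; a sibling that gains WS2_32 or WinInet imports would flip `runtime_api_resolution_inferred` to false and is worth a closer look at whether the C2 path changed.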

Notable Analyses

  • /intel/analyses/af6e1f4644b2e1e2a9c269d3acbd2faa1ea3facb9b68829c6f6a93a34ddb9c44.html — af6e1f4644b2, MinGW-w64 PE64 clipper/infostealer, static-only
  • maskgramstealer — merged family page for this cluster; see sibling comparison at maskgramstealer-vs-unclassified-pe64-clipper