I am probably the last one who finally noticed that IceRat.exe and klip.exe are not only similar but in fact the same malware, despite the different hashes (but Vhash and Imphash are the same). They have almost identical sections (except .rsrc which differs only by hash and Chi2, but have the same Virtual Address - Virtual Size - Raw Size - Entropy). Furthermore they have identical Resources.
I am closing this thread now.
The analysis of related samples is done. With related I mean all samples that are actually downloading, dropping or creating each other. The relations are outlined, starting with the first part of the infection chain.
Most of the things that were posted in this thread recently don't seem to be related to IceRat except for the domain. Or there are other very loose connections like just the file name. Feel free to open a different thread for discussing speculations of that case.