Malware analysis JPHP IceRat analysis

Not open for further replies.


Level 20
Oct 16, 2020
I was browsing several dark, wrongly labelled as “ethic” forums and hackers seem to consider every credentials stealer a RAT. It’s possible they named it IceRat, when in reality it’s a downloader and installs backdoor/info-stealer. They may be just lost in translation or just couldn’t be bothered maintaining a classification of what they offer.

Update: I’ve just seen the 1.exe...
@struppigel I’ve pointed you to an ocean of malware 😄
I believe I saw in the forum somewhere that you work @ GData (if I didn’t read something wrong). If you keep browsing these domains, GData will have to develop streaming updates functionality to release all detections that will be coming😏
Again we can see malware with fairly old creation dates, detected by no more than 5 AVs...

BTW this is also downloaded by klient.exe, which I executed in Sandboxie.

This looks like a variant of ClipBanker and also another version of klip.exe.

However, this klip.exe is not the klip.exe we were originally on. This is the first historical version I discovered (Aug 2019), located here:
MD5: 05268896B3233F1B25702480DA337852
SHA-256: 793b19c7f819d8770af7338e79d3067d028d2179667d92249a2d0c68d8641e2d

There is another instance of RealtekSb.exe VirusTotal ||||||||||||| RealtekSb.exe (MD5: C94EBCABD3353BC7737407202E58A365) - Interactive analysis - ANY.RUN||||||
saved in
"C:\Users\admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe" |||||| MD5: c94ebcabd3353bc7737407202e58a365
Company: Microsoft Corporation
Description: Windows Logon Application (Looks like spoofing winlogon is a common thing, as klip.exe downloads winlogin.exe. The usage of login instead of logon brings 1 less indicator to behavioural blockers that this file is malware)
Version: 10.0.18362.418 (WinBuild.160101.0800)
Creation Time: 2019-11-19 19:43:02 (NEWER VERSION)
First Submission: 2019-11-25 18:01:13
Last Submission: 2020-01-07 12:07:20
Last Analysis: 2020-08-26 20:31:19

There is another RealtekSb.exe dropper here: VirusTotal |||||||||| - Interactive analysis - ANY.RUN |||| saved in
"C:\Users\admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe" |||| MD5: 82055391ce934d24fad1829cfd823488
Creation Time: 2019-04-05 19:15:25 (OLD VERSION)
First Submission: 2020-01-01 02:07:10
Last Submission: 2020-01-01 02:07:10
Last Analysis: 2020-01-09 05:41:44

Third version can be seen here: ||||| MD5: F7958823D5A3C0A2DF7974ADDE4028D0
Creation Time: 2019-09-16 23:26:01 (Created in between the other 2 versions)
Signature Date: 2020-07-25 02:59:00
First Submission: 2020-06-25 16:02:22 (Discovered a lot later)
Last Submission: 2020-06-25 16:02:22
Last Analysis: 2020-07-25 00:26:44
Related to RacoonStealer
IP analyses: VirusTotal
Again linked to AzoruIt

And contacting one more IP: VirusTotal
The analysed sample VVV.exe VirusTotal
contacts various servers in UA (suprise, surprise, US and NL again)
hxxp:// is one of the URLs which is an active malware repository.
It hosts amongst others, the winrings0x64 driver as well as xmrig_cuda.dll, which is probably hardware accelerator for coinminers.

hxxp:// hosts the same content.

The offending IP address behind the second one, was involved in coinmining malware.
I am sure they are related. URLhaus | VirusTotal

Upon relationship inspection I saw this:

I’ve been analysing relations since morning today and I just keep seeing myfile.exe, and bild.exe, so I became suspicious and decided to check them out.
bild.exe has been distributed by several other IPs/domains: VirusTotal VirusTotal

Analysing relations of myfile.exe MD5: e05680e8f026f7effaafc7844961f666 VirusTotal

bild.exe appears again:


I found a historical version, abusing the WMI here: bild.exe (MD5: 6C8B8901F21D071914807F9B551C6818) - Interactive analysis - ANY.RUN
It's ransomware VirusTotal
User says:
Browsing thru the machine and can't find anything but found a file called bild.exe that exists on all folders containing encrypted files.
There is another version here, loader dropping update.exe, which can also be seen in relations above: bild.exe (MD5: 55E4CBAD055F48E5705B3C97D18FF2D6) - Interactive analysis - ANY.RUN |||| VirusTotal
One more version here: Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'bild.exe'
#Bild.exe is a very common and rather specific name. It seems to have a typo, just like browes.exe (instead of browse.exe or browser.exe).
Contacted/resolved IPs: VirusTotal <--- (Netherlands)

In an earlier post today, I mentioned (Netherlands), which distributed a sample klipper.exe ( as early as 2018.

myfile.exe appears again. It is a version of baldr stealer and the original file name is baldr.exe. Same group distributing klip.exe has distributed baldr stealer. They've also distributed GoGoogle Ransomware.
Last edited:


Level 20
Oct 16, 2020
I moved one step forward in my research now!
This is an analyses of the first klipper.exe:
PDB PathwayD:\Arkei\Release\Arkei.pdb <-- Arkei Loader calling to

Resolved IPs:
Date resolved IP

History and Timeline

Arkei Loader: Free Automated Malware Analysis Service - powered by Falcon Sandbox
Creation Time: 2018-03-21 10:57:51
First Submission: 2018-09-23 08:23:44 (discovered quite late)
Last Submission: 2018-12-20 00:07:54
Last Analysis: 2019-06-04 00:25:06
First distributed as setup.exe ||||| VirusTotal
Later distributed as klipper.exe and myfile.exe URLhaus | API
Calling to (now)
Classified end of 2018 Vidar | Malware Trends Tracker
Not too famous initially and no associated news until few months later
First write-up is in January 2019: Vidar and GandCrab: stealer and ransomware combo observed in the wild - Malwarebytes Labs


Baldr Stealer: VirusTotal
Creation Time: 2018-10-19 05:30:11 (7 months later)
First Submission: 2019-05-17 13:06:15 (undetected for 7 months)
Last Submission: 2019-11-21 16:11:49
Last Analysis: 2019-11-21 16:11:49
Calling to and
First writeup us in April 2019: New Info-stealer Baldr Emerges As a Reliable, Long-Term Player

Distributed as myfile.exe, baldr.exe and m.exe.

Towards the end of 2019, first klip.exe appears as a UPX-packed executable, replacing myfile.exe, as well as Arkei/Baldr: - Interactive analysis - ANY.RUN
Creation Time 2019-08-08 18:49:31 (10 months later)
First Submission: 2020-01-19 21:45:53 (remains undetected for quite some time)
Last Submission: 2020-02-03 05:13:32
Last Analysis: 2020-11-20 21:51:13
Calling to and -
This is either ClipBanker or Raccoon Stealer.
Later on distributed as RealtekSB.exe

IceRat.exe is next and successor, but instead of UPX-packed executable, switches to JPHP.
Creation Time: 2020-08-06 14:51:07 (almost a year later)
First Submission: 2020-08-05 16:02:26
Last Submission: 2020-08-05 16:02:26
Last Analysis: 2020-11-20 14:08:31
Calling to
A detection name Trojan: PHP/Stealer appears on the Microsoft Database in Aug 31, 2020 Trojan:PHP/Stealer threat description - Microsoft Security Intelligence -might be related.
The object itself is not a RAT, but part of a multi-components stealer.

The klip.exe I discovered is last, but very similar, almost unmodified:
Creation Time: 2020-11-05 19:28:34 (3 months after IceRat.exe)
First Submission: 2020-11-17 22:30:43 (remains undetected for 12 days, until I discovered it)
Last Submission: 2020-11-17 22:30:43
Last Analysis: 2020-11-21 02:54:36
Calling to and

Given that these are tools for sale, it's possible that some attackers use outdated tools, such as the Arkei/Vidar, though how effective this will be and whether they are still supported/updated by their author is not known. It's possible that the author might be behind other tools as well, though given how successful his loader-stealers have been in the past, this is highly unlikely. It might be that other attackers have purchased these tools and created a malware infusion (such as adding ransomware).
It remains unclear to why content downloaded by klient.exe and klip.exe is mediocre (not-stealthy) and why more common methods haven't been used.
The attack opens well with a sophisticated loader but then relies on executables, already well known, with no digital signature and suspicious to every normal AV today.
I am also baffled up why he needs such a multi-stage attack, using several droppers and downloaders in a matròska kind of way.
Last edited:


Staff member
Apr 9, 2020
I am closing this thread now.
The analysis of related samples is done. With related I mean all samples that are actually downloading, dropping or creating each other. The relations are outlined, starting with the first part of the infection chain.

Most of the things that were posted in this thread recently don't seem to be related to IceRat except for the domain. Or there are other very loose connections like just the file name. Feel free to open a different thread for discussing speculations of that case. 🤠
Not open for further replies.