MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d4f4f31713c95b98f1545c328c46799fc2aac1ca42eda4515f3c16416814185. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PrivateLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d4f4f31713c95b98f1545c328c46799fc2aac1ca42eda4515f3c16416814185
SHA3-384 hash: 6ae2be640b440a22cd568e2b20dbea0e60977299dd0ca781485b04b39f5d94bb215265bbc2e5b8ba3ce9efb1e2c58560
SHA1 hash: 4baea06735efab35e0046b41210bb8138ad750be
MD5 hash: 05241d363ebfa75f9a3388de5d4282d3
humanhash: fourteen-autumn-kitten-bacon
File name:file
Download: download sample
Signature PrivateLoader
Create hunting rule
File size:3'295'122 bytes
First seen:2023-12-07 23:50:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 77f81ec12eacdb769388a8e410647817 (1 x NetSupport, 1 x PrivateLoader)
ssdeep 98304:yeRpGGIR4OBu2XqDIORqjev2if7TYF+Q8y:rrC2OBucORqilf7TYvN
Threatray 26 similar samples on MalwareBazaar
TLSH T1B7E5331C68989EE2FBC209F61EDFF03B60D9FC5162791EEB07FA6845190572439B2264
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 848c5454baf46e68 (1 x PrivateLoader)
Reporter andretavare5
Tags:exe PrivateLoader


Avatar
andretavare5
Sample downloaded from https://IOIOUOIUOUOUIYJGROUP.SBS/setup294.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
337
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/463407/
Detection(s):
Win.Packed.Zenpak-10014145-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Running batch commands
Launching a process
Searching for the window
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
installer lolbin overlay packed packed setupapi sfx shell32
Link:
https://www.filescan.io/uploads/65725a6b3636548f37419e5d/reports/3c8a9239-d0fa-4dc4-acc2-eb3e156fc754/overview
Verdict:
Malicious
Labled as:
HEUR/AGEN.1369061
Link:
https://www.hybrid-analysis.com/sample/1d4f4f31713c95b98f1545c328c46799fc2aac1ca42eda4515f3c16416814185
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raspberry Robin
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6998adc4-223f-48c2-9459-d56d8dba583a
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1355872
Signature
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1355872 Sample: file.exe Startdate: 08/12/2023 Architecture: WINDOWS Score: 68 27 Antivirus detection for dropped file 2->27 29 Multi AV Scanner detection for dropped file 2->29 31 Machine Learning detection for sample 2->31 33 2 other signatures 2->33 10 file.exe 4 2->10         started        process3 file4 25 C:\Users\user\AppData\Local\Temp\...\9kg.cPL, PE32 10->25 dropped 13 cmd.exe 3 2 10->13         started        process5 process6 15 control.exe 1 13->15         started        17 conhost.exe 13->17         started        process7 19 rundll32.exe 15->19         started        process8 21 rundll32.exe 19->21         started        process9 23 rundll32.exe 21->23         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1d4f4f31713c95b98f1545c328c46799fc2aac1ca42eda4515f3c16416814185
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1d4f4f31713c95b98f1545c328c46799fc2aac1ca42eda4515f3c16416814185/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-12-07 23:51:08 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dvhu6mlrhsk3tdyvixbsrrdhth6cvla4uqxnuriv6pawifubigcq._file
Verdict:
unknown
Similar samples:
05c8155ca202fde24ee1867e9defa0866b61e6530390922390692f5631b40546
PrivateLoader
172c25ce4a5916f38026250b5799b318751216eb858a6b1230b039527115af52
PrivateLoader
22335125fc0f3e079a587ead4f6b3aeabd6bb5552b877dd0315b3d04077df868
PrivateLoader
3c405151d59ea76d411aa6898792373cd563324fa3c19afd67f9a0236ab7358b
PrivateLoader
3e39dd8626cc0c86424a49a077a5d26a216b5d09311f363a5bee08e0aceb94df
PrivateLoader
45ff625f17a1e9ad65dd94c376034148d6d8eee8a41b1209f566a907f5d6d6c7
PrivateLoader
5d10fb2c0111b965b922e476c0b54d418855eda85e71757c7a61e77cc2b39eba
PrivateLoader
+ 16 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231207-3v5wxahe6s/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
ccded2dce4676850d41c7fba6759fe9b7d8c3691d90f51cdf48a017d0d0cc88c
MD5 hash:
ecb7dd231d03defcc3dc0298351ec772
SHA1 hash:
fcf04b03a389b3c681972a77a4a4d9912aa99601
Link:
https://www.unpac.me/results/c30a6b23-03c1-48c7-8956-e70080267897/
SH256 hash:
1d4f4f31713c95b98f1545c328c46799fc2aac1ca42eda4515f3c16416814185
MD5 hash:
05241d363ebfa75f9a3388de5d4282d3
SHA1 hash:
4baea06735efab35e0046b41210bb8138ad750be
Link:
https://www.unpac.me/results/c30a6b23-03c1-48c7-8956-e70080267897/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1d4f4f31713c95b98f1545c328c46799fc2aac1ca42eda4515f3c16416814185

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/463407/

Comments