MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2157d146a890d32c5ba49f31fa1840e5b0d56e4dd0bbf5f8b14cc4e482a47bef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PrivateLoader


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2157d146a890d32c5ba49f31fa1840e5b0d56e4dd0bbf5f8b14cc4e482a47bef
SHA3-384 hash: f59019b2e23115316db5bef8b2435525c2b61aece8f86aa95fa55334b098921637a7380644f491093eaedd4e6e3d74fa
SHA1 hash: f9873fa92ae8b75e23e353f43ae1ba9087edebfc
MD5 hash: b9a096baebdf8e44368e9724da8e56dd
humanhash: chicken-black-cardinal-kansas
File name:b9a096baebdf8e44368e9724da8e56dd
Download: download sample
Signature PrivateLoader
Create hunting rule
File size:4'185'600 bytes
First seen:2023-09-29 11:23:04 UTC
Last seen:2023-10-29 09:08:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a30456d356096db6c5256124ce90b11d (1 x PrivateLoader)
ssdeep 98304:OJhDwVgp97vYIP8nq5g88RzpufFdx37e5vQCxt2xWwESu:OYVgLs1qlYp0Ff37exTjJ
Threatray 13 similar samples on MalwareBazaar
TLSH T18516227363B4114AD0D1CC3AD233BED172F503578A86FC792ADD68C624318A6F613AA7
TrID 56.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.1% (.EXE) Win32 Executable (generic) (4505/5/1)
3.7% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon e0f6f2e0b89c9898 (1 x RedLineStealer, 1 x PrivateLoader, 1 x Phonk)
Reporter zbetcheckin
Tags:32 exe PrivateLoader

Intelligence

File Origin
# of uploads :
1'287
# of downloads :
253
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://171.22.28.226/download/Services.exe
Verdict:
Malicious activity
Analysis date:
2023-09-29 10:35:43 UTC
Tags:
opendir loader privateloader evasion
Link:
https://app.any.run/tasks/037fb776-9dc7-4707-a66e-21688b13b3fb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/451904/
Detection(s):
SecuriteInfo.com.Heuristic.HEUR.AGEN.1313948.16660.1585.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Sending an HTTP GET request
Connecting to a non-recommended domain
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Launching a process
Searching for analyzing tools
Modifying a system file
Replacing files
Reading critical registry keys
Launching a service
Sending a UDP request
Blocking the Windows Defender launch
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
78%
Tags:
anti-debug anti-vm control lolbin packed packed setupapi shell32 vmprotect
Link:
https://www.filescan.io/uploads/6516b3d5988a26b6d9720b11/reports/ce9aa5f9-0ced-4d68-8d6d-8fc37cbfcf4a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/2157d146a890d32c5ba49f31fa1840e5b0d56e4dd0bbf5f8b14cc4e482a47bef
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ec77951d-4a35-4c53-aff8-c20dfa787a3c
Result
Threat name:
Fabookie, PrivateLoader, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1316400
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (creates a PE file in dynamic memory)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Fabookie
Yara detected PrivateLoader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1316400 Sample: POWsPohDv9.exe Startdate: 29/09/2023 Architecture: WINDOWS Score: 100 164 Multi AV Scanner detection for domain / URL 2->164 166 Found malware configuration 2->166 168 Malicious sample detected (through community Yara rule) 2->168 170 20 other signatures 2->170 11 POWsPohDv9.exe 18 2->11         started        16 PowerControl_Svc.exe 15 2->16         started        18 PowerControl_Svc.exe 15 2->18         started        20 5 other processes 2->20 process3 dnsIp4 138 149.154.167.99 TELEGRAMRU United Kingdom 11->138 140 8.8.8.8 GOOGLEUS United States 11->140 142 3 other IPs or domains 11->142 98 C:\Users\...\viKtuPjLORobyRWJC_6gLYLZ.exe, PE32+ 11->98 dropped 100 C:\Users\user\AppData\...\WWW14_64[1].exe, PE32+ 11->100 dropped 102 C:\...\PowerControl_Svc.exe, PE32 11->102 dropped 192 Drops PE files to the document folder of the user 11->192 194 Uses schtasks.exe or at.exe to add and modify task schedules 11->194 22 viKtuPjLORobyRWJC_6gLYLZ.exe 11 40 11->22         started        27 schtasks.exe 1 11->27         started        29 schtasks.exe 1 11->29         started        104 C:\Users\...\uMhzz7gg29AEqefISsBEcisG.exe, PE32+ 16->104 dropped 106 C:\Users\user\AppData\...\WWW14_64[1].exe, PE32+ 16->106 dropped 31 uMhzz7gg29AEqefISsBEcisG.exe 10 36 16->31         started        33 schtasks.exe 16->33         started        35 schtasks.exe 16->35         started        108 C:\Users\user\AppData\...\WWW14_64[2].exe, PE32+ 18->108 dropped 37 uMhzz7gg29AEqefISsBEcisG.exe 18->37         started        39 schtasks.exe 18->39         started        41 schtasks.exe 18->41         started        file5 signatures6 process7 dnsIp8 124 87.240.190.89 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 22->124 126 93.186.225.194 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 22->126 134 9 other IPs or domains 22->134 80 C:\Users\...\wx8Ut3K6YcjsFdOG248CMmQB.exe, PE32+ 22->80 dropped 82 C:\Users\...\v4QljuGDv0HO3IAGKXTgOeAf.exe, PE32 22->82 dropped 84 C:\Users\...\pzQ3fTJ59l2T2XuJ4tGdtKxT.exe, PE32 22->84 dropped 92 12 other malicious files 22->92 dropped 172 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->172 174 Query firmware table information (likely to detect VMs) 22->174 176 Creates HTML files with .exe extension (expired dropper behavior) 22->176 190 2 other signatures 22->190 43 QAqVT_2Ti3uRP5vd70QhfRyK.exe 22->43         started        48 j2Xo7gDNrGzYaTvivqCmznqQ.exe 22->48         started        62 6 other processes 22->62 50 conhost.exe 27->50         started        52 conhost.exe 29->52         started        128 87.240.132.78 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 31->128 130 87.240.190.76 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 31->130 136 5 other IPs or domains 31->136 86 C:\Users\...\v9MSHrbpnmlSWygknKPpSk1T.exe, PE32 31->86 dropped 88 C:\Users\...\smOqDblgpFgfbymCROuHaGE7.exe, PE32 31->88 dropped 90 C:\Users\...\qQ3qEZs_0nATIMaZG9bJY7iC.exe, PE32 31->90 dropped 94 11 other malicious files 31->94 dropped 178 Tries to detect sandboxes and other dynamic analysis tools (window names) 31->178 180 Disables Windows Defender (deletes autostart) 31->180 182 Tries to evade debugger and weak emulator (self modifying code) 31->182 54 conhost.exe 33->54         started        56 conhost.exe 35->56         started        132 87.240.129.133 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 37->132 96 13 other malicious files 37->96 dropped 184 Disable Windows Defender real time protection (registry) 37->184 186 Hides threads from debuggers 37->186 188 Tries to detect sandboxes / dynamic malware analysis system (registry check) 37->188 58 conhost.exe 39->58         started        60 conhost.exe 41->60         started        file9 signatures10 process11 dnsIp12 144 95.142.206.2 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 43->144 146 45.15.156.229 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 43->146 152 3 other IPs or domains 43->152 110 C:\Users\...\tPXSQ2dTfN4Hc6bXGZYEz2Bh.exe, PE32 43->110 dropped 112 C:\Users\...\lDmdeuHwIdWS5CDvEZbIKD6Q.exe, PE32 43->112 dropped 114 C:\Users\...\j9Ca8Wrr131AK6_XOnjK5pwR.exe, PE32 43->114 dropped 120 4 other malicious files 43->120 dropped 196 Disables Windows Defender (deletes autostart) 43->196 198 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 43->198 200 Disable Windows Defender real time protection (registry) 43->200 202 Writes to foreign memory regions 48->202 204 Allocates memory in foreign processes 48->204 206 Injects a PE file into a foreign processes 48->206 64 vbc.exe 48->64         started        68 conhost.exe 48->68         started        148 185.225.74.51 MAYAKBG Germany 62->148 150 185.225.73.32 MAYAKBG Germany 62->150 154 3 other IPs or domains 62->154 116 C:\Users\user\AppData\Local\Temp\...\Zk.kb, PE32 62->116 dropped 118 C:\Users\...\9c2eaf2b80b726cc30d2d923a8718caf, SQLite 62->118 dropped 208 Tries to harvest and steal browser information (history, passwords, etc) 62->208 210 Tries to steal Crypto Currency Wallets 62->210 70 cmd.exe 62->70         started        file13 signatures14 process15 dnsIp16 122 176.123.4.46 ALEXHOSTMD Moldova Republic of 64->122 156 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 64->156 158 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 64->158 160 Tries to harvest and steal browser information (history, passwords, etc) 64->160 162 Tries to steal Crypto Currency Wallets 64->162 72 control.exe 70->72         started        74 conhost.exe 70->74         started        signatures17 process18 process19 76 rundll32.exe 72->76         started        process20 78 rundll32.exe 76->78         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2157d146a890d32c5ba49f31fa1840e5b0d56e4dd0bbf5f8b14cc4e482a47bef/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=efl5crvisdjsyw5et4y7ugca4wynk3sn2c57l6frjtcojaveppxq._file
Verdict:
malicious
Similar samples:
5708789b5fb5f47fa7a4f585344620ca294a6c8f3c26a5b27064ce9ddfd19803
PrivateLoader
6846828546f5883942cb40ad28958a9cde3b54b1838851e8b52d33fcbdeae3c7
PrivateLoader
69ded352d815114251f0986f1f9d16702f1b33372c23fe8de2cd18ddab231e13
PrivateLoader
7a650b7af16721e46686633a253c967184414183a7d2be0cb64978e4d8880ba6
PrivateLoader
7d61b2faaa4ca4c6a3ace89ab8a514c1d928492f4e41552b0386ccf7506d6727
PrivateLoader
8770a893bc2ac58f0cdc6fc5c9b1499819215a26fbaf7b0915d3d75fefdae0dc
PrivateLoader
d74686c87f0777d1e8c4fcc18b40fe3ce97d6e531e23b6665037e5599b72aa32
PrivateLoader
+ 3 additional samples on MalwareBazaar
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader evasion loader spyware stealer themida trojan
Link:
https://tria.ge/reports/230929-nhqtwsbc92/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
PrivateLoader
Unpacked files
SH256 hash:
4dbae1c1d5038dfa40e3552c40a36a0d0cf7d5d6321dcb3febe5e971f37d8cc4
MD5 hash:
2e66192f0c4acef508ba86eb8a8c17c5
SHA1 hash:
cd8fe54a84c0808517f3df0c0d6b6c8216dcbc8c
Detections:
PrivateLoader
Create hunting rule
win_privateloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/71e03d18-76f3-4288-b6f7-764a8460f7fb/
SH256 hash:
2157d146a890d32c5ba49f31fa1840e5b0d56e4dd0bbf5f8b14cc4e482a47bef
MD5 hash:
b9a096baebdf8e44368e9724da8e56dd
SHA1 hash:
f9873fa92ae8b75e23e353f43ae1ba9087edebfc
Link:
https://www.unpac.me/results/71e03d18-76f3-4288-b6f7-764a8460f7fb/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2157d146a890/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.22
Link:
https://yomi.yoroi.company/submissions/2157d146a890d32c5ba49f31fa1840e5b0d56e4dd0bbf5f8b14cc4e482a47bef

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PrivateLoader

Executable exe 2157d146a890d32c5ba49f31fa1840e5b0d56e4dd0bbf5f8b14cc4e482a47bef

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2714990/
Cape
Cape
https://www.capesandbox.com/analysis/451904/

Comments


Avatar
zbet commented on 2023-09-29 11:23:06 UTC

url : hxxp://171.22.28.226/download/Services.exe