MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 217265f9279820005c1037dd06668169a841230842ddd53961122066d9fb6786. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PrivateLoader


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 217265f9279820005c1037dd06668169a841230842ddd53961122066d9fb6786
SHA3-384 hash: f8fdd7cd3a1814dacff1f94100ea8c13b281154a926170527149efe67de42819ed3a751bb1dba69915a325b68e5f71cf
SHA1 hash: e92017c7673b82ef1c64c60a19e09307b902e73a
MD5 hash: db05c4ddd1c651561ce6b89e99a332f6
humanhash: friend-cup-pluto-winner
File name:file
Download: download sample
Signature PrivateLoader
Create hunting rule
File size:1'153'896 bytes
First seen:2023-11-21 14:10:45 UTC
Last seen:2023-11-21 15:18:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:9W9bn2dEUp6TJAJJBq4hPCeQcby8MT+uzNS356vsVQxVH20GKYat7PKUboqGTh7l:9W1vJWBq4Amxuz03YvCQxZKK/50qGTh5
Threatray 4 similar samples on MalwareBazaar
TLSH T1CD35E08131D37752E4BBA37712C6EA9CC001F0E615D6AE870EE164C4151DDCAB9B3EAB
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter jstrosch
Tags:.NET exe MSIL PrivateLoader signed

Code Signing Certificate

Organisation:ninja Inc
Issuer:ninja Inc
Algorithm:sha256WithRSAEncryption
Valid from:2023-11-21T01:11:16Z
Valid to:2024-11-21T01:11:16Z
Serial number: be57427cc67fde56c5f3b81e76e72b79
Thumbprint Algorithm:SHA256
Thumbprint: 0af8ab2f40c8409847c3bd146dbf16bc3d6c983bfb6e12ce22116d257bd9cdaa
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
371
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/459551/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.13774.10475.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Connecting to a non-recommended domain
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Searching for analyzing tools
Modifying a system file
Replacing files
Running batch commands
Blocking the User Account Control
Forced shutdown of a system process
Query of malicious DNS domain
Sending a TCP request to an infection source
Blocking the Windows Defender launch
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/655cba87572de6e10cb17771/reports/a29491d5-fb96-457a-ada9-cbc3daaa77c8/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/217265f9279820005c1037dd06668169a841230842ddd53961122066d9fb6786
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/252d97e4-3943-4a4f-b952-a8568a959589
Result
Threat name:
PrivateLoader, RedLine
Create hunting rule
Detection:
malicious
Classification:
rans.troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1345843
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Disables Windows Defender (deletes autostart)
Drops script or batch files to the startup folder
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies the hosts file
Modifies Windows Defender protection settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: Schedule system process
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Yara detected Generic Downloader
Yara detected PrivateLoader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1345843 Sample: file.exe Startdate: 21/11/2023 Architecture: WINDOWS Score: 100 150 Multi AV Scanner detection for domain / URL 2->150 152 Malicious sample detected (through community Yara rule) 2->152 154 Antivirus detection for URL or domain 2->154 156 14 other signatures 2->156 12 file.exe 2 4 2->12         started        15 cmd.exe 2->15         started        17 powershell.exe 2->17         started        19 cmd.exe 2->19         started        process3 signatures4 198 Adds a directory exclusion to Windows Defender 12->198 200 Disables UAC (registry) 12->200 21 CasPol.exe 15 194 12->21         started        26 powershell.exe 21 12->26         started        28 6V2xKGSdzZOG2l67fqdIp9iJ.exe 15->28         started        30 conhost.exe 15->30         started        32 conhost.exe 17->32         started        34 conhost.exe 19->34         started        process5 dnsIp6 144 91.92.243.139 THEZONEBG Bulgaria 21->144 146 78.135.105.12 PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR Turkey 21->146 148 15 other IPs or domains 21->148 118 C:\Users\...\zuTkcDdNQ6MkLeAs0lGPxvRR.exe, PE32+ 21->118 dropped 120 C:\Users\...\yiUYZEb7lMWdy4BiiNcsQQJX.exe, PE32+ 21->120 dropped 122 C:\Users\...\yYAwgDWrkYJyyOGvYzyiJrxu.exe, PE32+ 21->122 dropped 124 195 other malicious files 21->124 dropped 182 Drops script or batch files to the startup folder 21->182 184 Creates HTML files with .exe extension (expired dropper behavior) 21->184 186 Modifies Windows Defender protection settings 21->186 188 Writes many files with high entropy 21->188 36 DU9aZfxw1xhKC4ykOgcxwHTl.exe 21->36         started        41 AdivwWrpQRED15lxH0DgRVgj.exe 21->41         started        43 BXuFYgf6xs2uEKGHPQsSTe25.exe 23 21->43         started        47 14 other processes 21->47 45 conhost.exe 26->45         started        190 Antivirus detection for dropped file 28->190 192 Multi AV Scanner detection for dropped file 28->192 194 Machine Learning detection for dropped file 28->194 file7 signatures8 process9 dnsIp10 130 87.240.137.164 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 36->130 132 95.142.206.0 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 36->132 140 15 other IPs or domains 36->140 100 C:\Users\...\ohQpGh89_DKtYLyMVbmJ3Rtn.exe, PE32+ 36->100 dropped 102 C:\Users\...\oImNnZUwq_S8lQXQ3JQ8PWfa.exe, PE32 36->102 dropped 104 C:\Users\...\mVd8JjiAeizZqfVE2Y07H3YG.exe, PE32 36->104 dropped 110 20 other malicious files 36->110 dropped 162 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 36->162 164 Query firmware table information (likely to detect VMs) 36->164 166 Creates HTML files with .exe extension (expired dropper behavior) 36->166 180 5 other signatures 36->180 112 2 other malicious files 41->112 dropped 168 Writes many files with high entropy 41->168 49 Install.exe 41->49         started        134 149.154.167.99 TELEGRAMRU United Kingdom 43->134 136 167.235.143.166 ALBERTSONSUS United States 43->136 114 11 other files (9 malicious) 43->114 dropped 170 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 43->170 172 Tries to harvest and steal browser information (history, passwords, etc) 43->172 138 107.167.110.218 OPERASOFTWAREUS United States 47->138 142 3 other IPs or domains 47->142 106 Opera_installer_2311211413039667704.dll, PE32 47->106 dropped 108 Opera_installer_2311211412517277356.dll, PE32 47->108 dropped 116 11 other malicious files 47->116 dropped 174 Tries to detect sandboxes and other dynamic analysis tools (window names) 47->174 176 Modifies the hosts file 47->176 178 Adds a directory exclusion to Windows Defender 47->178 52 r1O81gOTKkD0PfSdUigHGcl2.exe 47->52         started        54 r1O81gOTKkD0PfSdUigHGcl2.exe 47->54         started        56 r1O81gOTKkD0PfSdUigHGcl2.exe 47->56         started        58 2 other processes 47->58 file11 signatures12 process13 file14 88 C:\Users\user\AppData\Local\...\Install.exe, PE32 49->88 dropped 60 Install.exe 49->60         started        90 Opera_installer_2311211412344515864.dll, PE32 52->90 dropped 64 r1O81gOTKkD0PfSdUigHGcl2.exe 52->64         started        92 Opera_installer_2311211412307813128.dll, PE32 54->92 dropped 94 Opera_installer_2311211412316924080.dll, PE32 56->94 dropped 96 Opera_installer_2311211412549847716.dll, PE32 58->96 dropped 98 C:\Users\user\AppData\Local\...\Install.exe, PE32 58->98 dropped process15 file16 126 C:\Users\user\AppData\Local\...\flBIeyQ.exe, PE32 60->126 dropped 202 Uses schtasks.exe or at.exe to add and modify task schedules 60->202 204 Modifies Windows Defender protection settings 60->204 206 Adds extensions / path to Windows Defender exclusion list 60->206 66 forfiles.exe 60->66         started        69 forfiles.exe 60->69         started        71 schtasks.exe 60->71         started        128 Opera_installer_2311211412373835848.dll, PE32 64->128 dropped signatures17 process18 signatures19 158 Modifies Windows Defender protection settings 66->158 160 Adds extensions / path to Windows Defender exclusion list 66->160 73 cmd.exe 66->73         started        76 conhost.exe 66->76         started        78 cmd.exe 69->78         started        80 conhost.exe 69->80         started        82 conhost.exe 71->82         started        process20 signatures21 196 Uses cmd line tools excessively to alter registry or file data 73->196 84 reg.exe 73->84         started        86 reg.exe 78->86         started        process22
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/217265f9279820005c1037dd06668169a841230842ddd53961122066d9fb6786
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/217265f9279820005c1037dd06668169a841230842ddd53961122066d9fb6786/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-11-21 14:11:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
18 of 23 (78.26%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=efzgl6jhtaqaaxaqg7oqmzubngueciyiilo5kolbciqgnwp3m6da._file
Verdict:
malicious
Similar samples:
978708f8b2ce3fda82c9376420dc023396ee686d43962675dda5f18b3b749753
PrivateLoader
a46064ad322eb51e7b32acbaf537aa504e504e9f1d8c260fd8bac07f9c46b1c1
PrivateLoader
e26a36702257f07a25adc0e5b1a3ceeabcbcb18b63c8d83c0ccb988f848e4a08
PrivateLoader
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:privateloader family:xmrig discovery dropper evasion loader miner persistence spyware stealer themida trojan upx
Link:
https://tria.ge/reports/231121-rhaz8afa36/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Themida packer
UPX packed file
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies boot configuration data using bcdedit
XMRig Miner payload
Glupteba
Glupteba payload
PrivateLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Windows security bypass
xmrig
Unpacked files
SH256 hash:
552cffdb6e4b1859854582d6564ecf498554fe2ebaeb4ab809cb845d1fd2ec9a
MD5 hash:
945a5783dbd8272f052095a14b3d4988
SHA1 hash:
b831fe3c2ac99e259fbc0da37b7e792d9daf6406
Link:
https://www.unpac.me/results/a45fd406-b330-428f-963d-59135c494021/
SH256 hash:
217265f9279820005c1037dd06668169a841230842ddd53961122066d9fb6786
MD5 hash:
db05c4ddd1c651561ce6b89e99a332f6
SHA1 hash:
e92017c7673b82ef1c64c60a19e09307b902e73a
Link:
https://www.unpac.me/results/a45fd406-b330-428f-963d-59135c494021/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/217265f92798/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/217265f9279820005c1037dd06668169a841230842ddd53961122066d9fb6786

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PrivateLoader

Executable exe 217265f9279820005c1037dd06668169a841230842ddd53961122066d9fb6786

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/459551/

Comments