MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21ce471527c051d26da04e96c2829f450b031767399ea401920ab8b43018e421. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PrivateLoader


Vendor detections: 14



SHA256 hash: 21ce471527c051d26da04e96c2829f450b031767399ea401920ab8b43018e421
SHA3-384 hash: 117d9498e2e57f12b1d3c770593c674f14b80dea8b10aef519d09ef9b3f52869c06ad7348db8bff97f1c0f80866067cf
SHA1 hash: 58f4f9222e359a99e4faa9589d4fdb5dab7e9272
MD5 hash: 154d362591590cd7de1fa3ee1c0e0989
humanhash: tango-mobile-lion-lima
File name: 154d362591590cd7de1fa3ee1c0e0989.exe
Signature PrivateLoader
File size: 5'003'200 bytes
First seen: 2022-09-09 06:55:14 UTC
Last seen: 2022-09-09 07:43:23 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 225327f56d1256bcc0bf99d2ebb0a8f7 (1 x PrivateLoader)
ssdeep 98304:SoQYqKFaaj9oTAsEqMxBEKt/DGOUqd1j1/Isz3epgEf7Q/NBdsr:Pu4wAX90caOUqFIsKpR7IBK
TLSH T1D036233372E66248D4E9DC3AC523BDE936F1933B8683A8B904C97DC139761A1D643B53
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon d9e0329fe6dadae2 (1 x RedLineStealer, 1 x PrivateLoader)
Reporter abuse_ch
Tags: exe PrivateLoader signed

Code Signing Certificate

Organisation: jbl Słuchawki nauszne JBL student's WEEKLY Dybai
Issuer: jbl Słuchawki nauszne JBL student's WEEKLY Dybai
Algorithm: sha1WithRSAEncryption
Valid from: 2022-09-05T14:00:00Z
Valid to: 2032-09-06T14:00:00Z
Serial number: 17117bfe11315e9e43ffab13812dce4a
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 2f65fa8f488fd63d7d78a44d82f61af9d0a2eb0110656d419f86a92254e7b483
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
PrivateLoader C2:
http://167.235.29.244/base/api/getData.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://167.235.29.244/base/api/getData.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/848719/

Intelligence


File Origin
# of uploads: 2
# of downloads: 383
Origin country: n/a
Vendor Threat Intelligence
Malware family:
socelars
ID:
1
File name:
SmsCu7OoyF.exe
Verdict:
Malicious activity
Analysis date:
2022-09-08 16:13:44 UTC
Tags:
evasion trojan socelars stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Creating synchronization primitives
Modifying a system file
DNS request
Replacing files
Sending a custom TCP request
Reading critical registry keys
Sending an HTTP POST request
Launching a service
Launching a process
Creating a file
Sending an HTTP GET request
Sending a UDP request
Forced system process termination
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching the default Windows debugger (dwwin.exe)
Blocking the Windows Defender launch
Query of malicious DNS domain
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
greyware overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Verdict:
Malicious
Result
Threat name:
Djvu, ManusCrypt, Nymaim, PrivateLoader
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Djvu Ransomware
Yara detected Generic Downloader
Yara detected ManusCrypt
Yara detected Nymaim
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph: ID 700134, sample IyAui5XATb.exe, start date 09/09/2022, architecture WINDOWS, score 100 (interactive process and network graph omitted)
Threat name:
Win32.Backdoor.Zapchast
Status:
Malicious
First seen:
2022-09-06 22:05:38 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
17 of 25 (68.00%)
Threat level:
5/5
Verdict:
malicious
Result
Malware family:
raccoon
Score:
10/10
Tags:
family:privateloader family:raccoon botnet:80cbdb8d66d1a00e163a1094a224c8cf loader spyware stealer vmprotect
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
VMProtect packed file
PrivateLoader
Raccoon
Malware Config
C2 Extraction:
http://89.185.85.53/
Unpacked files
SHA256 hash:
21ce471527c051d26da04e96c2829f450b031767399ea401920ab8b43018e421
MD5 hash:
154d362591590cd7de1fa3ee1c0e0989
SHA1 hash:
58f4f9222e359a99e4faa9589d4fdb5dab7e9272
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments