MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2bf5be8c9b5e84d6eef09d6de968796a277ead7885cd96855f7637ddba987288. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PrivateLoader

Vendor detections: 11

SHA256 hash: 2bf5be8c9b5e84d6eef09d6de968796a277ead7885cd96855f7637ddba987288
SHA3-384 hash: 4399f5d8ed21db7e2ae62b74ee6eb7585c863c8a461887f30cd040c702d2babcc8335adc9cb97e9ff34191653587b448
SHA1 hash: f9252a5702dbbffc82f9b6d9f133cdc2d1a91355
MD5 hash: 50e028cead5a613978c91ced2d48c6c8
humanhash: lithium-london-sweet-bulldog
File name: 50e028cead5a613978c91ced2d48c6c8.exe
Signature: PrivateLoader
File size: 410'112 bytes
First seen: 2022-09-06 00:10:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9734ba8626408cec04bb8fa7d8bb6e83 (4 x PrivateLoader, 3 x GCleaner, 2 x RedLineStealer)
ssdeep: 6144:Nv0kF315GTFcbCW+Tnc5tjhAUcGIx0qa0Hv0CA02d0OyQR1N4GVU6M8qdS2vnTtz:Nv0a1j2Wj51lcK53U6CdSc2DLw
TLSH: T1FF945B35E601B027F4E20071D41D97FAA4286B30639548EFF7D85E6AABB66C2D334B17
TrID: 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
      6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: abuse_ch
Tags: exe PrivateLoader


abuse_ch
PrivateLoader C2:
49.12.190.6:40909

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                ThreatFox Reference
49.12.190.6:40909  https://threatfox.abuse.ch/ioc/848031/

Intelligence


File Origin
# of uploads: 1
# of downloads: 363
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 50e028cead5a613978c91ced2d48c6c8.exe
Verdict: No threats detected
Analysis date: 2022-09-06 00:13:20 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:

Behaviour
DNS request
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: fingerprint greyware setupapi.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: Nymaim, Panda Stealer, Phoenix Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected Panda Stealer
Yara detected Phoenix Stealer
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph: ID 697847; Sample: d4fRfxjqgN.exe; Startdate: 06/09/2022; Architecture: WINDOWS; Score: 100
The rendered graph image is not reproducible as text; its nodes and edges are listed below as a process tree.

Root (sample start)
  Network: 208.67.104.97 GRAYSON-COLLIN-COMMUNICATIONSUS United States
  Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 18 other signatures
  Started: d4fRfxjqgN.exe; PowerControl_Svc.exe; PowerControl_Svc.exe

d4fRfxjqgN.exe
  Network: 149.154.167.99 TELEGRAMRU United Kingdom; 212.193.30.115 SPD-NETTR Russian Federation; 4 other IPs or domains
  Dropped: C:\Users\...\sVAhKIxM2E1UDc5himC7zp9A.exe (PE32); C:\Users\user\AppData\Local\...\WW14[1].exe (PE32); C:\...\PowerControl_Svc.exe (PE32); C:\...\PowerControl_Svc.exe:Zone.Identifier (ASCII)
  Signatures: Drops PE files to the document folder of the user; Uses schtasks.exe or at.exe to add and modify task schedules
  Started: sVAhKIxM2E1UDc5himC7zp9A.exe; schtasks.exe (-> conhost.exe); schtasks.exe (-> conhost.exe)

PowerControl_Svc.exe (first instance)
  Dropped: C:\Users\...\ytcMHSTeSr4YAxAmVB6gYfe0.exe (PE32); C:\Users\user\AppData\Local\...\WW14[1].exe (PE32)
  Started: ytcMHSTeSr4YAxAmVB6gYfe0.exe; schtasks.exe (-> conhost.exe); schtasks.exe (-> conhost.exe)

PowerControl_Svc.exe (second instance)
  Network: 104.26.5.15 CLOUDFLARENETUS United States; 172.67.75.166 CLOUDFLARENETUS United States; 192.168.2.1 unknown unknown
  Dropped: C:\Users\...\m9QbiS6smly2U1_05MPRMQ5t.exe (PE32)
  Started: m9QbiS6smly2U1_05MPRMQ5t.exe; schtasks.exe (-> conhost.exe); schtasks.exe (-> conhost.exe)

sVAhKIxM2E1UDc5himC7zp9A.exe
  Network: 87.240.129.133 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation; 95.142.206.0 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation; 11 other IPs or domains
  Dropped: C:\Users\...\w7o4jBCzsb_vVo6o71dE0HUf.exe (PE32); C:\Users\...\sVihhDDeY5PaAaiC9sUR6fFy.exe (PE32); C:\Users\...\XwVoZlnS4b4OnznmdRTHZdmz.exe (PE32); 17 other files (6 malicious)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Disable Windows Defender real time protection (registry)
  Started: w7o4jBCzsb_vVo6o71dE0HUf.exe; 12 other processes

ytcMHSTeSr4YAxAmVB6gYfe0.exe
  Network: 87.240.132.78 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation; 104.26.2.25 CLOUDFLARENETUS United States; 4 other IPs or domains
  Dropped: C:\Users\...\ZLSyegCZdk9QHPc5mChLzr9d.exe (PE32); C:\Users\...\2mOLMG36Lr_BO8Zl5iUQA5tW.exe (PE32); C:\Users\...\1US9_b3WdD8oJ5TaJlk0WLsy.exe (PE32); 17 other files (6 malicious)
  Started: 2 other processes

m9QbiS6smly2U1_05MPRMQ5t.exe
  Signatures: Tries to harvest and steal browser information (history, passwords, etc)

w7o4jBCzsb_vVo6o71dE0HUf.exe
  Signatures: Checks if the current machine is a virtual machine (disk enumeration)

12 other processes (children of sVAhKIxM2E1UDc5himC7zp9A.exe)
  Dropped: C:\Users\user\AppData\Local\...\l6TU146d.cpl (PE32); C:\Users\user\AppData\Local\...\Install.exe (PE32)
  Started: conhost.exe; conhost.exe
Threat name: Win32.Trojan.RedLine
Status: Malicious
First seen: 2022-09-04 15:01:49 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 23 of 25 (92.00%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: smokeloader
Score: 10/10
Tags: family:nymaim family:privateloader family:redline family:smokeloader botnet:clients botnet:nam8 backdoor discovery evasion infostealer loader main persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Enumerates processes with tasklist
Enumerates system info in registry
Gathers network information
Kills process with taskkill
Modifies registry key
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Detects Smokeloader packer
Modifies Windows Defender Real-time Protection settings
NyMaim
PrivateLoader
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
http://163.123.143.4/proxies.txt
http://107.182.129.251/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
163.123.143.12
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
103.89.90.61:34589
18.130.38.218:42474
Dropper Extraction:
http://microsoftdownload.ddns.net:8808/downloader/WinSecurityUpdate
Unpacked files
SHA256 hash: 2bf5be8c9b5e84d6eef09d6de968796a277ead7885cd96855f7637ddba987288
MD5 hash: 50e028cead5a613978c91ced2d48c6c8
SHA1 hash: f9252a5702dbbffc82f9b6d9f133cdc2d1a91355
Detections: win_privateloader_w0
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: MALWARE_Win_DLInjector06
Author: ditekSHen
Description: Detects downloader / injector

Rule name: privateloader
Author: andretavare5
Description: PrivateLoader pay-per-install malware

Rule name: win_privateloader_w0
Author: andretavare5
Reference: https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments