MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32ac0624a534a2c40fb8eba41e80bb1d31b99cd118d42208c89229079699f783. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PrivateLoader


Vendor detections: 18


Intelligence 18 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 32ac0624a534a2c40fb8eba41e80bb1d31b99cd118d42208c89229079699f783
SHA3-384 hash: 8f4b7dc9f1fcdd34554995accbd8698ec26cfec04f2540d79b546fee9484e2b9b48414961c1a81be952e2f8170b8571d
SHA1 hash: 6d0cf1d6aadd77bf16251551f1a00a76fca395e9
MD5 hash: df36b8a03f1c4100ccea6a79116c1bda
humanhash: football-saturn-cat-avocado
File name:32AC0624A534A2C40FB8EBA41E80BB1D31B99CD118D42.exe
Download: download sample
Signature PrivateLoader
Create hunting rule
File size:3'499'573 bytes
First seen:2023-03-27 07:15:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 98304:Ubjn1zQyFximOATdA8xd4svk3upL/ZWt/LcMJ:UPnVxHOATdA8YsvkuLBics
TLSH T1DFF533417A8196B1D53A1D354A756B11983DBC200F34CBDF63F4266D9A3A1C2EF32BA3
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:exe PrivateLoader


Avatar
abuse_ch
PrivateLoader C2:
193.233.20.33:4125

Intelligence

File Origin
# of uploads :
1
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
32AC0624A534A2C40FB8EBA41E80BB1D31B99CD118D42.exe
Verdict:
Malicious activity
Analysis date:
2023-03-27 07:16:49 UTC
Tags:
evasion loader smoke trojan socelars stealer rat redline miner tofsee opendir amadey
Link:
https://app.any.run/tasks/6ff4ad06-a545-4081-9394-ca6eb4426f0f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/377754/
Detection(s):
Win.Malware.Generic-9874384-0
Create hunting rule

Win.Malware.Chapak-9878126-0
Create hunting rule

Win.Malware.Chapak-9879189-0
Create hunting rule

Win.Malware.Nymeria-9879208-0
Create hunting rule

Win.Malware.Chapak-9879386-0
Create hunting rule

Win.Malware.Chapak-9879387-0
Create hunting rule

Win.Malware.Chapak-9879388-0
Create hunting rule

Win.Malware.SmokeLoader-9879409-1
Create hunting rule

Win.Malware.Chapak-9880885-0
Create hunting rule

Win.Malware.Chapak-9880894-0
Create hunting rule

Win.Malware.Passteal-9882272-0
Create hunting rule

Win.Malware.Passteal-9882333-0
Create hunting rule

Win.Malware.Chapak-9883695-0
Create hunting rule

Win.Malware.SmokeLoader-9883696-1
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Launching a process
Creating a file in the %temp% subdirectories
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Searching for the browser window
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Changing a file
Reading critical registry keys
Sending a UDP request
Possible injection to a system process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Launching a tool to kill processes
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/75142/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker cmd.exe exploit explorer.exe fingerprint fingerprint greyware makop overlay packed packed setupapi.dll shdocvw.dll shell32.dll spybanker vidar
Link:
https://www.filescan.io/uploads/642142b423f92296f1f0caf6/reports/3f4313bf-e5ff-4588-9d3d-660aa0ecfc2f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/32ac0624a534a2c40fb8eba41e80bb1d31b99cd118d42208c89229079699f783
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/100a66d0-c761-4d80-8d60-afa2ae7f75f6
Result
Threat name:
FFDroider, ManusCrypt, Nitol, PrivateLoa
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1202470
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample is protected by VMProtect
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic
Suspicious execution chain found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected FFDroider
Yara detected Generic Downloader
Yara detected ManusCrypt
Yara detected Nitol
Yara detected PrivateLoader
Yara detected SmokeLoader
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 835373 Sample: 32AC0624A534A2C40FB8EBA41E8... Startdate: 27/03/2023 Architecture: WINDOWS Score: 100 130 Snort IDS alert for network traffic 2->130 132 Malicious sample detected (through community Yara rule) 2->132 134 Antivirus detection for URL or domain 2->134 136 19 other signatures 2->136 8 32AC0624A534A2C40FB8EBA41E80BB1D31B99CD118D42.exe 1 27 2->8         started        11 rundll32.exe 2->11         started        13 svchost.exe 2->13         started        16 8 other processes 2->16 process3 file4 80 C:\Users\user\Desktop\pub2.exe, PE32 8->80 dropped 82 C:\Users\user\Desktop\jg3_3uag.exe, PE32 8->82 dropped 84 C:\Users\user\Desktop\KRSetp.exe, PE32 8->84 dropped 86 4 other malicious files 8->86 dropped 18 Info.exe 8->18         started        23 pub2.exe 8->23         started        25 Files.exe 10 8->25         started        29 5 other processes 8->29 27 rundll32.exe 11->27         started        166 System process connects to network (likely due to code injection or exploit) 13->166 168 Query firmware table information (likely to detect VMs) 16->168 170 Changes security center settings (notifications, updates, antivirus, firewall) 16->170 signatures5 process6 dnsIp7 88 212.193.30.115 SPD-NETTR Russian Federation 18->88 90 136.144.41.201 WORLDSTREAMNL Netherlands 18->90 96 17 other IPs or domains 18->96 66 C:\Users\...\wYRgKkJwaLEV45ybgMzP7fSi.exe, PE32 18->66 dropped 68 C:\Users\...\tTqfgVlG3Sp8D3PdDraUWIbE.exe, PE32 18->68 dropped 70 C:\Users\...\peQUQ7NsyIzC7RMz23xRKggY.exe, PE32 18->70 dropped 78 19 other malicious files 18->78 dropped 138 Multi AV Scanner detection for dropped file 18->138 140 Drops PE files to the document folder of the user 18->140 142 Creates HTML files with .exe extension (expired dropper behavior) 18->142 144 Disable Windows Defender real time protection (registry) 18->144 72 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 23->72 dropped 146 DLL reload attack detected 23->146 148 Detected unpacking (changes PE section rights) 23->148 162 3 other signatures 23->162 31 explorer.exe 23->31 injected 74 C:\Users\user\AppData\Local\Temp\...\File.exe, PE32 25->74 dropped 36 File.exe 25->36         started        150 Writes to foreign memory regions 27->150 152 Allocates memory in foreign processes 27->152 154 Creates a thread in another existing process (thread injection) 27->154 38 svchost.exe 27->38 injected 40 svchost.exe 27->40 injected 50 13 other processes 27->50 92 101.36.107.74, 80 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China 29->92 94 www.listincode.com 103.224.212.220, 443, 49709 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 29->94 98 4 other IPs or domains 29->98 76 C:\Users\user\Documents\...\jg3_3uag.exe, PE32 29->76 dropped 156 Tries to harvest and steal browser information (history, passwords, etc) 29->156 158 Suspicious execution chain found 29->158 160 Creates processes via WMI 29->160 42 Folder.exe 29->42         started        44 chrome.exe 29->44         started        46 WerFault.exe 29->46         started        48 conhost.exe 29->48         started        file8 signatures9 process10 dnsIp11 102 172.104.187.4 LINODE-APLinodeLLCUS United States 31->102 104 199.115.116.43 LEASEWEB-USA-WDCUS United States 31->104 106 188.114.97.7 CLOUDFLARENETUS European Union 31->106 58 C:\Users\user\AppData\Roaming\dgghrii, PE32 31->58 dropped 116 System process connects to network (likely due to code injection or exploit) 31->116 118 Benign windows process drops PE files 31->118 120 Hides that the sample has been downloaded from the Internet (zone.identifier) 31->120 108 newja.webtm.ru 36->108 122 Antivirus detection for dropped file 36->122 124 Multi AV Scanner detection for dropped file 36->124 126 Sets debug register (to hijack the execution of another thread) 38->126 128 Modifies the context of a thread in another process (thread injection) 38->128 52 svchost.exe 38->52         started        60 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 42->60 dropped 62 C:\...\api-ms-win-core-string-l1-1-0.dll, PE32 42->62 dropped 64 C:\...\api-ms-win-core-namedpipe-l1-1-0.dll, PE32 42->64 dropped 56 conhost.exe 42->56         started        110 iplogger.org 148.251.234.83, 443, 49703, 49706 HETZNER-ASDE Germany 44->110 114 5 other IPs or domains 44->114 112 13.89.179.12 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 46->112 file12 signatures13 process14 dnsIp15 100 google.vrthcobj.com 185.116.193.219 HOSTER-KZ Kazakhstan 52->100 164 Query firmware table information (likely to detect VMs) 52->164 signatures16
Detection:
tofsee
Create hunting rule
Link:
https://mwdb.cert.pl/sample/32ac0624a534a2c40fb8eba41e80bb1d31b99cd118d42208c89229079699f783/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2023-03-22 22:56:00 UTC
File Type:
PE (Exe)
Extracted files:
141
AV detection:
27 of 37 (72.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gkwamjffgsrmid5y5osb5af3duy3thgrddkcecgisiuqpfuz66bq._file
Verdict:
malicious
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:ffdroider family:privateloader family:smokeloader family:socelars botnet:pub2 backdoor discovery evasion loader spyware stealer trojan vmprotect
Link:
https://tria.ge/reports/230327-h3sw4acc29/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
AutoIT Executable
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Drops Chrome extension
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
VMProtect packed file
FFDroider
Modifies Windows Defender Real-time Protection settings
PrivateLoader
Process spawned unexpected child process
SmokeLoader
Socelars
Socelars payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.wygexde.xyz/
http://101.36.107.74
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
Unpacked files
SH256 hash:
8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash:
559948db5816ae7ab26eb2eb533887ed
SHA1 hash:
e60442c6fb35239d298b01b0f4558264c01b2e7f
Link:
https://www.unpac.me/results/68f5fb07-ddda-41b9-aec0-7fc45703b9e1/
SH256 hash:
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash:
1c7be730bdc4833afb7117d48c3fd513
SHA1 hash:
dc7e38cfe2ae4a117922306aead5a7544af646b8
Link:
https://www.unpac.me/results/68f5fb07-ddda-41b9-aec0-7fc45703b9e1/
SH256 hash:
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash:
ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash:
249ff902f66c3d0cee6656802b14a9c34807bc8f
Link:
https://www.unpac.me/results/68f5fb07-ddda-41b9-aec0-7fc45703b9e1/
SH256 hash:
67cdc7c5de5e46229adc831dc6fd3053d996ecf02e94706b6b6ae1b0ed976f2c
MD5 hash:
555b5b60b2dcc53e71e6d9ba8302c4b9
SHA1 hash:
550326b1226629a867d4606ad0c98c4ef9596b47
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/68f5fb07-ddda-41b9-aec0-7fc45703b9e1/
Parent samples :
e47bfa7b58706edeeaf73664039c10cb1ff7a517d833c0b28751b835bdc68cf7
32ac0624a534a2c40fb8eba41e80bb1d31b99cd118d42208c89229079699f783
SH256 hash:
fa8e9649c3ea2415dd1da245b280766263f1344fe8a980944e30fdd4e159bf33
MD5 hash:
155ba44ad55ed22b1b377b42b1928ff6
SHA1 hash:
c5432f0bbb9e6703b8dc490132975c02ba77b203
Link:
https://www.unpac.me/results/68f5fb07-ddda-41b9-aec0-7fc45703b9e1/
SH256 hash:
f78cafdf504a8dbc642063f10fad6604919bebbb457621acf9fd12cd9cb8a8d2
MD5 hash:
546ec8e29b9563c6b5f31ebda05dab92
SHA1 hash:
b21d335a6e4468dc57eb3a4368019788b1b4489b
Link:
https://www.unpac.me/results/68f5fb07-ddda-41b9-aec0-7fc45703b9e1/
SH256 hash:
ef741c122ea840d444c718852b75da0b27f202e1d8bc0d08fb2227c7d3065ab4
MD5 hash:
b6e0ef10bbdbfc8646c9ffe5e079aa5c
SHA1 hash:
01ec8b37b9a82f31aebe54decf0e926640d302c2
Link:
https://www.unpac.me/results/68f5fb07-ddda-41b9-aec0-7fc45703b9e1/
SH256 hash:
afe1dfcef13db3a1a1cb7e489ea77802bc86bdc77c145137d81dc9f87e098961
MD5 hash:
d8113ea00aa9597d6721f4f04c9fb66b
SHA1 hash:
c8d7c74137682483591c7627430ce1dacbfc229d
Detections:
Socelars
Create hunting rule
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/68f5fb07-ddda-41b9-aec0-7fc45703b9e1/
SH256 hash:
62ffe88c2050546dab366779ec105d53459038da569729d272093508f9db466c
MD5 hash:
279aa2f85e1ccf5181925f30bfdca742
SHA1 hash:
db5b53db21c7ea00cc6480307271d9339d710c8e
Link:
https://www.unpac.me/results/68f5fb07-ddda-41b9-aec0-7fc45703b9e1/
SH256 hash:
4e9ea1036ad2e8e9f5d1b3d04d167805c3c3ca9202b68cba111eb4693282e7ec
MD5 hash:
935747fce21503c654bf083301d43d4f
SHA1 hash:
9b97353951e664486b2968a35e50b6290ffb65e6
Detections:
win_ffdroider_w0
Create hunting rule
Link:
https://www.unpac.me/results/68f5fb07-ddda-41b9-aec0-7fc45703b9e1/
SH256 hash:
716cdff79650c6fe3fafddaf256252e5de218cf94309c30a85502643706fb0db
MD5 hash:
34bfd87bf8ccd2c70d815c5dc41c612b
SHA1 hash:
983cc2eba0b4a77d9b9870e247d36993d4a7c4d3
Link:
https://www.unpac.me/results/68f5fb07-ddda-41b9-aec0-7fc45703b9e1/
SH256 hash:
5a33ca0ea2e764698514d8817d5c38cb3b256c920b9d358571fecb47078034e9
MD5 hash:
db5fe930d4e9c0eedb0c4d7392b52e90
SHA1 hash:
8bac95b5cd96bb5bb824962c0e2a55efb5d57460
Link:
https://www.unpac.me/results/68f5fb07-ddda-41b9-aec0-7fc45703b9e1/
SH256 hash:
74f68ed10c950ff1a3f3aeddfd7f3f2be37c6ed0bcd7e9f383d5d7c438a44539
MD5 hash:
246a10a8e63bd504ec91f8d9b821ac22
SHA1 hash:
d4a719854f48dad434c7f11af8f45c5a1a1bec46
Detections:
PrivateLoader
Create hunting rule
win_privateloader_w0
Create hunting rule
win_privateloader_auto
Create hunting rule
win_privateloader_a0
Create hunting rule
Link:
https://www.unpac.me/results/68f5fb07-ddda-41b9-aec0-7fc45703b9e1/
SH256 hash:
32ac0624a534a2c40fb8eba41e80bb1d31b99cd118d42208c89229079699f783
MD5 hash:
df36b8a03f1c4100ccea6a79116c1bda
SHA1 hash:
6d0cf1d6aadd77bf16251551f1a00a76fca395e9
Link:
https://www.unpac.me/results/68f5fb07-ddda-41b9-aec0-7fc45703b9e1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/32ac0624a534a2c40fb8eba41e80bb1d31b99cd118d42208c89229079699f783

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_Chebka
Create hunting rule
Author:ditekSHen
Description:Detects Chebka
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Windows_Trojan_Generic_a681f24a
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/377754/

Comments