MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42b10f1ff71839a9882ae5ac43aa18bb3e98319bc80a1db1162131353fc6e7d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PrivateLoader


Vendor detections: 13



SHA256 hash: 42b10f1ff71839a9882ae5ac43aa18bb3e98319bc80a1db1162131353fc6e7d0
SHA3-384 hash: 945fe8485f6c957331d034a229b0ce8c910f363ca12fafaeb73e940f79f559e27f00111c6e2728f5daf3bd688c3387d7
SHA1 hash: e0be294997e37bd703fab948f0ede9f3ab9ec1b1
MD5 hash: 00128af5dec98d72bb68e7bcd14cf614
humanhash: nineteen-october-illinois-yellow
File name: 42b10f1ff71839a9882ae5ac43aa18bb3e98319bc80a1db1162131353fc6e7d0
Signature PrivateLoader
File size: 2'556'944 bytes
First seen: 2022-09-02 11:41:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f8f2e00d999086252b5800628a1de68c (2 x PrivateLoader)
ssdeep 49152:6Qo/qgSfVFQgBB9qJszGMasq4JkgM9MydGyBYsia/CrgL:Cq5fDvqJsz1pqrjsyvia/Ce
TLSH T1F1C53368E6004A53D2894CF0D72FF730ABAA9959DA4801D5F65F2B1C18A7D0D4FE1F8B
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon f4c1c0c0c0c0c102 (1 x PrivateLoader)
Reporter JAMESWT_WT
Tags:exe PrivateLoader

Intelligence


File Origin
# of uploads :
1
# of downloads :
299
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
socelars
ID:
1
File name:
File.zip
Verdict:
Malicious activity
Analysis date:
2022-08-24 20:12:34 UTC
Tags:
evasion trojan socelars stealer loader opendir

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
DNS request
Sending a custom TCP request
Reading critical registry keys
Sending an HTTP POST request
Creating a file
Sending an HTTP GET request
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Creating a file in the %temp% subdirectories
Searching for synchronization primitives
Launching a process
Blocking the Windows Defender launch
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Verdict:
Malicious
Result
Threat name:
Clipboard Hijacker, DarkTortilla, Fabook
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Found C&C like URL pattern
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Clipboard Hijacker
Yara detected DarkTortilla Crypter
Yara detected Fabookie
Yara detected Generic Downloader
Yara detected ManusCrypt
Yara detected Nymaim
Yara detected PrivateLoader
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected YTStealer
Behaviour
Behavior Graph: (interactive graph not reproduced; Behavior Graph ID 696538, sample 9A7cFpND1m.exe, start date 02/09/2022, architecture WINDOWS, score 100)
Threat name:
Win32.Backdoor.Zapchast
Status:
Malicious
First seen:
2022-08-25 04:49:00 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
21 of 26 (80.77%)
Threat level:
5/5
Result
Malware family:
ytstealer
Score:
10/10
Tags:
family:colibri family:nymaim family:privateloader family:raccoon family:redline family:ytstealer botnet:3108_ruzki botnet:8a83f2689674308992d5090432708aae botnet:ad82482251879b6e89002f532531462a botnet:build1 discovery evasion infostealer loader miner persistence spyware stealer themida trojan upx vmprotect
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
VMProtect packed file
Detectes Phoenix Miner Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Colibri Loader
Modifies Windows Defender Real-time Protection settings
NyMaim
PrivateLoader
Process spawned unexpected child process
Raccoon
RedLine
RedLine payload
YTStealer
YTStealer payload
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash:
babdfc78ed936c413391fd2e7dbd41ce1e32b80bc1471e3467ade897a9ae4f06
MD5 hash:
904510aa343a5c1dea8264c41e836453
SHA1 hash:
2db108f72501cee79683962207553a3c1b62ad12
Detections:
win_privateloader_a0 win_privateloader_w0
SHA256 hash:
42b10f1ff71839a9882ae5ac43aa18bb3e98319bc80a1db1162131353fc6e7d0
MD5 hash:
00128af5dec98d72bb68e7bcd14cf614
SHA1 hash:
e0be294997e37bd703fab948f0ede9f3ab9ec1b1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Author:ditekSHen
Description:Detects executables packed with Themida

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments