MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48d531158fd3462c5760296fb78d808f103d7a619ee5a8e6200163d7aaf78de0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PrivateLoader

Vendor detections: 11
SHA256 hash: 48d531158fd3462c5760296fb78d808f103d7a619ee5a8e6200163d7aaf78de0
SHA3-384 hash: b1a20405ff01dd612114dd0a5f04e0c800fdfcec510be9609be07ac08f818fb01b6123f49512d54e53e95c3bb78454df
SHA1 hash: 299d6679158b7a705b5e9043aea08703570f8daa
MD5 hash: 358e055b5c145bcce4d12806fff67639
humanhash: mobile-fillet-alaska-orange
File name: 48d531158fd3462c5760296fb78d808f103d7a619ee5a8e6200163d7aaf78de0
Signature: PrivateLoader
File size: 2'828'304 bytes
First seen: 2022-09-02 11:41:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash a00837800ad7e54f9c0c0103e7562cb2 (2 x RedLineStealer, 2 x PrivateLoader)
ssdeep 49152:Af8a5Xoq179LsBTR4vmYsDh8vTDNAbDrOuqbw+J7nXVnGNDowA9dhbEGKz:Af8a5T9WyXR8Guql7nXNGZoXVVKz
TLSH T13ED53332B5A05F9AC17982715835B8C78B66B539CFAE5359B14F23684E3021C5F3F2B2
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4505/5/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
dhash icon 98ecfadcdcb0b2e6 (2 x RedLineStealer, 1 x RaccoonStealer, 1 x PrivateLoader)
Reporter JAMESWT_WT
Tags: exe PrivateLoader

Intelligence

File Origin
# of uploads: 1
# of downloads: 303
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for analyzing tools
Searching for the window
Creating a file in the Windows subdirectories
Creating synchronization primitives
Modifying a system file
DNS request
Sending a custom TCP request
Replacing files
Reading critical registry keys
Sending an HTTP POST request
Launching a service
Launching a process
Creating a file
Sending an HTTP GET request
Sending a UDP request
Forced system process termination
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Blocking the Windows Defender launch
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Clipboard Hijacker, ManusCrypt, Nymaim
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sets debug register (to hijack the execution of another thread)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Clipboard Hijacker
Yara detected Generic Downloader
Yara detected ManusCrypt
Yara detected Nymaim
Yara detected PrivateLoader
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Behaviour
Behavior Graph: Behavior Graph ID 696535, sample BLAoQPacf8.exe, start date 02/09/2022, architecture WINDOWS, score 100 (rendered process/network graph not reproduced here)
Threat name: Win32.Backdoor.Zapchast
Status: Malicious
First seen: 2022-08-26 22:04:46 UTC
File Type: PE (Exe)
Extracted files: 9
AV detection: 27 of 40 (67.50%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:nymaim family:privateloader family:raccoon family:redline botnet:3108_ruzki botnet:8a83f2689674308992d5090432708aae botnet:ad82482251879b6e89002f532531462a discovery evasion infostealer loader spyware stealer themida trojan vmprotect
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Unexpected DNS network traffic destination
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
NyMaim
PrivateLoader
Process spawned unexpected child process
Raccoon
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://163.123.143.4/proxies.txt
http://107.182.129.251/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
163.123.143.12
http://89.185.85.53/
213.219.247.199:9452
http://174.138.15.216/
Unpacked files
SHA256 hash: 3c71f6ae6bcdce3b4299629bf2dabe02bbe30b28835d25dc76afc9dd23d852f1
MD5 hash: dd3e13f6b78d67496b193e52d30546d2
SHA1 hash: 13d3a16d51f361c2849af105daf289d7a0aa4e12
Detections: win_privateloader_a0 win_privateloader_w0
SHA256 hash: 48d531158fd3462c5760296fb78d808f103d7a619ee5a8e6200163d7aaf78de0
MD5 hash: 358e055b5c145bcce4d12806fff67639
SHA1 hash: 299d6679158b7a705b5e9043aea08703570f8daa
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_Themida
Author: ditekSHen
Description: Detects executables packed with Themida
