MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6aa0d341cee633c2783960687c79d951bf270924df527ac4a99b6bfabf28d4ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PrivateLoader

Vendor detections: 17



SHA256 hash: 6aa0d341cee633c2783960687c79d951bf270924df527ac4a99b6bfabf28d4ae
SHA3-384 hash: 3de4774b64a12e05e3a50dff88921435075732852957ded852cb86368b31db25bf648c5c6197dea290d708292e7fb5e4
SHA1 hash: d7c345b12e55778385d406ad8c12457f3ce3355d
MD5 hash: db11b0f4fce0a897a83b9d733ebc104d
humanhash: maine-shade-massachusetts-foxtrot
File name: 6AA0D341CEE633C2783960687C79D951BF270924DF527.exe
Signature: PrivateLoader
File size: 6'220'895 bytes
First seen: 2022-09-13 09:55:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:xCCvLUBsgY78h5YKpxbJ3ZRvG40QYLu9ygnOnLvgEEc3a+Vr85:xzLUCgYO5YKB3ZJYLucgnOTggB85
TLSH T197563310FEF1C0FAE8614430A958B7FDEDDC97A10F33C54B9724AA4B667D197A41B882
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags: exe PrivateLoader


abuse_ch
PrivateLoader C2:
45.153.186.222:14478

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
45.153.186.222:14478 https://threatfox.abuse.ch/ioc/849467/
http://82.180.132.54/ https://threatfox.abuse.ch/ioc/849468/
45.153.241.174:18253 https://threatfox.abuse.ch/ioc/849469/
http://88.119.161.159/ https://threatfox.abuse.ch/ioc/849470/

Intelligence


File Origin
# of uploads: 1
# of downloads: 366
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
DNS request
Creating a window
Sending an HTTP GET request
Reading critical registry keys
Launching cmd.exe command interpreter
Query of malicious DNS domain
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
ManusCrypt, Nymaim, RedLine, SmokeLoader
Detection:
malicious
Classification:
spre.troj.expl.evad
Score:
100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: Copy itself to suspicious location via type command
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected ManusCrypt
Yara detected Nymaim
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Yara Genericmalware
Behaviour
Behavior Graph:
Behavior Graph ID: 701989 | Sample: 6AA0D341CEE633C2783960687C7... | Startdate: 13/09/2022 | Architecture: WINDOWS | Score: 100
Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 23 other signatures
Process tree roots: 6AA0D341CEE633C2783960687C79D951BF270924DF527.exe (drops setup_install.exe, Mon00ff4fc12aa.exe, Mon00f649208d1420.exe and 18 other files, 13 of them malicious), rundll32.exe (injects into svchost.exe), WmiPrvSE.exe
[Behavior graph image and per-node file, IP and domain details not reproduced here]
Threat name:
Win32.Trojan.Redlinestealer
Status:
Malicious
First seen:
2021-10-18 16:45:32 UTC
File Type:
PE (Exe)
Extracted files:
155
AV detection:
23 of 26 (88.46%)
Threat level:
5/5
Verdict:
malicious
Result
Malware family:
Score:
10/10
Tags:
family:djvu family:fabookie family:onlylogger family:privateloader family:redline family:smokeloader family:socelars family:vidar botnet:5 botnet:916 botnet:ani botnet:media17 botnet:nam6.2 aspackv2 backdoor discovery evasion infostealer loader main ransomware spyware stealer trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
OnlyLogger payload
Vidar Stealer
Detect Fabookie payload
Detects Smokeloader packer
Djvu Ransomware
Fabookie
Modifies Windows Defender Real-time Protection settings
OnlyLogger
PrivateLoader
Process spawned unexpected child process
RedLine
RedLine payload
SmokeLoader
Socelars
Socelars payload
Vidar
Malware Config
C2 Extraction:
Unpacked files
Malware family:
SmokeLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_Arechclient2
Author:ditekSHen
Description:Detects Arechclient2 RAT
Rule name:MALWARE_Win_DLInjector06
Author:ditekSHen
Description:Detects downloader / injector
Rule name:MALWARE_Win_OnlyLogger
Author:ditekSHen
Description:Detects OnlyLogger loader variants
Rule name:MALWARE_Win_RedLine
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Rule name:privateloader
Author:andretavare5
Description:PrivateLoader pay-per-install malware
Rule name:Privateloader_Main_Component
Description:Detects PrivateLoader Main Component
Rule name:RansomwareTest3
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RedLine_b
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_stealer
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_Mozilla
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:win_privateloader
Rule name:win_privateloader_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.privateloader.
Rule name:win_privateloader_w0
Author:andretavare5
Reference:https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service
