MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b21a42824ae2bda24f29a05bb973d5edd721a398fedc0812bab408fec73a379. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	6b21a42824ae2bda24f29a05bb973d5edd721a398fedc0812bab408fec73a379
SHA3-384 hash:	2a28a0400a232b70ba23c77ea931b11382a80e49113b40d03c901498c2d896d6153f82c5c11939d7f23b346d721025c2
SHA1 hash:	0bdbfc683acd5512c356fefad998ee9ba9276e97
MD5 hash:	5ddf3627e4653db4f2f8d2fd9c0afc97
humanhash:	rugby-apart-pip-artist
File name:	file
Download:	download sample
File size:	5'326'848 bytes
First seen:	2022-10-18 17:09:09 UTC
Last seen:	2022-10-19 09:12:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep	98304:DLAeiIcgOVV7aqMwX3yhK0UKBoZVSNdsz:PAefcgoZayXimHv
Threatray	43 similar samples on MalwareBazaar
TLSH	T105363353D9B89216EE0ACDA9D5D28218713370997CD6DC879083F066DFC4FAD6C029AE
TrID	64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12) 25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.8% (.EXE) OS/2 Executable (generic) (2029/13) 1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	andretavare5
Tags:	exe

andretavare5

Sample downloaded from http://185.216.71.144/ed2fa/d2777.exe

Intelligence

File Origin

# of uploads :

# of downloads :

285

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/321457/

Detection(s):

SecuriteInfo.com.Heuristic.HEUR.AGEN.1216915.16520.5699.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file in the system32 subdirectories

Creating a file

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Launching a process

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug packed

Link:

https://www.filescan.io/uploads/634eddecfdf6478a15af805b/reports/fdab2f1e-3a54-411a-b308-0cef62e80d14/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/13217165-22d9-4d2e-8cc4-6504c3768e37

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad.spyw

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1092926

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6b21a42824ae2bda24f29a05bb973d5edd721a398fedc0812bab408fec73a379/

Threat name:

Win64.Trojan.Privateloader

Status:

Malicious

First seen:

2022-10-18 17:16:56 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

14 of 26 (53.85%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nmq2ikbevyv5ujhstic3xfz5l3oxegrzr7w4bajlvnai73dtun4q._file

Verdict:

unknown

313f623a348593e28c62e89f2ffec407ef4cc9a92ddaf88b0eb1eb5756e423a9

58e1eecd96750405a47327b00330180e4fc8aae4b0e6f89616d8d3cc9021fc9b

5d72a8ffcefedd15f16a8ac752b0e09fef6d9359c0019fa1627be76581358152

6375c2e53e3dc7c6bfb8a0c0b83f8e3c7490d1067804479e991dfcd2c900ece8

7fa5971fde4364c32e47c5a8e6b189fc214ffd019077f30c14fbfb4e240909e1

8b03872c981e72aa24fd680e3d8f49768341f2c86fdabe51f4e5302c41b194a7

928377073c45f7fb59591af49620d5afc581ce27c4727f7aa77fd23af85b0145

b68aac66f4d1490eef02edd08bd9a7d58ea388f0fe601ace2e3c15cbf4bfe215

d06077790fb260d6c3ed4af601b5322446d2a0621eb8edf14af8438dc2c02a63

+ 33 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

spyware stealer upx

Link:

https://tria.ge/reports/221018-vppczaggen/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Reads user/profile data of web browsers

UPX packed file

Gathering data

Unpacked files

SH256 hash:

40b1e923e7dc84b9a5c01a164f0049d511bac436792a10094824afb27c0d9b1c

MD5 hash:

a28ba90614c832c70a69d3ab47d2e797

SHA1 hash:

9fbe33e54b2f6176d95be5b752c5ebbefc9cd2c9

Link:

https://www.unpac.me/results/e535fb67-7d72-4a41-966d-a9d534151478/

SH256 hash:

6b21a42824ae2bda24f29a05bb973d5edd721a398fedc0812bab408fec73a379

MD5 hash:

5ddf3627e4653db4f2f8d2fd9c0afc97

SHA1 hash:

0bdbfc683acd5512c356fefad998ee9ba9276e97

Link:

https://www.unpac.me/results/e535fb67-7d72-4a41-966d-a9d534151478/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6b21a42824ae2bda24f29a05bb973d5edd721a398fedc0812bab408fec73a379

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/321457/

URLhaus

https://urlhaus.abuse.ch/url/2377114/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample