MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a3596ed161aef538caafdb1f3f33c63a45731b3d396ccc3f4bb40924c2395e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PrivateLoader


Vendor detections: 7



SHA256 hash: 7a3596ed161aef538caafdb1f3f33c63a45731b3d396ccc3f4bb40924c2395e0
SHA3-384 hash: a4c4732644c6e7b81a7e42ace1a19e38f77888bcc75d77869a683312dfac49e5ee634d5ef280a6650e263afc24b27a2e
SHA1 hash: 991ad98c04141d10fc376f5f47d6f39218c7de8c
MD5 hash: e1828ff619684f20535726edd51f4751
humanhash: mars-double-eight-may
File name: SecuriteInfo.com.Riskware.Yandex.5580.5774
Signature: PrivateLoader
File size: 362'656 bytes
First seen: 2024-05-09 23:23:00 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8671a3d963861aab61fe1391c7d8536a (2 x PrivateLoader)
ssdeep: 6144:0fp18znPaTavhPvnenut3drPAFl3oAOYk22zVstTtsOkz:0fp18wihPvncK3iYmkXqhsO
Threatray: 2 similar samples on MalwareBazaar
TLSH: T133747B117E81C432D1721532CA7AE2F549BD7D206D20865F63E87E2FFE72590AA31F62
TrID: 63.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
      11.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      7.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      5.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.9% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE): PE icon
dhash icon: 4d6d6545e1e14565 (2 x PrivateLoader)
Reporter: SecuriteInfoCom
Tags: exe PrivateLoader signed
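The imphash above clusters this file with two other PrivateLoader samples because it hashes only the import table, not the file bytes. The following Python is an added example, not MalwareBazaar's or pefile's code. It reproduces the imphash convention (lower-cased DLL name with a .dll/.ocx/.sys extension stripped, joined to the lower-cased function name, entries comma-joined in import-table order, MD5 of the result) on constructed import tables, not on the imports of this sample. Ordinal imports are rendered as ordN; the per-DLL ordinal-to-name tables that pefile consults for a few system DLLs are omitted here.

```python
import hashlib

# Extensions the imphash convention strips from the DLL name.
STRIP_EXTS = ("dll", "ocx", "sys")


def imphash_string(imports):
    """Build the canonical string that imphash hashes.

    `imports` is an ordered list of (dll_name, [function_or_ordinal, ...])
    pairs in import-table order. Functions imported by ordinal are given as
    ints and rendered as 'ordN' (simplification: pefile resolves well-known
    ordinals to names for a few DLLs such as ws2_32.dll; that table is
    omitted here).
    """
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in STRIP_EXTS:
            lib = base
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 hex digest of the canonical import string."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


# Constructed import tables for illustration (not taken from the sample on this page).
SAMPLE_A = [
    ("KERNEL32.dll", ["CreateProcessW", "CreateFileW"]),
    ("urlmon.dll", ["URLOpenBlockingStreamW"]),
]
# Same imports as SAMPLE_A with different casing: must hash identically.
SAMPLE_B = [
    ("kernel32.DLL", ["createprocessw", "createfilew"]),
    ("URLMON.dll", ["urlopenblockingstreamw"]),
]
# Same imports as SAMPLE_A in a different order: must hash differently.
SAMPLE_C = [
    ("urlmon.dll", ["URLOpenBlockingStreamW"]),
    ("KERNEL32.dll", ["CreateProcessW", "CreateFileW"]),
]
# An import by ordinal.
SAMPLE_D = [("ws2_32.dll", [23])]

if __name__ == "__main__":
    for label, table in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C), ("D", SAMPLE_D)):
        print(label, imphash(table), imphash_string(table))
```

Two binaries with the same imports in the same order share an imphash no matter how the rest of the file changes, which is why repacked or re-signed builds of one loader stub cluster on it; reordering the import table changes the value, so the pivot is only as strong as the packer's consistency. On a real file, `pefile.PE(path).get_imphash()` returns the same value this convention produces.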

Code Signing Certificate

Organisation: YANDEX LLC
Issuer: GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm: sha256WithRSAEncryption
Valid from: 2022-05-06T08:44:54Z
Valid to: 2024-05-06T08:44:54Z
Serial number: 7904d32e74fc472b66c08a38
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 1561ae150e66f6d2b3bceda46d46525edcaf8697d3bc94485150865dc40ef888
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 335
Origin country: FR

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 7a3596ed161aef538caafdb1f3f33c63a45731b3d396ccc3f4bb40924c2395e0.exe
Verdict: Malicious activity
Analysis date: 2024-05-09 23:25:44 UTC
Tags: loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
DNS request
Connection attempt
Sending an HTTP GET request
Delayed writing of the file
Creating synchronization primitives
Creating a process from a recently created file
Restart of the analyzed sample
Searching for synchronization primitives
Creating a file
Modifying a system file
Creating a file in the %AppData% subdirectories
Creating a file in the Windows subdirectories
Launching a service
Reading critical registry keys
Changing a file
Moving a recently created file
Searching for the window
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Changing critical settings of the Internet Explorer browser
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: fingerprint lolbin masquerade overlay packed shell32
Result
Threat name: PrivateLoader
Detection: malicious
Classification: rans.phis.troj.spyw.evad
Score: 78 / 100
Signature
Drops PE files with benign system names
Found suspicious ZIP file
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites Mozilla Firefox settings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Writes many files with high entropy
Yara detected Powershell download and execute
Yara detected PrivateLoader
Behaviour
Behavior Graph ID: 1439242
Sample: SecuriteInfo.com.Riskware.Y...
Start date: 10/05/2024
Architecture: WINDOWS
Score: 78
Top-level signatures: Multi AV Scanner detection for submitted file; Yara detected PrivateLoader; Yara detected Powershell download and execute; 6 other signatures

Process tree (node numbers are the graph's own; dropped files, network contacts and per-process signatures are listed under the process that produced them):

- msiexec.exe (9)
  dropped: C:\Windows\Installer\MSID783.tmp (PE32), C:\Windows\Installer\MSID762.tmp (PE32), C:\Windows\Installer\MSID638.tmp (PE32), 9 other malicious files
  - msiexec.exe (20)
    dropped: C:\Users\user\AppData\Local\...\seederexe.exe (PE32), C:\Users\user\AppData\Local\...\sender.exe (PE32), C:\Users\user\AppData\...\lite_installer.exe (PE32)
    - seederexe.exe (39)
      dropped: C:\Users\user\AppData\...\xulstore.json (JSON), search.json.mozlz4...32429.388062.backup (Mozilla), 39 other malicious files
      signatures: Overwrites Mozilla Firefox settings; Tries to harvest and steal browser information (history, passwords, etc); Writes many files with high entropy
      - Yandex.exe (48)
        dropped: C:\Users\user\AppData\...\YandexWorking.exe (PE32), C:\Users\user\AppData\Local\...\explorer.exe (PE32), C:\Users\user\AppData\Local\...\Yandex.lnk (MS)
        signatures: Drops PE files with benign system names
        - explorer.exe (63)
      - Yandex.exe (52)
        dropped: C:\Users\user\AppData\Local\...\2AE68B04.exe (PE32)
        - explorer.exe (65)
      - sender.exe (54)
        network: 87.250.254.20 (YANDEXRU, Russian Federation)
    - lite_installer.exe (43)
      network: 5.45.192.185 (YANDEXRU, Russian Federation)
      dropped: {3548A954-F1D9-45E...C-AD02409E6591}.exe (PE32), C:\Users\user\AppData\Local\...\Yandex[1].exe (PE32)
- browser.exe (12)
  network: 192.168.2.6 (unknown), 239.255.255.250 (Reserved)
  dropped: C:\Users\user\AppData\...\widevinecdm.dll (PE32), 16 other malicious files
  signatures: Tries to harvest and steal browser information (history, passwords, etc); Writes many files with high entropy
  - browser.exe (23)
    signatures: Tries to harvest and steal browser information (history, passwords, etc)
  - browser.exe (26)
    network: 178.154.131.215, 213.180.204.158 (YANDEXRU, Russian Federation), 21 other IPs or domains
  - browser.exe (29)
  - 10 other processes
- {3548A954-F1D9-45E7-922C-AD02409E6591}.exe (16)
  network: 213.180.193.234, 5.45.205.244 (YANDEXRU, Russian Federation), 3 other IPs or domains
  dropped: C:\Users\user\AppData\Local\Temp\yb20E6.tmp (PE32), 2 other malicious files
  - yb20E6.tmp (31)
    dropped: C:\Users\user\AppData\Local\...\setup.exe (PE32), C:\Users\user\AppData\Local\...\SETUP.EX_ (Microsoft), C:\Users\user\AppData\...\BROWSER.PACKED.7Z (7-zip), 5 other malicious files
    signatures: Writes many files with high entropy
    - setup.exe (46)
      dropped: C:\Users\user\AppData\Local\...\browser.dll (PE32), C:\Users\user\AppData\Local\...\brodef.dll (PE32), C:\Users\user\AppData\...\abt-bindings.dll (PE32), 2 other malicious files
      - clidmgr.exe (57)
        - conhost.exe (67)
      - clidmgr.exe (59)
        - conhost.exe (69)
      - setup.exe (61)
- SecuriteInfo.com.Riskware.Yandex.5580.5774.exe (18)
  network: 5.45.205.242, 5.45.247.51 (YANDEXRU, Russian Federation)
  dropped: 2 other malicious files
  - YandexPackSetup.exe (33)
    dropped: C:\Users\user\AppData\...\YandexSearch.msi (Composite)
    signatures: Machine Learning detection for dropped file
  - SecuriteInfo.com.Riskware.Yandex.5580.5774.exe (35)
    network: 77.88.21.14 (YANDEXRU, Russian Federation)
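Joe Sandbox reports "Sigma detected: System File Execution Location Anomaly" and "Sigma detected: Files With System Process Name In Unsuspected Locations", and the process tree shows Yandex.exe dropping an explorer.exe under the user's AppData directory and launching it. The check those rules encode, written as an added Python example (not Joe Sandbox's or the Sigma project's code) and run over constructed process-creation events: flag any image that carries a Windows system-binary name but runs from outside System32, SysWOW64 or WinSxS (or, for explorer.exe, outside %SystemRoot% itself). The image-name list, the assumption that Windows lives on C:, and the sample events are all constructed for this example.

```python
import ntpath

# Image names that belong only in the Windows system directories.
# Constructed for this example; a production rule carries a longer list.
SYSTEM_IMAGE_NAMES = {
    "explorer.exe", "svchost.exe", "conhost.exe", "msiexec.exe", "lsass.exe",
    "csrss.exe", "winlogon.exe", "services.exe", "smss.exe", "wininit.exe",
    "dllhost.exe", "rundll32.exe", "taskhostw.exe", "spoolsv.exe",
}

# Legitimate homes for those images (lower-cased). Assumes Windows is on C:.
SYSTEM32 = "c:\\windows\\system32\\"
SYSWOW64 = "c:\\windows\\syswow64\\"
WINSXS = "c:\\windows\\winsxs\\"
WINDOWS_ROOT = "c:\\windows\\"
# explorer.exe is the one image on the list whose home is %SystemRoot% itself.
WINDOWS_ROOT_IMAGES = {"explorer.exe"}


def is_masquerading(image_path: str) -> bool:
    """True if a system-binary name runs from a directory it does not belong in."""
    directory, name = ntpath.split(image_path.lower())
    if name not in SYSTEM_IMAGE_NAMES:
        return False
    directory = directory.rstrip("\\") + "\\"
    if directory in (SYSTEM32, SYSWOW64) or directory.startswith(WINSXS):
        return False
    if name in WINDOWS_ROOT_IMAGES and directory == WINDOWS_ROOT:
        return False
    return True


def find_masqueraders(events):
    """Return (pid, image, parent_image) for each process-creation event that trips the rule."""
    return [
        (event["pid"], event["image"], event["parent_image"])
        for event in events
        if is_masquerading(event["image"])
    ]


# Constructed process-creation events (Sysmon event 1 style), not the sandbox's own log.
# The AppData explorer.exe mirrors what the process tree above shows; the exact path is invented.
EVENTS = [
    {"pid": 4321, "parent_image": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 5100, "parent_image": r"C:\Windows\System32\userinit.exe", "image": r"C:\Windows\explorer.exe"},
    {"pid": 6020, "parent_image": r"C:\Windows\SysWOW64\msiexec.exe", "image": r"C:\Windows\SysWOW64\msiexec.exe"},
    {"pid": 7310, "parent_image": r"C:\Users\user\AppData\Local\Temp\Yandex.exe", "image": r"C:\Users\user\AppData\Local\Temp\explorer.exe"},
    {"pid": 7402, "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\ProgramData\svchost.exe"},
    {"pid": 7555, "parent_image": r"C:\Users\user\AppData\Local\Temp\setup.exe", "image": r"C:\Users\user\AppData\Local\Temp\clidmgr.exe"},
]

if __name__ == "__main__":
    for pid, image, parent in find_masqueraders(EVENTS):
        print(f"pid {pid}: {image} started by {parent}")
```

The last event (clidmgr.exe from Temp) is deliberately not flagged: its name is not a system binary, so this rule says nothing about it, which is why the sandbox pairs the location-anomaly signature with separate drop/execute and YARA signatures.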
Result
Malware family: n/a
Score: 8/10
Tags: discovery persistence spyware stealer
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies Internet Explorer start page
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks system information in the registry
Drops file in System32 directory
Adds Run key to start application
Blocklisted process makes network request
Checks installed software on the system
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Unpacked files
SHA256 hash: 7a3596ed161aef538caafdb1f3f33c63a45731b3d396ccc3f4bb40924c2395e0
MD5 hash: e1828ff619684f20535726edd51f4751
SHA1 hash: 991ad98c04141d10fc376f5f47d6f39218c7de8c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Author:Didier Stevens (https://DidierStevens.com)
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Author:albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID: CHECK_DLL_CHARACTERISTICS
Title: Missing dll Security Characteristics (HIGH_ENTROPY_VA)
Severity: high

Reviews (capability ID, capability, evidence as imported API)
AUTH_API (Manipulates User Authorization): ADVAPI32.dll::ConvertSidToStringSidW, ADVAPI32.dll::CopySid, ADVAPI32.dll::GetLengthSid
COM_BASE_API (Can Download & Execute components): ole32.dll::CoCreateInstance
SECURITY_BASE_API (Uses Security Base API): ADVAPI32.dll::GetTokenInformation
SHELL_API (Manipulates System Shell): SHELL32.dll::ShellExecuteExW
URL_MONIKERS_API (Can Download & Execute components): urlmon.dll::URLOpenBlockingStreamW
WIN32_PROCESS_API (Can Create Process and Threads): KERNEL32.dll::CreateProcessW, ADVAPI32.dll::OpenProcessToken, WININET.dll::InternetCloseHandle, KERNEL32.dll::CloseHandle
WIN_BASE_API (Uses Win Base API): KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetCommandLineW, KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API (Can Execute other programs): KERNEL32.dll::WriteConsoleW, KERNEL32.dll::ReadConsoleW, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API (Can Create Files): SHELL32.dll::SHCreateDirectoryExW, KERNEL32.dll::CreateFileMappingW, KERNEL32.dll::CreateFileW, VERSION.dll::GetFileVersionInfoSizeW, VERSION.dll::GetFileVersionInfoW
WIN_TRUST_API (Uses Windows Trust API): WINTRUST.dll::WinVerifyTrust
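BLint's one finding is that the optional header's DllCharacteristics word lacks HIGH_ENTROPY_VA. The Python below is an added example, not BLint's code: it reads e_lfanew, the file header and the DllCharacteristics word (offset 70 of the optional header in both PE32 and PE32+) from a header-only image that it constructs itself, and reports which of HIGH_ENTROPY_VA, DYNAMIC_BASE and NX_COMPAT are absent. One caveat the finding does not state: HIGH_ENTROPY_VA only has an effect on 64-bit (PE32+) images, so its absence from a 32-bit PE32 file is expected rather than a weakness, and the example only reports it for PE32+. The header bytes are constructed, not taken from this sample.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
}
# Mitigations a linter expects on a modern, hardened image.
EXPECTED = ("HIGH_ENTROPY_VA", "DYNAMIC_BASE", "NX_COMPAT")

MACHINE_I386, MACHINE_AMD64 = 0x014C, 0x8664
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
FILE_HEADER_FMT = "<HHIIIHH"
DLLCHARS_OFFSET = 70  # same offset in PE32 and PE32+ optional headers


def check_dll_characteristics(data: bytes) -> dict:
    """Parse the PE headers by hand and report which mitigation flags are missing."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    file_hdr = e_lfanew + 4
    machine, _, _, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER_FMT, data, file_hdr)
    opt_hdr = file_hdr + struct.calcsize(FILE_HEADER_FMT)
    if opt_size < DLLCHARS_OFFSET + 2:
        raise ValueError("optional header too short to carry DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt_hdr)[0]
    dllchars = struct.unpack_from("<H", data, opt_hdr + DLLCHARS_OFFSET)[0]
    is_64bit = magic == PE32PLUS_MAGIC
    present = sorted(name for bit, name in DLL_CHARACTERISTICS.items() if dllchars & bit)
    missing = [name for name in EXPECTED if name not in present]
    # HIGH_ENTROPY_VA only changes loader behaviour for 64-bit images.
    if not is_64bit:
        missing = [name for name in missing if name != "HIGH_ENTROPY_VA"]
    return {
        "machine": machine,
        "is_64bit": is_64bit,
        "dll_characteristics": dllchars,
        "present": present,
        "missing": missing,
    }


def build_minimal_pe(machine: int, magic: int, dllchars: int) -> bytes:
    """Constructed header-only image for testing: no sections, not loadable."""
    opt_size = 240 if magic == PE32PLUS_MAGIC else 224  # standard sizes incl. 16 data directories
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    file_header = struct.pack(FILE_HEADER_FMT, machine, 0, 0, 0, 0, opt_size, 0x0002)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, DLLCHARS_OFFSET, dllchars)
    return dos_header + b"PE\0\0" + file_header + bytes(optional)


if __name__ == "__main__":
    # 64-bit image with ASLR and DEP but without HIGH_ENTROPY_VA, like the finding above.
    report = check_dll_characteristics(build_minimal_pe(MACHINE_AMD64, PE32PLUS_MAGIC, 0x0140))
    print(report)
```

On a real file, pass the first few kilobytes read from disk to `check_dll_characteristics`; the header fields it needs all sit before the section table, so the sample's 362'656 bytes need not be read in full.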

Comments