MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7caaf81df0b6ddb32e5d0478ba9502d7b3c3f426f21acb887c328cbd1727c02a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PrivateLoader

Vendor detections: 16

SHA256 hash: 7caaf81df0b6ddb32e5d0478ba9502d7b3c3f426f21acb887c328cbd1727c02a
SHA3-384 hash: f3544a5aa9e992a311e438e42b29e66a5e2ba43e2abccb0530cf2b05c7439636fc1d559df1155a5dbd5a7dc37d42673b
SHA1 hash: adfcde7fc236b997f6a04b9118d230bcde3b888a
MD5 hash: e0b1d3a0c6826487f39902c8c1a6e536
humanhash: bulldog-william-arkansas-orange
File name: file
Signature: PrivateLoader
File size: 4'858'008 bytes
First seen: 2023-10-29 12:28:03 UTC
Last seen: 2023-11-02 01:38:05 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: cfe760c06b22b6db5c101a2583bf54c5 (1 x PrivateLoader)
ssdeep: 98304:rBz1XlpgybFcKwwy5ICedbsGLEBWOlvcXyy3ozuKtIaLn9Ptk:Nz1Aybqf5OZsVHmt3Gu6LZtk
TLSH: T13D2633D6DAA955ACCC4EB2F48445BF3DB5F11E2D02208E0978A8BECFFD67551483812B
TrID: 56.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      11.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      9.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
      8.1% (.EXE) Win32 Executable (generic) (4505/5/1)
      3.7% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: f0e8d4aa8e8e8896 (1 x PrivateLoader)
Reporter: andretavare5
Tags: exe PrivateLoader signed
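Before pivoting on the indicators above, confirm that the copy you are holding is the same object MalwareBazaar describes: submitters and sandboxes sometimes end up with a different stage of the same campaign. The following is an added example, not code from MalwareBazaar or any vendor on this page. It computes the four digests the entry lists (MD5, SHA1, SHA256, SHA3-384), the file size, and the DOS `MZ` check implied by `application/x-dosexec`, then reports which listed values match. The hash constants are copied from this entry; the 64-byte stand-in used in the demo is constructed and will not match anything, so run `fingerprint_file` on the real download.

```python
import hashlib
from typing import Dict, List

# Digest values copied from this MalwareBazaar entry.
BAZAAR_IOCS = {
    "md5": "e0b1d3a0c6826487f39902c8c1a6e536",
    "sha1": "adfcde7fc236b997f6a04b9118d230bcde3b888a",
    "sha256": "7caaf81df0b6ddb32e5d0478ba9502d7b3c3f426f21acb887c328cbd1727c02a",
    "sha3_384": "f3544a5aa9e992a311e438e42b29e66a5e2ba43e2abccb0530cf2b05c7439636fc1d559df1155a5dbd5a7dc37d42673b",
}
BAZAAR_SIZE = 4858008  # "File size: 4'858'008 bytes" on the entry


def fingerprint(data: bytes) -> Dict[str, object]:
    """Compute the digests the entry lists, plus size and the PE 'MZ' magic."""
    fp: Dict[str, object] = {
        name: hashlib.new(name, data).hexdigest()
        for name in ("md5", "sha1", "sha256", "sha3_384")
    }
    fp["size"] = len(data)
    # MIME application/x-dosexec means a DOS header; every PE starts with b"MZ".
    fp["is_pe"] = data[:2] == b"MZ"
    return fp


def matched_iocs(fp: Dict[str, object], iocs: Dict[str, str] = BAZAAR_IOCS) -> List[str]:
    """Names of the digests in fp that equal the listed values (case-insensitive)."""
    return sorted(
        name for name, value in iocs.items()
        if str(fp.get(name, "")).lower() == value.lower()
    )


def fingerprint_file(path: str) -> Dict[str, object]:
    """Fingerprint a file on disk (the sample here is under 5 MB, so read it whole)."""
    with open(path, "rb") as fh:
        return fingerprint(fh.read())


if __name__ == "__main__":
    # Constructed stand-in: an MZ header plus zero filler, not the real sample.
    demo = fingerprint(b"MZ" + b"\x00" * 62)
    print(demo["sha256"], demo["size"] == BAZAAR_SIZE, matched_iocs(demo))
```

If only the SHA256 matches and the size differs, you are not looking at the same bytes; if none match, query MalwareBazaar for the hash you actually have rather than trusting the entry you were sent.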

Code Signing Certificate

Organisation: Sony SEL-55210 55-210mm F4.5-6.3
Issuer: Sony SEL-55210 55-210mm F4.5-6.3
Algorithm: sha1WithRSAEncryption
Valid from: 2021-07-23T12:06:15Z
Valid to: 2031-07-24T12:06:15Z
Serial number: 527c4d0212391b8b4cfa569e4b332891
Intelligence: 10 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 44dd50e6e9fe834612ab620dabc6b0cb097bffccc0d23ba44102b072f0a0dac7
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform
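The `signed` tag only says an Authenticode signature is present. Read the fields above: subject and issuer are identical (self-signed), the organisation is a camera-lens product name, the signature algorithm is SHA-1, and the validity is ten years. As an added example, not code from MalwareBazaar or ReversingLabs, the following Python applies those heuristics to signer metadata of the shape shown above and to a small blocklist seeded with this entry's thumbprint and serial. The 39-month cap is the CA/Browser Forum limit on CA-issued code-signing certificates; the `BENIGN_SIGNER` record is constructed for comparison and is not a real certificate. The checks inspect metadata only; whether the signature actually verifies against the PE must be checked on the binary itself.

```python
from datetime import datetime
from typing import Dict

# Signer fields copied from the Code Signing Certificate section of this entry.
PAGE_SIGNER = {
    "subject": "Sony SEL-55210 55-210mm F4.5-6.3",
    "issuer": "Sony SEL-55210 55-210mm F4.5-6.3",
    "algorithm": "sha1WithRSAEncryption",
    "valid_from": "2021-07-23T12:06:15Z",
    "valid_to": "2031-07-24T12:06:15Z",
    "serial": "527c4d0212391b8b4cfa569e4b332891",
    "thumbprint": "44dd50e6e9fe834612ab620dabc6b0cb097bffccc0d23ba44102b072f0a0dac7",
}

# Local blocklist seeded with this entry's signer (MalwareBazaar counts 10
# samples signed with it); extend it from your own case data.
KNOWN_BAD_THUMBPRINTS = {PAGE_SIGNER["thumbprint"]}
KNOWN_BAD_SERIALS = {PAGE_SIGNER["serial"]}

# CA/Browser Forum baseline requirements cap code-signing subscriber
# certificates at 39 months; a much longer leaf was not issued by a public CA.
MAX_VALIDITY_YEARS = 39 / 12


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def signer_red_flags(cert: Dict[str, str]) -> Dict[str, str]:
    """Return {flag: reason} for every heuristic the signer metadata trips."""
    flags: Dict[str, str] = {}
    if cert["subject"].strip().lower() == cert["issuer"].strip().lower():
        flags["self-signed"] = "subject equals issuer: no CA vouched for this identity"
    if cert["algorithm"].lower().startswith("sha1"):
        flags["sha1"] = "SHA-1 signature algorithm, deprecated for code signing"
    years = (_ts(cert["valid_to"]) - _ts(cert["valid_from"])).days / 365.25
    if years > MAX_VALIDITY_YEARS:
        flags["long-validity"] = (
            f"{years:.1f}-year validity exceeds the 39-month cap on CA-issued certificates"
        )
    if cert["thumbprint"].lower() in KNOWN_BAD_THUMBPRINTS:
        flags["known-bad-thumbprint"] = "thumbprint already tied to malware samples"
    if cert["serial"].lower() in KNOWN_BAD_SERIALS:
        flags["known-bad-serial"] = "serial number already tied to malware samples"
    return flags


# Constructed comparison record (not a real certificate): what a CA-issued
# signer looks like under the same checks.
BENIGN_SIGNER = {
    "subject": "Example Software Ltd",
    "issuer": "Example Public Code Signing CA",
    "algorithm": "sha256WithRSAEncryption",
    "valid_from": "2023-01-01T00:00:00Z",
    "valid_to": "2025-12-31T00:00:00Z",
    "serial": "0a1b2c3d",
    "thumbprint": "00" * 32,
}

if __name__ == "__main__":
    for label, cert in (("page signer", PAGE_SIGNER), ("benign signer", BENIGN_SIGNER)):
        print(label, signer_red_flags(cert))
```

The thumbprint and serial are the values to pivot on: MalwareBazaar already links nine other samples to this signer, and the same two identifiers can seed a block rule in an application-control policy or a hunt across an EDR's signer telemetry.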


Comment by andretavare5:
Sample downloaded from http://171.22.28.226/download/Services.exe

Intelligence


File Origin
# of uploads: 83
# of downloads: 338
Origin country: US
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: https://baramode.com/wp-content/server/File.7z
Verdict: Malicious activity
Analysis date: 2023-10-29 12:49:11 UTC
Tags: sinkhole privateloader evasion opendir loader risepro stealer stealc redline amadey botnet trojan ransomware stop smoke arkei vidar miner onlylogger teamspy remote g0njxa

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
DNS request
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Sending an HTTP GET request
Creating a file
Creating synchronization primitives
Creating a process from a recently created file
Launching a process
Modifying a system file
Replacing files
Reading critical registry keys
Launching a service
Sending a UDP request
Blocking the Windows Defender launch
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Gathering data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware lolbin overlay packed packed setupapi shell32 vmprotect
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: PrivateLoader, RedLine, SmokeLoader
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
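Several of the signatures above (and "Adding exclusions to Windows Defender" in the earlier vendor list) describe host changes that are cheap to alert on from endpoint telemetry, independent of which loader made them. As an added example, not code from MalwareBazaar or any sandbox vendor, the following Python expresses four of those signatures as rules over Sysmon-shaped event records and runs them across a constructed event list. The registry keys and the Startup folder path are real Windows locations; the event records, file names and task name are constructed for the demo and are not taken from this sample's analysis.

```python
import re
from typing import Callable, Dict, Iterable, List, Tuple

Event = Dict[str, str]

# Real Windows locations behind the sandbox signatures (lower-cased for matching).
DEFENDER_POLICY_KEY = r"hklm\software\policies\microsoft\windows defender"
DEFENDER_EXCLUSIONS_KEY = r"hklm\software\microsoft\windows defender\exclusions"
STARTUP_FOLDER = r"\microsoft\windows\start menu\programs\startup" + "\\"
DEFENDER_KILL_VALUES = {"disableantispyware", "disablerealtimemonitoring"}
SCRIPT_EXTENSIONS = {"bat", "cmd", "vbs", "js", "ps1"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").lower().rsplit("\\", 1)[-1]


def _disables_defender(ev: Event) -> bool:
    key = ev.get("key", "").lower()
    return (ev.get("type") == "registry_set"
            and key.startswith(DEFENDER_POLICY_KEY)
            and _basename(key) in DEFENDER_KILL_VALUES
            and str(ev.get("value")) == "1")


def _adds_defender_exclusion(ev: Event) -> bool:
    return (ev.get("type") == "registry_set"
            and ev.get("key", "").lower().startswith(DEFENDER_EXCLUSIONS_KEY))


def _schedules_task(ev: Event) -> bool:
    if ev.get("type") != "process":
        return False
    image = _basename(ev.get("image", ""))
    if image == "at.exe":
        return True
    return image == "schtasks.exe" and re.search(
        r"/(create|change)\b", ev.get("cmdline", ""), re.IGNORECASE) is not None


def _drops_startup_script(ev: Event) -> bool:
    path = ev.get("path", "").lower()
    return (ev.get("type") == "file_create"
            and STARTUP_FOLDER in path
            and path.rsplit(".", 1)[-1] in SCRIPT_EXTENSIONS)


# Rule names reuse the sandbox signature strings from this entry.
RULES: Dict[str, Callable[[Event], bool]] = {
    "Disable Windows Defender real time protection (registry)": _disables_defender,
    "Adding exclusions to Windows Defender": _adds_defender_exclusion,
    "Uses schtasks.exe or at.exe to add and modify task schedules": _schedules_task,
    "Drops script or batch files to the startup folder": _drops_startup_script,
}


def detect(events: Iterable[Event]) -> List[Tuple[str, int]]:
    """Return (rule name, event index) for every event that trips a rule."""
    hits: List[Tuple[str, int]] = []
    for idx, ev in enumerate(events):
        for name, predicate in RULES.items():
            if predicate(ev):
                hits.append((name, idx))
    return hits


# Constructed telemetry, loosely Sysmon-shaped; paths and names are placeholders.
SAMPLE_EVENTS: List[Event] = [
    {"type": "registry_set",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "value": "1"},
    {"type": "registry_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\user\AppData\Local\Temp",
     "value": "0"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Updater" /tr "C:\Users\user\AppData\Local\Temp\svc.exe" /sc onlogon /f'},
    {"type": "file_create",
     "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe", "cmdline": "schtasks /query"},
    {"type": "registry_set", "key": r"HKCU\Software\ExampleApp\LastRun", "value": "1"},
]

if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The two Defender rules are the ones worth tuning first: a policy-key write of `1` to `DisableAntiSpyware` or `DisableRealtimeMonitoring` by anything other than a management agent is rarely legitimate, and a new path under `Exclusions\Paths` pointing into a user-writable directory such as `%LOCALAPPDATA%\Temp` is the pattern every stage in the graph below relies on.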
Behaviour
Behavior graph (ID 1333818; sample file.exe; start date 29/10/2023; architecture WINDOWS; score 100), flattened from the graph rendering into a process tree. Node numbers are the graph's own; "..." in paths is as shown on the page.

Top-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 18 other signatures.

file.exe (9)
  Network: 149.154.167.99 (TELEGRAMRU, United Kingdom); 34.117.59.81 (GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States); 2 other IPs or domains
  Dropped: C:\Users\...\UFqXB7XZhfy5WNlH_atSlR7y.exe (PE32+); C:\Users\user\AppData\...\WWW14_64[1].exe (PE32+); C:\...\PowerControl_Svc.exe (PE32)
  Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Drops PE files to the document folder of the user; Uses schtasks.exe or at.exe to add and modify task schedules
  Started: UFqXB7XZhfy5WNlH_atSlR7y.exe (20); schtasks.exe (25) -> conhost.exe (48); schtasks.exe (27) -> conhost.exe (50)

PowerControl_Svc.exe (14)
  Dropped: C:\Users\user\AppData\...\WWW14_64[2].exe (PE32+)
  Started: o61yp1geofNJoNyZIbg5L9ra.exe (29); schtasks.exe (31) -> conhost.exe (52); schtasks.exe (33) -> conhost.exe (54)

PowerControl_Svc.exe (16)
  Dropped: C:\Users\...\o61yp1geofNJoNyZIbg5L9ra.exe (PE32+); C:\Users\user\AppData\...\WWW14_64[1].exe (PE32+)
  Started: o61yp1geofNJoNyZIbg5L9ra.exe (35); schtasks.exe (37) -> conhost.exe (56)

6 other processes (18), started from the root node

UFqXB7XZhfy5WNlH_atSlR7y.exe (20)
  Network: 87.240.132.72 and 95.142.206.0 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 10 other IPs or domains
  Dropped: C:\Users\...\xzO9jBNHIvSv1qZv5B581SEn.exe (PE32+); C:\Users\...\tzFCIcopzK8QZluuo3SK8D8Y.exe (PE32); 14 other malicious files
  Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Creates HTML files with .exe extension (expired dropper behavior); Disables Windows Defender (deletes autostart); Modifies Group Policy settings
  Started: xzO9jBNHIvSv1qZv5B581SEn.exe (39); RuPxlxmETSvwXrW4uQcNXVDh.exe (42); W58Y2qjX7j6wkCSNTy_qMNcG.exe (46); 7 other processes (58)

o61yp1geofNJoNyZIbg5L9ra.exe (29)
  Network: 87.240.129.133 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 104.21.21.189 (CLOUDFLARENETUS, United States)
  Dropped: C:\Users\...\wlGG_nG2dmwesVOIBeZc5z5k.exe (PE32); C:\Users\...\pDLJdXRa44mkigL7ztwMaMMv.exe (PE32); C:\Users\...\n3UhSRXowtk0fiC7YG9mXxTj.exe (PE32+); 12 other malicious files
  Signatures: Disable Windows Defender real time protection (registry); Writes many files with high entropy

o61yp1geofNJoNyZIbg5L9ra.exe (35)
  Network: 94.142.138.131 (IHOR-ASRU, Russian Federation); 2 other IPs or domains
  Dropped: C:\Users\...\rEBjCD4OXtiHCqJjTMWzvt32.exe (PE32+); 14 other malicious files

xzO9jBNHIvSv1qZv5B581SEn.exe (39)
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  Started: InstallUtil.exe (60)

RuPxlxmETSvwXrW4uQcNXVDh.exe (42)
  Network: 87.240.137.164 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 45.15.156.229 (RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation); 185.172.128.69 (NADYMSS-ASRU, Russian Federation)
  Dropped: C:\Users\...\yse2GQOnrxiXsNq_XClumvXp.exe (PE32); C:\Users\...\KfcSf7Je13dARt3EfyyDxG1G.exe (PE32+); C:\Users\user\AppData\...\newumma[1].exe (PE32)
  Signatures: Disables Windows Defender (deletes autostart); Disable Windows Defender real time protection (registry)

W58Y2qjX7j6wkCSNTy_qMNcG.exe (46)
  Dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32); C:\Users\user\AppData\Local\...\config.txt (data)
  Started: Install.exe (65), which in turn drops C:\Users\user\AppData\Local\...\Install.exe (PE32)

7 other processes (58)
  Network: 185.225.75.171 (MAYAKBG, Germany); 194.169.175.220 (CLOUDCOMPUTINGDE, Germany)
  Dropped: C:\Users\user\AppData\Local\Temp\...\Ze~D.c (PE32)
  Signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
  Started: cmd.exe (67) -> conhost.exe (78), control.exe (80)

InstallUtil.exe (60)
  Network: 85.217.144.143 (WS171-ASRU, Bulgaria); 176.57.208.22 (TIMEWEB-ASRU, Russian Federation); 19 other IPs or domains
  Dropped: C:\Users\...\zD9NVVp3KJ5lBhH0S183Xvet.exe (PE32); C:\Users\...\z4K9AJBAf5IxFyBlTTGlZGet.exe (PE32); C:\Users\...\yl39tblivenReGD7T0n1X5bu.exe (PE32); 207 other malicious files
  Signatures: Drops script or batch files to the startup folder; Creates HTML files with .exe extension (expired dropper behavior); Writes many files with high entropy
  Started: myfq1LoznlUGRRlpo9Z3FLyf.exe (69); wGMZEyAC4qdsqGpCrADdY7cl.exe (74); 1IaoxJKW2YGmuUmHIMzm1Cnu.exe (76); 5 other processes (82)

myfq1LoznlUGRRlpo9Z3FLyf.exe (69)
  Network: 5.75.188.83 (HETZNER-ASDE, Germany)
  Dropped: C:\ProgramData\softokn3.dll (PE32); 5 other files (3 malicious)
  Signatures: Tries to harvest and steal browser information (history, passwords, etc)

wGMZEyAC4qdsqGpCrADdY7cl.exe (74)
  Network: 107.167.110.217 and 107.167.125.189 (OPERASOFTWAREUS, United States); 2 other IPs or domains
  Dropped: Opera_installer_2310291229347845388.dll (PE32); C:\Users\...\wGMZEyAC4qdsqGpCrADdY7cl.exe (PE32); C:\Users\user\AppData\Local\...\opera_package (PE32); Opera_104.0.4944.3...toupdate_x64[1].exe (PE32)
  Signatures: Writes many files with high entropy

1IaoxJKW2YGmuUmHIMzm1Cnu.exe (76)
  Dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32); C:\Users\user\AppData\Local\...\config.txt (data)

5 other processes (82)
  Dropped: C:\Users\...\Tcexcfg6KJcd7dvTRe1rguw0.tmp (PE32)
  Signatures: Sample uses process hollowing technique; Injects a PE file into a foreign processes
Result
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2023-10-29 12:29:05 UTC
File Type: PE (Exe)
Extracted files: 18
AV detection: 16 of 23 (69.57%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: privateloader
Score: 10/10
Tags: family:privateloader loader spyware stealer
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
PrivateLoader
Unpacked files
SHA256 hash: 8e5a3056538b93a4557d2352ea55c2fbeafc181ac897c63940246977d2ce6964
MD5 hash: 073cea9f95678b7c90743773dfd7ac7d
SHA1 hash: 8b5c4025a5ee91a41acb6f7b714fd908b06d495f
Detections: PrivateLoader win_privateloader_w0
SHA256 hash: 7caaf81df0b6ddb32e5d0478ba9502d7b3c3f426f21acb887c328cbd1727c02a (the submitted sample itself; same MD5 and SHA1 as listed at the top of the entry)
MD5 hash: e0b1d3a0c6826487f39902c8c1a6e536
SHA1 hash: adfcde7fc236b997f6a04b9118d230bcde3b888a
Malware family: PrivateLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by