MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8413dd146625dc09556e13564f315de5fac738fdd753791982f9657a9553ed2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8413dd146625dc09556e13564f315de5fac738fdd753791982f9657a9553ed2a
SHA3-384 hash: f86c9d1d690d2b2f90134fd4aaf37181b73fef74a4bafe9ea4ba9a72662bd25cbd577e93b04f2868d6221d15162102d4
SHA1 hash: cf20e35b20957fef33fe5fee583dbb9ff0c8ffb5
MD5 hash: 7e81c21129dd300692af865c711d7bcb
humanhash: six-red-burger-ink
File name:file
Download: download sample
File size:4'483'584 bytes
First seen:2022-11-07 20:16:38 UTC
Last seen:2022-11-08 08:33:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (270 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 98304:4elcvV0hMdTkghrJ/WI5Vzs94oJmwMhO6eWva4m+qUIlFhuyduGFPEQzbyrSVGxw:pxho4GJ/FVg9MWoZIdXduAdyraKAj8TO
Threatray 3'152 similar samples on MalwareBazaar
TLSH T14A26332AC48322F261D56E38176EEAD1E59F3053AE8431B91C83CAF1D9778D382DB513
TrID 86.3% (.EXE) UPX compressed Win64 Executable (70117/5/12)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
2.4% (.EXE) Generic Win/DOS Executable (2002/3)
2.4% (.EXE) DOS Executable Generic (2000/1)
Reporter andretavare5
Tags:exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc760750097_655597989?hash=7FGCtiPQCM8Ff8Cs7yGJXIndGAQ7QwPDKwgFkIZties&dl=G43DANZVGAYDSNY:1667851299:u6NTSSbON5jrC0J08M7Uvrz0ZaA0EX4619pIiEu0QZs&api=1&no_preview=1#san1401

Intelligence

File Origin
# of uploads :
20
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2022-11-07 20:20:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/39327273-b9f7-46fb-aa22-84f195cd722b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/330200/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Creating a window
Сreating synchronization primitives
Creating a service
Searching for the window
Searching for synchronization primitives
Transferring files using the Background Intelligent Transfer Service (BITS)
Sending an HTTP GET request
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Moving a file to the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Enabling autorun for a service
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/636967bf1b78baadf87f9164/reports/26c4a626-5ada-45c4-b0ae-964a55cf6d08/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
ngrok-server
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c693cefd-d506-43ea-869d-d35b3edd1ffb
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1107660
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 740323 Sample: file.exe Startdate: 07/11/2022 Architecture: WINDOWS Score: 52 57 Antivirus / Scanner detection for submitted sample 2->57 59 Machine Learning detection for sample 2->59 7 file.exe 1 4 2->7         started        11 hellaracing3d.exe 2->11         started        13 hellaracing3d.exe 2->13         started        process3 dnsIp4 45 136.244.97.206, 1337, 49715 AS-CHOOPAUS United States 7->45 43 C:\Users\user\AppData\...\hellaracing3d.exe, PE32+ 7->43 dropped 15 chrome.exe 11 262 7->15         started        18 cmd.exe 1 7->18         started        20 cmd.exe 11->20         started        22 cmd.exe 11->22         started        24 cmd.exe 13->24         started        26 cmd.exe 13->26         started        file5 process6 dnsIp7 53 192.168.2.1 unknown unknown 15->53 55 239.255.255.250 unknown Reserved 15->55 28 chrome.exe 12 15->28         started        31 conhost.exe 18->31         started        33 tskill.exe 1 18->33         started        35 conhost.exe 20->35         started        37 tskill.exe 1 20->37         started        39 conhost.exe 24->39         started        41 tskill.exe 1 24->41         started        process8 dnsIp9 47 www.google.com 142.250.102.147, 443, 49714, 49730 GOOGLEUS United States 28->47 49 accounts.google.com 142.250.102.84, 443, 49713 GOOGLEUS United States 28->49 51 4 other IPs or domains 28->51
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8413dd146625dc09556e13564f315de5fac738fdd753791982f9657a9553ed2a/
Threat name:
Win64.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-11-07 20:33:06 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qqj52fdgexoasvlocnle6mk54x5mooh525jxsgmc7fsxvfkt5uva._file
Verdict:
unknown
Similar samples:
212033484641d51e968cecf3f8f2b7cf275f7c69e5c159093cecb73d07ddf1f3
28a4fc89b3ecdce491137e550252749c41c1ab97cebfb5241b8910de6aeb11fe
3561c1061b28eb2a567d63c11e6dc5241f2f0cbcda3f5d0c03652a42423c8865
3e6471fe0cd370a3fa47ffa76664525b9e190aeadd9a0446f3f2647471be84e5
4b6d9156081ce2b9cc4818f5b03e347c0965f874929f03e427c0407a51f12eb3
6a4b9c18783615adb849fdf2951023243f4a7e70d050a912c9dfad60a537fe28
85e9c2683e21ac4ede85dd17040a376b59e2ec1e1064a9930e269413c11abfb8
89bc05a18db73de6b19390bc0ef32711e4e357ebb89a9aa915c5d2d15da3a33c
aecee48e77885753fef3b48411fd1093f2f3da937ef0dab744530bbf452586ef
ffc311faa60a3952e30c1e72997d8c58bd64b40ba5ebd710af68616b9e96ac7e
+ 3'142 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/221107-y2n5hsfhd3/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Adds Run key to start application
UPX packed file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d0158860-fe15-4e2a-a58a-4875ae662ba0
Unpacked files
SH256 hash:
b2a620433ed905d11cc25c94345e00bf32cdeb4c08043897d5411f71dc0b7b36
MD5 hash:
e9c94c0850f057a52818711a36c4cd9e
SHA1 hash:
c78986ec79d0805a50330b5562cf4ed4ecf727fc
Link:
https://www.unpac.me/results/e287537c-62ee-4266-a579-64643a83b067/
SH256 hash:
8413dd146625dc09556e13564f315de5fac738fdd753791982f9657a9553ed2a
MD5 hash:
7e81c21129dd300692af865c711d7bcb
SHA1 hash:
cf20e35b20957fef33fe5fee583dbb9ff0c8ffb5
Link:
https://www.unpac.me/results/e287537c-62ee-4266-a579-64643a83b067/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8413dd146625dc09556e13564f315de5fac738fdd753791982f9657a9553ed2a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:crime_ZZ_botnet_aicm
Create hunting rule
Author:imp0rtp3
Description:DDoS Golang Botnet sample for linux called 'aicm'
Reference:https://twitter.com/IntezerLabs/status/1401869234511175683
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many varying, potentially fake Windows User-Agents

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/330200/

Comments