MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PrivateLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1
SHA3-384 hash: 1a65c4e3d7ac940991302384d5c6e7754a749330c405cea0cb088f18cf7c5eac292e607c27f8e6da0875f4e327f0c8a9
SHA1 hash: 545359cd68d0ee37f4b15e1a22c2c9a5fda69e22
MD5 hash: a1f6923e771b4ff0df9fec9555f97c65
humanhash: steak-magnesium-eighteen-finch
File name:SecuriteInfo.com.Riskware.IncompleteUninstallLightshotWithYandex.17196.19139
Download: download sample
Signature PrivateLoader
Create hunting rule
File size:2'786'328 bytes
First seen:2024-06-05 22:22:20 UTC
Last seen:2025-10-24 21:29:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 20dd26497880c05caed9305b3c8b9109 (31 x Adware.Auslogics, 5 x Adware.IObit, 5 x LummaStealer)
ssdeep 49152:/i85nVhfVnQiGmEwZbyVKf3tOOr/o2rm0mMXgT11rNjiG0C+0LRzasw:a85nVZarmEwZecPzJWDLN+GwOnw
Threatray 11 similar samples on MalwareBazaar
TLSH T1A2D512C1A1A550B1E9A8B8F1B966D4112CF63CA84DC3544D3EF9F23E0472A87DD3A91F
TrID 74.1% (.EXE) Inno Setup installer (107240/4/30)
9.8% (.EXE) Win32 Executable Delphi generic (14182/79/4)
7.2% (.EXE) Win64 Executable (generic) (10523/12/4)
3.1% (.EXE) Win32 Executable (generic) (4504/4/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon 090d141563496d3f (19 x RedLineStealer, 2 x RaccoonStealer, 2 x CoinMiner)
Reporter SecuriteInfoCom
Tags:exe PrivateLoader signed

Code Signing Certificate

Organisation:Kilonova LLC
Issuer:Go Daddy Secure Certificate Authority - G2
Algorithm:sha256WithRSAEncryption
Valid from:2019-05-30T00:39:46Z
Valid to:2022-05-30T00:39:46Z
Serial number: c93423ce0c606667
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 450898f0278e753151c321ff1a5c4cf37b7ae36b03a8214447a486d4d41a27e1
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
4
# of downloads :
387
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup-lightshot.exe
Verdict:
No threats detected
Analysis date:
2024-03-07 16:29:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ff4f8a68-dd0d-46ff-bf8a-dd2b4fd1714f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Riskware.IncompleteUninstallLightshotWithYandex.17196.19139.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6661d43cc3ac776627b950f4win7simulatehigh_evasion
Tags:
Banker Encryption Execution Generic Network Static Stealth Yandex Dexter
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
embarcadero_delphi fingerprint installer lolbin overlay packed setupapi shell32
Link:
https://www.filescan.io/uploads/6660e5496b8dba248b3d5db2/reports/5fa3d3c7-f13b-4908-bc09-def476584d61/overview
Verdict:
Unknown
Labled as:
Win32_Yandex_K_potentially_unwanted
Link:
https://www.hybrid-analysis.com/sample/928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/faa2beb6-f2dd-4017-930b-8e5bf3d74572
Result
Threat name:
PrivateLoader
Create hunting rule
Detection:
suspicious
Classification:
troj
Score:
28 / 100
Link:
https://www.joesandbox.com/analysis/1441339
Signature
Multi AV Scanner detection for submitted file
Yara detected PrivateLoader
Behaviour
Behavior Graph:
n/a
Score:
6%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=skgcqcccdx6uq772nfzxsvemxzucydqtv22zl24js452trivxcqq._file
Verdict:
suspicious
Similar samples:
1184e49148bacb2652d94849149ba98650ce30fb381d65a3b0b1c1a194115651
PrivateLoader
134fc5f505bd60f454537f877ce5286cf705ce05449acccfb4e9cd53b1a6776d
PrivateLoader
2b208f4e3d4c5988d3da88af00e69270ec291f647fc01fdb1f03ddb76b4c9654
PrivateLoader
4766be0783b2512c3301909586bc8b5b97afb848cf0bc99df91151d6f56bc5d5
PrivateLoader
6b5c5163edae524314762a092cec99048c13d4ead9d990e901d17dade365bbeb
PrivateLoader
b486159228630e0fea177062ce127b00be242e7afe55d7a2fca2edcda81100f4
PrivateLoader
b61ac8b8fabd1b494f4d22e5a1f0b920da55e5827e588361a77c135909387dc3
PrivateLoader
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  4/10
Tags:
n/a
Link:
https://tria.ge/reports/240605-2asv6sbf28/
Behaviour
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
45611a569cabfdcfe0c2d733225b4c589e0c76bdf0b2b0ee36a9137ade25cd13
MD5 hash:
e8b3bb86283a357b1639db563afdb1e3
SHA1 hash:
f07f7828b0467eec89a3c1bdd8c014986d59ad42
Link:
https://www.unpac.me/results/ea2559d7-0e5d-4c09-99c3-8de3a193e513/
SH256 hash:
e8a81cccadc6496d2c6656b69644937b8e190767d155d06ae705a9b45dce9bc2
MD5 hash:
63a3c1efce6eb3e424289ce135ebe897
SHA1 hash:
b803ce66f0b5ba5f1e4e02f5197312b836e18d54
Link:
https://www.unpac.me/results/ea2559d7-0e5d-4c09-99c3-8de3a193e513/
SH256 hash:
3db44d0d4c91f61ba40f967e7831e0ba4a46ea675b59dd504c1230e53c008bb6
MD5 hash:
bf1aa049e20b44381cefe7f3dfcd128a
SHA1 hash:
a6c2018479cffedbd40e5e52a393809c91b5b5d4
Link:
https://www.unpac.me/results/ea2559d7-0e5d-4c09-99c3-8de3a193e513/
SH256 hash:
ae12ecc0233d293e8e275c9ec0654f111427ebafb1596a69520ef3c438df5811
MD5 hash:
d1af260073911f84088ceab2b176f8f8
SHA1 hash:
80d68d58725b87a35d2edc6a089494d783994124
Link:
https://www.unpac.me/results/ea2559d7-0e5d-4c09-99c3-8de3a193e513/
SH256 hash:
92d5dd2fcbdf3c9053facf95ee10a422f68a531f7a09899da2384c9a9240a06b
MD5 hash:
565c9af2e5901511cbdcfdae97d14450
SHA1 hash:
805bb9ac7b93244a4872c74e45b32df17cdb8d1a
Link:
https://www.unpac.me/results/ea2559d7-0e5d-4c09-99c3-8de3a193e513/
SH256 hash:
022371f474ecae38c2bb3e0b36f53827d9b7c27520d8b269bcc98fe2f820e96e
MD5 hash:
94e647a4e6684e482bea03a2f9bfd325
SHA1 hash:
117bbfa15e3ce2e98602adf4465e4ffe24c93726
Link:
https://www.unpac.me/results/ea2559d7-0e5d-4c09-99c3-8de3a193e513/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/ea2559d7-0e5d-4c09-99c3-8de3a193e513/
SH256 hash:
b78217e16c4f5b3a91b9cc968e3f51a53c2dd7b0620b40f0030c77a0da3e3135
MD5 hash:
e58366a4547862f9ec39c9d23ca18814
SHA1 hash:
004fadb18a007f9031105c956c0268218132b2c5
Link:
https://www.unpac.me/results/ea2559d7-0e5d-4c09-99c3-8de3a193e513/
SH256 hash:
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
MD5 hash:
e4211d6d009757c078a9fac7ff4f03d4
SHA1 hash:
019cd56ba687d39d12d4b13991c9a42ea6ba03da
Link:
https://www.unpac.me/results/ea2559d7-0e5d-4c09-99c3-8de3a193e513/
SH256 hash:
928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1
MD5 hash:
a1f6923e771b4ff0df9fec9555f97c65
SHA1 hash:
545359cd68d0ee37f4b15e1a22c2c9a5fda69e22
Link:
https://www.unpac.me/results/ea2559d7-0e5d-4c09-99c3-8de3a193e513/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Floxif
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PrivateLoader

Executable exe 928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2876271/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessW
advapi32.dll::OpenProcessToken
kernel32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryW
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceW
kernel32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryW
kernel32.dll::CreateFileW
kernel32.dll::DeleteFileW
kernel32.dll::GetWindowsDirectoryW
kernel32.dll::GetSystemDirectoryW
kernel32.dll::GetFileAttributesW
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryValueExW
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageW
user32.dll::CreateWindowExW

Comments