MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 971725f4443df9cf72b74a296e54352bd0f91bf74517fb28980a1916f89d56e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PrivateLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 971725f4443df9cf72b74a296e54352bd0f91bf74517fb28980a1916f89d56e2
SHA3-384 hash: 80eb1ee7c87b8cdc619018524303504f14a87b0dd003dd153bcc8a6b0a174e3d8c0b6b09db8744600c8f433b4e16a41e
SHA1 hash: f81569935a37d0d94847e1c36b78b3ec23dfe591
MD5 hash: 2f8bf74492ee6477081af13d01018c64
humanhash: california-mango-fillet-four
File name:2f8bf74492ee6477081af13d01018c64.exe
Download: download sample
Signature PrivateLoader
Create hunting rule
File size:7'022'607 bytes
First seen:2022-08-28 06:32:38 UTC
Last seen:2022-08-28 07:44:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7f8b3c8d3b81ee0a1bcb782d69039ec2 (2 x RedLineStealer, 1 x RecordBreaker, 1 x PrivateLoader)
ssdeep 196608:JAXLvDMrH4m10LPkwOmkn6gCVr9zZnlGe:1Ym16Omkn0
TLSH T18A66F115A7F54DAFDA962B7784FF233523369E244B3BCBEA84488739DE432919C16301
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe PrivateLoader Telegram

Intelligence

File Origin
# of uploads :
2
# of downloads :
332
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2f8bf74492ee6477081af13d01018c64.exe
Verdict:
Suspicious activity
Analysis date:
2022-08-28 06:40:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/be1bf48f-eaa7-420c-9b71-53b1a6fe53ac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/301795/
Detection(s):
SecuriteInfo.com.UDS.Trojan.Win32.Bingoml.44.10864.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/30475/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug overlay packed spyeye
Link:
https://www.filescan.io/uploads/630b0ca905c43eeee23cae0a/reports/ee592174-127b-4850-b8dd-004d09776e26/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e426c2a5-870e-4246-b96d-d3c9cdc37e7a
Result
Threat name:
PrivateLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1059155
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected PrivateLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 691672 Sample: 40rU4ITu9b.exe Startdate: 28/08/2022 Architecture: WINDOWS Score: 88 64 Multi AV Scanner detection for submitted file 2->64 66 Yara detected PrivateLoader 2->66 68 .NET source code contains very large array initializations 2->68 70 2 other signatures 2->70 9 40rU4ITu9b.exe 1 2->9         started        process3 signatures4 74 Contains functionality to inject code into remote processes 9->74 76 Writes to foreign memory regions 9->76 78 Allocates memory in foreign processes 9->78 80 Injects a PE file into a foreign processes 9->80 12 AppLaunch.exe 15 13 9->12         started        15 WerFault.exe 23 9 9->15         started        17 conhost.exe 9->17         started        process5 file6 48 C:\Users\user\AppData\...\chromedriver.exe, PE32 12->48 dropped 50 C:\Users\user\AppData\...\chromedriver.exe, PE32 12->50 dropped 19 chromedriver.exe 2 12->19         started        24 cmd.exe 1 12->24         started        52 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 15->52 dropped process7 dnsIp8 54 127.0.0.1 unknown unknown 19->54 46 C:\Users\user\AppData\Local\...\Preferences, ASCII 19->46 dropped 72 Tries to harvest and steal browser information (history, passwords, etc) 19->72 26 chrome.exe 1 19->26         started        29 conhost.exe 19->29         started        31 taskkill.exe 1 24->31         started        33 conhost.exe 24->33         started        35 timeout.exe 1 24->35         started        37 chcp.com 1 24->37         started        file9 signatures10 process11 dnsIp12 62 192.168.2.1 unknown unknown 26->62 39 chrome.exe 1 26->39         started        42 chrome.exe 1 26->42         started        44 chrome.exe 1 7 26->44         started        process13 dnsIp14 56 play.google.com 142.250.203.110, 443, 49763, 49764 GOOGLEUS United States 39->56 58 gstaticadssl.l.google.com 172.217.168.35, 443, 49756, 49757 GOOGLEUS United States 39->58 60 3 other IPs or domains 39->60
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/971725f4443df9cf72b74a296e54352bd0f91bf74517fb28980a1916f89d56e2/
Threat name:
Win32.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2022-08-28 06:33:15 UTC
File Type:
PE (Exe)
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s4lsl5cehx4464vxjiuw4vbvfpipsg7xiul7wkeybimrn6e5k3ra._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220828-ha7jsadfek/
Unpacked files
SH256 hash:
99ace416cfa00a9d3ecf14c1a25924870c0e6780927f5e2e64903b0bb78245cd
MD5 hash:
a830144ea2865178e8e2b33440f72235
SHA1 hash:
b902dbe39b1b86fec0599f0cc87a428edb875c07
Link:
https://www.unpac.me/results/08e37a21-458e-423d-ad3c-aeae97f80ec1/
SH256 hash:
777472c616b474a367a43b88b5d3139c39c087e5f8a2504ab013a51f744b9cf2
MD5 hash:
dfad2f8cfcff9fd3006ad9ec984c8f91
SHA1 hash:
9b7bf8783cfbf77761612b5d437bd24572b27fe3
Link:
https://www.unpac.me/results/08e37a21-458e-423d-ad3c-aeae97f80ec1/
SH256 hash:
b434193a2240a3375e09122b96c7589f8a51d0cd5ffc6d5206cbb8b189ea7ea8
MD5 hash:
9fd2805b276f7faea4801a84799d0855
SHA1 hash:
a3c390dfa3b36fae40e371fea1da2171e54dc510
Link:
https://www.unpac.me/results/08e37a21-458e-423d-ad3c-aeae97f80ec1/
SH256 hash:
971725f4443df9cf72b74a296e54352bd0f91bf74517fb28980a1916f89d56e2
MD5 hash:
2f8bf74492ee6477081af13d01018c64
SHA1 hash:
f81569935a37d0d94847e1c36b78b3ec23dfe591
Link:
https://www.unpac.me/results/08e37a21-458e-423d-ad3c-aeae97f80ec1/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/971725f4443d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/971725f4443df9cf72b74a296e54352bd0f91bf74517fb28980a1916f89d56e2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/301795/

Comments