MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7bb21bf9decc86a9eca9ea2ff17b77c8d8eeb97d7080442cab93c7f442aa609. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PrivateLoader
Vendor detections: 8

SHA256 hash: a7bb21bf9decc86a9eca9ea2ff17b77c8d8eeb97d7080442cab93c7f442aa609
SHA3-384 hash: 452eab6fc578b795bdd440893228270e15b8e72935d55c9e7e6a7e44aeeaee7f5ac4c1ecfe6aa4664f2ca5e3f1dbfc9f
SHA1 hash: 996189be3e54435087d7fc55c7da6ef0251d3d81
MD5 hash: 5e7ca0360b76151f03435e414b5b39b3
humanhash: fruit-football-undress-washington
File name: SecuriteInfo.com.Riskware.Yandex.12786.6213
Download: download sample
Signature: PrivateLoader
File size: 362'656 bytes
First seen: 2024-05-09 23:22:56 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8671a3d963861aab61fe1391c7d8536a (2 x PrivateLoader)
ssdeep: 6144:0fp18znPaTavhPvnenut3drPAFl3oAOYk22zVstTtsOkz:0fp18wihPvncK3iYmkXqhsO
TLSH: T161747B117E81C432D1721532CA7AE2F549BD7D206D20865F63E87E2FFE72590AA31F62
TrID: 63.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
      11.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      7.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      5.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.9% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE): PE icon
dhash icon: 4d6d6545e1e14565 (2 x PrivateLoader)
Reporter: SecuriteInfoCom
Tags: exe PrivateLoader signed

Code Signing Certificate

Organisation: YANDEX LLC
Issuer: GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm: sha256WithRSAEncryption
Valid from: 2022-05-06T08:44:54Z
Valid to: 2024-05-06T08:44:54Z
Serial number: 7904d32e74fc472b66c08a38
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 1561ae150e66f6d2b3bceda46d46525edcaf8697d3bc94485150865dc40ef888
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 327
Origin country: FR

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a7bb21bf9decc86a9eca9ea2ff17b77c8d8eeb97d7080442cab93c7f442aa609.exe
Verdict: Malicious activity
Analysis date: 2024-05-09 23:30:44 UTC
Tags: loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
DNS request
Connection attempt
Sending an HTTP GET request
Delayed writing of the file
Creating synchronization primitives
Creating a process from a recently created file
Restart of the analyzed sample
Searching for synchronization primitives
Creating a file
Modifying a system file
Creating a file in the %AppData% subdirectories
Creating a file in the Windows subdirectories
Launching a service
Reading critical registry keys
Changing a file
Searching for the window
Moving a recently created file
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Changing critical settings of the Internet Explorer browser
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: fingerprint lolbin masquerade overlay packed shell32

Verdict: Malicious
Labeled as: Yandex.K potentially unwanted application
Result
Threat name: PrivateLoader
Detection: malicious
Classification: rans.phis.troj.spyw.evad
Score: 78 / 100
Signature
Drops PE files with benign system names
Found suspicious ZIP file
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites Mozilla Firefox settings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Writes many files with high entropy
Yara detected Powershell download and execute
Yara detected PrivateLoader
Behaviour
Behavior Graph
Behavior Graph ID: 1439246
Sample: SecuriteInfo.com.Riskware.Y...
Start date: 10/05/2024
Architecture: WINDOWS
Score: 78

Top-level signatures:
  Multi AV Scanner detection for submitted file
  Yara detected PrivateLoader
  Yara detected Powershell download and execute
  6 other signatures

Process tree (dropped files, network contacts and signatures are listed under the process they belong to; "..." in paths is as shown in the graph):

msiexec.exe
  Dropped: C:\Windows\Installer\MSIA31B.tmp (PE32), C:\Windows\Installer\MSIA2EB.tmp (PE32), C:\Windows\Installer\MSIA21F.tmp (PE32), 9 other malicious files
  Starts: msiexec.exe
  msiexec.exe (child)
    Dropped: C:\Users\user\AppData\Local\...\seederexe.exe (PE32), C:\Users\user\AppData\Local\...\sender.exe (PE32), C:\Users\user\AppData\...\lite_installer.exe (PE32)
    Starts: seederexe.exe, lite_installer.exe
    seederexe.exe
      Dropped: C:\Users\user\AppData\...\xulstore.json (JSON), C:\Users\user\...\yandex.ru-20242409.xml (Unicode), 37 other malicious files
      Signatures: Overwrites Mozilla Firefox settings; Tries to harvest and steal browser information (history, passwords, etc); Writes many files with high entropy
      Starts: Yandex.exe, Yandex.exe, sender.exe
      Yandex.exe (first instance)
        Dropped: C:\Users\user\AppData\...\YandexWorking.exe (PE32), C:\Users\user\AppData\Local\...\explorer.exe (PE32), C:\Users\user\AppData\Local\...\Yandex.lnk (MS)
        Signature: Drops PE files with benign system names
        Starts: explorer.exe
      Yandex.exe (second instance)
        Dropped: C:\Users\user\AppData\Local\...\2AE68B04.exe (PE32)
        Starts: explorer.exe
      sender.exe
        Network: 87.250.254.20 (YANDEXRU, Russian Federation)
    lite_installer.exe
      Dropped: {9FB1CB61-F715-422...C-5A7D6C0A374E}.exe (PE32), C:\Users\user\AppData\Local\...\Yandex[1].exe (PE32)

browser.exe
  Network: 2 other IPs or domains
  Dropped: C:\Users\user\AppData\...\widevinecdm.dll (PE32), 16 other malicious files
  Signatures: Tries to harvest and steal browser information (history, passwords, etc); Writes many files with high entropy
  Starts: browser.exe (three instances), 10 other processes
  browser.exe (child 1)
    Signature: Tries to harvest and steal browser information (history, passwords, etc)
  browser.exe (child 2)
    Network: 178.154.131.217 (YANDEXRU, Russian Federation), 213.180.204.158 (YANDEXRU, Russian Federation), 21 other IPs or domains
  browser.exe (child 3)
    Starts: dllhost.exe

{9FB1CB61-F715-4226-BD6C-5A7D6C0A374E}.exe
  Network: 213.180.193.234 (YANDEXRU, Russian Federation), 5.45.247.52 (YANDEXRU, Russian Federation), 2 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\Temp\ybDBD5.tmp (PE32), 2 other malicious files
  Starts: ybDBD5.tmp
  ybDBD5.tmp
    Dropped: C:\Users\user\AppData\Local\...\setup.exe (PE32), C:\Users\user\AppData\Local\...\SETUP.EX_ (Microsoft), C:\Users\user\AppData\...\BROWSER.PACKED.7Z (7-zip), 5 other malicious files
    Signature: Writes many files with high entropy
    Starts: setup.exe
    setup.exe
      Dropped: C:\Users\user\AppData\Local\...\browser.dll (PE32), C:\Users\user\AppData\Local\...\brodef.dll (PE32), C:\Users\user\AppData\...\abt-bindings.dll (PE32), 2 other malicious files
      Starts: clidmgr.exe, clidmgr.exe, setup.exe
      clidmgr.exe (both instances)
        Starts: conhost.exe

SecuriteInfo.com.Riskware.Yandex.12786.6213.exe
  Network: 5.45.192.185 (YANDEXRU, Russian Federation), 5.45.205.242 (YANDEXRU, Russian Federation), 2 other IPs or domains
  Dropped: 2 other malicious files
  Starts: YandexPackSetup.exe, SecuriteInfo.com.Riskware.Yandex.12786.6213.exe
  YandexPackSetup.exe
    Dropped: C:\Users\user\AppData\...\YandexSearch.msi (Composite)
    Signature: Machine Learning detection for dropped file
  SecuriteInfo.com.Riskware.Yandex.12786.6213.exe (child)
    Network: 77.88.21.14 (YANDEXRU, Russian Federation)
Verdict: unknown

Result
Malware family: n/a
Score: 8/10
Tags: discovery persistence spyware stealer
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies Internet Explorer start page
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks system information in the registry
Drops file in System32 directory
Adds Run key to start application
Blocklisted process makes network request
Checks installed software on the system
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Unpacked files
SHA256 hash: a7bb21bf9decc86a9eca9ea2ff17b77c8d8eeb97d7080442cab93c7f442aa609
MD5 hash: 5e7ca0360b76151f03435e414b5b39b3
SHA1 hash: 996189be3e54435087d7fc55c7da6ef0251d3d81
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID: CHECK_DLL_CHARACTERISTICS
Title: Missing dll Security Characteristics (HIGH_ENTROPY_VA)
Severity: high

Reviews (ID, capability, imported evidence)
AUTH_API (Manipulates User Authorization):
    ADVAPI32.dll::ConvertSidToStringSidW
    ADVAPI32.dll::CopySid
    ADVAPI32.dll::GetLengthSid
COM_BASE_API (Can Download & Execute components):
    ole32.dll::CoCreateInstance
SECURITY_BASE_API (Uses Security Base API):
    ADVAPI32.dll::GetTokenInformation
SHELL_API (Manipulates System Shell):
    SHELL32.dll::ShellExecuteExW
URL_MONIKERS_API (Can Download & Execute components):
    urlmon.dll::URLOpenBlockingStreamW
WIN32_PROCESS_API (Can Create Process and Threads):
    KERNEL32.dll::CreateProcessW
    ADVAPI32.dll::OpenProcessToken
    WININET.dll::InternetCloseHandle
    KERNEL32.dll::CloseHandle
WIN_BASE_API (Uses Win Base API):
    KERNEL32.dll::TerminateProcess
    KERNEL32.dll::LoadLibraryExW
    KERNEL32.dll::GetStartupInfoW
    KERNEL32.dll::GetCommandLineW
    KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API (Can Execute other programs):
    KERNEL32.dll::WriteConsoleW
    KERNEL32.dll::ReadConsoleW
    KERNEL32.dll::SetStdHandle
    KERNEL32.dll::GetConsoleMode
    KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API (Can Create Files):
    SHELL32.dll::SHCreateDirectoryExW
    KERNEL32.dll::CreateFileMappingW
    KERNEL32.dll::CreateFileW
    VERSION.dll::GetFileVersionInfoSizeW
    VERSION.dll::GetFileVersionInfoW
WIN_TRUST_API (Uses Windows Trust API):
    WINTRUST.dll::WinVerifyTrust

Comments