MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b52165d1dff358f826708910f6b025e710bc1ba9c975597e38acdecc0b9eff28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PrivateLoader

Vendor detections: 11

Intelligence 11 IOCs YARA 4 File information Comments

SHA256 hash:	b52165d1dff358f826708910f6b025e710bc1ba9c975597e38acdecc0b9eff28
SHA3-384 hash:	a9e69b95ac124dce0ec7e2077e1a93497085dec320d439a07d596d556703a91d8eb3bbdda3a471768f586d0c26be9e8c
SHA1 hash:	2090a3600d2b579f04afdf16f509c6f853a82eaa
MD5 hash:	3625925a9ec138bf267c97c7f2af4b76
humanhash:	paris-football-maryland-shade
File name:	file
Download:	download sample
Signature	PrivateLoader Create hunting rule
File size:	57'856 bytes
First seen:	2022-08-23 10:29:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e3891a82d4b659d9d18cd5c106347ce5 (1 x PrivateLoader)
ssdeep	1536:IKo8o1VCrFoUKxb/Js39hvrEtuLOV+Nm0Hucglt:IKoHVqFRKxbONhjEt5V+Nmtcglt
Threatray	4'164 similar samples on MalwareBazaar
TLSH	T18643D812AA01623AF9F70573CEFE294EC25DEA61130E54D7B39C6C8E43556E23B31297
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	andretavare5
Tags:	exe PrivateLoader

andretavare5

Sample downloaded from https://cdn.discordapp.com/attachments/1011550874335715335/1011582328700682261/admin.bmp

Intelligence

File Origin

# of uploads :

# of downloads :

268

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2022-08-23 10:32:15 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/9544b5ae-9a5d-4bdd-853d-2dac7bd17a73

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/300444/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Reading critical registry keys

Creating a window

Creating a file in the system32 subdirectories

Searching for the window

DNS request

Sending a custom TCP request

Creating a file

Stealing user critical data

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/29756/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6304ac67393b1c8c470832a2/reports/934c5618-5ebc-49d7-b9f8-26346042104f/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Zapchast

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5b0891e8-5360-47f2-bd91-8d1343c5d89f

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.spyw.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1056137

Signature

Detected unpacking (creates a PE file in dynamic memory)

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b52165d1dff358f826708910f6b025e710bc1ba9c975597e38acdecc0b9eff28/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2022-08-23 10:30:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

13 of 26 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wuqwluo76nmpqjtqreipnmbf44ilyg5jzf2vs7ryvtpmyc4674ua._file

Verdict:

malicious

PrivateLoader

0e45e4518520737de10107dd9f0ef027bc21e3579ded4f3e38e8f92f1e2dd32d

PrivateLoader

2478438ca47c4cd97263a6382359146e9db261300f0495cfb50a51f2833c7f60

PrivateLoader

367f9b98835a1c98ee8542f2009ccb23b4ef42ff7117e5774968196cfb43ac3e

PrivateLoader

4a9579d10dc37c2010e162741e19938e25d10e90a3de0d7632504cb6b9ed13e2

PrivateLoader

8d5110fd0bc9f090eb6458635f425ea4ae8bb0505ad19852310d0160a6ce1a4b

PrivateLoader

a297bc0c90017b32dd1636f86f068b0b6c21c6e1eb1ead92c23eec4b0195177e

PrivateLoader

c3c42af61eaeb76c2a3ea4712a4fda9d25e83e91f4fa2b5f1236c5d76688fc43

PrivateLoader

e0579dc3a1e48845194d9cd9415ae492d375fd59cea0e1adf21866afde152f89

PrivateLoader

+ 4'154 additional samples on MalwareBazaar

Result

Malware family:

privateloader

Score:

10/10

Tags:

family:privateloader loader

Link:

https://tria.ge/reports/220823-mjs5zadcgm/

Behaviour

Looks up external IP address via web service

PrivateLoader

Unpacked files

SH256 hash:

b52165d1dff358f826708910f6b025e710bc1ba9c975597e38acdecc0b9eff28

MD5 hash:

3625925a9ec138bf267c97c7f2af4b76

SHA1 hash:

2090a3600d2b579f04afdf16f509c6f853a82eaa

Link:

https://www.unpac.me/results/7cec1145-76c4-47e2-8648-fc5754c9b38e/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b52165d1dff3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b52165d1dff358f826708910f6b025e710bc1ba9c975597e38acdecc0b9eff28

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	privateloader Create hunting rule
Author:	andre@tavares.re
Description:	PrivateLoader pay-per-install malware

Rule name:	win_privateloader_w0 Create hunting rule
Author:	andretavare5
Reference:	https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/300444/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample