MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6838c7c0ee74c331e1c7ef8e0fa34bad89943e607b927ff4d0ddd0415758670. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PrivateLoader


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6838c7c0ee74c331e1c7ef8e0fa34bad89943e607b927ff4d0ddd0415758670
SHA3-384 hash: d6b008f55f904e17e2ae92396b9493ff7a9a20e480c4b551a0f9d934853ecae6770740a2c718cbce841ae4e407fc656c
SHA1 hash: 225adee3b8fdd5f0315cb6060402e9429b6e4d2b
MD5 hash: 1e14c62ccbc51112c2c395252e7654bc
humanhash: georgia-bacon-mango-avocado
File name:po.exe
Download: download sample
Signature PrivateLoader
Create hunting rule
File size:16'384 bytes
First seen:2022-08-27 08:06:01 UTC
Last seen:2022-08-27 08:41:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 384:eKBtLQ4WZA6h5H8LUtbhNJpTvD2pj6bNBc:tBBQNXkGN3TviQbr
Threatray 828 similar samples on MalwareBazaar
TLSH T163726BAD255FB720D028823FF4D6D2888EEFDA611C53CB1FB94523492E2379ECA64645
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter 0xToxin
Tags:exe PrivateLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
434
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
po.exe
Verdict:
Malicious activity
Analysis date:
2022-08-27 08:07:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bef62268-8522-4a29-8476-f67d57d57578

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/301572/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.5770.1757.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6309d07f3cbb13868a895d01/reports/0585ffbf-ec9f-4eb2-be92-37cc702a9662/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/155bac6b-2e22-41ed-8697-15a684de5579
Result
Threat name:
AsyncRAT, PrivateLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1058837
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected PrivateLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 691351 Sample: po.exe Startdate: 27/08/2022 Architecture: WINDOWS Score: 100 57 Multi AV Scanner detection for domain / URL 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Antivirus detection for URL or domain 2->61 63 13 other signatures 2->63 9 po.exe 15 7 2->9         started        14 rem.exe 1 2->14         started        16 rem.exe 1 2->16         started        18 rem.exe 2->18         started        process3 dnsIp4 55 fullline.com.my 15.235.144.173, 443, 49721, 49724 HP-INTERNET-ASUS United States 9->55 49 C:\Users\user\AppData\Roaming\...\cloud.exe, PE32 9->49 dropped 51 C:\Users\user\...\cloud.exe:Zone.Identifier, ASCII 9->51 dropped 53 C:\Users\user\AppData\Local\...\po.exe.log, ASCII 9->53 dropped 65 Creates an undocumented autostart registry key 9->65 67 Encrypted powershell cmdline option found 9->67 69 Writes to foreign memory regions 9->69 71 2 other signatures 9->71 20 MSBuild.exe 5 4 9->20         started        23 powershell.exe 16 9->23         started        25 BackgroundTransferHost.exe 13 9->25         started        33 2 other processes 9->33 27 conhost.exe 14->27         started        29 conhost.exe 16->29         started        31 conhost.exe 18->31         started        file5 signatures6 process7 file8 45 C:\Users\user\AppData\Local\...\install.vbs, data 20->45 dropped 47 C:\ProgramData\Remcos\rem.exe, PE32 20->47 dropped 35 wscript.exe 1 20->35         started        37 conhost.exe 23->37         started        process9 process10 39 cmd.exe 1 35->39         started        process11 41 rem.exe 2 39->41         started        43 conhost.exe 39->43         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b6838c7c0ee74c331e1c7ef8e0fa34bad89943e607b927ff4d0ddd0415758670/
Threat name:
ByteCode-MSIL.Trojan.Scar
Create hunting rule
Status:
Malicious
First seen:
2022-08-27 05:43:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
21 of 41 (51.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w2byy7ao45gdghq4p34ob6ruxlmjsq7ga64sp72nbxoqiflvqzya._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
masslogger
Create hunting rule
Similar samples:
1c0d0b7350789ac3cd3aaac71175646d9f06f9240689be3b62293e94ffc12658
PrivateLoader
2149cec22f889cc1eed0485be3a4670b2f5b20a2f40eaa24633ed54b3b795da2
PrivateLoader
21717cdfec5b3e14e7493537a9ca67045929faa591dc041350bc29070ca65681
PrivateLoader
2cf1525cdb58ec9e5d47e5c66619b9cf2966155ece68a66e9bf935369971ccdc
PrivateLoader
326920546c2f54782c27ab6c8b53948b8b2cbb1efe709d322c84d4d7a0806911
PrivateLoader
3f4a92916d3f26c17475017df9881acb7a6bb11f3e684e548d166e46f6363bbd
PrivateLoader
519049c140f5a4f0d6d2115f921d105b1bd4bf46f2e9f66a45762ba5c9cda9e0
PrivateLoader
82ceaad56c8928f9d0bd09357499847ef059640db0689760b5bbab95f3068287
PrivateLoader
93ff00886c3dd4fda1ef90c88e79c5db775f667d33f941b7594e1751f9982474
PrivateLoader
9e9384a14b3cb6360a27e6f5b5d772332054c47ca8258f541d2095a815fd825a
PrivateLoader
+ 818 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220827-jzd47shbg6/
Behaviour
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Unpacked files
SH256 hash:
b6838c7c0ee74c331e1c7ef8e0fa34bad89943e607b927ff4d0ddd0415758670
MD5 hash:
1e14c62ccbc51112c2c395252e7654bc
SHA1 hash:
225adee3b8fdd5f0315cb6060402e9429b6e4d2b
Link:
https://www.unpac.me/results/1e3ab091-b58e-4841-b502-6c8475420b73/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/b6838c7c0ee74c331e1c7ef8e0fa34bad89943e607b927ff4d0ddd0415758670

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PrivateLoader

Executable exe b6838c7c0ee74c331e1c7ef8e0fa34bad89943e607b927ff4d0ddd0415758670

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/301572/

Comments