MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b68aac66f4d1490eef02edd08bd9a7d58ea388f0fe601ace2e3c15cbf4bfe215. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b68aac66f4d1490eef02edd08bd9a7d58ea388f0fe601ace2e3c15cbf4bfe215
SHA3-384 hash: 36e66a73bb3c5b11300b5e6576118e6328e4763f8bdd5f99adf4ab83e3739bb43266e9fa2e8600c4cc7437e8c7593281
SHA1 hash: 25e333f6f262cfb41b6956b81c0f1e45905f4b18
MD5 hash: a6c151ae429a867ccfccd6792440710e
humanhash: mountain-virginia-carbon-kentucky
File name:file
Download: download sample
File size:5'331'456 bytes
First seen:2022-09-23 19:32:32 UTC
Last seen:2022-09-23 22:10:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep 98304:aWp74R+1AWxONQgXLuvfqu6b2RD4CYTG2lABSc62kttX/1bDI1aNC53HeCiUCX:aWp74R+1JSQg72fQbC3D2lA02+5D6SzJ
Threatray 22 similar samples on MalwareBazaar
TLSH T1DE3633780079A730DA6355BDD0C6D3376831125960CCEA13BA29DBF9F828D92276DEF1
TrID 64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12)
25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter andretavare5
Tags:exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc594260791_643195653?hash=VynprSR1gmDSUzwXdhzPp3RdUzvp14SzozKYvnTCljz&dl=GU4TIMRWGA3TSMI:1663957929:fO8x8Yuk733jCnhKa0zAvQYn2kKx1Mfe5klbarLt4Z0&api=1&no_preview=1#12143

Intelligence

File Origin
# of uploads :
3
# of downloads :
292
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
socelars
Create hunting rule
ID:
1
File name:
http://hardlyfind.com/viewpoints/funders.c3VwZXIgcG9zZSBib29rIGZyZWUgZG93bmxvYWQc3V/lazkao/malaria/ZG93bmxvYWR8Q045YTNBNVlueDhNVFkxT1RJM01EWTNPSHg4TWpVNU4zeDhLRTBwSUZkdmNtUndjbVZ6Y3lCYlVFOVRWRjA?transporting=&predictive=raymer
Verdict:
Malicious activity
Analysis date:
2022-09-23 23:17:03 UTC
Tags:
evasion trojan socelars stealer opendir loader rat redline ransomware stop raccoon recordbreaker
Link:
https://app.any.run/tasks/abea36d6-0e52-4fe8-8efb-6db819610607

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/312644/
Detection(s):
SecuriteInfo.com.Win64.Trojan-gen.15638.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the system32 subdirectories
Creating a file
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/632e0a11e64c53f047012d97/reports/1c55aca2-8768-4eb3-8f03-b9f96da68669/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/847266d3-b404-41dc-8311-a99b9f0d1ced
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1076100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 708642 Sample: file.exe Startdate: 23/09/2022 Architecture: WINDOWS Score: 76 26 Multi AV Scanner detection for domain / URL 2->26 28 Antivirus detection for URL or domain 2->28 30 Antivirus / Scanner detection for submitted sample 2->30 7 file.exe 2->7         started        process3 dnsIp4 24 goback.delivery 104.21.84.12, 443, 49704 CLOUDFLARENETUS United States 7->24 32 Tries to harvest and steal browser information (history, passwords, etc) 7->32 11 powershell.exe 11 7->11         started        14 powershell.exe 11 7->14         started        16 powershell.exe 11 7->16         started        signatures5 process6 signatures7 34 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->34 36 Queries memory information (via WMI often done to detect virtual machines) 11->36 18 conhost.exe 11->18         started        20 conhost.exe 14->20         started        22 conhost.exe 16->22         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b68aac66f4d1490eef02edd08bd9a7d58ea388f0fe601ace2e3c15cbf4bfe215/
Threat name:
Win64.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-09-23 19:33:26 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w2fkyzxu2feq53yc5xiixwnh2whkhchq7zqbvtrohqk4x5f74ikq._file
Verdict:
unknown
Similar samples:
58e1eecd96750405a47327b00330180e4fc8aae4b0e6f89616d8d3cc9021fc9b
5d72a8ffcefedd15f16a8ac752b0e09fef6d9359c0019fa1627be76581358152
6f6585d3df024c6e411a075d856c79cc7a70e5509006e53dcaafeb8fc418fdf8
7235b9b0554815b59a73d9d2a99b1485ba3667655d8a983b4f2e67d5a8082812
7fa5971fde4364c32e47c5a8e6b189fc214ffd019077f30c14fbfb4e240909e1
82346f3a4b7e84f746f6242ff70265b1467ffdcd01954f71806f86c2989a9819
8b03872c981e72aa24fd680e3d8f49768341f2c86fdabe51f4e5302c41b194a7
cc81b5085ea098d0d117dfe38aa46b5513f66d34c23454c964cdd3f0864967e7
ef91b2a1887cb0fa13a3305220dfb78d4d7b041fe8177b5810772e0d27487f90
f9b5057081ca6e37c63a992234668b244551053a63582ee5bcd24e9e06222278
+ 12 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer upx
Link:
https://tria.ge/reports/220923-x9hf9shgb6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Reads user/profile data of web browsers
UPX packed file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/06c227ec-be13-40e7-ba16-b0b09ba83d2b
Unpacked files
SH256 hash:
92ebcdac9acaa37125869a099ae1bbffb8d8ce3a81bbd8aaa8c2e7b8c6c8fb6c
MD5 hash:
79805d3927ff4a07ecb59a91d535b25d
SHA1 hash:
60fe16c26a012361d51db83f3670ae47a3df37dc
Link:
https://www.unpac.me/results/532b1e2d-613b-4c98-964d-94da5568383b/
SH256 hash:
b68aac66f4d1490eef02edd08bd9a7d58ea388f0fe601ace2e3c15cbf4bfe215
MD5 hash:
a6c151ae429a867ccfccd6792440710e
SHA1 hash:
25e333f6f262cfb41b6956b81c0f1e45905f4b18
Link:
https://www.unpac.me/results/532b1e2d-613b-4c98-964d-94da5568383b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b68aac66f4d1490eef02edd08bd9a7d58ea388f0fe601ace2e3c15cbf4bfe215

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/312644/

Comments