MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbfe892212b563f55273825e83c4e719e3fd408fdc609760223d1ca501f1e3eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PrivateLoader

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments 1

SHA256 hash:	bbfe892212b563f55273825e83c4e719e3fd408fdc609760223d1ca501f1e3eb
SHA3-384 hash:	ac12790d0829ba0053b99360a28cd03b4ae766d00b5498ac271354b5aaf4bfcd77cb5026aa4cda695479a3d454d8629c
SHA1 hash:	6754efe8281fb17677866277fc0a88a7852b0367
MD5 hash:	9f2721fbcc5f835a7dd623dc875937b7
humanhash:	three-fillet-nevada-hot
File name:	9f2721fbcc5f835a7dd623dc875937b7
Download:	download sample
Signature	PrivateLoader Create hunting rule
File size:	2'730'496 bytes
First seen:	2023-10-14 03:58:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b5fd5c5a28970cfa1aef9750a101db08 (1 x PrivateLoader, 1 x Stealc)
ssdeep	49152:CMrd91qiYkCPQHPiKkqY91+O0qJPLpY2G72q+b6juHEUPObu4VWc3EBXVA:xh9giYkCIHPigYPPXdq2e2JejfUPOC47
TLSH	T1DCC512993F8621FFC19BC7358192688FB9973B93FE6274891789A1240E313F44FB9458
TrID	38.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 15.6% (.ICL) Windows Icons Library (generic) (2059/9) 15.4% (.EXE) OS/2 Executable (generic) (2029/13) 15.2% (.EXE) Generic Win/DOS Executable (2002/3) 15.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	e48cb0f8d89ad898 (1 x PrivateLoader)
Reporter	zbetcheckin
Tags:	64 exe PrivateLoader

Intelligence

File Origin

# of uploads :

# of downloads :

308

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

9f2721fbcc5f835a7dd623dc875937b7

Verdict:

Malicious activity

Analysis date:

2023-10-14 04:01:21 UTC

Tags:

privateloader evasion opendir loader redline risepro stealer stealc amadey botnet trojan ransomware stop sinkhole smoke vidar arkei

Link:

https://app.any.run/tasks/6b527f0d-021c-42df-b85d-a32d81f9de86

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/454261/

Detection(s):

SecuriteInfo.com.Win64.TrojanX-gen.31191.26397.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Modifying a system file

Сreating synchronization primitives

Replacing files

Launching a service

Launching a process

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Reading critical registry keys

Sending a UDP request

Creating a file

Forced system process termination

Blocking the Windows Defender launch

Adding exclusions to Windows Defender

Sending an HTTP GET request to an infection source

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug anti-vm lolbin packed packed shell32 vmprotect

Link:

https://www.filescan.io/uploads/652a120828455aedec111fa2/reports/94be9438-a521-488d-b832-9c43df0ad6cb/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/bbfe892212b563f55273825e83c4e719e3fd408fdc609760223d1ca501f1e3eb

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/5c2725bf-7c4c-42a3-9fab-73fd21174719

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/bbfe892212b563f55273825e83c4e719e3fd408fdc609760223d1ca501f1e3eb

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/bbfe892212b563f55273825e83c4e719e3fd408fdc609760223d1ca501f1e3eb/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2023-10-13 04:23:27 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

13 of 36 (36.11%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xp7isiqswvr7kuttqjpihrhhdhr72qep3rqjoybchuokkapr4pvq._file

Verdict:

malicious

Result

Malware family:

privateloader

Score:

10/10

Tags:

family:privateloader loader spyware stealer vmprotect

Link:

https://tria.ge/reports/231014-ej3emshc89/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Drops file in System32 directory

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

VMProtect packed file

PrivateLoader

Unpacked files

SH256 hash:

bbfe892212b563f55273825e83c4e719e3fd408fdc609760223d1ca501f1e3eb

MD5 hash:

9f2721fbcc5f835a7dd623dc875937b7

SHA1 hash:

6754efe8281fb17677866277fc0a88a7852b0367

Link:

https://www.unpac.me/results/b50f6ca6-0bc5-4c0d-8a14-72cfd38ee55e/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bbfe892212b5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bbfe892212b563f55273825e83c4e719e3fd408fdc609760223d1ca501f1e3eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.