MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d06077790fb260d6c3ed4af601b5322446d2a0621eb8edf14af8438dc2c02a63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 10

SHA256 hash: d06077790fb260d6c3ed4af601b5322446d2a0621eb8edf14af8438dc2c02a63
SHA3-384 hash: f1cebe6c33f1227aab4b6b64b279deeb0b5c0a93adb7047be339e76a9f5e8c8aba3fd09df22c8e4cea53bd64364c3db1
SHA1 hash: b53b49501de19e1b2023d0b865895a1e85da35ca
MD5 hash: 1acc4297a28e5ce6863e452a798f8159
humanhash: quebec-december-vermont-earth
File name: file
File size: 5'326'336 bytes
First seen: 2022-09-27 20:37:18 UTC
Last seen: 2022-10-08 17:43:56 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep: 98304:sTELRA5lyFdlf+K3sMqMBZBBJW7ALRYRG/k5jaCv:sT6K5lWdlm4Om87ALRYRlmM
Threatray: 21 similar samples on MalwareBazaar
TLSH: T177363328E3FAD32CDC6B37BB1C402BC4BED1AEAC02925C11A6C6116751E59DD631BE13
TrID: 64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12)
      25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
      4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.8% (.EXE) OS/2 Executable (generic) (2029/13)
      1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: andretavare5
Tags: exe


andretavare5
Sample downloaded from http://45.155.165.132/dcd57/c5256.exe

Intelligence

File Origin
# of uploads: 239
# of downloads: 334
Origin country: n/a

Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: Setup.exe
Verdict: Malicious activity
Analysis date: 2022-09-27 23:07:03 UTC
Tags: opendir loader redline evasion stealer ransomware stop clickhere downloader fake

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Suspicious
Maliciousness:
Behaviour:
- Searching for the window
- Creating a file in the system32 subdirectories
- Creating a file
- Launching a process
- Creating a process with a hidden window
- Sending a custom TCP request
- Creating a file in the %AppData% subdirectories
- Moving a file to the %AppData% subdirectory
- Using the Windows Management Instrumentation requests
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-debug packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: spyw.evad
Score: 76 / 100
Signatures:
- Antivirus / Scanner detection for submitted sample
- Antivirus detection for URL or domain
- Multi AV Scanner detection for domain / URL
- Queries memory information (via WMI often done to detect virtual machines)
- Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
- Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph (ID 711166; sample: file.exe; start date: 27/09/2022; architecture: WINDOWS; score: 76):
- Sample-level signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample
- Process tree: file.exe -> powershell.exe (3 instances) -> conhost.exe (one per powershell.exe)
- Network (from file.exe): goback.delivery 104.21.84.12, port 443, source port 49704, CLOUDFLARENETUS, United States
- file.exe signature: Tries to harvest and steal browser information (history, passwords, etc)
- powershell.exe signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries memory information (via WMI often done to detect virtual machines)
Threat name: Win64.Trojan.Privateloader
Status: Malicious
First seen: 2022-09-27 20:38:34 UTC
File Type: PE+ (Exe)
Extracted files: 1
AV detection: 12 of 25 (48.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: spyware stealer upx
Behaviour:
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Reads user/profile data of web browsers
- UPX packed file
- Gathering data
Unpacked files
SHA256 hash: 8fa1d43e0476d4896efcba6a8d30a29fb4f79e789332c13cf1b3b9a20edd853d
MD5 hash: 3f53545d748131d8ba93227fe05a3184
SHA1 hash: 426f91e7859c95b622f83baf9a4acba73451441e

SHA256 hash: d06077790fb260d6c3ed4af601b5322446d2a0621eb8edf14af8438dc2c02a63
MD5 hash: 1acc4297a28e5ce6863e452a798f8159
SHA1 hash: b53b49501de19e1b2023d0b865895a1e85da35ca

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by