MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d75a7ee1a791ac1260fa1e83e6cd066dcf1446f2d52b136d226b8de8c284cd06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PrivateLoader


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d75a7ee1a791ac1260fa1e83e6cd066dcf1446f2d52b136d226b8de8c284cd06
SHA3-384 hash: 216d817f026bb0a86a2b307065ef1c147167de8902248b3aef2c2023daaf8930d9a8e92d8e877b7cdca26b22189b6b43
SHA1 hash: 25ff7bed93d5d89e711098288153a9c425c71c29
MD5 hash: aa7811688cb87b19d2ea4c77244e704a
humanhash: nevada-five-violet-october
File name:aa7811688cb87b19d2ea4c77244e704a
Download: download sample
Signature PrivateLoader
Create hunting rule
File size:212'992 bytes
First seen:2022-06-17 21:20:31 UTC
Last seen:2022-07-15 03:21:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash acdcb3eeeb627a85bc10fa3bf256b492 (1 x Smoke Loader, 1 x PrivateLoader, 1 x Stop)
ssdeep 3072:NV19IIBk9qP4HnuxwA069VDFrXqsEPCVi+mgnzJD+brP9CdO5kFz9koLk:cIBnwHuJHD9qHYMEzskFJ/I
TLSH T1E7246C24B181F476E4A30035E4FAA3F05A6C69306BA449FFF7C44F2A5A352E2D535B27
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 00cce8f0d0e871b2 (3 x Stop, 1 x Smoke Loader, 1 x TeamBot)
Reporter zbetcheckin
Tags:32 exe PrivateLoader

Intelligence

File Origin
# of uploads :
5
# of downloads :
359
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
socelars
Create hunting rule
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2022-06-16 08:53:19 UTC
Tags:
evasion trojan socelars stealer opendir loader rat redline ransomware stop setup adfly clickhere
Link:
https://app.any.run/tasks/84dd3f81-955c-40a1-9c0b-c0bc80519526

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/281061/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.33366.11340.7880.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Creating a file
Reading critical registry keys
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a window
Searching for the window
Searching for synchronization primitives
Launching a process
Running batch commands
Launching the default Windows debugger (dwwin.exe)
Launching cmd.exe command interpreter
Blocking the Windows Defender launch
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/21766/overview
Behaviour
MalwareBazaar
CallSleep
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware shell32.dll
Link:
https://www.filescan.io/uploads/62acf03eb0582adf05ae7f8a/reports/a8d86d78-392f-4182-8bbf-5399d72f95dc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6ae43f67-c90b-4075-8ed2-cc82916efa22
Result
Threat name:
Nymaim, SmokeLoader, Socelars
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1015474
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Nymaim
Yara detected SmokeLoader
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 647970 Sample: VuY7nOScWR Startdate: 17/06/2022 Architecture: WINDOWS Score: 100 116 Multi AV Scanner detection for domain / URL 2->116 118 Malicious sample detected (through community Yara rule) 2->118 120 Antivirus detection for URL or domain 2->120 122 14 other signatures 2->122 9 VuY7nOScWR.exe 5 34 2->9         started        14 rundll32.exe 2->14         started        16 svchost.exe 2->16         started        18 9 other processes 2->18 process3 dnsIp4 92 212.193.30.45 SPD-NETTR Russian Federation 9->92 94 193.233.185.125 REDCOM-ASRedcomKhabarovskRussiaRU Russian Federation 9->94 98 10 other IPs or domains 9->98 80 C:\Users\...\upfvRvyXdNJEYUNsgq01iTK_.exe, PE32 9->80 dropped 82 C:\Users\...\V93rIySYVlfLyOaP8hZCmJ8j.exe, PE32 9->82 dropped 84 C:\Users\...\KtA3FUp85QaNjunpB8SSFqiA.exe, PE32 9->84 dropped 86 11 other files (6 malicious) 9->86 dropped 142 Tries to harvest and steal browser information (history, passwords, etc) 9->142 144 Disable Windows Defender real time protection (registry) 9->144 20 pg4kR9_1Sv2Sp33y7Vs_ZZ6t.exe 1 5 9->20         started        22 KtA3FUp85QaNjunpB8SSFqiA.exe 9->22         started        26 upfvRvyXdNJEYUNsgq01iTK_.exe 9->26         started        30 4 other processes 9->30 28 rundll32.exe 14->28         started        146 Changes security center settings (notifications, updates, antivirus, firewall) 16->146 96 192.168.2.1 unknown unknown 18->96 file5 signatures6 process7 dnsIp8 33 cmd.exe 1 20->33         started        36 dllhost.exe 20->36         started        66 C:\Users\user\AppData\Local\...\rtst1077.exe, PE32+ 22->66 dropped 68 C:\Users\user\AppData\Local\...\logger2.exe, PE32 22->68 dropped 70 C:\Users\user\AppData\Local\...\inst002.exe, PE32 22->70 dropped 74 7 other files (5 malicious) 22->74 dropped 124 Uses ping.exe to sleep 22->124 126 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 26->126 128 Maps a DLL or memory area into another process 26->128 130 Checks if the current machine is a virtual machine (disk enumeration) 26->130 38 explorer.exe 26->38 injected 132 Creates a thread in another existing process (thread injection) 28->132 100 37.0.8.39 WKD-ASIE Netherlands 30->100 102 208.95.112.1 TUT-ASUS United States 30->102 72 C:\Users\...\pidHTSIGEi8DrAmaYu9K8ghN89.dll, PE32+ 30->72 dropped 40 V93rIySYVlfLyOaP8hZCmJ8j.exe 2 30->40         started        44 WerFault.exe 20 9 30->44         started        46 WerFault.exe 30->46         started        file9 signatures10 process11 dnsIp12 104 Obfuscated command line found 33->104 106 Uses ping.exe to sleep 33->106 108 Drops PE files with a suspicious file extension 33->108 110 Uses ping.exe to check the status of other devices and networks 33->110 48 cmd.exe 33->48         started        52 conhost.exe 33->52         started        88 104.21.40.196 CLOUDFLARENETUS United States 40->88 90 172.67.188.70 CLOUDFLARENETUS United States 40->90 78 C:\Users\user\AppData\Local\Temp\db.dll, PE32 40->78 dropped file13 signatures14 process15 file16 64 C:\Users\user\AppData\...64ostra.exe.pif, PE32 48->64 dropped 112 Obfuscated command line found 48->112 114 Uses ping.exe to sleep 48->114 54 Nostra.exe.pif 48->54         started        58 tasklist.exe 48->58         started        60 find.exe 48->60         started        62 2 other processes 48->62 signatures17 process18 file19 76 C:\Users\user\AppData\Local\Temp\...\FUyO.dll, PE32 54->76 dropped 134 DLL reload attack detected 54->134 136 Renames NTDLL to bypass HIPS 54->136 138 Sample uses process hollowing technique 54->138 140 Injects a PE file into a foreign processes 54->140 signatures20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d75a7ee1a791ac1260fa1e83e6cd066dcf1446f2d52b136d226b8de8c284cd06/
Threat name:
Win32.Backdoor.Zapchast
Create hunting rule
Status:
Malicious
First seen:
2022-06-07 17:51:27 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=25nh5ynhsgwbeyh2d2b6ntignxhrirxs2uvrg3jcnog6rquezuda._file
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:socelars family:xmrig discovery evasion exploit miner persistence spyware stealer suricata trojan vmprotect
Link:
https://tria.ge/reports/220617-z7apraddal/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates processes with tasklist
Enumerates system info in registry
Kills process with taskkill
Modifies registry key
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Launches sc.exe
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Possible privilege escalation attempt
Stops running service(s)
VMProtect packed file
XMRig Miner Payload
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Socelars
Socelars Payload
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
xmrig
Malware Config
C2 Extraction:
https://sa-us-bucket.s3.us-east-2.amazonaws.com/eurfrsa613/
Unpacked files
SH256 hash:
d75a7ee1a791ac1260fa1e83e6cd066dcf1446f2d52b136d226b8de8c284cd06
MD5 hash:
aa7811688cb87b19d2ea4c77244e704a
SHA1 hash:
25ff7bed93d5d89e711098288153a9c425c71c29
Link:
https://www.unpac.me/results/e40c4778-feda-4fa1-88fa-59cd8a5d0163/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d75a7ee1a791ac1260fa1e83e6cd066dcf1446f2d52b136d226b8de8c284cd06

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:privateloader
Create hunting rule
Author:Andre Tavares
Description:Detects downloader PrivateLoader loader and core, based on string encryption and an http header used on C2 comms
Rule name:win_privateloader
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PrivateLoader

Executable exe d75a7ee1a791ac1260fa1e83e6cd066dcf1446f2d52b136d226b8de8c284cd06

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2242682/
Cape
Cape
https://www.capesandbox.com/analysis/281061/

Comments


Avatar
zbet commented on 2022-06-17 21:20:40 UTC

url : hxxp://2.56.57.65/ww14.exe