MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da3909ea1dfaa29dbd3f0ee74cbe629783826f97ae41e606f6db35890c59ec40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PrivateLoader


Vendor detections: 16



SHA256 hash: da3909ea1dfaa29dbd3f0ee74cbe629783826f97ae41e606f6db35890c59ec40
SHA3-384 hash: ea2df23284e94b4093d07b52ae219ae165785add24868dcd85720066e4daa4514d6665a901b0cbdb23a7453eae2dca99
SHA1 hash: da38282d697280bb3f631a0bc6e85aeb56e00f08
MD5 hash: 97c2afd93440d56cd68240e520ffae58
humanhash: table-juliet-winner-item
File name: DA3909EA1DFAA29DBD3F0EE74CBE629783826F97AE41E.exe
Signature: PrivateLoader
File size: 5'484'721 bytes
First seen: 2022-10-25 01:50:50 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:J38qb7jXbbH7Uwee9Rrlj8ASVaqLj5a1/4O/il6OqRzJ+lU33YSkq5ZAoWUp:Jsq/LPH79RyASYqLjg1/Til9yzJ0SzhT
TLSH T16A46339227A4A5F2E6500AB167BD31457B36933048372AEDFF8D5DD87A4A6960CCE3C0
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe PrivateLoader


abuse_ch
PrivateLoader C2:
http://78.47.204.168/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                     ThreatFox Reference
http://78.47.204.168/   https://threatfox.abuse.ch/ioc/891320/
85.192.63.57:34210      https://threatfox.abuse.ch/ioc/930664/

Intelligence


File Origin
# of uploads :
1
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
ID:
1
File name:
DA3909EA1DFAA29DBD3F0EE74CBE629783826F97AE41E.exe
Verdict:
Malicious activity
Analysis date:
2022-10-25 01:53:58 UTC
Tags:
evasion trojan sinkhole redline opendir socelars stealer loader rat miner vidar tofsee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
MalwareBazaar
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
MedusaHTTP, Nymaim, Socelars, onlyLogger
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Contains functionality to steal Chrome passwords or cookies
Creates HTML files with .exe extension (expired dropper behavior)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Found C&C like URL pattern
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected Generic Downloader
Yara detected MedusaHTTP
Yara detected Nymaim
Yara detected onlyLogger
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Yara Genericmalware
Behaviour
Behavior Graph (ID 729791, start date 25/10/2022, architecture WINDOWS, score 100)
Top-level network contacts: youtube4kdowloader.club, topniemannpickshop.cc and 17 other IPs or domains. Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 24 other signatures.
Process tree recovered from the graph (dropped files and network contacts listed under the process that produced them):

DA3909EA1DFAA29DBD3F0EE74CBE629783826F97AE41E.exe
  drops C:\Users\user\AppData\...\setup_installer.exe (PE32)
  |- setup_installer.exe
  |    drops C:\Users\user\AppData\...\setup_install.exe (PE32), libwinpthread-1.dll (PE32), libstdc++-6.dll (PE32) and 18 other files (17 malicious)
  |    `- setup_install.exe
  |         contacts 127.0.0.1 and sayanu.xyz; performs DNS queries to domains with low reputation; adds a directory exclusion to Windows Defender; disables Windows Defender (via service or powershell)
  |         |- cmd.exe -> Mon06295419f3.exe
  |         |    contacts 212.193.30.115 (SPD-NETTR, Russian Federation), vk.com 87.240.132.72 (VKONTAKTE-SPB-AS, Russian Federation) and 15 other IPs or domains
  |         |    drops C:\Users\...\zmUohkEXn_ah3oN_9tsRBgO5.exe, C:\Users\...\UHShSUAWPxD6MjV2_A5RnmFk.exe, C:\Users\...\R0JbXMmzYvWQnrTiRoULyyEH.exe (all PE32) and 19 other malicious files
  |         |    antivirus detection and multi AV scanner detection for dropped file; may check the online IP address of the machine; disables Windows Defender real time protection (registry)
  |         |- cmd.exe -> Mon06a340828b11750b.exe (obfuscated command line found)
  |         |    drops C:\Users\user\...\Mon06a340828b11750b.tmp (PE32)
  |         |    `- Mon06a340828b11750b.tmp
  |         |         drops C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32), C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+), C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32)
  |         |         `- Mon06a340828b11750b.exe (obfuscated command line found)
  |         |              drops C:\Users\user\...\Mon06a340828b11750b.tmp (PE32)
  |         |              `- Mon06a340828b11750b.tmp
  |         |                   contacts ppgggb.com 209.99.40.222 port 80 (CONFLUENCE-NETWORK-INC, United States)
  |         |                   drops idp.dll (PE32), _setup64.tmp (PE32+), _shfoldr.dll (PE32) and C:\Program Files (x86)\...\is-A2ATG.tmp (PE32); creates HTML files with .exe extension (expired dropper behavior)
  |         |- cmd.exe -> Mon0610b38e64.exe
  |         |    contacts ip-api.com 208.95.112.1 port 80 (TUT-AS, United States); contains functionality to steal Chrome passwords or cookies
  |         `- 16 other processes (add a directory exclusion to Windows Defender; disable Windows Defender via service or powershell)
  |              |- Mon0653be691ad8e1.exe: contacts niemannbest.me 99.83.154.118 port 443 (AMAZON-02, United States); machine learning detection for dropped file
  |              |- Mon061955db94a2805.exe: contacts gcl-gb.biz
  |              |- Mon0635fee6a5db6.exe
  |              `- 10 other processes: contact 9 other IPs or domains; create HTML files with .exe extension (expired dropper behavior); try to harvest and steal browser information (history, passwords, etc)
  |                   |- mshta.exe -> cmd.exe
  |                   |    drops C:\Users\user\AppData\...\MN9RL3Hp4HY1J.eXe (PE32)
  |                   |    |- MN9RL3Hp4HY1J.eXe -> mshta.exe -> cmd.exe
  |                   |    |- conhost.exe
  |                   |    `- taskkill.exe
  |                   |- cmd.exe -> conhost.exe
  |                   |- cmd.exe -> conhost.exe
  |                   `- explorer.exe (injected)
  `- Mon065abded91bf551.exe
       contacts www.listincode.com 213.227.149.234 port 443 (LEASEWEB-NL-AMS-01, Netherlands) and iplogger.org 148.251.234.83 port 443 (HETZNER-AS, Germany)
       antivirus detection for dropped file; may check the online IP address of the machine; machine learning detection for dropped file
       `- WerFault.exe
Threat name:
Win32.Trojan.Redlinestealer
Status:
Malicious
First seen:
2021-10-25 10:41:28 UTC
File Type:
PE (Exe)
Extracted files:
140
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
Score:
  10/10
Tags:
family:fabookie family:nullmixer family:onlylogger family:privateloader family:redline family:smokeloader family:socelars family:tofsee botnet:6.4 botnet:@noxycloud botnet:chrisnew botnet:logsdiller cloud (tg: @logsdillabot) botnet:media24 botnet:mr x aspackv2 backdoor discovery dropper evasion infostealer loader main persistence spyware stealer trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Launches sc.exe
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Uses the VBS compiler for execution
ASPack v2.12-2.42
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
VMProtect packed file
OnlyLogger payload
Detect Fabookie payload
Detects Smokeloader packer
Fabookie
Modifies Windows Defender Real-time Protection settings
NullMixer
OnlyLogger
PrivateLoader
Process spawned unexpected child process
RedLine
RedLine payload
SmokeLoader
Socelars
Socelars payload
Tofsee
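The sandbox signatures earlier on this page (directory exclusion added to Windows Defender, real-time protection disabled via registry and via service or PowerShell, obfuscated command line found) and the behaviour list just above (Launches sc.exe, Kills process with taskkill, Creates scheduled task(s), Modifies Windows Firewall, Modifies Windows Defender Real-time Protection settings) say what the sample's child processes did, not how to find it in telemetry. The following is an added example, not code from MalwareBazaar or from any sandbox quoted on this page: Python heuristics that map process-creation command lines (Sysmon Event ID 1 or Security 4688 style) back to those behaviours, stripping cmd.exe caret obfuscation and decoding PowerShell -EncodedCommand first so the rules see the real verbs. The rule labels, regexes, event tuples and every command line below are constructed for the example; none were captured from this sample.

```python
"""Command-line heuristics for the Defender / service tampering reported above.

Added example; not part of the MalwareBazaar entry or of any vendor sandbox.
All events below are constructed for the example, not captured from the sample.
"""
from __future__ import annotations

import base64
import binascii
import re

# label -> regexes that must ALL match the normalised (lower-cased) command line
RULES: dict[str, list[str]] = {
    "defender_exclusion_added": [r"add-mppreference", r"-exclusion(path|process|extension)"],
    "defender_realtime_disabled_ps": [r"set-mppreference", r"-disablerealtimemonitoring\s+(\$true|1)\b"],
    "defender_realtime_disabled_reg": [r"\breg(\.exe)?\s+add\b", r"windows defender\\real-time protection",
                                       r"disablerealtimemonitoring"],
    "defender_service_tampered": [r"\bsc(\.exe)?\s+(stop|config|delete)\b", r"\bwindefend\b"],
    "process_killed_taskkill": [r"\btaskkill(\.exe)?\b"],
    "scheduled_task_created": [r"\bschtasks(\.exe)?\b", r"/create\b"],
    "firewall_modified": [r"\bnetsh(\.exe)?\b", r"\b(advfirewall|firewall)\b"],
    "mshta_script_host": [r"\bmshta(\.exe)?\b"],
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
_ENC = re.compile(r"-e(?:c|n[a-z]*)?\s+([a-z0-9+/=]{16,})", re.I)


def expand_encoded_powershell(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload (UTF-16LE base64) to the line.

    Without this the encoded event below is an opaque blob and no rule fires.
    """
    m = _ENC.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return cmdline
    return f"{cmdline} {decoded}"


def classify(cmdline: str) -> list[str]:
    """Return every RULES label whose regexes all match the command line."""
    text = cmdline.replace("^", "")          # cmd.exe drops carets (p^o^w^e^r...) at parse time
    text = expand_encoded_powershell(text)   # base64 is case-sensitive: decode before lowering
    text = re.sub(r"\s+", " ", text).strip().lower()
    return [label for label, pats in RULES.items() if all(re.search(p, text) for p in pats)]


def triage(events: list[tuple[str, str, str]]) -> dict[str, set[str]]:
    """Group labels by parent image; input tuples are (parent_image, image, command_line).

    Several tampering verbs under one parent is the shape the behaviour graph
    above shows for setup_install.exe and its cmd.exe children.
    """
    by_parent: dict[str, set[str]] = {}
    for parent, _image, cmdline in events:
        for label in classify(cmdline):
            by_parent.setdefault(parent, set()).add(label)
    return by_parent


# Constructed: the encoded PowerShell is built here, not taken from the sample.
_ENCODED_DISABLE_RTP = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le")
).decode("ascii")

SAMPLE_EVENTS: list[tuple[str, str, str]] = [  # constructed (parent_image, image, command_line)
    ("setup_install.exe", "cmd.exe",
     r'cmd /c p^o^w^e^r^s^h^e^l^l -nop -w hidden Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"'),
    ("setup_install.exe", "powershell.exe", f"powershell.exe -nop -w hidden -enc {_ENCODED_DISABLE_RTP}"),
    ("setup_install.exe", "reg.exe",
     r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f'),
    ("cmd.exe", "sc.exe", "sc stop WinDefend"),
    ("cmd.exe", "taskkill.exe", "taskkill /F /PID 4242"),
    ("cmd.exe", "schtasks.exe",
     r'schtasks /create /tn "Updater" /tr "C:\Users\user\AppData\Roaming\svc.exe" /sc onlogon /rl highest /f'),
    ("cmd.exe", "mshta.exe", r'mshta.exe "C:\Users\user\AppData\Local\Temp\launch.hta"'),
    ("explorer.exe", "notepad.exe", r"notepad.exe C:\Users\user\notes.txt"),
]

if __name__ == "__main__":
    for parent, image, cmdline in SAMPLE_EVENTS:
        print(f"{parent:>18} -> {image:<15} {classify(cmdline)}")
    print(triage(SAMPLE_EVENTS))
```

Per-event labels are noisy on their own (an administrator adding an exclusion fires the same rule); the triage() grouping is the useful signal, because the behaviour graph above shows one installer parent whose cmd.exe children together add exclusions, disable Defender and launch payloads. The decoder handles only the single plain -EncodedCommand case; nested or string-built PowerShell still needs script-block logging to see through.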
Malware Config
C2 Extraction:
http://sayanu.xyz/
http://45.133.1.107/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
51.178.186.149
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
194.104.136.5:46013
91.121.67.60:23325
51.89.201.21:7161
103.89.90.61:34589
79.137.192.41:24746
svartalfheim.top
jotunheim.name
85.192.63.57:34210
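The "C2 Extraction" list above (and the two ThreatFox IOCs near the top of the page) mixes full URLs, bare IPv4 addresses, IP:port pairs, a schemeless path (pastebin.com/raw/A7dSG1te) and bare hostnames. The following is an added example, not part of MalwareBazaar, ThreatFox or the vendor report, that parses each form into a typed record with the host, the port (explicit, or implied by the URL scheme) and a defanged rendering, then splits hosts into IP and domain blocklists. The indicator list is copied from this page; the Indicator type, the function names and the hxxp:// and [.] defanging convention are the example's own choices.

```python
"""Normalise the mixed-format C2 extraction above into typed, defanged indicators.

Added example; not part of MalwareBazaar, ThreatFox or the vendor report.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Copied verbatim from the "C2 Extraction" list on this page: live threat data.
C2_EXTRACTION = """\
http://sayanu.xyz/
http://45.133.1.107/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
51.178.186.149
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
194.104.136.5:46013
91.121.67.60:23325
51.89.201.21:7161
103.89.90.61:34589
79.137.192.41:24746
svartalfheim.top
jotunheim.name
85.192.63.57:34210
"""

_IP_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
_HOSTNAME = re.compile(r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$", re.I)


@dataclass(frozen=True)
class Indicator:
    raw: str
    kind: str           # "url" | "ip" | "ip_port" | "domain"
    host: str           # hostname or IPv4 literal, lower-cased
    port: int | None    # explicit port, or 80/443 implied by a URL scheme, else None
    defanged: str       # hxxp:// and [.] so the indicator is not clickable when pasted


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def defang(text: str) -> str:
    text = re.sub(r"^http(s?)://", r"hxxp\1://", text, flags=re.I)
    return text.replace(".", "[.]")


def parse_indicator(line: str) -> Indicator:
    raw = line.strip()
    if "://" in raw:                                    # full URL: scheme tells us the port
        parts = urlsplit(raw)
        host = (parts.hostname or "").lower()
        port = parts.port or {"http": 80, "https": 443}.get(parts.scheme.lower())
        return Indicator(raw, "url", host, port, defang(raw))
    if (m := _IP_PORT.match(raw)) and _is_ip(m.group(1)) and 0 < int(m.group(2)) < 65536:
        return Indicator(raw, "ip_port", m.group(1), int(m.group(2)), defang(raw))
    if _is_ip(raw):
        return Indicator(raw, "ip", raw, None, defang(raw))
    host = raw.split("/", 1)[0]                         # schemeless path: host is the first segment
    if _HOSTNAME.match(host):
        return Indicator(raw, "url" if "/" in raw else "domain", host.lower(), None, defang(raw))
    raise ValueError(f"unrecognised indicator format: {raw!r}")


def parse_all(text: str) -> list[Indicator]:
    return [parse_indicator(line) for line in text.splitlines() if line.strip()]


def host_blocklist(indicators: list[Indicator]) -> dict[str, set[str]]:
    """Split hosts into IPs and domains for firewall / DNS blocklists."""
    ips: set[str] = set()
    domains: set[str] = set()
    for ind in indicators:
        (ips if _is_ip(ind.host) else domains).add(ind.host)
    return {"ips": ips, "domains": domains}


if __name__ == "__main__":
    for ind in parse_all(C2_EXTRACTION):
        print(f"{ind.kind:<8} {ind.host:<22} {str(ind.port or '-'):>6}  {ind.defanged}")
```

Two cautions the page itself supports: 85.192.63.57:34210 also appears in the ThreatFox table, so it is the one indicator here with an independent reference; and pastebin.com, like the vk.com, iplogger.org and ip-api.com contacts in the behaviour graph, is a legitimate service that the sandbox flagged under "Legitimate hosting services abused for malware hosting/C2", so block the full URL and treat the host as a pivot rather than a blocklist entry.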
Unpacked files
SHA256 hash:
3a4537aa5b9e0d713b62e5b6345e281d46c00b74770b67f6acad520f2b9c1121
MD5 hash:
54ce3774fe6f4fff1c04a94794245ab2
SHA1 hash:
9cbe3c707b27cb58620de55b535ce8f841641535
SHA256 hash:
6cd587ecdd136bd1fcba0693ca65c8217eef048350b9033278d0df0d71f7a309
MD5 hash:
a6f7a7ba19a4174ef29c87d6a68739e5
SHA1 hash:
ca4b8f9471997e8bee613d7f124d1dbfc1d105d3
SHA256 hash:
ffb0fcede542fa2a31553073105b74f85e3a6d92987392dcce5e5e49743c878b
MD5 hash:
688bb186be4be7a4e668f4dff71ce220
SHA1 hash:
bc06b533f88e5260bdb9f63d19bac9fe71ee5c64
SHA256 hash:
6ff28eadc08ed708cfb8cfbd244a7aac387ac3b629e086d99c4066c91aab7071
MD5 hash:
7fdc19fd5d28294b2e005e57261afc60
SHA1 hash:
f9fc75379d9a18130435697fa8b7aeaa758f0a26
SHA256 hash:
4cc7bafdbf99b8f929c6937fe5085d89330f9bb18a4a044f59e4cf6fcca9847c
MD5 hash:
7698b56f96a338e693851d0130a65532
SHA1 hash:
f843d73084b0fdb6dc84189faaa9c37ae069e0b0
SHA256 hash:
27a9228747973ae9649e8717a2ff77916346560644e734ef2ed946f2767fb128
MD5 hash:
de1b3c28ea026c0ede620dd78199ddc5
SHA1 hash:
ee402371a36bff44c765323ccd8c7e4a56bc8d12
SHA256 hash:
f7aba9aaa4d4a2e7a149c4a01346ca53b85f8a37a1751db44381b364847991bf
MD5 hash:
e15dfb2d5780acc9eb272272b658a520
SHA1 hash:
dc60e8f6bc63965018400aad2fb3a7f18569fa43
SHA256 hash:
48bcf2492f3798e6c9065192f2f7b43b4bdd576745c57ef6291880f61bc9318f
MD5 hash:
b4dcca9eb41ae4a1eee4158cfb8fb75a
SHA1 hash:
d3e12754f1663b6ced425994b70f7532c85584fb
SHA256 hash:
04092e0386b64fbfcd1c41807cf1b68c65257e73639bf669ec6a77d90140bc80
MD5 hash:
055a4e9f63665c4b93dec2927ba65a9e
SHA1 hash:
ce832e4d8edc0d5c639cdf3aeeed82205480a180
SHA256 hash:
82b60a8c25db65bae520e73b7a67d2a6ca1f0fe6926439d0d7f1c0d52aa2f7d4
MD5 hash:
a758705ffd480485776c573bbe7091ca
SHA1 hash:
ae62bd009da6c2bf8e91f06a9a01890f74828d07
SHA256 hash:
6bcca33a599532917b446f07952719fa7a70edf6646c14b13e64686ff2c6d44c
MD5 hash:
7af76a6cff6996241b9d85558848e6c8
SHA1 hash:
a8df8a22e003849550c2e6827bf17a5edbec5524
SHA256 hash:
2a02760a7c946be153ef57430a29a502c9e1523445ee44d6bcb8375e0500b20d
MD5 hash:
022e41c175bc6c348ae2ade5f1e5c57f
SHA1 hash:
50039d199260b0148b8ec523546380dbfd3491f0
SHA256 hash:
67f93efc4cd96a3f39fb676d57e8c6bcc1b8dd5bf37da0b0fd57bab8a3536eca
MD5 hash:
3f936130ab696859405eadc45c9fa0ae
SHA1 hash:
3674be1283586633c17a62a23b29bb28e90ce3f4
SHA256 hash:
647b33c29f43fc27269434b98b91e4ef2fe2572bd3b41cab55475149f6c92f48
MD5 hash:
e11fc831e80b2ae905cd2391fc559f30
SHA1 hash:
0d9913e650c4e14ecdd90ec154d47677dfc9da07
SHA256 hash:
d24399f03e81c420af5d64c3709f20b3240676a504d878676f06a78141f4f78b
MD5 hash:
1ef0932ea9b1fcb78d02c17896a08426
SHA1 hash:
03e964695d15a7f8198ccd294e07eefdc508e42b
Detections:
PrivateLoader win_privateloader_w0 win_privateloader_a0
SHA256 hash:
fb35e940eb07e761704d5c922e77e28d51279088375fef12ed342361e428df66
MD5 hash:
4023b304f7969a24b91be30d76997997
SHA1 hash:
40bf9443df97437df7b695874fefa3e8103d76bc
SHA256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
SHA256 hash:
0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052
MD5 hash:
6449aa2e023c5931ac91815ca54225ed
SHA1 hash:
65b5f4df2c28472469ddf924e6b0d0a61394c612
SHA256 hash:
b96206829dc95e7ed35e92aed225cf32a69dc60f8417b8489504083f9bfba083
MD5 hash:
a365430e938a0d9a3c020ac5fd18ebf7
SHA1 hash:
d637d8811a034085523a82ac1c5dc0b7caf92077
SHA256 hash:
a37b7bc898830df917dc31b3addb9a0580e7ff0a3839d1bb3c827b7bbb6c7a7a
MD5 hash:
3b903d525d937cfd957787d809a3a5e1
SHA1 hash:
c8230090abcd659113c127d68d6070fd1c557ea3
SHA256 hash:
7e6ce1a5ad46e39311ffe3448e0ccf6941b5d350920998d1334f8204b40a04e1
MD5 hash:
a7d1264b499d1b76ca0e1017a770d462
SHA1 hash:
3e658e15f134acc8c0e4990ad319e65e39ee5e77
SHA256 hash:
097b7ceb41b1799da40aa2e38e8757260b66ad6530b2a7bc2f38b22cf24e5ed7
MD5 hash:
5c29b1b913cfad6c85a9a31778af6130
SHA1 hash:
dea36768439b95fd8e1243008dd83bbf233af636
SHA256 hash:
da3909ea1dfaa29dbd3f0ee74cbe629783826f97ae41e606f6db35890c59ec40
MD5 hash:
97c2afd93440d56cd68240e520ffae58
SHA1 hash:
da38282d697280bb3f631a0bc6e85aeb56e00f08
Malware family:
RedLine.C
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:INDICATOR_EXE_Packed_ASPack
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:MALWARE_Win_DLInjector03
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_DLInjector06
Author:ditekSHen
Description:Detects downloader / injector
Rule name:MALWARE_Win_OnlyLogger
Author:ditekSHen
Description:Detects OnlyLogger loader variants
Rule name:pdb_YARAify
Author:@wowabiy314
Description:PDB
Rule name:privateloader
Author:andretavare5
Description:PrivateLoader pay-per-install malware
Rule name:Privateloader_Main_Component
Description:Detects PrivateLoader Main Component
Rule name:SUSP_XORed_Mozilla
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:win_gcleaner_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.gcleaner.
Rule name:win_privateloader
Rule name:win_privateloader_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.privateloader.
Rule name:win_privateloader_w0
Author:andretavare5
Reference:https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service
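The two SUSP_XORed_Mozilla rules above match the string "Mozilla/5.0" under YARA's single-byte xor modifier and, as their own description notes, cannot report which key produced the hit. The following is an added example, not part of MalwareBazaar, the rules or this sample, that recovers the key offline the way the referenced CyberChef XOR brute-force recipe does, then dumps the printable strings of the decoded blob so the rest of the configuration (user agent, URLs) can be read. The blob it runs on is constructed here with key 0x5A and a documentation-range IP; nothing in it comes from the sample.

```python
"""Recover the single-byte XOR key behind a SUSP_XORed_Mozilla hit.

Added example; not part of the MalwareBazaar entry, the YARA rules or the sample.
"""
from __future__ import annotations

KEYWORD = b"Mozilla/5.0"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte (0-255)."""
    return bytes(b ^ key for b in data)


def find_xor_keys(blob: bytes, keyword: bytes = KEYWORD) -> dict[int, list[int]]:
    """Return {key: [offsets]} for every single-byte key that reveals keyword in blob.

    Searches for the *encoded* keyword instead of decoding the whole blob 255
    times. Key 0 (plaintext) is skipped here so an unobfuscated user agent is
    not reported as XORed.
    """
    hits: dict[int, list[int]] = {}
    for key in range(1, 256):
        needle = xor_bytes(keyword, key)
        offsets = []
        start = 0
        while (idx := blob.find(needle, start)) != -1:
            offsets.append(idx)
            start = idx + 1
        if offsets:
            hits[key] = offsets
    return hits


def decode_strings(blob: bytes, key: int, min_len: int = 6) -> list[str]:
    """Decode blob with key and return printable-ASCII runs of at least min_len."""
    plain = xor_bytes(blob, key)
    out: list[str] = []
    run = bytearray()
    for b in plain:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


# Constructed sample (not from the sample on this page): a fake config blob,
# XORed with key 0x5A; 198.51.100.7 is a documentation-range address.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = (
    b"\x00\x01\x02User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\x00"
    b"http://198.51.100.7/gate.php\x00\xff\xfe"
)
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    for key, offsets in find_xor_keys(SAMPLE_BLOB).items():
        print(f"key=0x{key:02x} offsets={offsets}")
        for s in decode_strings(SAMPLE_BLOB, key):
            print("   ", s)
```

On a real hit, run find_xor_keys over the matched file or process dump; a single key with one or two offsets is the normal case, while many keys matching usually means the rule fired on random high-entropy data rather than an obfuscated user agent.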

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments