MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4fb39b3f6aa19028ccdd531437e7994a9b6f62b317adfa3edc16ba51e57acb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PrivateLoader


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4fb39b3f6aa19028ccdd531437e7994a9b6f62b317adfa3edc16ba51e57acb1
SHA3-384 hash: 912ec63233ee5be2b5160a9a62bbcdfa993c3338bf19f65e76317bb2b302cdbe2adf31c7fc5edfee970687c06c22b05a
SHA1 hash: 631d17a0d3e06fb456bd3d355f6e42ff5b452b53
MD5 hash: 560120f81f15301dac785e5d6fca9dbd
humanhash: spring-lake-william-queen
File name:E4FB39B3F6AA19028CCDD531437E7994A9B6F62B317AD.exe
Download: download sample
Signature PrivateLoader
Create hunting rule
File size:3'961'150 bytes
First seen:2022-09-28 17:16:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:JVAUmf3bmus2gNdb19K3xQ+atlEiU7tqaOHBBO:JVQf34TNdbyO+OlZ4waOHBo
TLSH T16106337C455DF590E9B62634A91F2DCCA72ACA6625235FCBCF3CFA227220DD42868315
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe PrivateLoader


Avatar
abuse_ch
PrivateLoader C2:
51.89.201.21:7161

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
51.89.201.21:7161 https://threatfox.abuse.ch/ioc/852070/

Intelligence

File Origin
# of uploads :
1
# of downloads :
358
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/314463/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Malware.Socelars-9901327-1
Create hunting rule

Win.Malware.Socelars-9901374-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Launching cmd.exe command interpreter
Query of malicious DNS domain
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/39787/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
arkeistealer barys overlay packed redline shell32.dll
Link:
https://www.filescan.io/uploads/6334818f49c58ce767c3f942/reports/78050ca3-0aee-4ab4-830d-812840bfb563/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f4cf29a4-fd5a-42ed-a371-ab7ecae99338
Result
Threat name:
Nymaim, RedLine, Socelars, onlyLogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1079447
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Found C&C like URL pattern
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Submitted sample is a known malware sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 712002 Sample: E4FB39B3F6AA19028CCDD531437... Startdate: 28/09/2022 Architecture: WINDOWS Score: 100 99 yarbiegishola.xyz 2->99 101 xv.yxzgamen.com 2->101 103 9 other IPs or domains 2->103 127 Snort IDS alert for network traffic 2->127 129 Malicious sample detected (through community Yara rule) 2->129 131 Antivirus detection for URL or domain 2->131 135 22 other signatures 2->135 15 E4FB39B3F6AA19028CCDD531437E7994A9B6F62B317AD.exe 10 2->15         started        signatures3 133 Performs DNS queries to domains with low reputation 99->133 process4 file5 95 C:\Users\user\AppData\...\setup_installer.exe, PE32 15->95 dropped 18 setup_installer.exe 18 15->18         started        process6 file7 79 C:\Users\user\AppData\...\setup_install.exe, PE32 18->79 dropped 81 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 18->81 dropped 83 C:\Users\user\AppData\...\libstdc++-6.dll, PE32 18->83 dropped 85 13 other files (12 malicious) 18->85 dropped 21 setup_install.exe 1 18->21         started        process8 dnsIp9 119 127.0.0.1 unknown unknown 21->119 121 hsiens.xyz 21->121 147 Performs DNS queries to domains with low reputation 21->147 149 Adds a directory exclusion to Windows Defender 21->149 25 cmd.exe 21->25         started        27 cmd.exe 1 21->27         started        29 cmd.exe 1 21->29         started        31 10 other processes 21->31 signatures10 process11 signatures12 34 Sun02683ecfb62e.exe 25->34         started        39 Sun02123b90af44.exe 7 27->39         started        41 Sun02dbc2eaf5751c.exe 12 29->41         started        151 Submitted sample is a known malware sample 31->151 153 Adds a directory exclusion to Windows Defender 31->153 43 Sun022b1ce9b1f4e.exe 31->43         started        45 Sun02c9d47b68397.exe 31->45         started        47 Sun0209876f3158630c.exe 31->47         started        49 5 other processes 31->49 process13 dnsIp14 105 212.193.30.115, 49745, 49752, 80 SPD-NETTR Russian Federation 34->105 109 16 other IPs or domains 34->109 87 C:\Users\...\uXh6Kv1wpNOsIb81aeoy7X6r.exe, PE32 34->87 dropped 89 C:\Users\...\rZP8c2TuCtT2GaLWNwJ0V3Mm.exe, PE32 34->89 dropped 91 C:\Users\...\VYzY3HLWUuhGi516UEySV_sv.exe, PE32 34->91 dropped 93 15 other malicious files 34->93 dropped 137 Antivirus detection for dropped file 34->137 139 May check the online IP address of the machine 34->139 141 Machine Learning detection for dropped file 34->141 145 2 other signatures 34->145 51 mshta.exe 39->51         started        111 5 other IPs or domains 41->111 53 WerFault.exe 41->53         started        55 WerFault.exe 41->55         started        113 2 other IPs or domains 43->113 143 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 43->143 57 WerFault.exe 43->57         started        59 WerFault.exe 43->59         started        115 4 other IPs or domains 45->115 107 cdn.discordapp.com 162.159.130.233, 443, 49714, 49718 CLOUDFLARENETUS United States 47->107 117 2 other IPs or domains 49->117 61 explorer.exe 49->61 injected file15 signatures16 process17 process18 63 cmd.exe 51->63         started        file19 97 C:\Users\user\AppData\Local\Temp\09xU.exE, PE32 63->97 dropped 66 09xU.exE 63->66         started        69 conhost.exe 63->69         started        71 taskkill.exe 63->71         started        process20 signatures21 123 Antivirus detection for dropped file 66->123 125 Machine Learning detection for dropped file 66->125 73 mshta.exe 66->73         started        75 mshta.exe 66->75         started        process22 process23 77 cmd.exe 75->77         started       
Detection:
redline
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e4fb39b3f6aa19028ccdd531437e7994a9b6f62b317adfa3edc16ba51e57acb1/
Threat name:
Win32.Trojan.Redlinestealer
Create hunting rule
Status:
Malicious
First seen:
2021-10-10 16:26:21 UTC
File Type:
PE (Exe)
Extracted files:
111
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4t5ttm7wvimqfdgn2uyug7tzssu3n5rlgf5n7i7nyfv2khsxvsyq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:fabookie family:onlylogger family:privateloader family:redline family:smokeloader family:socelars botnet:logsdiller cloud (sup: @mr_golds) botnet:nam6.5 botnet:she aspackv2 backdoor discovery evasion infostealer loader main ransomware spyware stealer themida trojan vmprotect
Link:
https://tria.ge/reports/220928-vtn8rsgfe2/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Modifies Internet Explorer settings
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
OnlyLogger payload
Detect Fabookie payload
Detected Djvu ransomware
Detects Smokeloader packer
Djvu Ransomware
Fabookie
Modifies Windows Defender Real-time Protection settings
OnlyLogger
PrivateLoader
Process spawned unexpected child process
RedLine
RedLine payload
SmokeLoader
Socelars
Socelars payload
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
135.181.129.119:4805
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
http://163.123.143.4/proxies.txt
http://107.182.129.251/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
163.123.143.12
103.89.90.61:34589
51.89.201.21:7161
http://winnlinne.com/test3/get.php
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/aae5da7c-c11f-4080-a2c3-feb2b81fb4f0
Unpacked files
SH256 hash:
1efba74468b00def8150162945619e54ab506887c654008243d13d4228857754
MD5 hash:
b3b8a7bb0abe2b0c68c52cb5e8ebb47e
SHA1 hash:
5523c955b8b4b456b40f143148857fcb0261512a
Link:
https://www.unpac.me/results/49067367-b36d-4d3b-afc9-b283be73695c/
SH256 hash:
972c33057d6944870e2fe26b4a5f2497cde0b540150386bdba04c8fc607f4b01
MD5 hash:
d5d68f6d0c6e151d2fb689740f5f3f75
SHA1 hash:
cb5ef9eb004073daba0eb683f1ff69d1dd5f21eb
Detections:
win_smokeloader_a2
Create hunting rule
SmokeLoaderStage2
Create hunting rule
Link:
https://www.unpac.me/results/49067367-b36d-4d3b-afc9-b283be73695c/
Parent samples :
f33c9c6f077b7fb4d243925fe48b875581bb8af46e452b39bd4a2c3dd68f0ef9
822ee6c4b4bb9a619985e83c04a2dfe1a09152dc0276bd698f6d03be6ec7b83a
cfcab36f73560b2d15b6c266feaaf0195a6e0d18c22aa22b672e7eb2f979923e
7287980c1afb840a7438471126c0c95c36fefa79a013f9620264507e5f98c7a6
f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d
72b6da82c3aa6faeee19e842814f77874cab37b3425ce6c503754b90c43a4610
e4fb39b3f6aa19028ccdd531437e7994a9b6f62b317adfa3edc16ba51e57acb1
582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e
abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
SH256 hash:
51d1fb6c91c859ebbe0d33009feb91e61ac92c14412addfeb6e5b097d84b7b63
MD5 hash:
ca367012ebf8a17e84253413281d5e72
SHA1 hash:
9db93109d5bfb255c1997e422a2538beefdbb36e
Link:
https://www.unpac.me/results/49067367-b36d-4d3b-afc9-b283be73695c/
Parent samples :
582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
SH256 hash:
43da19a0f18ca201ee3f213e30699e121bbe812bb14e405344dfe43e52b95d6a
MD5 hash:
c83860b0db60b9f69468301ee2a58fca
SHA1 hash:
d826cc0323eb208e36b3e9ef00225430c6f031e1
Link:
https://www.unpac.me/results/49067367-b36d-4d3b-afc9-b283be73695c/
SH256 hash:
451cf1703ad0bf82455a5048b43b4926e60d350855f60b099a401a4ddf64144c
MD5 hash:
28fcdce0e0f51a66b0c9d9ed92929c59
SHA1 hash:
b8cc43496e028344859228e1f1a1461a06b720b3
Link:
https://www.unpac.me/results/49067367-b36d-4d3b-afc9-b283be73695c/
SH256 hash:
ee4355899a94ed5b369d8a8851d52ef2286c01af577e70bc82f43a5f4716fb0b
MD5 hash:
69f0fe993f6e63c9e7a2b739ec956e82
SHA1 hash:
6f9a1b7a9fceac26722da17e204f57a47d7b66a5
Link:
https://www.unpac.me/results/49067367-b36d-4d3b-afc9-b283be73695c/
SH256 hash:
4b24c24a3e8dc8a4584d23ad44f0bef741debb40e3ff115e9a8fb2728c2106a3
MD5 hash:
b2403f6f58f5df4596a39ee669dafc88
SHA1 hash:
10f23f71b869c90ae2d439c045d1914c8c58ab5f
Link:
https://www.unpac.me/results/49067367-b36d-4d3b-afc9-b283be73695c/
SH256 hash:
f8485279dab08224debce487f055191fab123311f877dd2b667ad25fc8729271
MD5 hash:
70b5166c6a3024f930a934864b54c673
SHA1 hash:
0a58b452ea2df8df7bbeb1fd2c9ee8e47c728031
Link:
https://www.unpac.me/results/49067367-b36d-4d3b-afc9-b283be73695c/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/49067367-b36d-4d3b-afc9-b283be73695c/
SH256 hash:
51083f1071cc6c67bc643417a0be92c3190a044f6cb0d913bb8afb01adc08f3f
MD5 hash:
59073d016866002414aa2c915f8d1f6e
SHA1 hash:
dc285bc11154c5d4b932514934bd16c71b2a3938
Link:
https://www.unpac.me/results/49067367-b36d-4d3b-afc9-b283be73695c/
SH256 hash:
d95b8e2d8bf52369a369cf6ee5366297a8984380210d7eea29a82cf53b8501fa
MD5 hash:
4da644a647b164089629ff894110d9cf
SHA1 hash:
8f29d97853790d852203c0921c39609ee8c6b27e
Link:
https://www.unpac.me/results/49067367-b36d-4d3b-afc9-b283be73695c/
SH256 hash:
642f5d31e9797e4509429807009ee2871ac9826b5b513ff229956a3d87ed1f8e
MD5 hash:
488029d7287523022a3a3c0fad808e36
SHA1 hash:
1f28a900f11d99b0f6e65cf3b1e63b0bd22f45db
Link:
https://www.unpac.me/results/49067367-b36d-4d3b-afc9-b283be73695c/
SH256 hash:
8efbacd9f787f65d2914dd1bc90a8e291a1fe710b1d084a6b4696354c6a0fafc
MD5 hash:
2c1906b5ccdd9fce9e07d2ebd71c95f4
SHA1 hash:
ee66d5232be9919c4ac3d0843111bce073d0afeb
Link:
https://www.unpac.me/results/49067367-b36d-4d3b-afc9-b283be73695c/
SH256 hash:
88e4343fe21a03915c173bb4567a38a60a77b4d97fd1a083d03ce056b7a8a15b
MD5 hash:
a4507036bdf87683de0337600105d6fe
SHA1 hash:
2c8475df833ec7bd530fadb89f951c3e7b68eec4
Link:
https://www.unpac.me/results/49067367-b36d-4d3b-afc9-b283be73695c/
SH256 hash:
92729ee5d4933cd146f9af8d547837ee6b69b86858e059d916c8aff157e2da6b
MD5 hash:
163f14afa44f0b242d2f1c992ce9b9b0
SHA1 hash:
52b2b7d452233885c805043bc41c1c7faa4cac12
Link:
https://www.unpac.me/results/49067367-b36d-4d3b-afc9-b283be73695c/
SH256 hash:
e4fb39b3f6aa19028ccdd531437e7994a9b6f62b317adfa3edc16ba51e57acb1
MD5 hash:
560120f81f15301dac785e5d6fca9dbd
SHA1 hash:
631d17a0d3e06fb456bd3d355f6e42ff5b452b53
Link:
https://www.unpac.me/results/49067367-b36d-4d3b-afc9-b283be73695c/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e4fb39b3f6aa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e4fb39b3f6aa19028ccdd531437e7994a9b6f62b317adfa3edc16ba51e57acb1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:MALWARE_Win_DLInjector03
Create hunting rule
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_OnlyLogger
Create hunting rule
Author:ditekSHen
Description:Detects OnlyLogger loader variants
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/314463/

Comments