MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f552b32f88a9508a1b3141c1f6a4bcea3f06c7146c87718182b31ca2b3c42166. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PrivateLoader

Vendor detections: 13

Intelligence 13 IOCs 2 YARA File information Comments

SHA256 hash:	f552b32f88a9508a1b3141c1f6a4bcea3f06c7146c87718182b31ca2b3c42166
SHA3-384 hash:	846b696abe20b685b555a5e174104a3dc059d322e4ed6296ac1af8dca5e602bad763ad911d39c622822aada9c173277a
SHA1 hash:	140d8e6b072b8bcd1ebf5b67ff3d7bc7a69762cc
MD5 hash:	769d7edd7924cc493c6b26dd96b68535
humanhash:	saturn-pennsylvania-washington-salami
File name:	F552B32F88A9508A1B3141C1F6A4BCEA3F06C7146C877.exe
Download:	download sample
Signature	PrivateLoader Create hunting rule
File size:	5'670'673 bytes
First seen:	2022-10-24 16:00:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep	98304:JbDgw1rDdDMwLzEBsrUwgM5J9M3+tub5XQSh5L8ydVybapTjlJ6Fk:JQ+r5MaEBsrUw5Jq3+sbB1HLHjybapTh
TLSH	T18846337CE74096B2E24432B02560EED7DBFECABE667C4C65F7102E839A90757A58CC05
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	abuse_ch
Tags:	exe PrivateLoader

abuse_ch

PrivateLoader C2:
91.212.166.17:47242

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://78.47.204.168/	https://threatfox.abuse.ch/ioc/891320/
91.212.166.17:47242	https://threatfox.abuse.ch/ioc/916215/

Intelligence

File Origin

# of uploads :

# of downloads :

204

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

arkei

ID:

File name:

F552B32F88A9508A1B3141C1F6A4BCEA3F06C7146C877.exe

Verdict:

Malicious activity

Analysis date:

2022-10-24 16:02:39 UTC

Tags:

trojan evasion arkei redline socelars stealer

Link:

https://app.any.run/tasks/b4d25e83-d4ae-4336-bffa-cdffc6413be6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/323489/

Detection(s):

Win.Packed.Barys-9859531-0

Win.Malware.Generic-9863888-0

Win.Packed.Jaik-9863991-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Сreating synchronization primitives

Creating a process from a recently created file

Creating a file

Running batch commands

Launching a process

Using the Windows Management Instrumentation requests

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/45060/overview

Behaviour

MalwareBazaar

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Vidar

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e0d8e41f-992d-4924-8929-86764d782178

Result

Threat name:

Nymaim, PrivateLoader, Socelars, Vidar,

Detection:

malicious

Classification:

spre.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1096722

Signature

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Creates HTML files with .exe extension (expired dropper behavior)

Detected VMProtect packer

Disable Windows Defender real time protection (registry)

Disables Windows Defender (via service or powershell)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Obfuscated command line found

PE file contains section with special chars

PE file has a writeable .text section

PE file has nameless sections

Sigma detected: Copy itself to suspicious location via type command

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Nymaim

Yara detected onlyLogger

Yara detected PrivateLoader

Yara detected Socelars

Yara detected UAC Bypass using CMSTP

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f552b32f88a9508a1b3141c1f6a4bcea3f06c7146c87718182b31ca2b3c42166/

Threat name:

Win32.Trojan.Redlinestealer

Status:

Malicious

First seen:

2022-10-20 23:43:00 UTC

File Type:

PE (Exe)

Extracted files:

263

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6vjlgl4ivfiiugzriha7njf45i7qnryunsdxdamcwmokfm6eefta._file

Verdict:

unknown

Result

Malware family:

vidar

Score:

10/10

Tags:

family:nullmixer family:nymaim family:onlylogger family:privateloader family:redline family:smokeloader family:socelars family:tofsee family:vidar botnet:6.4 botnet:916 botnet:dozkey botnet:logsdiller cloud (tg: @logsdillabot) botnet:media0321 botnet:mr x botnet:newjust aspackv2 backdoor discovery dropper evasion infostealer loader main persistence spyware stealer trojan vmprotect

Link:

https://tria.ge/reports/221024-tf7yaahef8/

Behaviour

Checks SCSI registry key(s)

Creates scheduled task(s)

Enumerates processes with tasklist

Kills process with taskkill

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Launches sc.exe

Suspicious use of SetThreadContext

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Looks up geolocation information via web service

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Unexpected DNS network traffic destination

Uses the VBS compiler for execution

ASPack v2.12-2.42

Creates new service(s)

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

VMProtect packed file

OnlyLogger payload

Vidar Stealer

Detects Smokeloader packer

Modifies Windows Defender Real-time Protection settings

NullMixer

NyMaim

OnlyLogger

PrivateLoader

Process spawned unexpected child process

RedLine

RedLine payload

SmokeLoader

Socelars

Socelars payload

Tofsee

Vidar

Malware Config

C2 Extraction:

http://45.133.1.107/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
51.178.186.149
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
http://www.hhgenice.top/
https://mas.to/@romashkin
91.121.67.60:23325
135.181.129.119:4805
91.212.166.17:47242
79.137.192.41:24746
51.89.201.21:7161
45.139.105.171
85.31.46.167
103.89.90.61:34589

Unpacked files

SH256 hash:

701f151ac7a870467880737a908fd35b0363f97d399d4b4e9f4ef0fee1625f9e

MD5 hash:

f59ef12c6785be332ad31cbcc0057257

SHA1 hash:

e2ab1acfda5dd9b046929ea9bc162b0f4ef853b2

Link:

https://www.unpac.me/results/5ca729dd-6c08-4f6e-b059-aa40ad30d208/

SH256 hash:

d177c0a03a757c9bf0ba986b879f304615e687fb8513d5512171c5c372c95f3b

MD5 hash:

920b72252a11097cbcc51abc1df9f01b

SHA1 hash:

42d9ca4803eb8e0f02274dd585185db6ae0cab9d

Link:

https://www.unpac.me/results/5ca729dd-6c08-4f6e-b059-aa40ad30d208/

SH256 hash:

e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4

MD5 hash:

0dedd909aae9aa0a89b4422106310e9e

SHA1 hash:

271d36afa5b729ee590cf8066166ca5e9c9d0340

Link:

https://www.unpac.me/results/5ca729dd-6c08-4f6e-b059-aa40ad30d208/

SH256 hash:

83c6e5f937becb928c5a2e5bf475db8cc243d9ca4233a69dd70864f3a1faef11

MD5 hash:

12033e8b1b4b23ffb5897779f87ad37d

SHA1 hash:

dff3acd501a0fc4ab51c50e0a90e735c596fc2a0

Link:

https://www.unpac.me/results/5ca729dd-6c08-4f6e-b059-aa40ad30d208/

SH256 hash:

5ae2de33b5c09fd0cc0c02a252b98dabad58724f64863638abf8debcdd95fa85

MD5 hash:

534f7ffd56fb35f49001e40c3538339b

SHA1 hash:

f805ea75ce2f26f5368ff4f631fc47cf262dd84b

Link:

https://www.unpac.me/results/5ca729dd-6c08-4f6e-b059-aa40ad30d208/

SH256 hash:

48af3403c29607d883dfbf95f2ab6188b9f761dcd2f4a5fd745de7ea2db19942

MD5 hash:

d8ea1364bce8db87216e5b60d5d51f3f

SHA1 hash:

f18ecd87b52595c9bca8f97c353c624de34a1686

Link:

https://www.unpac.me/results/5ca729dd-6c08-4f6e-b059-aa40ad30d208/

SH256 hash:

d04cdc308a856c63e0d83cb351be99265c602a495c4329694b5444f3670e2088

MD5 hash:

5a2af968e918f927cfab3b283039ed61

SHA1 hash:

eca6db60801e56ea48c9c3740106eca1f79d26cf

Link:

https://www.unpac.me/results/5ca729dd-6c08-4f6e-b059-aa40ad30d208/

SH256 hash:

f22bee3756acf29c1fe0c7b3e3b578345c2ad751195d12f22039a207f7949b01

MD5 hash:

4be401fc00194dab26d987688139b84d

SHA1 hash:

b1fd19c5df16de67a2d30543c224484f21e6c0c9

Link:

https://www.unpac.me/results/5ca729dd-6c08-4f6e-b059-aa40ad30d208/

SH256 hash:

42e3a98fe6e4aa225fd508d821ec43ac475ac6d4e2c8f9a714994c2fab2c15d6

MD5 hash:

4ee4204501895ff977b1580366880bb9

SHA1 hash:

98ec8d783980bec1bbcf6d2e6524d175d1b88d2d

Link:

https://www.unpac.me/results/5ca729dd-6c08-4f6e-b059-aa40ad30d208/

SH256 hash:

0dbaa7b630b19dce0868c018f7e11d5ea1362e7c670a8e62adfe8fea9ea20a75

MD5 hash:

c170315c2e442a4df8f0f69b3ca90dc4

SHA1 hash:

8c839f41fb17bf5adff3d2a4f56f05290a3f1fd2

Link:

https://www.unpac.me/results/5ca729dd-6c08-4f6e-b059-aa40ad30d208/

SH256 hash:

7ac4cc59bb66c43d7680ba930bf5c2c98f7ca08c591b9bf6556699f7a4fa2260

MD5 hash:

6617d0e761abcea3a66eb53243e85f34

SHA1 hash:

7e2ef58648d5e34bae9089e073e7fc5c87846bde

Link:

https://www.unpac.me/results/5ca729dd-6c08-4f6e-b059-aa40ad30d208/

SH256 hash:

041b0014f630910ab7f8a03c8d65f1f391f2ba791632391302b606b0467fdca9

MD5 hash:

c617db1a41bca58864a680c2da043cb5

SHA1 hash:

76c328cf5c5cc64a035453a6d50628783133413f

Link:

https://www.unpac.me/results/5ca729dd-6c08-4f6e-b059-aa40ad30d208/

SH256 hash:

dc1e63f48cfcdb7559672f68ea5f5bde1899868a38069b02b4b23ab2eb430ec7

MD5 hash:

979d3cb08568c72137339dc393175884

SHA1 hash:

0309f88bd58d22e3c9ec5ab2880022c20ced2d44

Link:

https://www.unpac.me/results/5ca729dd-6c08-4f6e-b059-aa40ad30d208/

SH256 hash:

88b2d8a7fbf025987947226c9d6d72c72f93bdc182d05857893027289059ef09

MD5 hash:

3addf1aab7f2237dd61b6857f2832c9c

SHA1 hash:

2e9f422f0717ca2e8fd9d0b4fff720dcd367e2c4

Detections:

win_gcleaner_auto

Link:

https://www.unpac.me/results/5ca729dd-6c08-4f6e-b059-aa40ad30d208/

SH256 hash:

e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963

MD5 hash:

f707252b9c9579677fffb013e0cfc646

SHA1 hash:

8ab483023fa8773afb8c13464c39c5b8e687f126

Link:

https://www.unpac.me/results/5ca729dd-6c08-4f6e-b059-aa40ad30d208/

SH256 hash:

382dc91dfdf466b6335b4c1c51ac8166cdb7b0a1b1f89c38579f04aafbf54e6c

MD5 hash:

19bfee1e23f5ce8adb83a0fee1eb6489

SHA1 hash:

c0e955dc5bd431669ffa0aa85adfd490c957138d

Detections:

win_smokeloader_a2

SmokeLoaderStage2

Link:

https://www.unpac.me/results/5ca729dd-6c08-4f6e-b059-aa40ad30d208/

Parent samples :

d5e7de2fd5987b8356f29d011cd95ea37875a697120c59387db4d995cf5ed929
886a9bba51b1e3ef2756a680ebc43714e539994f12543e6d0e56a75a7ce81040
f552b32f88a9508a1b3141c1f6a4bcea3f06c7146c87718182b31ca2b3c42166
66bf743babad7405d2426b25bf8d1bb493f6d9048b55ede138d36a3b8a2f9c8e

SH256 hash:

292cd5748289c853c554fb76b5933dc4f78dc8a4e61dab0b2c035f4107bcdcb6

MD5 hash:

2861a063a41280464207dcb7e59c5340

SHA1 hash:

c0efb6722eeb5dc95cafb0c47670567df05d2da7

Detections:

win_vidar_auto

Link:

https://www.unpac.me/results/5ca729dd-6c08-4f6e-b059-aa40ad30d208/

Parent samples :

d5e7de2fd5987b8356f29d011cd95ea37875a697120c59387db4d995cf5ed929
886a9bba51b1e3ef2756a680ebc43714e539994f12543e6d0e56a75a7ce81040
f552b32f88a9508a1b3141c1f6a4bcea3f06c7146c87718182b31ca2b3c42166

SH256 hash:

8d5ddfbb05d69b8aed167882829da5d92d3940f322c9b1dfc90e9c2752722db1

MD5 hash:

2b69aa77d597067b2caf02f842137241

SHA1 hash:

9dd30bd80f0b17eb2779bb85b4d96d2dadd8c96f

Link:

https://www.unpac.me/results/5ca729dd-6c08-4f6e-b059-aa40ad30d208/

SH256 hash:

7205c50737e4cc6d94dee92c96e4c4b18270db31473709eda15004aa0b1cedbe

MD5 hash:

dc45a2b6a955a5294ad8238628c11342

SHA1 hash:

f3f7b703203536b6c7753321356e08304e4a4920

Link:

https://www.unpac.me/results/5ca729dd-6c08-4f6e-b059-aa40ad30d208/

SH256 hash:

d08c88ea3f2a75293c46d2c52ec161dd4786685b389a1b371d832c7cc2acf52a

MD5 hash:

2d8119436a43a89e3aed9aecbf695b10

SHA1 hash:

d06cc6d5c6631c148b288adc3472ad955893588f

Link:

https://www.unpac.me/results/5ca729dd-6c08-4f6e-b059-aa40ad30d208/

SH256 hash:

72efc9c00ed4c825e6c19ec1dbaba907f49120b0f86f8774afbdba37f5fe7ff5

MD5 hash:

4c3f9df48d1fa68f5225c16a73305ec2

SHA1 hash:

98626c3e152843f2f93e7a35356df273106c7069

Link:

https://www.unpac.me/results/5ca729dd-6c08-4f6e-b059-aa40ad30d208/

SH256 hash:

b8fd6da68ff34956355fed47dfc2c9451a7c2b9dc4815e1fceb59fdd57c93e81

MD5 hash:

12c66752711c34b38d7f6135d54ee666

SHA1 hash:

5c8bb8491ab2c5e47b74e20b9358aea8d67814f5

Link:

https://www.unpac.me/results/5ca729dd-6c08-4f6e-b059-aa40ad30d208/

SH256 hash:

f552b32f88a9508a1b3141c1f6a4bcea3f06c7146c87718182b31ca2b3c42166

MD5 hash:

769d7edd7924cc493c6b26dd96b68535

SHA1 hash:

140d8e6b072b8bcd1ebf5b67ff3d7bc7a69762cc

Link:

https://www.unpac.me/results/5ca729dd-6c08-4f6e-b059-aa40ad30d208/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f552b32f88a9508a1b3141c1f6a4bcea3f06c7146c87718182b31ca2b3c42166

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/323489/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample