Threat name: Amadey, Fabookie, ManusCrypt, Nymaim, Pr
Alert
Classification: phis.troj.spyw.evad
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found C&C like URL pattern
Hides threads from debuggers
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
PE file contains section with special chars
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected PrivateLoader
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Behavior Graph
ID: 789380
Sample: sotema_5.txt.exe
Startdate: 23/01/2023
Architecture: WINDOWS
Score: 100

Behavior graph, flattened from the original graph figure into a process tree. Each process lists the signatures that fired on it, the IPs/domains it contacted, the files it dropped and the processes it started.

sotema_5.txt.exe (submitted sample)
  signatures:
    Snort IDS alert for network traffic
    Malicious sample detected (through community Yara rule)
    Antivirus detection for URL or domain
    21 other signatures
  started:
    sotema_5.txt.exe
      DNS/IP:
        212.193.30.115, 49702, 49750, 80 (SPD-NETTR, Russian Federation)
        136.144.41.133, 80 (WORLDSTREAMNL, Netherlands)
        14 other IPs or domains
      dropped:
        C:\Users\...\x3wY10xhfUiWPNHFDet4k4Ed.exe, PE32
        C:\Users\...\rGWZEVSJUkCwMuiOLxOMwkPm.exe, PE32
        C:\Users\...\qBSsJOyApayVlIeefVLnn2nG.exe, PE32
        13 other malicious files
      signatures:
        Drops PE files to the document folder of the user
        May check the online IP address of the machine
        Creates HTML files with .exe extension (expired dropper behavior)
        2 other signatures
      started:
        W0BGIsF0dejfAEXIWsNr76sH.exe
          dropped:
            C:\Users\user\AppData\Local\...\zhangfan.exe, PE32
            2 other malicious files
          signatures:
            Multi AV Scanner detection for dropped file
          started:
            birge.exe
              DNS/IP:
                94.131.3.70 (NASSIST-ASGI, Ukraine)
                77.73.134.24 (FIBEROPTIXDE, Kazakhstan)
                77.73.134.35 (FIBEROPTIXDE, Kazakhstan)
              dropped:
                C:\Users\user\AppData\Roaming\OlMj0160.exe, PE32+
                C:\Users\user\AppData\Roaming\200H3qRp.exe, PE32+
                7 other files (5 malicious)
              signatures:
                Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
                Query firmware table information (likely to detect VMs)
                Tries to detect sandboxes and other dynamic analysis tools (window names)
                4 other signatures
            Player3.exe
              dropped:
                C:\Users\user\AppData\Local\...\nbveek.exe, PE32
        rGWZEVSJUkCwMuiOLxOMwkPm.exe
          dropped:
            C:\Windows\Temp\321.exe, PE32
            C:\Windows\Temp\123.exe, PE32
          started:
            123.exe
              signatures:
                Writes to foreign memory regions
                Allocates memory in foreign processes
                Injects a PE file into a foreign process
              started:
                vbc.exe
                  DNS/IP:
                    51.210.137.6 (OVHFR, France)
                  signatures:
                    Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                    Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Tries to steal Crypto Currency Wallets
                conhost.exe
            321.exe
        l_piLmH8LZYScCQbSXs3eh4G.exe
          dropped:
            C:\Users\user\AppData\Local\...\nbveek.exe, PE32
          started:
            nbveek.exe
              DNS/IP:
                62.204.41.242, 49753, 49754, 49755 (TNNET-ASTNNetOyMainnetworkFI, United Kingdom)
              dropped:
                C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+
                C:\Users\user\AppData\Roaming\...\clip64.dll, PE32
                2 other malicious files
              signatures:
                Multi AV Scanner detection for dropped file
                Creates an undocumented autostart registry key
                Uses schtasks.exe or at.exe to add and modify task schedules
              started:
                rundll32.exe
                  started:
                    rundll32.exe
                      signatures:
                        System process connects to network (likely due to code injection or exploit)
                        Tries to steal Instant Messenger accounts or passwords
                        Tries to harvest and steal ftp login credentials
                        Tries to harvest and steal browser information (history, passwords, etc)
                cmd.exe
                  started:
                    conhost.exe
                    cmd.exe
                    cacls.exe
                    cacls.exe
                schtasks.exe
                  started:
                    conhost.exe
                rundll32.exe
        7 other processes
          DNS/IP:
            45.66.159.142 (ENZUINC-US, Russian Federation)
            157.240.253.35 (FACEBOOKUS, United States)
            2 other IPs or domains
          dropped:
            C:\Users\user\AppData\...\svcupdater.exe, PE32
            C:\Users\user\AppData\Local\...\yjfkbugv.exe, PE32
            C:\Users\...\qBSsJOyApayVlIeefVLnn2nG.tmp, PE32
            2 other malicious files
          signatures:
            Detected unpacking (changes PE section rights)
            Detected unpacking (overwrites its own PE header)
            Obfuscated command line found
            3 other signatures
          started:
            qBSsJOyApayVlIeefVLnn2nG.tmp
              dropped:
                9 other files (8 malicious)
              started:
                finalrecovery.exe
                  DNS/IP:
                    45.12.253.72, 49766, 80 (CMCSUS, Germany)
                    45.12.253.56, 49762, 80 (CMCSUS, Germany)
                    45.12.253.75, 49768, 80 (CMCSUS, Germany)
                  dropped:
                    C:\Users\user\AppData\...\Z08S8MlFk8f.exe, PE32
                  started:
                    Z08S8MlFk8f.exe
                      signatures:
                        Multi AV Scanner detection for dropped file
            cmd.exe
              dropped:
                C:\Windows\SysWOW64\...\yjfkbugv.exe (copy), PE32
            2 other processes
              started:
                conhost.exe
    svchost.exe
      signatures:
        Contains functionality to inject threads in other processes
        Contains functionality to inject code into remote processes
        Contains functionality to compare user and computer (likely to detect sandboxes)
        Contains functionality to detect sleep reduction / modifications
    svchost.exe
      signatures:
        Changes security center settings (notifications, updates, antivirus, firewall)
      started:
        MpCmdRun.exe
          started:
            conhost.exe
    9 other processes
      signatures:
        Query firmware table information (likely to detect VMs)
      started:
        WerFault.exe