MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07fc70e17fc81a62cce3afd89755eb174e090bb3c0f170ea23a55ac7cdda1820. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PrivateLoader


Vendor detections: 15



SHA256 hash: 07fc70e17fc81a62cce3afd89755eb174e090bb3c0f170ea23a55ac7cdda1820
SHA3-384 hash: 7b19a30d7a96a19d80243bc2505c6eba9c2945ef9f1f969d3f6a2b6d8970b0fee54c501966b1188564ba7426ddae3fa2
SHA1 hash: b190039a7587a94d6ebf96415bd7bcf5d632b28e
MD5 hash: 496a327e9fd93b6db80bd14c4a719be3
humanhash: orange-iowa-glucose-don
File name: SecuriteInfo.com.Win64.Evo-gen.16085.20859
Signature: PrivateLoader
File size: 3'913'216 bytes
First seen: 2024-01-23 16:26:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2f7e9adabb08f758ed1accf0b8136028 (1 x PrivateLoader, 1 x XFilesStealer)
ssdeep: 98304:V4MqoEwrHPzQ3eASj+yn49pqF+JE/vhU4pVQ:pqOrHPzQ3kto4qKpK
TLSH: T16106127170EA41F2E688EBB05B0A90EE70DC3F79DC905609A1946F147EA27D50CAE35F
TrID: 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      15.6% (.ICL) Windows Icons Library (generic) (2059/9)
      15.4% (.EXE) OS/2 Executable (generic) (2029/13)
      15.2% (.EXE) Generic Win/DOS Executable (2002/3)
      15.2% (.EXE) DOS Executable Generic (2000/1)
dhash icon: bab29a9aa48c8c8c (1 x PrivateLoader)
Reporter: SecuriteInfoCom
Tags: exe PrivateLoader

Intelligence


File Origin
# of uploads :
1
# of downloads :
425
Origin country :
FR
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
9317179dc2c7aabc5092f39efeb13614de247aed1a11e9c9530ded9eaf75c6c3.exe
Verdict:
Malicious activity
Analysis date:
2024-01-23 10:30:32 UTC
Tags:
loader smoke smokeloader opendir

Note:
ANY.RUN is an interactive sandbox; its verdict reflects every action taken during the analysis session, not only the uploaded sample.
Result
Verdict:
Malware
Behaviour
Searching for the window
Searching for analyzing tools
Creating synchronization primitives
Modifying a system file
Sending an HTTP GET request
DNS request
Replacing files
Sending a custom TCP request
Launching a service
Launching a process
Reading critical registry keys
Creating a file
Sending a UDP request
Forced system process termination
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Changing a file
Blocking the Windows Defender launch
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed packed privateloader shell32 themidawinlicense vmprotect
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Amadey, AsyncRAT, Djvu, Fabookie, LummaC
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Signature
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Exclude list of file types from scheduled, custom, and real-time scanning
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Djvu Ransomware
Yara detected Fabookie
Yara detected LummaC Stealer
Yara detected RedLine Stealer
Yara detected RHADAMANTHYS Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Stealc
Yara detected zgRAT
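Several of the signatures above describe Defender tampering through the registry (exclusion paths and extensions added, real-time protection switched off, the Defender autostart removed). The following is an added example, not code from the sandbox vendor or from MalwareBazaar, of how a responder would hunt for exactly those writes in Sysmon Event ID 13 (RegistryEvent, value set) data. The pipe-separated record format and every record in SAMPLE_EVENTS are constructed for illustration; the registry paths and value names are the real Defender locations, and the DWORD rendering follows Sysmon's "DWORD (0x...)" style.

```python
"""Flag Windows Defender tampering in Sysmon Event ID 13 (RegistryEvent, value set)
records: exclusion entries added under Windows Defender\\Exclusions and feature
kill-switches such as DisableRealtimeMonitoring set to a non-zero DWORD.
Added example; the record format and the records in SAMPLE_EVENTS are constructed
for illustration and are not taken from the sandbox report."""
import re
from typing import Dict, List, Tuple

# Exclusions are stored as value *names* under Paths, Extensions or Processes; the data is
# usually DWORD 0, so the value name, not the data, carries the indicator.
EXCLUSION_RE = re.compile(
    r"\\Windows Defender\\Exclusions\\(Paths|Extensions|Processes)\\(.+)$", re.I)

# Kill-switch values; a non-zero DWORD disables the feature. Group Policy writes land under
# HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, direct tampering under
# HKLM\SOFTWARE\Microsoft\Windows Defender; both contain 'Windows Defender' in the path.
DISABLE_VALUES = {
    "disablerealtimemonitoring", "disablebehaviormonitoring",
    "disableonaccessprotection", "disableioavprotection", "disableantispyware",
}


def parse_sysmon13(line: str) -> Dict[str, str]:
    """Parse one constructed 'Key=Value|Key=Value' record into a dict."""
    return dict(part.split("=", 1) for part in line.split("|"))


def classify(ev: Dict[str, str]) -> str:
    """Return a finding label for one event, or '' when it is not Defender tampering."""
    target = ev.get("TargetObject", "")
    m = EXCLUSION_RE.search(target)
    if m:
        return f"defender_exclusion_added:{m.group(1).lower()}:{m.group(2)}"
    value_name = target.rsplit("\\", 1)[-1].lower()
    details = ev.get("Details", "DWORD (0x00000000)")  # Sysmon renders DWORDs this way
    if ("windows defender" in target.lower() and value_name in DISABLE_VALUES
            and "0x00000000" not in details):
        return f"defender_feature_disabled:{value_name}"
    return ""


def hunt(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (writing process image, finding) for every tampering event in the input."""
    findings = []
    for line in lines:
        ev = parse_sysmon13(line)
        label = classify(ev)
        if label:
            findings.append((ev.get("Image", "?"), label))
    return findings


# Constructed records (not from the report). The legitimate MsMpEng.exe write of 0 and the
# unrelated service-start change must not be flagged.
SAMPLE_EVENTS = [
    "EventID=13|Image=C:\\Windows\\System32\\svchost.exe"
    "|TargetObject=HKLM\\SYSTEM\\CurrentControlSet\\Services\\BITS\\Start|Details=DWORD (0x00000002)",
    "EventID=13|Image=C:\\Users\\user\\AppData\\Local\\Temp\\loader.exe"
    "|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\user\\AppData\\Local\\Temp"
    "|Details=DWORD (0x00000000)",
    "EventID=13|Image=C:\\Users\\user\\AppData\\Local\\Temp\\loader.exe"
    "|TargetObject=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring"
    "|Details=DWORD (0x00000001)",
    "EventID=13|Image=C:\\Program Files\\Windows Defender\\MsMpEng.exe"
    "|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring"
    "|Details=DWORD (0x00000000)",
    "EventID=13|Image=C:\\Users\\user\\AppData\\Local\\Temp\\loader.exe"
    "|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\.exe"
    "|Details=DWORD (0x00000000)",
]

if __name__ == "__main__":
    for image, finding in hunt(SAMPLE_EVENTS):
        print(f"{finding}\t{image}")
```

The writing process image is part of each finding on purpose: an exclusion written by a binary running out of a user's Temp directory, as in the constructed records, is the case worth paging on, while the same value touched by the Defender service itself is routine. On a real Sysmon feed the same logic applies to the equivalent Windows Defender operational-log events; only the parser changes.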
Behaviour
Behavior Graph:
Behavior Graph ID 1379669; sample SecuriteInfo.com.Win64.Evo-...; start date 23/01/2024; architecture WINDOWS; score 100

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 21 other signatures

SecuriteInfo.com.Win64.Evo-gen.16085.20859.exe (10 59) started
    Network: 93.123.39.68 NET1-ASBG Bulgaria; 87.240.132.72 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation; 17 other IPs or domains
    Dropped: C:\Users\...\vj3JmiXRsF3mBK48MQOdVgcc.exe (PE32); C:\Users\...\vGGYr7HQlYc3oFXoQqJyrVqd.exe (PE32+); C:\Users\...\v7c83M1H5jPex1hJ6W38DLqa.exe (PE32); 26 other malicious files
    Signatures: Query firmware table information (likely to detect VMs); Drops PE files to the document folder of the user; Creates HTML files with .exe extension (expired dropper behavior); 11 other signatures
    HdWz59SBhRvdLelPM14Psplo.exe started
        Dropped: C:\Users\...\HdWz59SBhRvdLelPM14Psplo.tmp (PE32)
        HdWz59SBhRvdLelPM14Psplo.tmp started
            Dropped: C:\Users\user\AppData\...\webrtc.dll (copy) (PE32); C:\Users\user\...\webresourceviewer.exe (PE32); C:\Users\user\AppData\...\unins000.exe (copy) (PE32); 50 other files (39 malicious)
    X9RJAZokwZ3HY6POsqtUDdxY.exe (2 98) started
        Network: 185.215.113.68 WHOLESALECONNECTIONSNL Portugal; 109.107.182.3 TELEPORT-TV-ASRU Russian Federation; 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation
        Dropped: C:\Users\user\...\XXy4ymGpANcX6OTRQ4xg.exe (PE32); C:\Users\user\...\MofIfpi5G8Wt6hAh56xo.exe (PE32); C:\Users\user\...\FzSZaO_nTxvGFkI4eRZ6.exe (PE32); 10 other malicious files
        Signatures: Binary is likely a compiled AutoIt script file; Tries to steal Mail credentials (via file / registry access); Found many strings related to Crypto-Wallets (likely being stolen); 4 other signatures
        schtasks.exe started
            conhost.exe started
        schtasks.exe started
            conhost.exe started
    uZz0szkzCJf7Js87QjVDPNV7.exe started
        Network: 104.26.8.59 CLOUDFLARENETUS United States
        Signatures: Query firmware table information (likely to detect VMs); Disables Windows Defender (deletes autostart); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 5 other signatures
    16 other processes started
        Network: 185.172.128.24 NADYMSS-ASRU Russian Federation; 91.92.245.15 THEZONEBG Bulgaria; 7 other IPs or domains
        Dropped: C:\Users\...\PRONphkavjIhl7ajYRfMMofI.exe (PE32); C:\Users\user\AppData\Local\Temp\adasda.exe (PE32); C:\Users\user\AppData\Local\...\X89j4U6y.2Q (PE32); 20 other files (16 malicious)
        Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Overwrites code with unconditional jumps - possibly settings hooks in foreign process; 17 other signatures
        EwA5O84au9X4FQe_1MazsnbK.exe started
            Network: 172.67.139.220 CLOUDFLARENETUS United States
            Dropped: C:\Users\...wA5O84au9X4FQe_1MazsnbK.exe (PE32)
            Signatures: Creates multiple autostart registry keys
        explorer.exe injected
            Dropped: C:\Users\user\AppData\Roaming\wwhrugt (PE32)
            Signatures: Benign windows process drops PE files
        regsvr32.exe started
            Signatures: Tries to detect sandboxes / dynamic malware analysis system (file name check)
        5 other processes started
            Network: 20.189.173.22 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 77.246.104.220 MEDIAL-ASRU Russian Federation
            conhost.exe started
MPGPH131.exe started
    Signatures: Machine Learning detection for dropped file
svchost.exe started
    WerFault.exe started
5 other processes started
Threat name:
Win32.Trojan.Generic
Status:
Malicious
First seen:
2024-01-23 14:21:20 UTC
File Type:
PE+ (Exe)
Extracted files:
19
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Result
Malware family:
Score:
  10/10
Tags:
family:djvu family:fabookie family:redline family:rhadamanthys family:risepro family:smokeloader family:stealc family:zgrat botnet:24k botnet:logsdiller cloud (telegram: @logsdillabot) botnet:pub3 backdoor discovery evasion infostealer persistence ransomware rat spyware stealer themida trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
.NET Reactor protector
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Detect Fabookie payload
Detect ZGRat V1
Detected Djvu ransomware
Djvu Ransomware
Fabookie
RedLine
RedLine payload
Rhadamanthys
RisePro
SmokeLoader
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
ZGRat
Malware Config
C2 Extraction:
http://habrafa.com/test2/get.php
91.92.245.15:80
http://185.172.128.24
193.233.132.62:50500
http://gxutc2c.com/tmp/index.php
http://proekt8.ru/tmp/index.php
http://mth.com.ua/tmp/index.php
http://pirateking.online/tmp/index.php
http://piratia.pw/tmp/index.php
http://go-piratia.ru/tmp/index.php
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php
45.15.156.60:12050
http://app.alie3ksgaa.com/check/safe
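The C2 list mixes full URLs, bare IP:port pairs and a scheme-only IP, and two of its entries (185.172.128.24 and 91.92.245.15) also appear as contacted hosts in the behavior graph above. The following is an added example, not MalwareBazaar's or any vendor's code, of how to normalize such a list into host/port indicators, defang it for sharing and match it against egress logs. C2_ENTRIES is copied from this entry; the log line format and the lines in SAMPLE_LOGS are constructed for illustration.

```python
"""Turn the C2 Extraction list above into normalized host/port indicators, defang them
for sharing, and match them against proxy/firewall log lines. Added example; C2_ENTRIES
is copied from this entry, the log format and SAMPLE_LOGS are constructed."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple
from urllib.parse import urlsplit


class Indicator(NamedTuple):
    host: str            # domain or IP literal, lower-case
    port: int            # explicit port, or the scheme default
    path: Optional[str]  # URL path when the entry was a URL, None for bare host:port


def parse_c2_entry(entry: str) -> Indicator:
    """Accept 'http://host[:port]/path' as well as bare 'host:port' or 'host'."""
    entry = entry.strip()
    had_scheme = "://" in entry
    if not had_scheme:
        entry = "//" + entry  # lets urlsplit treat a bare host:port as the netloc
    u = urlsplit(entry)
    port = u.port or (443 if u.scheme == "https" else 80)
    path = (u.path or "/") if had_scheme else None
    return Indicator(u.hostname.lower(), port, path)


def defang(ind: Indicator) -> str:
    """Render an indicator so it is not clickable or auto-linked in a report."""
    host = ind.host.replace(".", "[.]")
    if ind.path is None:
        return f"{host}:{ind.port}"
    scheme = "hxxps" if ind.port == 443 else "hxxp"
    return f"{scheme}://{host}{ind.path}"


def split_kinds(inds: List[Indicator]) -> Tuple[List[str], List[str]]:
    """Separate IP literals from domains; they feed different blocklists."""
    ips, domains = [], []
    for ind in inds:
        try:
            ipaddress.ip_address(ind.host)
            ips.append(ind.host)
        except ValueError:
            domains.append(ind.host)
    return sorted(set(ips)), sorted(set(domains))


def match_logs(lines: List[str], inds: List[Indicator]) -> List[Tuple[str, str, bool]]:
    """Return (client, destination host, port-also-matched) for lines whose destination
    host is a known C2 host. Matching on host alone still catches C2 that moved ports."""
    by_host = {ind.host: ind for ind in inds}
    hits = []
    for line in lines:
        _ts, client, _arrow, dst, *_rest = line.split()
        host, _, port = dst.rpartition(":")
        ind = by_host.get(host.lower())
        if ind is not None:
            hits.append((client, host, int(port) == ind.port))
    return hits


# From the C2 Extraction section of this entry.
C2_ENTRIES = [
    "http://habrafa.com/test2/get.php", "91.92.245.15:80", "http://185.172.128.24",
    "193.233.132.62:50500", "http://gxutc2c.com/tmp/index.php", "http://proekt8.ru/tmp/index.php",
    "http://mth.com.ua/tmp/index.php", "http://pirateking.online/tmp/index.php",
    "http://piratia.pw/tmp/index.php", "http://go-piratia.ru/tmp/index.php",
    "http://selebration17io.io/index.php", "http://vacantion18ffeu.cc/index.php",
    "http://valarioulinity1.net/index.php", "http://buriatiarutuhuob.net/index.php",
    "http://cassiosssionunu.me/index.php", "http://sulugilioiu19.net/index.php",
    "http://goodfooggooftool.net/index.php", "45.15.156.60:12050",
    "http://app.alie3ksgaa.com/check/safe",
]
INDICATORS = [parse_c2_entry(e) for e in C2_ENTRIES]

# Constructed log lines: '<time> <client> -> <dst_host>:<dst_port> <method/proto> [<path>]'.
SAMPLE_LOGS = [
    "2024-01-23T10:31:02Z 10.0.0.5 -> proekt8.ru:80 GET /tmp/index.php",
    "2024-01-23T10:31:05Z 10.0.0.5 -> 193.233.132.62:50500 TCP",
    "2024-01-23T10:31:07Z 10.0.0.7 -> update.example.org:443 GET /index.php",
    "2024-01-23T10:31:09Z 10.0.0.5 -> 185.172.128.24:80 GET /",
    "2024-01-23T10:31:11Z 10.0.0.9 -> habrafa.com:8080 GET /other.php",
]

if __name__ == "__main__":
    for ind in INDICATORS:
        print(defang(ind))
    for client, host, port_ok in match_logs(SAMPLE_LOGS, INDICATORS):
        print(f"{client} contacted C2 host {host} (port matched: {port_ok})")
```

Two caveats when turning this into blocking rules. The Cloudflare addresses in the behavior graph (104.26.8.59, 172.67.139.220) are shared CDN front-ends, which is what the "Legitimate hosting services abused for malware hosting/C2" tag above refers to; block the hostname or URL, never the IP. And the many "/tmp/index.php" and "/index.php" paths are not distinctive on their own, so the matcher keys on host and only reports whether the port agreed as well.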
Unpacked files
SHA256 hash:
07fc70e17fc81a62cce3afd89755eb174e090bb3c0f170ea23a55ac7cdda1820
MD5 hash:
496a327e9fd93b6db80bd14c4a719be3
SHA1 hash:
b190039a7587a94d6ebf96415bd7bcf5d632b28e
Detections:
INDICATOR_EXE_Packed_Themida
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_Themida
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:maldoc_getEIP_method_1
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Author:Willi Ballenthin
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
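The MD5_Constants and SHA512_Constants rules above are of a common kind: they look for the fixed initialization words of a hash function inside the binary. The page does not reproduce the rule bodies, so the following is an added example of the same check written in plain Python, not the text of those rules and not MalwareBazaar's code. The constants are the standard initial hash values from RFC 1321 and FIPS 180-4; the byte buffers it scans are constructed stand-ins for unpacked code, and the scan is done in both byte orders because a compiler may emit the values as immediates or as a data table.

```python
"""Scan a byte buffer for the initialization constants of MD5 and SHA-384/SHA-512, the
check that rule names like MD5_Constants and SHA512_Constants above describe. Added
example: it is not the text of those YARA rules (the page does not reproduce them), and
the buffers it scans are constructed stand-ins for unpacked code."""
import struct
from typing import Dict, List, Tuple

# Standard initial hash values: RFC 1321 (MD5), FIPS 180-4 (SHA-384, SHA-512).
# Each entry is (value, struct format): 'I' = 32-bit word, 'Q' = 64-bit word.
CONSTANT_SETS: Dict[str, List[Tuple[int, str]]] = {
    "md5_iv": [(0x67452301, "I"), (0xefcdab89, "I"), (0x98badcfe, "I"), (0x10325476, "I")],
    "sha512_iv": [(0x6a09e667f3bcc908, "Q"), (0xbb67ae8584caa73b, "Q"),
                  (0x3c6ef372fe94f82b, "Q"), (0xa54ff53a5f1d36f1, "Q")],
    "sha384_iv": [(0xcbbb9d5dc1059ed8, "Q"), (0x629a292a367cd507, "Q"),
                  (0x9159015a3070dd17, "Q"), (0x152fecd8f70e5939, "Q")],
}


def scan(buf: bytes, min_hits: int = 2) -> Dict[str, Dict[str, int]]:
    """Return {set_name: {'le': n, 'be': n}} for constant sets with at least min_hits
    members found in the same byte order. One 32-bit value alone is too common in
    ordinary code to mean anything, hence the threshold."""
    report: Dict[str, Dict[str, int]] = {}
    for name, consts in CONSTANT_SETS.items():
        for order, label in (("<", "le"), (">", "be")):
            hits = sum(1 for value, fmt in consts if struct.pack(order + fmt, value) in buf)
            if hits >= min_hits:
                report.setdefault(name, {})[label] = hits
    return report


def md5_like_code() -> bytes:
    """Constructed stand-in for compiled x86 code: filler plus the MD5 IV as little-endian
    32-bit immediates, the way a compiler emits 'mov eax, imm32' (opcode 0xB8)."""
    filler = bytes(range(256)) * 4
    immediates = b"".join(b"\xb8" + struct.pack("<I", v) for v, _ in CONSTANT_SETS["md5_iv"])
    return filler + immediates + filler


def sha512_table() -> bytes:
    """Constructed stand-in for a big-endian data table of SHA-512 initial values."""
    return b"".join(struct.pack(">Q", v) for v, _ in CONSTANT_SETS["sha512_iv"])


if __name__ == "__main__":
    print(scan(md5_like_code()))    # {'md5_iv': {'le': 4}}
    print(scan(sha512_table()))     # {'sha512_iv': {'be': 4}}
    print(scan(bytes(4096)))        # {}
```

Read a hit as "contains hashing code", not as a verdict: SHA-1 shares its first four initial words with MD5, so an MD5 hit can equally be SHA-1, and any binary that statically links a crypto library carries all of these. For a Themida-packed file like this one (INDICATOR_EXE_Packed_Themida above) the constants are typically only visible after unpacking, which is why MalwareBazaar also runs its rules over process dumps rather than the on-disk file alone.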

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: PrivateLoader
Sample: Executable exe 07fc70e17fc81a62cce3afd89755eb174e090bb3c0f170ea23a55ac7cdda1820 (this sample)
Distributed via web download

Comments