MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 136dbf5ef8754e116fa76f6a00b1c7186567d7056de46b9c54e0fb245374aae2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 136dbf5ef8754e116fa76f6a00b1c7186567d7056de46b9c54e0fb245374aae2
SHA3-384 hash: a297ad886c0375faf99bc101d47ce0f153ba4d3859f5070d0d1bb05e4c094312da69fb7eeaebfd52c8afe82edf97fed8
SHA1 hash: e85e20613f3ecfc936e8d00d10c0ff76f8412de4
MD5 hash: d08a4177ab7500f854ae5888fe818335
humanhash: fourteen-oklahoma-pennsylvania-alpha
File name:file
Download: download sample
File size:491'008 bytes
First seen:2022-12-09 19:52:48 UTC
Last seen:2022-12-09 21:27:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:+0WwWdll43+jundvpUsFlWfoA1ayxHJ61:+KG76RndvpUsnA17xHJK
Threatray 773 similar samples on MalwareBazaar
TLSH T1E0A4F1BFB1294039FC23E638C813925A3A64D4ED35851A3005EE7C5694AB9E74CDEF27
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter andretavare5
Tags:exe


Avatar
andretavare5
Sample downloaded from http://85.209.135.181/files/Adsme.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/344812/
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.1654.12917.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a service
Loading a system driver
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Changing a file
Using the Windows Management Instrumentation requests
Creating a file
Enabling autorun for a service
Blocking the User Account Control
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/639392229a505ad9423e8f48/reports/fdf6769d-2453-412d-80cc-ab59443b2151/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7aea0197-a1df-4568-b989-861f7467bfd8
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1131670
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Disables UAC (registry)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 764393 Sample: file.exe Startdate: 09/12/2022 Architecture: WINDOWS Score: 68 25 Multi AV Scanner detection for submitted file 2->25 27 .NET source code contains very large array initializations 2->27 29 Machine Learning detection for sample 2->29 7 file.exe 5 3 2->7         started        process3 file4 21 C:\Users\user\AppData\Local\Temp\?????.sys, PE32+ 7->21 dropped 23 C:\Users\user\AppData\Local\...\file.exe.log, CSV 7->23 dropped 31 Adds a directory exclusion to Windows Defender 7->31 33 Disables UAC (registry) 7->33 35 Sample is not signed and drops a device driver 7->35 11 powershell.exe 19 7->11         started        13 RegAsm.exe 7->13         started        15 RegAsm.exe 7->15         started        17 3 other processes 7->17 signatures5 process6 process7 19 conhost.exe 11->19         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/136dbf5ef8754e116fa76f6a00b1c7186567d7056de46b9c54e0fb245374aae2/
Threat name:
Win64.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-12-09 19:53:09 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cnw36xxyovhbc35hn5vabmohdbswpvyfnxsgxhcu4d5siu3uvlra._file
Verdict:
malicious
Similar samples:
022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece
1ee453a94d90e6bd3615d306d7139c3abb5b7ea4f9f817a10218606c4aadcddf
3a26dd85c2956529f42c1622a093f7b817cbd4af7a474d75198df9e455ac753f
66242b095b2cfb53b52d1743a42aaa9fd94c6b53f58869c4b1c9d893a541e3a6
73a4ca1224bc4657443596157d3ce150bcd4b6dd32217f2467818c7efea4ee43
866056e13d99c7a721a0e66aef8c2526dd2b8b6cecc90b0583699a175eeb66b7
a9cf955162a9164b63c70530a2ed72b02ab53f7b39a3a9ece842cd2bebfb117c
d66e9a4ad9b98c270c0b6ef1ab205ab8b3de44d42c694893570e6a7f4cfd8560
db9bb4ecdc01a72d728f9fc7e522848ba7afe64bfa27516f0505a179db2f7345
+ 763 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/221209-ylzlbaeb36/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Checks whether UAC is enabled
Unexpected DNS network traffic destination
Sets service image path in registry
UAC bypass
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3e3070f8-5126-4ff8-9ea0-de5cbd4ed976
Unpacked files
SH256 hash:
136dbf5ef8754e116fa76f6a00b1c7186567d7056de46b9c54e0fb245374aae2
MD5 hash:
d08a4177ab7500f854ae5888fe818335
SHA1 hash:
e85e20613f3ecfc936e8d00d10c0ff76f8412de4
Link:
https://www.unpac.me/results/e4bced4b-ac40-4393-9c11-5c31be06ac3a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/136dbf5ef875/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/136dbf5ef8754e116fa76f6a00b1c7186567d7056de46b9c54e0fb245374aae2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2451380/
Cape
Cape
https://www.capesandbox.com/analysis/344812/

Comments