Threat name: GCleaner, Glupteba, LummaC Stealer, Mars
Alert
Classification: troj.spyw.evad
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Exclude list of file types from scheduled, custom, and real-time scanning
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies power options to not sleep / hibernate
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Disable power options
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Yara detected LummaC Stealer
Yara detected Mars stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behavior Graph
ID: 1425330
Sample: 80OrFCsz0u.exe
Startdate: 13/04/2024
Architecture: WINDOWS
Score: 100

Sample (root node)
  DNS / IP:
    a.574859385.xyz
      Signature: Performs DNS queries to domains with low reputation
    t.me
    22 other IPs or domains
  Signatures:
    Snort IDS alert for network traffic
    Multi AV Scanner detection for domain / URL
    Found malware configuration
    21 other signatures
  Started:
    80OrFCsz0u.exe
      DNS / IP:
        5.42.66.10 (ports 49730, 49733, 49734), RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation
        a.574859385.xyz (23.137.249.94), GTLAKESUS, Reserved
        21 other IPs or domains
      Dropped:
        C:\Users\...\q0MRmQx9tMEIThtn2xuXb6dX.exe, MS-DOS
        C:\Users\...\mlJoyYLeGNc2_LENgaMYaIqS.exe, PE32
        C:\Users\...\hZLUydlOjZP7dtjnbQK0AUgF.exe, PE32
        27 other malicious files
      Signatures:
        Query firmware table information (likely to detect VMs)
        Drops PE files to the document folder of the user
        Creates HTML files with .exe extension (expired dropper behavior)
        9 other signatures
      Started:
        q0MRmQx9tMEIThtn2xuXb6dX.exe
          DNS / IP:
            193.233.132.253, FREE-NET-ASFREEnetEU, Russian Federation
          Dropped:
            C:\Users\user\...74oFCYx0fZSIyst5E5WGD.exe, PE32
            C:\Users\user\AppData\...\lumma1104[1].exe, PE32
            3 other malicious files
          Signatures:
            Detected unpacking (changes PE section rights)
            Query firmware table information (likely to detect VMs)
            Tries to steal Mail credentials (via file / registry access)
            8 other signatures
        5PBr2PJAqtKs3qDIxvrODTJP.exe
          DNS / IP:
            185.172.128.26, NADYMSS-ASRU, Russian Federation
            185.172.128.228, NADYMSS-ASRU, Russian Federation
          Dropped:
            C:\Users\user\AppData\...\KECFCGHIDH.exe, PE32
            13 other files (9 malicious)
          Signatures:
            Multi AV Scanner detection for dropped file
            Detected unpacking (overwrites its own PE header)
            Found many strings related to Crypto-Wallets (likely being stolen)
            2 other signatures
        0Rdvmlz68Y24p31BYssbQsmn.exe
          Signatures:
            4 other signatures
          Started:
            RegAsm.exe
              DNS / IP:
                t.me (149.154.167.99), TELEGRAMRU, United Kingdom
                195.201.47.150, HETZNER-ASDE, Germany
              Dropped:
                C:\Users\user\AppData\Local\...\sqln[1].dll, PE32
              Signatures:
                Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                Installs new ROOT certificates
                Tries to harvest and steal browser information (history, passwords, etc)
            conhost.exe
        14 other processes
          DNS / IP:
            185.172.128.90, NADYMSS-ASRU, Russian Federation
            193.233.132.74, FREE-NET-ASFREEnetEU, Russian Federation
            2 other IPs or domains
          Dropped:
            C:\Users\user\AppData\Local\...\is-55UVT.tmp, PE32
            C:\Users\user\AppData\...\Protect544cd51a.dll, PE32
            C:\Users\user\AppData\Local\...\RageMP131.exe, PE32
            3 other malicious files
          Signatures:
            Overwrites code with unconditional jumps - possibly settings hooks in foreign process
            Tries to detect sandboxes and other dynamic analysis tools (window names)
            Found Tor onion address
            13 other signatures
          Started:
            is-55UVT.tmp
              Dropped:
                C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
                C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32
                C:\Users\user\AppData\...\unins000.exe (copy), PE32
                11 other files (10 malicious)
            RegAsm.exe
              DNS / IP:
                162.19.138.79, CENTURYLINK-US-LEGACY-QWESTUS, United States
              Dropped:
                C:\Users\user\AppData\...\Soft123[1].exe, PE32+
                C:\ProgramDataGDGIEGHJE.exe, PE32+
              Signatures:
                Tries to harvest and steal ftp login credentials
                Tries to steal Crypto Currency Wallets
                Tries to harvest and steal Bitcoin Wallet information
            explorer.exe (injected)
              DNS / IP:
                125.7.253.10, LGDACOMLGDACOMCorporationKR, Korea Republic of
              Dropped:
                C:\Users\user\AppData\Roaming\jicuuwe, PE32
              Signatures:
                System process connects to network (likely due to code injection or exploit)
                Benign windows process drops PE files
                Hides that the sample has been downloaded from the Internet (zone.identifier)
            13 other processes
              DNS / IP:
                5.42.65.50, RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation
                db-ip.com (104.26.5.15), CLOUDFLARENETUS, United States
                217.195.207.156, ASFIBERSUNUCUTR, Turkey
              Dropped:
                C:\Users\user\...\Ysk2VLikRcFCZpMgIu2zr3Y.zip, Zip
              Signatures:
                Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                Tries to steal Mail credentials (via file / registry access)
                Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
              Started:
                conhost.exe
                conhost.exe
                conhost.exe
                3 other processes
    svchost.exe
      Started:
        WerFault.exe
    svchost.exe
    2 other processes
url: hxxp://193.233.132.175/server/ww12/AppGate2103v01.exe