MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1adb3b5ba962f7eb431c9440abce7dd0269b8fb3e7b4235628b2cd8f5345b016. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PrivateLoader

Vendor detections: 11

Intelligence 11 IOCs YARA 4 File information Comments

SHA256 hash:	1adb3b5ba962f7eb431c9440abce7dd0269b8fb3e7b4235628b2cd8f5345b016
SHA3-384 hash:	8874ca5c38f284fb25de80131b61be1f1b121f2724a37a5d7aa14b603cdd03dbb84f6ed3336b05ec68971d8ee7c2a114
SHA1 hash:	e6e14b7d282ae76787135c988dece8398b82d116
MD5 hash:	756a1230e7e89d4637e9487bdc01f386
humanhash:	lamp-fifteen-oregon-item
File name:	File.exe
Download:	download sample
Signature	PrivateLoader Create hunting rule
File size:	2'858'496 bytes
First seen:	2024-08-18 12:27:57 UTC
Last seen:	2024-08-18 13:36:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	82a1160ea6d4db9ad17aacb065a21868 (3 x PrivateLoader, 2 x Stealc, 1 x Stop)
ssdeep	49152:976FmD7AREfZPunOb+FF54YkLmDQz5RZlHWbPaNd4WH0Wx8ZoARdGLTgWsdX1G3x:976FUMCZnCMLOIbXHqiX4WH7x8ZoAWXi
TLSH	T1CDD512AAB08741F9D465D7B0C90265ADF4353F71EE274C6B7ECA3B050D73262AE3A241
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	f08cb672b2bed871 (1 x PrivateLoader)
Reporter	abuse_ch
Tags:	exe PrivateLoader

Intelligence

File Origin

# of uploads :

# of downloads :

362

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

File.exe

Verdict:

Malicious activity

Analysis date:

2024-08-18 12:38:35 UTC

Tags:

privateloader

Link:

https://app.any.run/tasks/d7058534-6b19-409c-85ab-d7855b4482bd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win64.DropperX-gen.8663.11680.UNOFFICIAL

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66c1e8d5aa5b40be0aa070b2

Tags:

n e k a r k

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

fingerprint lolbin packed shell32

Link:

https://www.filescan.io/uploads/66c1e8d43930e113b90d11a6/reports/3e646f6d-2e3b-459f-bc15-4835d0771a80/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/1adb3b5ba962f7eb431c9440abce7dd0269b8fb3e7b4235628b2cd8f5345b016

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/fc500dbf-5a7c-4e07-a902-6f2cc17bcaef

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1494476

Signature

Adds extensions / path to Windows Defender exclusion list (Registry)

AI detected suspicious sample

Disable Windows Defender real time protection (registry)

Disables Windows Defender (deletes autostart)

Exclude list of file types from scheduled, custom, and real-time scanning

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Modifies Group Policy settings

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Suricata IDS alerts for network traffic

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1adb3b5ba962f7eb431c9440abce7dd0269b8fb3e7b4235628b2cd8f5345b016

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1adb3b5ba962f7eb431c9440abce7dd0269b8fb3e7b4235628b2cd8f5345b016/

Threat name:

Win64.Trojan.PrivateLoader

Status:

Malicious

First seen:

2024-07-30 02:33:54 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dlntww5jml36wqy4srakxtt52atjxd5t462cgvriwlgy6u2fwala._file

Verdict:

unknown

Result

Malware family:

n/a

Score:

10/10

Tags:

evasion

Link:

https://tria.ge/reports/240818-pnbslawfmp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Drops file in System32 directory

Modifies firewall policy service

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/fbf9afd6-57db-4b86-8407-f869aa956874

Unpacked files

SH256 hash:

1adb3b5ba962f7eb431c9440abce7dd0269b8fb3e7b4235628b2cd8f5345b016

MD5 hash:

756a1230e7e89d4637e9487bdc01f386

SHA1 hash:

e6e14b7d282ae76787135c988dece8398b82d116

Link:

https://www.unpac.me/results/48232fda-f9de-4169-8c8b-9df75cf874c9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1adb3b5ba962f7eb431c9440abce7dd0269b8fb3e7b4235628b2cd8f5345b016

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	pe_detect_tls_callbacks Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (NX_COMPAT)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_TRUST_INFO	Requires Elevated Execution (level:requireAdministrator)	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance ole32.dll::CoInitializeSecurity
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteA
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessA KERNEL32.dll::WriteProcessMemory KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetSystemInfo KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::WriteConsoleA KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileA KERNEL32.dll::CreateFileW KERNEL32.dll::GetFileAttributesA
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegSetValueExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample