Threat name:
GCleaner, Glupteba, LummaC Stealer, Mars
Alert
Classification:
rans.troj.spyw.evad.mine
.NET source code contains method to dynamically call methods (often used by packers)
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Exclude list of file types from scheduled, custom, and real-time scanning
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies power options to not sleep / hibernate
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Disable power options
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected LummaC Stealer
Yara detected Mars stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behavior Graph
ID: 1425038
Sample: SecuriteInfo.com.Win64.Evo-...
Startdate: 12/04/2024
Architecture: WINDOWS
Score: 100

Process tree (rebuilt from the graph edges; each process lists the network contacts, dropped files and signatures the graph attributed to it):

Sample (root)
  Network:
    a.574859385.xyz
      Signature: Performs DNS queries to domains with low reputation
    t.me
    21 other IPs or domains
  Signatures:
    Multi AV Scanner detection for domain / URL
    Found malware configuration
    Malicious sample detected (through community Yara rule)
    26 other signatures
  Started processes:
    SecuriteInfo.com.Win64.Evo-gen.28136.30716.exe
      Network:
        a.574859385.xyz (23.137.249.94, GTLAKESUS, Reserved)
        185.215.113.46, ports 49710, 80 (WHOLESALECONNECTIONSNL, Portugal)
        22 other IPs or domains
      Dropped files:
        C:\Users\...\xF8wwnvV7VSPLG6odA_kUMNE.exe, PE32
        C:\Users\...\pXSDyS6i2m_eI_qg3pp5HEjN.exe, PE32
        C:\Users\...\oBmS_v_1KyZtw2vx9RhHBuTc.exe, PE32
        30 other malicious files
      Signatures:
        Query firmware table information (likely to detect VMs)
        Drops PE files to the document folder of the user
        Creates HTML files with .exe extension (expired dropper behavior)
        11 other signatures
      Started processes:
        dsdzwO9zciWHADOWVbuoiWl0.exe
          Network:
            185.172.128.228 (NADYMSS-ASRU, Russian Federation)
            185.172.128.26 (NADYMSS-ASRU, Russian Federation)
          Dropped files:
            C:\Users\user\AppData\...\DAFIEHIEGD.exe, PE32
            13 other files (9 malicious)
          Signatures:
            Detected unpacking (changes PE section rights)
            Detected unpacking (overwrites its own PE header)
            Tries to steal Mail credentials (via file / registry access)
            4 other signatures
        OGqyz0X7jMWNb2o61ZoNmk0z.exe
          Signatures:
            3 other signatures
          Started processes:
            RegAsm.exe
              Network:
                t.me (149.154.167.99, TELEGRAMRU, United Kingdom)
                195.201.47.150 (HETZNER-ASDE, Germany)
                162.19.138.79 (CENTURYLINK-US-LEGACY-QWESTUS, United States)
              Dropped files:
                C:\Users\user\AppData\Local\...\sqln[1].dll, PE32
                C:\Users\user\AppData\...\Soft123[1].exe, PE32+
                2 other malicious files
              Signatures:
                Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                Installs new ROOT certificates
                Tries to harvest and steal ftp login credentials
                Tries to harvest and steal Bitcoin Wallet information
            conhost.exe
        5BRYkzMBWPTHUlR0etpFq_rO.exe
          Network:
            193.233.132.226 (FREE-NET-ASFREEnetEU, Russian Federation)
          Dropped files:
            C:\Users\user\...\oVli2fr9CbZSeAMCYvs9.exe, PE32
            C:\Users\user\...\SgYF_ET9kWqa1EPxTSmH.exe, PE32
            7 other malicious files
          Signatures:
            Overwrites code with unconditional jumps - possibly settings hooks in foreign process
            Found stalling execution ending in API Sleep call
            Creates multiple autostart registry keys
            Writes many files with high entropy
        15 other processes
          Network:
            185.172.128.90 (NADYMSS-ASRU, Russian Federation)
            193.233.132.74 (FREE-NET-ASFREEnetEU, Russian Federation)
            193.233.132.253 (FREE-NET-ASFREEnetEU, Russian Federation)
          Dropped files:
            C:\Users\...\bYg8qNOB01YhcDjyq5v3mI8q.tmp, PE32
            C:\Users\user\AppData\...\Protect544cd51a.dll, PE32
            C:\Users\user\AppData\Local\...\notepad.exe, PE32+
            7 other malicious files
          Signatures:
            Query firmware table information (likely to detect VMs)
            Tries to detect sandboxes and other dynamic analysis tools (window names)
            Found Tor onion address
            20 other signatures
          Started processes:
            bYg8qNOB01YhcDjyq5v3mI8q.tmp
              Dropped files:
                C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
                C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32
                C:\Users\user\AppData\Local\...\_RegDLL.tmp, PE32
                12 other files (11 malicious)
            RegAsm.exe
              Network:
                5.42.65.50 (RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation)
              Signatures:
                Tries to harvest and steal browser information (history, passwords, etc)
                Tries to steal Crypto Currency Wallets
            RegAsm.exe
              Signatures:
                Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                Writes many files with high entropy
            13 other processes
              Network:
                db-ip.com (104.26.5.15, CLOUDFLARENETUS, United States)
                217.195.207.156 (ASFIBERSUNUCUTR, Turkey)
              Dropped files:
                C:\Users\user\AppData\Local\...\fYEtSpT.exe, PE32
                C:\Users\user\...\bidH44rbilPVUafJWZ_qqDb.zip, Zip
              Signatures:
                Tries to steal Mail credentials (via file / registry access)
              Started processes:
                conhost.exe
                conhost.exe
                conhost.exe
                3 other processes
    svchost.exe
      Started processes:
        WerFault.exe
    svchost.exe
    2 other processes