MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 320c1e989f4abc710021c34d0544588c487aa4d210a04942cebcbe1db0f777c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PrivateLoader


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 320c1e989f4abc710021c34d0544588c487aa4d210a04942cebcbe1db0f777c1
SHA3-384 hash: c8345d3cd94cb23825b21589d824dad17e1e98428e6b46a5a144995a56bc9b5e08fa19e8180a98160190a89742bcba5a
SHA1 hash: b76c74c5deb946319827246e58c912dc26e052db
MD5 hash: af95d9855fa395906b155f0ed0323db5
humanhash: nuts-edward-zulu-cardinal
File name:SecuriteInfo.com.Win64.DropperX-gen.20168.7257
Download: download sample
Signature PrivateLoader
Create hunting rule
File size:2'817'536 bytes
First seen:2024-06-07 20:20:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9cd4556d786e561b960f0093c7fc3caa (2 x PrivateLoader)
ssdeep 49152:BCjU5jmNeRFdpJsMArAinehUabcwpHXZsb0B9Xrhz4DyBQFkL47hgM5vBv1PkiVE:HjmNKDpSM8QbHZVlBQSM5JdMiDQ1N
TLSH T1EAD522913483A5F2D026C7B0C811B6BCF1783B65EFA34C5776E96A041D23762AFA634D
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon c1d9c9c4c6dbcccc (1 x PrivateLoader)
Reporter SecuriteInfoCom
Tags:exe PrivateLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
353
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
320c1e989f4abc710021c34d0544588c487aa4d210a04942cebcbe1db0f777c1.exe
Verdict:
Malicious activity
Analysis date:
2024-06-07 20:22:55 UTC
Tags:
evasion privateloader
Link:
https://app.any.run/tasks/fba3b0ea-04fe-4fc6-a47d-ff94fa13ec8a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.DropperX-gen.20168.7257.UNOFFICIAL
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Modifying a system file
Connection attempt
Using the Windows Management Instrumentation requests
Replacing files
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Launching a service
Launching a process
Reading critical registry keys
Sending a UDP request
Forced system process termination
Blocking the Windows Defender launch
Adding exclusions to Windows Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin masquerade packed shell32
Link:
https://www.filescan.io/uploads/66636bb06be3b3c7c2336d43/reports/5729dd5c-26a5-4695-a504-a9afdeb2d6e3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/320c1e989f4abc710021c34d0544588c487aa4d210a04942cebcbe1db0f777c1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Pitou
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7bba7485-c220-4a95-b2e5-4a02d1a0b7de
Result
Threat name:
Mars Stealer, PureLog Stealer, RedLine,
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1453862
Signature
Adds extensions / path to Windows Defender exclusion list (Registry)
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Exclude list of file types from scheduled, custom, and real-time scanning
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies power options to not sleep / hibernate
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Disable power options
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Mars stealer
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1453862 Sample: SecuriteInfo.com.Win64.Drop... Startdate: 07/06/2024 Architecture: WINDOWS Score: 100 130 Found malware configuration 2->130 132 Malicious sample detected (through community Yara rule) 2->132 134 Antivirus detection for URL or domain 2->134 136 24 other signatures 2->136 8 SecuriteInfo.com.Win64.DropperX-gen.20168.7257.exe 11 51 2->8         started        13 MPGPH131.exe 2->13         started        15 MPGPH131.exe 2->15         started        17 4 other processes 2->17 process3 dnsIp4 120 176.111.174.109 WILWAWPL Russian Federation 8->120 122 94.232.45.38 WELLWEBNL Russian Federation 8->122 128 17 other IPs or domains 8->128 80 C:\Users\...\t0LhTNLf75S0gfvqEdwCdpBW.exe, PE32 8->80 dropped 82 C:\Users\...\rDljwhBrT570ort6ggGagMk2.exe, PE32 8->82 dropped 84 C:\Users\...\qT1QqgcK1_sRqD10T7fKkybR.exe, PE32 8->84 dropped 86 23 other malicious files 8->86 dropped 174 Drops PE files to the document folder of the user 8->174 176 Creates HTML files with .exe extension (expired dropper behavior) 8->176 178 Found many strings related to Crypto-Wallets (likely being stolen) 8->178 186 6 other signatures 8->186 19 BWFlzpWxXFkrIkTEhSnhu4p7.exe 8->19         started        22 jCkDeKnfFPE_8nBBm6TTJjCZ.exe 8->22         started        26 LRV2Syvuiyztf9pm3xMIUD8X.exe 2 61 8->26         started        28 12 other processes 8->28 180 Detected unpacking (changes PE section rights) 13->180 182 Machine Learning detection for dropped file 13->182 184 Hides threads from debuggers 13->184 124 184.28.90.27 AKAMAI-ASUS United States 17->124 126 127.0.0.1 unknown unknown 17->126 file5 signatures6 process7 dnsIp8 62 C:\Users\...\BWFlzpWxXFkrIkTEhSnhu4p7.tmp, PE32 19->62 dropped 30 BWFlzpWxXFkrIkTEhSnhu4p7.tmp 19->30         started        112 185.172.128.170 NADYMSS-ASRU Russian Federation 22->112 64 C:\Users\user\AppData\...\AAFIIJDAAA.exe, PE32 22->64 dropped 74 13 other files (9 malicious) 22->74 dropped 150 Detected unpacking (changes PE section rights) 22->150 152 Detected unpacking (overwrites its own PE header) 22->152 154 Tries to steal Mail credentials (via file / registry access) 22->154 168 4 other signatures 22->168 114 147.45.47.126 FREE-NET-ASFREEnetEU Russian Federation 26->114 116 104.26.5.15 CLOUDFLARENETUS United States 26->116 66 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 26->66 dropped 76 2 other malicious files 26->76 dropped 156 Found many strings related to Crypto-Wallets (likely being stolen) 26->156 158 Found stalling execution ending in API Sleep call 26->158 160 Contains functionality to inject threads in other processes 26->160 170 3 other signatures 26->170 33 schtasks.exe 26->33         started        35 schtasks.exe 26->35         started        118 172.67.202.186 CLOUDFLARENETUS United States 28->118 68 C:\...\F2HQNt8QaPOh9o675y2_uvYI.exe (copy), PE32+ 28->68 dropped 70 C:\Users\user\AppData\Local\Temp\...\scrt.dll, PE32 28->70 dropped 72 C:\Users\user\AppData\...\thirdparty.dll, PE32 28->72 dropped 78 13 other malicious files 28->78 dropped 162 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 28->162 164 Drops PE files to the startup folder 28->164 166 Contains functionality to inject code into remote processes 28->166 172 7 other signatures 28->172 37 RegAsm.exe 28->37         started        41 MSBuild.exe 28->41         started        43 MSBuild.exe 28->43         started        45 10 other processes 28->45 file9 signatures10 process11 dnsIp12 88 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 30->88 dropped 90 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 30->90 dropped 92 C:\Users\user\AppData\Local\...\_RegDLL.tmp, PE32 30->92 dropped 100 34 other files (23 malicious) 30->100 dropped 47 moonvideo2audio32.exe 30->47         started        50 conhost.exe 33->50         started        52 conhost.exe 35->52         started        104 104.21.91.177 CLOUDFLARENETUS United States 37->104 138 Query firmware table information (likely to detect VMs) 37->138 140 Tries to harvest and steal browser information (history, passwords, etc) 37->140 142 Tries to steal Crypto Currency Wallets 37->142 106 5.42.65.63 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 41->106 144 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 43->144 146 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 43->146 108 149.154.167.99 TELEGRAMRU United Kingdom 45->108 110 116.202.190.18 HETZNER-ASDE Germany 45->110 94 C:\Users\user\AppData\Local\...\Install.exe, PE32 45->94 dropped 96 C:\Users\user\AppData\Local\...\sqls[1].dll, PE32 45->96 dropped 98 C:\Users\user\AppData\Local\...\Child.pif, PE32 45->98 dropped 148 Drops PE files with a suspicious file extension 45->148 54 conhost.exe 45->54         started        56 conhost.exe 45->56         started        58 conhost.exe 45->58         started        60 2 other processes 45->60 file13 signatures14 process15 file16 102 C:\ProgramData\...\QEEM Processor 6.7.66.exe, PE32 47->102 dropped
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/320c1e989f4abc710021c34d0544588c487aa4d210a04942cebcbe1db0f777c1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/320c1e989f4abc710021c34d0544588c487aa4d210a04942cebcbe1db0f777c1/
Threat name:
Win64.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-06-05 22:13:31 UTC
File Type:
PE+ (Exe)
Extracted files:
8
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gigb5ge7jk6hcabbyngqkrcyrrehvjgsccqesqwoxs7b3mhxo7aq._file
Verdict:
malicious
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader evasion loader
Link:
https://tria.ge/reports/240607-y4fwxsdf79/
Behaviour
Modifies system certificate store
Drops file in System32 directory
Looks up external IP address via web service
Modifies firewall policy service
PrivateLoader
Unpacked files
SH256 hash:
320c1e989f4abc710021c34d0544588c487aa4d210a04942cebcbe1db0f777c1
MD5 hash:
af95d9855fa395906b155f0ed0323db5
SHA1 hash:
b76c74c5deb946319827246e58c912dc26e052db
Link:
https://www.unpac.me/results/77277cb6-08fa-4659-a60d-18a5fb5554e4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/320c1e989f4abc710021c34d0544588c487aa4d210a04942cebcbe1db0f777c1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (NX_COMPAT)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA

Comments