MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37bdbeada0c0b18a66d581fb0e3d320478cadc52f644ea0486a44c008dd300ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PrivateLoader


Vendor detections: 15


Intelligence 15 IOCs 3 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 37bdbeada0c0b18a66d581fb0e3d320478cadc52f644ea0486a44c008dd300ad
SHA3-384 hash: 1c334a5663b9d422991fd677998fecda349b0bb655cb50d9a9338b05073eb9a21b2c3d7c43f5573aa494fe2ba3e624f2
SHA1 hash: 11db57ac940e2e924a1355b0d131068b8b560ec4
MD5 hash: 3f25d675056188caf86ca8f03d01a39a
humanhash: seven-social-hydrogen-nitrogen
File name:3f25d675056188caf86ca8f03d01a39a.exe
Download: download sample
Signature PrivateLoader
Create hunting rule
File size:9'386'376 bytes
First seen:2024-09-08 19:00:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 98304:MzIKniADgJ5Y+L7CJuBoLKH4wSLWwfzoakC5OxvUWrbXiHREzSX2fe3v:MznnigK5CJuRHULxoaZQ7rGHhX2G/
TLSH T1FD96AF057F40CE11D52E9637889BEB8413E8FD862742D93A384DB3CDA59177E1B2F18A
TrID 36.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
28.9% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
15.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.2% (.EXE) Win64 Executable (generic) (10523/12/4)
3.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika pebin
File icon (PE):PE icon
dhash icon e564ecdca4b4848d (2 x LummaStealer, 1 x Stop, 1 x PrivateLoader)
Reporter abuse_ch
Tags:exe PrivateLoader


Avatar
abuse_ch
PrivateLoader C2:
http://92.246.139.82/api/crazyfish.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://92.246.139.82/api/crazyfish.php https://threatfox.abuse.ch/ioc/1322390/
http://92.246.139.82/api/twofish.php https://threatfox.abuse.ch/ioc/1322391/
89.105.223.249:29986 https://threatfox.abuse.ch/ioc/1322392/

Intelligence

File Origin
# of uploads :
1
# of downloads :
436
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3f25d675056188caf86ca8f03d01a39a.exe
Verdict:
Malicious activity
Analysis date:
2024-09-08 19:03:49 UTC
Tags:
berbew privateloader evasion
Link:
https://app.any.run/tasks/6c9eb7ee-0725-4086-a625-ef925cb6f506

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Malwarex-10033462-0
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66ddf47081c57823b78e6b59
Tags:
Encryption Static Msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Сreating synchronization primitives
Connection attempt
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Reading critical registry keys
Using the Windows Management Instrumentation requests
Connection attempt to an infection source
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm obfuscated overlay packed
Link:
https://www.filescan.io/uploads/66ddf470ee4db382bc7b8ea8/reports/5a83aa8b-a670-4e8e-9f97-38b396c83f53/overview
Verdict:
Malicious
Labled as:
Trojan.PasswordStealer.GenericS
Link:
https://www.hybrid-analysis.com/sample/37bdbeada0c0b18a66d581fb0e3d320478cadc52f644ea0486a44c008dd300ad
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fd7784dc-d23d-4034-9453-a3ef469c5bf8
Result
Threat name:
LummaC, Amadey, LummaC Stealer, Neorekla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1507613
Signature
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Drops PE files to the document folder of the user
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies Windows Defender protection settings
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Reads the System eventlog
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected Neoreklami
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Stealc
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1507613 Sample: PM7K6PbAf0.exe Startdate: 08/09/2024 Architecture: WINDOWS Score: 100 156 Found malware configuration 2->156 158 Malicious sample detected (through community Yara rule) 2->158 160 Antivirus detection for URL or domain 2->160 162 21 other signatures 2->162 12 PM7K6PbAf0.exe 1 2->12         started        16 orpqcnvisucm.exe 2->16         started        18 svchost.exe 2->18         started        20 svchost.exe 2->20         started        process3 dnsIp4 124 C:\Users\user\AppData\...\PM7K6PbAf0.exe.log, ASCII 12->124 dropped 226 Found many strings related to Crypto-Wallets (likely being stolen) 12->226 228 Writes to foreign memory regions 12->228 230 Allocates memory in foreign processes 12->230 232 Injects a PE file into a foreign processes 12->232 23 RegAsm.exe 1 31 12->23         started        28 RegAsm.exe 12->28         started        30 conhost.exe 12->30         started        126 C:\Windows\Temp\kwjhqsakhddk.sys, PE32+ 16->126 dropped 234 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 16->234 236 Found strings related to Crypto-Mining 16->236 238 Modifies the context of a thread in another process (thread injection) 16->238 240 3 other signatures 16->240 32 powercfg.exe 16->32         started        34 powercfg.exe 16->34         started        36 WerFault.exe 18->36         started        128 184.28.90.27 AKAMAI-ASUS United States 20->128 130 127.0.0.1 unknown unknown 20->130 file5 signatures6 process7 dnsIp8 146 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 23->146 148 104.237.62.213 WEBNXUS United States 23->148 154 9 other IPs or domains 23->154 108 C:\Users\...\tIg6MuOUVdd8TZMqCkLxvvXY.exe, PE32 23->108 dropped 110 C:\Users\...\bkkDLTK85vAhlknshDJJNyQ5.exe, PE32 23->110 dropped 112 C:\Users\...\bClSvuoeQNFeAJkLSBxTvz0S.exe, PE32 23->112 dropped 116 14 other malicious files 23->116 dropped 208 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->208 210 Drops PE files to the document folder of the user 23->210 212 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 23->212 220 4 other signatures 23->220 38 73Dpujowg7NMxIS9N4LNUwaw.exe 2 23->38         started        41 7WEEfFcNoTjmDP0zmbwFsXH1.exe 1 23->41         started        43 tIg6MuOUVdd8TZMqCkLxvvXY.exe 4 23->43         started        50 7 other processes 23->50 150 185.215.113.22 WHOLESALECONNECTIONSNL Portugal 28->150 152 104.26.13.31 CLOUDFLARENETUS United States 28->152 114 C:\Users\user\AppData\...\RegAsm.exe.log, ASCII 28->114 dropped 214 Installs new ROOT certificates 28->214 216 Tries to harvest and steal browser information (history, passwords, etc) 28->216 218 Tries to steal Crypto Currency Wallets 28->218 46 conhost.exe 32->46         started        48 reg.exe 36->48         started        file9 signatures10 process11 file12 164 Contains functionality to inject code into remote processes 38->164 166 Writes to foreign memory regions 38->166 168 Allocates memory in foreign processes 38->168 52 RegAsm.exe 38->52         started        69 3 other processes 38->69 170 Injects a PE file into a foreign processes 41->170 57 RegAsm.exe 41->57         started        59 WerFault.exe 41->59         started        61 conhost.exe 41->61         started        118 C:\Users\user\AppData\Local\...\axplong.exe, PE32 43->118 dropped 172 Detected unpacking (changes PE section rights) 43->172 174 Tries to detect sandboxes and other dynamic analysis tools (window names) 43->174 176 Tries to evade debugger and weak emulator (self modifying code) 43->176 184 4 other signatures 43->184 120 C:\Users\user\AppData\Local\...\Install.exe, PE32 50->120 dropped 122 C:\ProgramData\...\orpqcnvisucm.exe, PE32+ 50->122 dropped 178 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 50->178 180 Uses powercfg.exe to modify the power settings 50->180 182 Reads the System eventlog 50->182 186 3 other signatures 50->186 63 Install.exe 50->63         started        65 RegAsm.exe 50->65         started        67 powercfg.exe 50->67         started        71 9 other processes 50->71 signatures13 process14 dnsIp15 132 46.8.231.109 FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics Russian Federation 52->132 98 C:\Users\user\AppData\...\softokn3[1].dll, PE32 52->98 dropped 100 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 52->100 dropped 102 C:\Users\user\AppData\...\mozglue[1].dll, PE32 52->102 dropped 106 12 other files (8 malicious) 52->106 dropped 188 Tries to steal Mail credentials (via file / registry access) 52->188 190 Modifies Windows Defender protection settings 52->190 192 Tries to steal Crypto Currency Wallets 52->192 134 45.152.113.10 CODECCLOUD-AS-APCodecCloudHKLimitedHK Russian Federation 57->134 136 198.54.120.231 NAMECHEAP-NETUS United States 57->136 194 Tries to harvest and steal ftp login credentials 57->194 196 Tries to harvest and steal browser information (history, passwords, etc) 57->196 198 Tries to harvest and steal Bitcoin Wallet information 57->198 138 52.182.143.212 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 59->138 104 C:\Users\user\AppData\Local\...\Install.exe, PE32 63->104 dropped 73 Install.exe 63->73         started        140 149.154.167.99 TELEGRAMRU United Kingdom 65->140 142 147.45.126.10 FREE-NET-ASFREEnetEU Russian Federation 65->142 200 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 65->200 76 conhost.exe 67->76         started        144 2 other IPs or domains 71->144 78 conhost.exe 71->78         started        80 conhost.exe 71->80         started        82 conhost.exe 71->82         started        84 4 other processes 71->84 file16 signatures17 process18 signatures19 222 Modifies Windows Defender protection settings 73->222 86 cmd.exe 73->86         started        process20 signatures21 202 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 86->202 204 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 86->204 206 Modifies Windows Defender protection settings 86->206 89 forfiles.exe 86->89         started        92 conhost.exe 86->92         started        94 Conhost.exe 86->94         started        process22 signatures23 224 Modifies Windows Defender protection settings 89->224 96 cmd.exe 89->96         started        process24
Score:
55%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/37bdbeada0c0b18a66d581fb0e3d320478cadc52f644ea0486a44c008dd300ad
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/37bdbeada0c0b18a66d581fb0e3d320478cadc52f644ea0486a44c008dd300ad/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-09-05 07:12:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
38
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g6635lnaycyyuzwvqh5q4pjsar4mvxcs6zcoubegurgabdotacwq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery
Link:
https://tria.ge/reports/240908-xn7h9stenb/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4faa7d8d-5285-490b-9a80-d84982425ca0
Unpacked files
SH256 hash:
86e9d60c29c635146be5eeb4d2df981010bb60d586cf553a75419772bbc0b302
MD5 hash:
6c2bc5b8b43a3118520f0951e4a5b2de
SHA1 hash:
cff937c3d22b83804890ca0584645ea2abaf224d
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/6eccc7c5-4f04-4018-a28e-7d5c9079084e/
Parent samples :
4b405c22574517f903942744984e85e0240fe1b020e30ab94b3d3225ac7f5a58
c1a96310dd45b906c51fd21fd604550225e1eec1941245850b24773e22768ad7
a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be
0843b763880a4e1b559d29140afff5cd867bcada20eda6db2524d4e5045af114
521d404952876e51d0cf3a4d0d69e30566406a3a129343d5e53d5d7274f4d3dc
13368bfeba0fbf3160dbbb1155b1439b7fcdb0fb59baef1cc93207821e63465f
fa565ec0da19b4c700bf3705101bd49c9c09aaf26691abb6fe1c3622926cc8d2
59778733797d1033f33e5803810777b199bab7a53710c385c9f8b1cea648d4ec
6ae1ebeb88e73be3fd5141deb9e85ed84203af1ef50cea7f2efc6be74816e52e
e7ad5000fcab4b69737e7b206f7ea0fbeeb7f68443e983e924e2710b54c7e5d4
e6e621591cd287a1b4504c178c9ce8e53e8c7e8c299ffaf0add782e21c96b99b
c1b3b50c6ab0ed4e6e453cd5762585cd10876007f4a2de76fb26f498350c92d7
022845dbd0b028f17d257923279a9adcde5c7e4024f219059e0682c3825b7eae
11c350a41232b6adfe9634d8d9e2afacac1e5e06bd20ee1fbc480a3987b83ab0
0f79d37dd89fe7f6dab0c5bb89ade5bcf8378cd30a960ffeeb27c08460c9bd03
286fddf3ce6b929da962c680febfff82719828cecf2c16df5a14cbfd1dfd27e9
4ff955e39fc6b4f0c0a715c3b87b95c47d61df9145e0071061a5070a5c87c855
c18daf8d23214417f5c2165c850ffe0e83b657d9ba045dde50757cfd5b5f4dbc
f26bf72c9af9e8ef4064f0370f1543dd43807bb5e9295c2de48cf99b1b22a947
c955b3b1da4142b077f791749db32f9a871e62c503b421dc8fc061ac3ad71025
e9e2b36855a104b566a9bcdf118a692539c364538fb1822b1d4267cfb3a6cd43
38e933a54738075088e6a5e0301e12bdd32adc933abc68714b154125f1985909
6ccb73967f66acd2af71b4d41a7b5f3755f04d1adba41bafc573f8c1cc14c26a
12ba4ba5d28771a0ffdfc88f9542718b9d67caddfeedb68ddac6688e8cefd76e
f301e8067f6dc52246e372aaee08ee765ed3900fbddc219de63eb318f7f432cc
e56209567fa12794362b0c68d5f4a14bce9895ec878aa1bfa5cbb73cc93d41d4
39799cbca0280a21fa444531c85521db039ef70f963a8960f3fcaca71d3cf802
28df39e7ca8b5f1d4f1b0a56220ead1e0a5de264d7d70b0b20fb512ec5584e56
677074e2c7852d99ae47bcc355c3d77c3afa0391f9393012c3b1ef24957beacb
37bdbeada0c0b18a66d581fb0e3d320478cadc52f644ea0486a44c008dd300ad
SH256 hash:
fb262b14ef2beeec61b8f6e231b698269805aee14f331423b4227a326aa545b3
MD5 hash:
fca7c761b5a1b868f197bec77f1607a1
SHA1 hash:
8dbbffd5200d1b11e4723decc370cadbb4193b7e
Link:
https://www.unpac.me/results/6eccc7c5-4f04-4018-a28e-7d5c9079084e/
SH256 hash:
301c765d541f3dd4f6e33228939af1fdd335a21d116375f8c56be705bafc3491
MD5 hash:
6bd4e7204c37aa80d956e02c52633407
SHA1 hash:
1dcae8b4e99b5d80870f6ce49932032b571879e4
Link:
https://www.unpac.me/results/6eccc7c5-4f04-4018-a28e-7d5c9079084e/
SH256 hash:
37bdbeada0c0b18a66d581fb0e3d320478cadc52f644ea0486a44c008dd300ad
MD5 hash:
3f25d675056188caf86ca8f03d01a39a
SHA1 hash:
11db57ac940e2e924a1355b0d131068b8b560ec4
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/6eccc7c5-4f04-4018-a28e-7d5c9079084e/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/37bdbeada0c0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/37bdbeada0c0b18a66d581fb0e3d320478cadc52f644ea0486a44c008dd300ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DotNet_Reactor
Create hunting rule
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:Rooter
Create hunting rule
Author:Seth Hardy
Description:Rooter
Rule name:RooterStrings
Create hunting rule
Author:Seth Hardy
Description:Rooter Identifying Strings
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high

Comments