MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39519bc3329a0dbada982a973dec770825a3455653c8b7cbf09ffa83e1d40e7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PrivateLoader


Vendor detections: 16



SHA256 hash: 39519bc3329a0dbada982a973dec770825a3455653c8b7cbf09ffa83e1d40e7b
SHA3-384 hash: 60eac7e3f0c408322c1a74e9e1999b0f54c310c64da183d8d6133b9cd6d3861b27bdf4999e06d3a4998cc78ce65d47f4
SHA1 hash: 19ae75ffa328bf9489f205cdc361d29e30856b22
MD5 hash: e8bae2ff6cc2b382b4c4ad3f77d00742
humanhash: dakota-fruit-king-green
File name: file
Signature: PrivateLoader
File size: 4'736'000 bytes
First seen: 2023-10-30 18:53:52 UTC
Last seen: 2023-10-30 20:32:14 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c2becf94364f15a5960607ffb2981d10 (1 x PrivateLoader)
ssdeep: 98304:rVMKfMCVqNpbGvK7N46RRG4xHQOwp/e76O+q7A/kqprZ9PSLr0VJ:BUCmlKKlRRxNQdGmO88GlALQV
TLSH: T1882612837B4500FEF03983F5847147DFB2662A936D6265452F8D6A08ADC23FD4E6E2C9
TrID:
  44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
  8.7% (.ICL) Windows Icons Library (generic) (2059/9)
  8.5% (.EXE) OS/2 Executable (generic) (2029/13)
  8.4% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: f3f9b9707b9be231 (1 x PrivateLoader)
Reporter: jstrosch
Tags: exe PrivateLoader X64

Intelligence


File Origin
# of uploads: 2
# of downloads: 337
Origin country: US

Vendor Threat Intelligence
Malware family:
ID: 1
File name: SecuriteInfo.com.Win64.PWSX-gen.28763.10783
Verdict: Malicious activity
Analysis date: 2023-10-30 05:49:35 UTC
Tags: sinkhole opendir privateloader evasion loader smoke risepro stealer stealc redline amadey botnet trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Modifying a system file
Creating synchronization primitives
DNS request
Sending a custom TCP request
Replacing files
Launching a service
Launching a process
Sending an HTTP GET request
Reading critical registry keys
Sending a UDP request
Creating a file
Forced system process termination
Blocking the Windows Defender launch
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Gathering data
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed packed vmprotect
Verdict: Malicious
Labelled as: Win64/Agent_AGeneric.AZB trojan
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Glupteba, Neoreklami, Phonk Miner, RedLi
Detection: malicious
Classification: rans.troj.adwa.spyw.expl.evad.mine
Score: 100 / 100
Signature
Adds extensions / path to Windows Defender exclusion list
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to register a low level keyboard hook
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops script or batch files to the startup folder
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Neoreklami
Yara detected Phonk Miner
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1334465
Sample: file.exe
Start date: 30/10/2023
Architecture: WINDOWS
Score: 100

Root (2)
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 26 other signatures
  Starts: file.exe (11); svchost.exe (16); svchost.exe (18); 2 other processes (20)

file.exe (11)
  Network: 87.240.132.67 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation; 95.142.206.0 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation; 12 other IPs or domains
  Dropped: C:\Users\...\uv3lBveMFCicG3x8cloI5Ber.exe (PE32+); C:\Users\...\stwwNyDxibngNDXIJgIS9Zcn.exe (PE32+); C:\Users\...\rtDOE2rN3Is1slb9zdXnMXwL.exe (PE32); 11 other malicious files
  Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Creates HTML files with .exe extension (expired dropper behavior); Disables Windows Defender (deletes autostart); 3 other signatures
  Starts: 2pX0mRCfPQtyElJgi_f6sgUj.exe (22); FmbuUZQdBR1Ikaenw1fr6zOa.exe (25); XT4AHQQbjAmQluI3OYOVvDNI.exe (28); 5 other processes (30)

2pX0mRCfPQtyElJgi_f6sgUj.exe (22)
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  Starts: InstallUtil.exe (33)

FmbuUZQdBR1Ikaenw1fr6zOa.exe (25)
  Dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32); C:\Users\user\AppData\Local\...\config.txt (data)
  Starts: Install.exe (38)

XT4AHQQbjAmQluI3OYOVvDNI.exe (28)
  Dropped: C:\Users\user\AppData\Local\Temp\...\7z.exe (PE32+); C:\Users\user\AppData\Local\Temp\...\7z.dll (PE32+); C:\Users\user\AppData\Local\Temp\...\file.bin (Zip)
  Starts: cmd.exe (40)

5 other processes (30)
  Network: 194.169.175.220 CLOUDCOMPUTINGDE Germany; 45.15.156.229 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation; 185.172.128.69 NADYMSS-ASRU Russian Federation
  Dropped: C:\Users\...\BCBYV4qPHdJnRLEU8HvWXSsE.exe (PE32+); C:\Users\user\AppData\...\newumma[1].exe (PE32)
  Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Found Tor onion address; Disables Windows Defender (deletes autostart); 3 other signatures
  Starts: conhost.exe (42)

InstallUtil.exe (33)
  Network: 85.217.144.143 WS171-ASRU Bulgaria; 176.57.208.22 TIMEWEB-ASRU Russian Federation; 15 other IPs or domains
  Dropped: C:\Users\...\zmF134d2NUF2E8qqHotIUzBm.exe (PE32); C:\Users\...\zTWH0Oc25ykEJvnB73SBoQjD.exe (PE32); C:\Users\...\zKprHKF2mWs0wtnvAPgJhV2e.exe (PE32); 258 other malicious files
  Signatures: Drops script or batch files to the startup folder; Creates HTML files with .exe extension (expired dropper behavior); Writes many files with high entropy
  Starts: 7dAyG1bJFqD9H6TcwPa7vIRH.exe (44); Dzq3wWPNjexEdsEcBQxaHAR1.exe (47); iS9fbFC8hCO6WhksNxJz9Uxy.exe (51); 6 other processes (61)

Install.exe (38)
  Dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32)
  Signatures: Multi AV Scanner detection for dropped file
  Starts: Install.exe (53)

cmd.exe (40)
  Dropped: (copy) (Zip)
  Starts: 7z.exe (55); conhost.exe (57); mode.com (59)

7dAyG1bJFqD9H6TcwPa7vIRH.exe (44)
  Dropped: C:\Users\...\7dAyG1bJFqD9H6TcwPa7vIRH.tmp (PE32)
  Starts: 7dAyG1bJFqD9H6TcwPa7vIRH.tmp (63)

Dzq3wWPNjexEdsEcBQxaHAR1.exe (47)
  Network: 5.182.38.138 VMAGE-ASRU Russian Federation; 149.154.167.99 TELEGRAMRU United Kingdom; 5.75.188.83 HETZNER-ASDE Germany
  Dropped: 6 other files (4 malicious)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 3 other signatures

iS9fbFC8hCO6WhksNxJz9Uxy.exe (51)
  Network: 107.167.110.217 OPERASOFTWAREUS United States; 107.167.125.189 OPERASOFTWAREUS United States; 4 other IPs or domains
  Dropped: Opera_installer_2310301855431517948.dll (PE32); C:\Users\user\AppData\Local\...\opera_package (PE32); C:\Users\user\...\additional_file0.tmp (PE32); 3 other malicious files
  Signatures: Writes many files with high entropy
  Starts: iS9fbFC8hCO6WhksNxJz9Uxy.exe (67); iS9fbFC8hCO6WhksNxJz9Uxy.exe (69); iS9fbFC8hCO6WhksNxJz9Uxy.exe (71)

Install.exe (53)
  Dropped: C:\Users\user\AppData\Local\...\KSrhDpO.exe (PE32)
  Signatures: Multi AV Scanner detection for dropped file; Adds extensions / path to Windows Defender exclusion list
  Starts: forfiles.exe (73)

7z.exe (55)
  Dropped: C:\Users\user\AppData\Local\...\file_2.zip (Zip)

6 other processes (61)
  Network: 104.21.38.126 CLOUDFLARENETUS United States
  Dropped: C:\Users\...\cBppEYVBzXaWjE7BAt9eNkwm.tmp (PE32)
  Signatures: Injects a PE file into a foreign processes
  Starts: KKJtW8lkGMWi8TnlJJk29BZn.exe (75)

7dAyG1bJFqD9H6TcwPa7vIRH.tmp (63)
  Dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); 14 other files (12 malicious)
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
  Starts: KAudioConverter.exe (77); schtasks.exe (80)

iS9fbFC8hCO6WhksNxJz9Uxy.exe (67)
  Dropped: Opera_installer_2310301855487016804.dll (PE32)
  Starts: iS9fbFC8hCO6WhksNxJz9Uxy.exe (82)

iS9fbFC8hCO6WhksNxJz9Uxy.exe (69)
  Dropped: Opera_installer_2310301855453587660.dll (PE32)

iS9fbFC8hCO6WhksNxJz9Uxy.exe (71)
  Dropped: Opera_installer_2310301855471188140.dll (PE32)

forfiles.exe (73)
  Starts: conhost.exe (84)

KKJtW8lkGMWi8TnlJJk29BZn.exe (75)
  Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)

KAudioConverter.exe (77)
  Dropped: C:\ProgramData\...\Video Fetcher.exe (PE32)

schtasks.exe (80)
  Starts: conhost.exe (86)

iS9fbFC8hCO6WhksNxJz9Uxy.exe (82)
  Dropped: Opera_installer_2310301855499713780.dll (PE32)
Threat name: Win64.Trojan.Privateloader
Status: Suspicious
First seen: 2023-10-29 12:44:43 UTC
File Type: PE+ (Exe)
Extracted files: 39
AV detection: 20 of 36 (55.56%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: privateloader
Score: 10/10
Tags: family:privateloader loader spyware stealer
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
PrivateLoader
Unpacked files
SHA256 hash: 39519bc3329a0dbada982a973dec770825a3455653c8b7cbf09ffa83e1d40e7b
MD5 hash: e8bae2ff6cc2b382b4c4ad3f77d00742
SHA1 hash: 19ae75ffa328bf9489f205cdc361d29e30856b22
Malware family: PrivateLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Check_OutputDebugStringA_iat
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Signature: PrivateLoader
  File type: Executable exe
  SHA256: 39519bc3329a0dbada982a973dec770825a3455653c8b7cbf09ffa83e1d40e7b (this sample)

Delivery method: Distributed via web download

Comments