MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40e1c85adecccc0d02b09681a421ba0457962bfd1a035a5bd234ec13c55ad2f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PrivateLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40e1c85adecccc0d02b09681a421ba0457962bfd1a035a5bd234ec13c55ad2f4
SHA3-384 hash: 53d0b1b1b3da4b314dc842aec82133703ff2525a0e84cdd372978c6f6519beef5ebb894f20f6bad96bff0346141883a5
SHA1 hash: 57c2f9cbeb17f80a540a6aeafdd61f28443418ce
MD5 hash: be94b480184550913c269e35a13ad28c
humanhash: timing-north-avocado-nuts
File name:SecuriteInfo.com.Trojan.Siggen28.25504.27914.23637
Download: download sample
Signature PrivateLoader
Create hunting rule
File size:6'132'736 bytes
First seen:2024-04-15 08:25:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bedb96d8a71f9004abf64308e680fcb9 (3 x PrivateLoader)
ssdeep 98304:mkpa5UKdCrbpaah6k5u6yA6nE0w5jjvjjjjl5S/hdIOrd/ClFkydIy3rBld3:m3fdCxaah75uUSw5jjvjjjj3dOr5TLyF
Threatray 9 similar samples on MalwareBazaar
TLSH T125566CA7E7E6365FC47DE4F28102766E8B0EB8554F35F88758B5A2348A6FD0CA20C741
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon f4e4e4f4d8ccd4d8 (1 x PrivateLoader)
Reporter SecuriteInfoCom
Tags:exe PrivateLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
337
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
a02549a343b100949c013f1c84927136e8c8f6e23110ae1d025c9733d5ad712f.exe
Verdict:
Malicious activity
Analysis date:
2024-04-15 05:44:59 UTC
Tags:
amadey botnet stealer lumma loader redline opendir gcleaner stealc evasion risepro privateloader
Link:
https://app.any.run/tasks/868dcbd9-3fa6-4457-bc47-74c8e6c3c844

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
Modifying a system file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Replacing files
Launching a service
Launching a process
Sending a UDP request
Sending an HTTP GET request
Reading critical registry keys
Forced system process termination
Moving a file to the Program Files subdirectory
Blocking the Windows Defender launch
Connection attempt to an infection source
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed themidawinlicense
Link:
https://www.filescan.io/uploads/661ce4a235699b4745ce2df2/reports/508f7c33-85dd-4e57-815c-3fed185f663c/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/40e1c85adecccc0d02b09681a421ba0457962bfd1a035a5bd234ec13c55ad2f4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a3990b72-ec99-4cd7-9188-04e9246e0a91
Result
Threat name:
Glupteba, LummaC Stealer, Mars Stealer,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1426022
Signature
.NET source code contains very large array initializations
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Exclude list of file types from scheduled, custom, and real-time scanning
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Found Tor onion address
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies power options to not sleep / hibernate
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Disable power options
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected Mars stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1426022 Sample: SecuriteInfo.com.Trojan.Sig... Startdate: 15/04/2024 Architecture: WINDOWS Score: 100 92 t.me 2->92 94 nidoe.org 2->94 96 26 other IPs or domains 2->96 122 Snort IDS alert for network traffic 2->122 124 Multi AV Scanner detection for domain / URL 2->124 126 Found malware configuration 2->126 128 24 other signatures 2->128 9 SecuriteInfo.com.Trojan.Siggen28.25504.27914.23637.exe 11 53 2->9         started        14 svchost.exe 2->14         started        16 svchost.exe 2->16         started        18 2 other processes 2->18 signatures3 process4 dnsIp5 116 85.192.56.26, 49730, 80 DINET-ASRU Russian Federation 9->116 118 185.215.113.46, 49736, 80 WHOLESALECONNECTIONSNL Portugal 9->118 120 20 other IPs or domains 9->120 84 C:\Users\...\iDqkuCfFL5PrhKDbGc0YrdXD.exe, PE32 9->84 dropped 86 C:\Users\...\f0s6sy2LRAmC6oUHbkJs3cEc.exe, PE32 9->86 dropped 88 C:\Users\...\bVpo4CHGKFEiEuQ4zpPWLxu8.exe, MS-DOS 9->88 dropped 90 25 other malicious files 9->90 dropped 166 Query firmware table information (likely to detect VMs) 9->166 168 Drops PE files to the document folder of the user 9->168 170 Creates HTML files with .exe extension (expired dropper behavior) 9->170 172 9 other signatures 9->172 20 1CVmRHxaBSMli13V24kYHFkn.exe 1 77 9->20         started        25 44ML7E0LitChlTmXuymcoTJw.exe 2 9->25         started        27 Z4LyLuJxaoN0VHw1RPRY7QvL.exe 9->27         started        31 13 other processes 9->31 29 WerFault.exe 14->29         started        file6 signatures7 process8 dnsIp9 98 193.233.132.253 FREE-NET-ASFREEnetEU Russian Federation 20->98 66 C:\Users\user\...\HwvqJMdzXJvsBGFsZ4Mw.exe, PE32 20->66 dropped 68 C:\Users\user\AppData\...\lumma1104[1].exe, PE32 20->68 dropped 70 C:\Users\user\...\AdobeUpdaterV202.exe, PE32 20->70 dropped 80 2 other malicious files 20->80 dropped 142 Detected unpacking (changes PE section rights) 20->142 144 Query firmware table information (likely to detect VMs) 20->144 146 Tries to steal Mail credentials (via file / registry access) 20->146 162 10 other signatures 20->162 72 C:\Users\user\AppData\Local\...\is-NAUAU.tmp, PE32 25->72 dropped 33 is-NAUAU.tmp 25->33         started        148 Disables Windows Defender (deletes autostart) 27->148 150 Exclude list of file types from scheduled, custom, and real-time scanning 27->150 152 Adds extensions / path to Windows Defender exclusion list (Registry) 27->152 154 Disable Windows Defender real time protection (registry) 27->154 100 147.45.47.93 FREE-NET-ASFREEnetEU Russian Federation 31->100 102 185.172.128.26 NADYMSS-ASRU Russian Federation 31->102 104 193.233.132.226 FREE-NET-ASFREEnetEU Russian Federation 31->104 74 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 31->74 dropped 76 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 31->76 dropped 78 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 31->78 dropped 82 13 other files (9 malicious) 31->82 dropped 156 Detected unpacking (overwrites its own PE header) 31->156 158 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 31->158 160 Tries to detect sandboxes and other dynamic analysis tools (window names) 31->160 164 13 other signatures 31->164 36 RegAsm.exe 31->36         started        40 RegAsm.exe 31->40         started        42 RegAsm.exe 31->42         started        44 11 other processes 31->44 file10 signatures11 process12 dnsIp13 54 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 33->54 dropped 56 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 33->56 dropped 58 C:\Users\user\AppData\Local\...\_RegDLL.tmp, PE32 33->58 dropped 64 12 other files (11 malicious) 33->64 dropped 106 5.42.65.50 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 36->106 130 Installs new ROOT certificates 36->130 132 Tries to harvest and steal browser information (history, passwords, etc) 36->132 134 Tries to steal Crypto Currency Wallets 36->134 108 t.me 149.154.167.99 TELEGRAMRU United Kingdom 40->108 110 157.90.25.39 REDIRISRedIRISAutonomousSystemES United States 40->110 60 C:\Users\user\AppData\Local\...\sqln[1].dll, PE32 40->60 dropped 112 db-ip.com 104.26.5.15 CLOUDFLARENETUS United States 42->112 114 217.195.207.156 ASFIBERSUNUCUTR Turkey 42->114 62 C:\Users\user\...\t8PfXIO0jrKwSHwdcTSNk68.zip, Zip 42->62 dropped 136 Tries to steal Mail credentials (via file / registry access) 42->136 138 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 44->138 140 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 44->140 46 conhost.exe 44->46         started        48 conhost.exe 44->48         started        50 conhost.exe 44->50         started        52 3 other processes 44->52 file14 signatures15 process16
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/40e1c85adecccc0d02b09681a421ba0457962bfd1a035a5bd234ec13c55ad2f4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/40e1c85adecccc0d02b09681a421ba0457962bfd1a035a5bd234ec13c55ad2f4/
Threat name:
Win64.Spyware.Stealc
Create hunting rule
Status:
Malicious
First seen:
2024-04-14 11:03:49 UTC
File Type:
PE+ (Exe)
Extracted files:
12
AV detection:
15 of 23 (65.22%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=idq4qww6ztga2avqs2a2iin2arlzmk75dibvuw6sgtwbhrk22l2a._file
Verdict:
unknown
Similar samples:
176468f01cd7ca28f666e4b3ffed69b76b4306a6081bed0859c984950d344d83
PrivateLoader
1e1db7c0d0c0e06f59ea26fc0e74c240873594c7c590fd9f3e4f34ecb1408213
PrivateLoader
62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414
PrivateLoader
bc84c3a9cfeb083fe41a238c55ea3163b5c9e5103fee0a7d7f4d8a1236b6d22d
PrivateLoader
d562b3b44859f761645676e0c0e7daad1226c5b90f53b4fe5e5395bf77454ec7
PrivateLoader
f25ec06833cd9a9569e2459ab9e079f68f4b18849d56576db4241f34492c14ae
PrivateLoader
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/240415-kbvygscg3x/
Behaviour
Modifies system certificate store
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies firewall policy service
Unpacked files
SH256 hash:
454485afce1a9aa105ddd94072c63fc433c7aa378b3ebf94bf3c6e1a56fcfb54
MD5 hash:
542538c7cb8986fa2867045e2255976a
SHA1 hash:
c3496e0a1faac9bb970308cf26f278c41a7d8ab3
Link:
https://www.unpac.me/results/10f7d5e5-7ede-4853-9aae-e676f53cc2b7/
SH256 hash:
40e1c85adecccc0d02b09681a421ba0457962bfd1a035a5bd234ec13c55ad2f4
MD5 hash:
be94b480184550913c269e35a13ad28c
SHA1 hash:
57c2f9cbeb17f80a540a6aeafdd61f28443418ce
Detections:
INDICATOR_EXE_Packed_Themida
Create hunting rule
Link:
https://www.unpac.me/results/10f7d5e5-7ede-4853-9aae-e676f53cc2b7/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/40e1c85adecc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/40e1c85adecccc0d02b09681a421ba0457962bfd1a035a5bd234ec13c55ad2f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PrivateLoader

Executable exe 40e1c85adecccc0d02b09681a421ba0457962bfd1a035a5bd234ec13c55ad2f4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2794559/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (NX_COMPAT)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance

Comments