MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5057ef66a52c6050f1cc10faa418c58d9e3cb5039f81846c35cb2ef40f607f10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PrivateLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5057ef66a52c6050f1cc10faa418c58d9e3cb5039f81846c35cb2ef40f607f10
SHA3-384 hash: 7e9d340eec1d23e0098727ec0a39a92f2b517951f02e3788f7dd8f58eaa43d88ff1c9ca4249cc24eaf7060837fbd6b02
SHA1 hash: c7d0885f62f777978c3a5bbaf236d2dfaa8fd4b3
MD5 hash: 2827fdb5ffd1d33b8ca04a8e6c5f1c03
humanhash: earth-cat-twelve-ceiling
File name:Install.exe
Download: download sample
Signature PrivateLoader
Create hunting rule
File size:4'113'080 bytes
First seen:2022-12-31 08:06:16 UTC
Last seen:2022-12-31 09:33:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a56f115ee5ef2625bd949acaeec66b76 (53 x Stealc, 48 x PureHVNC, 35 x CoinMiner)
ssdeep 98304:zdCV6nw9E4wiJfk+y4E/zbjauqPGDuFJWqyEho+nC2US2:Nnw9pJtyPeuqPGD6DyEhzCzh
Threatray 7'182 similar samples on MalwareBazaar
TLSH T1D11633CAE185791ADAB6EAF698253D1F3AF30F76D145E8B48E82F0C34D36B45C05A443
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon c439dcccccc4639e (1 x PrivateLoader)
Reporter tech_skeech
Tags:exe PrivateLoader signed

Code Signing Certificate

Organisation:Logitech ZC-9016 USA State of Washington
Issuer:Logitech ZC-9016 USA State of Washington
Algorithm:sha1WithRSAEncryption
Valid from:2021-12-15T11:48:33Z
Valid to:2031-12-16T11:48:33Z
Serial number: 5fcd5e9349261c9449b88b4124df5004
Intelligence: 27 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 63aa80362de14c7d27647ef57cf3a4928f5dda32e3a54c46c72902172a42dea0
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
208
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Install.exe
Verdict:
Suspicious activity
Analysis date:
2022-12-31 08:08:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/34593f5c-a245-4b87-a001-5d797b50eee4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.64617991.14321.20029.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Searching for the window
Searching for analyzing tools
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed vidar
Link:
https://www.filescan.io/uploads/63afeda8a70bef46551c563c/reports/a2716172-fbbb-4df3-b958-8bb680ad828e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c21757ec-a226-4e7e-a8fe-9f3ab08ec240
Result
Threat name:
Amadey, Fabookie, PrivateLoader, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1143467
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files to the document folder of the user
Found C&C like URL pattern
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Fabookie
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 776197 Sample: Install.exe Startdate: 31/12/2022 Architecture: WINDOWS Score: 100 103 Snort IDS alert for network traffic 2->103 105 Multi AV Scanner detection for domain / URL 2->105 107 Malicious sample detected (through community Yara rule) 2->107 109 25 other signatures 2->109 9 Install.exe 3 2->9         started        13 ClipManager_Svc.exe 2->13         started        process3 file4 71 C:\Users\user\AppData\...\Install.exe.log, CSV 9->71 dropped 137 Query firmware table information (likely to detect VMs) 9->137 139 Writes to foreign memory regions 9->139 141 Tries to evade debugger and weak emulator (self modifying code) 9->141 143 3 other signatures 9->143 15 InstallUtil.exe 10 49 9->15         started        signatures5 process6 dnsIp7 89 208.67.104.60, 49703, 80 GRAYSON-COLLIN-COMMUNICATIONSUS United States 15->89 91 meta-zone-1.ru 31.31.196.244, 49700, 49701, 49702 AS-REGRU Russian Federation 15->91 93 16 other IPs or domains 15->93 51 C:\Users\...\o6QwibvdzRXTBNCQFsZOQBgp.exe, PE32 15->51 dropped 53 C:\Users\...\n6MKegVF2zADpw1ReffskvdJ.exe, PE32 15->53 dropped 55 C:\Users\...\lLfvusrAdT4Y10lUm_IuzMSH.exe, PE32 15->55 dropped 57 16 other malicious files 15->57 dropped 95 May check the online IP address of the machine 15->95 97 Creates HTML files with .exe extension (expired dropper behavior) 15->97 99 Disables Windows Defender (deletes autostart) 15->99 101 2 other signatures 15->101 20 GrCKsJUZq4Ch0FBf5DmJm08v.exe 15->20         started        25 n6MKegVF2zADpw1ReffskvdJ.exe 18 15->25         started        27 lLfvusrAdT4Y10lUm_IuzMSH.exe 15->27         started        29 8 other processes 15->29 file8 signatures9 process10 dnsIp11 75 megalobster.ru 20->75 77 kokoko-24.online 20->77 79 telegram.org 20->79 61 C:\Users\...\fZQ7UytYgMMjSL71FMjO3ESG.exe, MS-DOS 20->61 dropped 63 C:\Users\user\AppData\Local\...\WW14[1].bmp, MS-DOS 20->63 dropped 65 C:\...\PowerControl_Svc.exe, MS-DOS 20->65 dropped 111 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 20->111 113 Query firmware table information (likely to detect VMs) 20->113 115 Hides threads from debuggers 20->115 117 Tries to detect sandboxes / dynamic malware analysis system (registry check) 20->117 81 t.me 149.154.167.99 TELEGRAMRU United Kingdom 25->81 83 116.203.3.152 HETZNER-ASDE Germany 25->83 119 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->119 121 Tries to harvest and steal browser information (history, passwords, etc) 25->121 123 Tries to steal Crypto Currency Wallets 25->123 125 Writes to foreign memory regions 27->125 127 Allocates memory in foreign processes 27->127 129 Injects a PE file into a foreign processes 27->129 31 conhost.exe 27->31         started        33 vbc.exe 27->33         started        85 aaa.apiaaaeg.com 45.66.159.18 ENZUINC-US Russian Federation 29->85 87 4 other IPs or domains 29->87 67 C:\Users\user\AppData\Local\...\dsdoHVo.1le, PE32 29->67 dropped 69 C:\...\ClipManager_Svc.exe, PE32 29->69 dropped 131 Maps a DLL or memory area into another process 29->131 133 Checks if the current machine is a virtual machine (disk enumeration) 29->133 135 Creates a thread in another existing process (thread injection) 29->135 35 EjqyefPLLvpLI_juhalZBjSQ.exe 29->35         started        39 schtasks.exe 29->39         started        41 schtasks.exe 29->41         started        43 3 other processes 29->43 file12 signatures13 process14 dnsIp15 73 xv.yxzgamen.com 188.114.96.3 CLOUDFLARENETUS European Union 35->73 59 C:\Users\user\AppData\Local\Temp\db.dll, PE32 35->59 dropped 45 conhost.exe 35->45         started        47 conhost.exe 39->47         started        49 conhost.exe 41->49         started        file16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5057ef66a52c6050f1cc10faa418c58d9e3cb5039f81846c35cb2ef40f607f10/
Threat name:
Win64.Infostealer.Bandra
Create hunting rule
Status:
Malicious
First seen:
2022-12-29 18:50:40 UTC
File Type:
PE+ (Exe)
Extracted files:
7
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kbl66zvffrqfb4omcd5kiggfrwpdznidt6ayi3bvzmxpid3ap4ia._file
Verdict:
malicious
Similar samples:
76594bfde86ba22d8decd126752d700a9567551aff57ff9c85f1cc53b5b51ba5
PrivateLoader
867acada5e2a7723085e439a6d89226e69af216f719d6001db13bbe04e95f54e
PrivateLoader
98980b5d5796c559c08ea5b20a4a459048087758b1149767af47788ea3388fdd
PrivateLoader
9d4a5344f0cb03807c0857078c93768d2ab92ad9cd8aec51922fd80137773ee1
PrivateLoader
a0ee5991a87a49c2a3d877f34ae33b27a95c88c1e95eb13f0cc1658adc815b6a
PrivateLoader
b559413c43d76b67e8b068c842a0a615b04d6d687be860e18da1adc43dfe5b5e
PrivateLoader
c633d7549fb4a77e02fa1e48f8fb3e3b41d8a998778d2e2c024949673dad0ba5
PrivateLoader
e1689f695b580c88f6b58274cfed905541749bd86f9f3cd95b70ae22387313ca
PrivateLoader
f8140b5a0a7451917bfeac768b1165af6cb5ea0f97fdfe01235c7f049ba2a137
PrivateLoader
+ 7'172 additional samples on MalwareBazaar
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader evasion loader main themida trojan
Link:
https://tria.ge/reports/221231-jzzqxahd39/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
PrivateLoader
Malware Config
C2 Extraction:
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
208.67.104.60
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8d8a906b-aa0a-4ab2-8c02-6a40a1f326de
Unpacked files
SH256 hash:
5057ef66a52c6050f1cc10faa418c58d9e3cb5039f81846c35cb2ef40f607f10
MD5 hash:
2827fdb5ffd1d33b8ca04a8e6c5f1c03
SHA1 hash:
c7d0885f62f777978c3a5bbaf236d2dfaa8fd4b3
Link:
https://www.unpac.me/results/13606f86-3848-476c-82e1-adc3342f2e40/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/5057ef66a52c6050f1cc10faa418c58d9e3cb5039f81846c35cb2ef40f607f10

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PrivateLoader

Executable exe 5057ef66a52c6050f1cc10faa418c58d9e3cb5039f81846c35cb2ef40f607f10

(this sample)

  
Delivery method
Distributed via web download

Comments