MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 610adcb80eda549be8018351da776c02210646d36aad5ef19ea92a7dfe6a123e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PrivateLoader


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 610adcb80eda549be8018351da776c02210646d36aad5ef19ea92a7dfe6a123e
SHA3-384 hash: 6652334899de1bbb9056363fb5fe680064d4ad788fa3ab6097b6eb77abdbdd3437f988018638f78f155d29fa1b863588
SHA1 hash: 1327fe4e609c37ab56c109eac995be061b119556
MD5 hash: 025c54e5c587ce50f39a77a65b936e9a
humanhash: berlin-wisconsin-ten-table
File name:setup.exe
Download: download sample
Signature PrivateLoader
Create hunting rule
File size:3'076'608 bytes
First seen:2024-07-11 13:00:18 UTC
Last seen:2024-07-11 13:30:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 448b6888b26145ced7ce018aab459303 (4 x PrivateLoader, 2 x RiseProStealer, 2 x Stealc)
ssdeep 49152:thF85NofUrgQHdOqP/JXecQQ7CWejXxs3KAWgmBITWTew0u6n3ZN1tr1tPX5pjbF:tw5NofUrgQZP/tn7/ejXG3qSi3V635tZ
Threatray 6 similar samples on MalwareBazaar
TLSH T156E52246678685F8C00BCF38D495B2BDB1683F01CCA88C177AC97E0C5FB3696EE66215
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon e1e161e167adedbf (1 x PrivateLoader)
Reporter abuse_ch
Tags:exe PrivateLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
407
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
610adcb80eda549be8018351da776c02210646d36aad5ef19ea92a7dfe6a123e.exe
Verdict:
Malicious activity
Analysis date:
2024-07-11 13:09:25 UTC
Tags:
evasion privateloader berbew
Link:
https://app.any.run/tasks/964f077e-830c-4182-a1cc-92283647daf6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.30833.9101.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=668fd7906df1b20b8ec4872fwin7simulatehigh_evasion
Tags:
Stealth Privateloader
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Modifying a system file
Using the Windows Management Instrumentation requests
Replacing files
Launching a service
Launching a process
Sending a UDP request
Connection attempt
Forced system process termination
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Blocking the Windows Defender launch
Connection attempt to an infection source
Adding exclusions to Windows Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin packed privateloader shell32
Link:
https://www.filescan.io/uploads/668fd7907a9d1652007056ec/reports/a41491d3-0dc6-4086-a361-39861fd95f63/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/610adcb80eda549be8018351da776c02210646d36aad5ef19ea92a7dfe6a123e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Gadwats
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0631f615-f2dd-492f-a99d-e380859de4c0
Result
Threat name:
LummaC, Mars Stealer, PureLog Stealer, R
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1471498
Signature
Adds extensions / path to Windows Defender exclusion list (Registry)
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Exclude list of file types from scheduled, custom, and real-time scanning
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies power options to not sleep / hibernate
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Disable power options
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Stop EventLog
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected LummaC Stealer
Yara detected Mars stealer
Yara detected MSILDownloaderGeneric
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Stealc
Yara detected Stealerium
Yara detected Vidar
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1471498 Sample: setup.exe Startdate: 11/07/2024 Architecture: WINDOWS Score: 100 122 service-domain.xyz 2->122 124 api.check-data.xyz 2->124 126 25 other IPs or domains 2->126 158 Snort IDS alert for network traffic 2->158 160 Found malware configuration 2->160 162 Malicious sample detected (through community Yara rule) 2->162 166 29 other signatures 2->166 13 setup.exe 11 43 2->13         started        18 eqtpkqwqodik.exe 2->18         started        20 svchost.exe 2->20         started        22 4 other processes 2->22 signatures3 164 Performs DNS queries to domains with low reputation 124->164 process4 dnsIp5 146 stationacutwo.shop 188.114.97.3, 443, 49741, 49743 CLOUDFLARENETUS European Union 13->146 148 vk.com 87.240.137.164, 49739, 49740, 49744 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 13->148 152 12 other IPs or domains 13->152 114 C:\Users\...\zdqgQm3o0oecMphSyAzQ7YKg.exe, PE32 13->114 dropped 116 C:\Users\...\o60vmXHrt7raZcKD82zBI7vJ.exe, PE32+ 13->116 dropped 118 C:\Users\...\YPe_84ZOBC5LoI0HyqKgCCBB.exe, PE32 13->118 dropped 120 16 other malicious files 13->120 dropped 210 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->210 212 Drops PE files to the document folder of the user 13->212 214 Creates HTML files with .exe extension (expired dropper behavior) 13->214 220 6 other signatures 13->220 24 OrBL2gOVsgJ5oKv146AmWJcc.exe 35 13->24         started        29 YPe_84ZOBC5LoI0HyqKgCCBB.exe 3 13->29         started        31 CdpoUT43dxKC2VC8JANy2dHs.exe 13->31         started        33 7 other processes 13->33 216 Multi AV Scanner detection for dropped file 18->216 218 Found direct / indirect Syscall (likely to bypass EDR) 18->218 150 127.0.0.1 unknown unknown 20->150 file6 signatures7 process8 dnsIp9 140 85.28.47.30 GES-ASRU Russian Federation 24->140 142 77.91.77.81 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 24->142 100 C:\Users\user\AppData\...\softokn3[1].dll, PE32 24->100 dropped 102 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 24->102 dropped 104 C:\Users\user\AppData\...\mozglue[1].dll, PE32 24->104 dropped 112 9 other files (5 malicious) 24->112 dropped 186 Multi AV Scanner detection for dropped file 24->186 188 Detected unpacking (changes PE section rights) 24->188 190 Creates HTML files with .exe extension (expired dropper behavior) 24->190 206 6 other signatures 24->206 192 Writes to foreign memory regions 29->192 194 Allocates memory in foreign processes 29->194 196 Injects a PE file into a foreign processes 29->196 35 MSBuild.exe 29->35         started        198 Contains functionality to inject code into remote processes 31->198 40 RegAsm.exe 31->40         started        144 discord.com 162.159.138.232 CLOUDFLARENETUS United States 33->144 106 C:\Users\user\AppData\Local\...\Install.exe, PE32 33->106 dropped 108 C:\Users\user\AppData\Local\...\Install.exe, PE32 33->108 dropped 110 C:\ProgramData\...\eqtpkqwqodik.exe, PE32+ 33->110 dropped 200 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 33->200 202 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 33->202 204 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 33->204 208 4 other signatures 33->208 42 Install.exe 33->42         started        44 MSBuild.exe 33->44         started        46 Install.exe 33->46         started        48 11 other processes 33->48 file10 signatures11 process12 dnsIp13 128 77.105.132.27 PLUSTELECOM-ASRU Russian Federation 35->128 130 65.109.241.221 ALABANZA-BALTUS United States 35->130 88 C:\Users\user\AppData\...\lumma0907[1].exe, PE32 35->88 dropped 90 C:\Users\user\AppData\...\vidar0907[1].exe, PE32 35->90 dropped 92 C:\ProgramData\JEBKJDAFHJ.exe, PE32 35->92 dropped 94 C:\ProgramData\HIIIIEGHDG.exe, PE32 35->94 dropped 168 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 35->168 170 Tries to harvest and steal ftp login credentials 35->170 172 Tries to harvest and steal browser information (history, passwords, etc) 35->172 132 77.105.135.107 PLUSTELECOM-ASRU Russian Federation 40->132 174 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 40->174 176 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 40->176 178 Tries to steal Crypto Currency Wallets 40->178 96 C:\Users\user\AppData\Local\...\Install.exe, PE32 42->96 dropped 180 Machine Learning detection for dropped file 42->180 50 Install.exe 42->50         started        134 steamcommunity.com 104.102.42.29 AKAMAI-ASUS United States 44->134 136 tea.arpdabl.org 185.107.56.203 NFORCENL Netherlands 44->136 138 survey-smiles.com 199.59.243.226 BODIS-NJUS United States 44->138 182 Tries to harvest and steal Bitcoin Wallet information 44->182 98 C:\Users\user\AppData\Local\...\Install.exe, PE32 46->98 dropped 53 Install.exe 46->53         started        55 conhost.exe 48->55         started        57 conhost.exe 48->57         started        59 conhost.exe 48->59         started        61 7 other processes 48->61 file14 signatures15 process16 signatures17 154 Multi AV Scanner detection for dropped file 50->154 156 Uses schtasks.exe or at.exe to add and modify task schedules 50->156 63 forfiles.exe 50->63         started        65 schtasks.exe 50->65         started        67 forfiles.exe 53->67         started        process18 process19 69 cmd.exe 63->69         started        72 conhost.exe 63->72         started        74 conhost.exe 65->74         started        76 cmd.exe 67->76         started        78 conhost.exe 67->78         started        signatures20 80 powershell.exe 69->80         started        184 Suspicious powershell command line found 76->184 82 powershell.exe 76->82         started        process21 process22 84 WMIC.exe 80->84         started        86 WMIC.exe 82->86         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/610adcb80eda549be8018351da776c02210646d36aad5ef19ea92a7dfe6a123e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/610adcb80eda549be8018351da776c02210646d36aad5ef19ea92a7dfe6a123e/
Threat name:
Win64.Trojan.PrivateLoader
Create hunting rule
Status:
Malicious
First seen:
2024-06-22 00:57:44 UTC
File Type:
PE+ (Exe)
Extracted files:
10
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mefnzoao3jkjx2abqni5u53maiqqmrwtnkwv54m6vevh37tkci7a._file
Verdict:
malicious
Similar samples:
4bdfd59b483a10eb95136609e25962884d8c6c4c97249fde304dc19b504768c9
PrivateLoader
e65f08b6749e63fea544cd201161e63abe6925e0e739faddda2bd4af5af56b97
PrivateLoader
fecffd8f6cdd8ad950507bebbb23a146ec5252e35be146840ded98dff189cf12
PrivateLoader
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader evasion loader
Link:
https://tria.ge/reports/240711-p872jazcpa/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Drops file in System32 directory
Looks up external IP address via web service
Modifies firewall policy service
PrivateLoader
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cb8ece64-f4d4-4be2-9656-6b8701f32a7e
Unpacked files
SH256 hash:
610adcb80eda549be8018351da776c02210646d36aad5ef19ea92a7dfe6a123e
MD5 hash:
025c54e5c587ce50f39a77a65b936e9a
SHA1 hash:
1327fe4e609c37ab56c109eac995be061b119556
Link:
https://www.unpac.me/results/5c9e2d0e-2180-4dc2-8805-7a52468bcc9d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DriveBy Activity
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/610adcb80eda549be8018351da776c02210646d36aad5ef19ea92a7dfe6a123e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (NX_COMPAT)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA

Comments