MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PrivateLoader


Vendor detections: 12



SHA256 hash: 62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414
SHA3-384 hash: 84ad33bc20e9a1df62e066c8bdb5183e99de039815abef55220905d4772557c220398e9e6f72058ed4551f16f6b4fc2a
SHA1 hash: 9255b5e94028f3f55adda2576d60bd39452eaf08
MD5 hash: 4204b9d4c4df5c4b4d67922db24f342a
humanhash: edward-missouri-neptune-artist
File name: 4204b9d4c4df5c4b4d67922db24f342a
Signature PrivateLoader
File size: 3'396'944 bytes
First seen: 2024-03-28 08:13:56 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: bedb96d8a71f9004abf64308e680fcb9 (3 x PrivateLoader)
ssdeep: 49152:l/Ki16IscOcmroPBql2IzydQgfTzTGKr6d61YryTz3onQqHlfBrfgOtat:Ujpreg7zyWsFGd61QYoHBroO4t
TLSH: T14EF5123713D55524E3BEEBB06A7A63300B22FC846CB2E61D5352DA496C7F701A973722
TrID: 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      18.3% (.EXE) OS/2 Executable (generic) (2029/13)
      18.0% (.EXE) Generic Win/DOS Executable (2002/3)
      18.0% (.EXE) DOS Executable Generic (2000/1)
dhash icon: e4e0e0e0e0bae8f4 (1 x PrivateLoader)
Reporter: zbetcheckin
Tags: 64 exe PrivateLoader signed

Code Signing Certificate

Organisation: SAMSUNG PRO B960-P WIFI DDR6
Issuer: SAMSUNG PRO B960-P WIFI DDR6
Algorithm: sha512WithRSAEncryption
Valid from: 2024-01-31T10:51:46Z
Valid to: 2025-06-06T00:00:00Z
Serial number: 4ab6f2cad3e6414aac7d421a956d711f
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: 8a50d7355211ffae0968ab6a41e52c3224a676593eba772c0162d279dcc56830
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads :
1
# of downloads :
330
Origin country :
FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414.exe
Verdict:
Malicious activity
Analysis date:
2024-03-28 08:16:20 UTC
Tags:
evasion privateloader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Creating synchronization primitives
Modifying a system file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Replacing files
Sending an HTTP GET request
Launching a service
Launching a process
Reading critical registry keys
Connecting to a non-recommended domain
Creating a file
Sending a UDP request
Forced system process termination
Creating a process from a recently created file
Blocking the Windows Defender launch
Connection attempt to an infection source
Query of malicious DNS domain
Sending a TCP request to an infection source
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
89%
Tags:
lolbin overlay packed packed shell32 themidawinlicense
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Amadey, Glupteba, Mars Stealer, PureLog
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Exclude list of file types from scheduled, custom, and real-time scanning
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies power options to not sleep / hibernate
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Searches for specific processes (likely to inject)
Sigma detected: Disable power options
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Glupteba
Yara detected Mars stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Stealc
Yara detected Vidar
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph (ID 1416900; sample i1crvbOZAP.exe; start date 28/03/2024; architecture WINDOWS; score 100), flattened from the graph image:

Root
  Contacted: d.392391234.xyz; steamcommunity.com; 26 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 27 other signatures; Performs DNS queries to domains with low reputation (d.392391234.xyz)
  Started: i1crvbOZAP.exe; svchost.exe; svchost.exe (connects to 127.0.0.1); 3 other processes
  svchost.exe started WerFault.exe (3 times)

i1crvbOZAP.exe
  Contacted: 46.226.167.187 port 80 from 49731 (SKYNET-AS, Skynet LTD, Ekaterinburg, Russian Federation); d.392391234.xyz = 95.164.45.22 (NASSIST-AS, Gibraltar); 24 other IPs or domains
  Dropped: C:\Users\...\xDVBd5GtHhrlSm0slOnr7_gW.exe (PE32); C:\Users\...\uRWnWA7bjEhugCQgmREIdGsh.exe (PE32); C:\Users\...\tskTMObYcvz1CtypLgyOWpYi.exe (PE32); 27 other malicious files
  Signatures: Query firmware table information (likely to detect VMs); Drops PE files to the document folder of the user; Creates HTML files with .exe extension (expired dropper behavior); 10 other signatures
  Started: D5ft_dAZwUuL52qmUM1rPffT.exe; fq9BbqPKEgDrDHrc1Aru5zuA.exe; Y8KGRj_sUjw5KjZpIoRDoSwV.exe; 14 other processes

D5ft_dAZwUuL52qmUM1rPffT.exe
  Contacted: 185.172.128.26 and 185.172.128.65 (NADYMSS-AS, Russian Federation)
  Dropped: C:\Users\user\AppData\...\FHCGHJDBFI.exe (PE32); C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); 11 other files (7 malicious)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to steal Mail credentials (via file / registry access); 4 other signatures

fq9BbqPKEgDrDHrc1Aru5zuA.exe
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  Started: RegAsm.exe; conhost.exe; WerFault.exe
  RegAsm.exe (child)
    Contacted: steamcommunity.com = 23.47.27.74 (AKAMAI-AS, United States); 78.46.229.36 (HETZNER-AS, Germany); centrosmissextensions.com = 162.19.138.79 (CENTURYLINK-US-LEGACY-QWEST, United States)
    Dropped: C:\Users\user\AppData\...\mozglue[1].dll (PE32); 10 other files (8 malicious)
    Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Crypto Currency Wallets; Tries to harvest and steal Bitcoin Wallet information

Y8KGRj_sUjw5KjZpIoRDoSwV.exe
  Dropped: C:\Users\...\Y8KGRj_sUjw5KjZpIoRDoSwV.tmp (PE32)
  Started: Y8KGRj_sUjw5KjZpIoRDoSwV.tmp
  Y8KGRj_sUjw5KjZpIoRDoSwV.tmp (child)
    Dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); 16 other files (15 malicious)

14 other processes started by i1crvbOZAP.exe
  Contacted: 5.42.65.117 (RU-KSTV, Kolomna Group of companies Guarantee-tv, Russian Federation); 193.233.132.67 (FREE-NET-AS FREEnet EU, Russian Federation); db-ip.com = 104.26.4.15 (CLOUDFLARENET, United States)
  Dropped: C:\Users\user\AppData\...\Protect544cd51a.dll (PE32); C:\Users\user\AppData\Local\...\Install.exe (PE32); C:\Users\user\AppData\Local\...\explorha.exe (PE32); 2 other malicious files
  Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Tries to detect sandboxes and other dynamic analysis tools (window names); Found many strings related to Crypto-Wallets (likely being stolen); 16 other signatures
  Started: RegAsm.exe (two instances); explorer.exe (injected); 8 other processes
  RegAsm.exe (first instance)
    Contacted: 5.42.65.0 (RU-KSTV, Kolomna Group of companies Guarantee-tv, Russian Federation)
    Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc)
  RegAsm.exe (second instance)
    Contacted: 104.104.85.160 (AKAMAI-AS, United States)
    Dropped: 3 other files (2 malicious)
    Signatures: Tries to harvest and steal ftp login credentials
  explorer.exe (injected)
    Contacted: nidoe.org = 37.255.238.137 (TCIIR, Iran (Islamic Republic of))
    Dropped: C:\Users\user\AppData\Roaming\wsjtivv (PE32)
    Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
  8 other processes
    Dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32)
    Started: conhost.exe (3 instances); 2 other processes
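Several of the signatures in this report (Defender exclusion and real-time protection changes, powercfg.exe disabling sleep/hibernate, RegAsm.exe spawned by a dropped executable as an injection host) are visible in ordinary process-creation telemetry. The rules below are an added example written for this page, not Joe Sandbox's or Sigma's own logic. The events are constructed Sysmon Event ID 1 style records: the process names borrow from the behavior graph above, but the command lines are invented for illustration. The RegAsm rule is a heuristic (an argument-less RegAsm.exe launched from a user-writable directory) and will need tuning on developer workstations.

```python
"""Process-creation rules for three behaviours the sandbox reports (added example)."""
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1 style events; process names borrow from the report
# above, command lines are invented for illustration and are not from the real run.
EVENTS = [
    {"ts": "08:16:31", "image": r"C:\Users\user\Desktop\i1crvbOZAP.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\user\Desktop\i1crvbOZAP.exe"'},
    {"ts": "08:16:40", "image": r"C:\Windows\System32\reg.exe",
     "parent": r"C:\Users\user\Desktop\i1crvbOZAP.exe",
     "cmdline": r'reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" '
                r'/v "C:\Users\user\AppData\Local" /t REG_DWORD /d 0 /f'},
    {"ts": "08:16:41", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\user\Desktop\i1crvbOZAP.exe",
     "cmdline": r"powershell -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true -ExclusionExtension exe"},
    {"ts": "08:16:45", "image": r"C:\Windows\System32\powercfg.exe",
     "parent": r"C:\Users\user\AppData\Local\Temp\Install.exe",
     "cmdline": r"powercfg /x -standby-timeout-ac 0"},
    {"ts": "08:16:45", "image": r"C:\Windows\System32\powercfg.exe",
     "parent": r"C:\Users\user\AppData\Local\Temp\Install.exe",
     "cmdline": r"powercfg /x -hibernate-timeout-ac 0"},
    {"ts": "08:16:52", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Users\user\AppData\Local\Temp\fq9BbqPKEgDrDHrc1Aru5zuA.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'},
    # Two benign events the rules must not fire on.
    {"ts": "09:01:00", "image": r"C:\Windows\System32\powercfg.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "powercfg /list"},
    {"ts": "09:05:00", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": r"RegAsm.exe MyLib.dll /codebase"},
]

# Registry keys and cmdlets behind "Adds ... to Windows Defender exclusion list" and
# "Disable Windows Defender real time protection" in the sandbox report.
DEFENDER_KEYS = re.compile(r"windows defender\\(exclusions|real-time protection)", re.I)
DEFENDER_CMDLETS = re.compile(r"(?:set|add)-mppreference\b.*-(exclusion\w*|disablerealtimemonitoring)", re.I)
# powercfg /x (alias of /change) setting a timeout to 0 means "never".
NO_SLEEP = re.compile(r"-?(standby|hibernate|monitor)-timeout-(ac|dc)\s+0\b", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\", re.I)


def argv(cmdline):
    """Tokenise a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    return PureWindowsPath(path).name.lower()


def rule_defender_tamper(ev):
    """Registry or cmdlet edits to Defender exclusions / real-time protection."""
    cmd = ev["cmdline"]
    return bool(DEFENDER_KEYS.search(cmd) or DEFENDER_CMDLETS.search(cmd))


def rule_powercfg_no_sleep(ev):
    """powercfg setting a standby/hibernate/monitor timeout to 0 (never)."""
    return basename(ev["image"]) == "powercfg.exe" and bool(NO_SLEEP.search(ev["cmdline"]))


def rule_regasm_no_args(ev):
    """RegAsm.exe launched with no arguments from a user-writable path: a common
    hollowing host. Heuristic; legitimate RegAsm runs carry an assembly argument."""
    return (basename(ev["image"]) == "regasm.exe"
            and len(argv(ev["cmdline"])) == 1
            and bool(USER_WRITABLE.match(ev["parent"])))


RULES = {
    "defender_tamper": rule_defender_tamper,
    "powercfg_no_sleep": rule_powercfg_no_sleep,
    "regasm_no_args": rule_regasm_no_args,
}


def detect(events):
    """Run every rule over every event; return one hit per (event, rule) match."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append({"ts": ev["ts"], "rule": name,
                             "image": basename(ev["image"]), "parent": basename(ev["parent"])})
    return hits


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(f'{h["ts"]} {h["rule"]:18} {h["parent"]} -> {h["image"]}')
```

Run against the constructed events, the six malicious events produce five hits (two Defender changes, two powercfg calls, one RegAsm launch) and the two benign events produce none; the parent field in each hit is what you pivot on to find the dropper.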
Threat name:
Win64.Trojan.Casdet
Status:
Malicious
First seen:
2024-03-27 12:36:28 UTC
File Type:
PE+ (Exe)
Extracted files:
66
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion themida trojan
Behaviour
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies firewall policy service
Unpacked files
SHA256 hash:
62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414
MD5 hash:
4204b9d4c4df5c4b4d67922db24f342a
SHA1 hash:
9255b5e94028f3f55adda2576d60bd39452eaf08
Detections:
INDICATOR_EXE_Packed_Themida
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Author:albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: PrivateLoader
File: Executable exe 62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414 (this sample)

Comments



zbet commented on 2024-03-28 08:13:57 UTC

url : hxxp://193.233.132.175/server/ww12/AppGate2103v01.exe
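Two details on this page deserve a programmatic check. The code signing section lists an Organisation identical to the Issuer, which means the certificate is self-signed and the "signed" tag says nothing about trust; the comment above gives the distribution URL in defanged form. The script below is an added example written for this page, not MalwareBazaar's or abuse.ch's own tooling: it builds (without sending) the get_info request for this SHA256, validates the hash fields, flags the self-signed certificate, and refangs the comment URL into a blockable indicator. The JSON record is constructed from the fields shown on this page; its field names and the Auth-Key header are assumptions modelled on the MalwareBazaar API and should be checked against the current documentation before use.

```python
"""Offline triage of a MalwareBazaar get_info record (added example)."""
import json
import re
import urllib.parse

MB_API = "https://mb-api.abuse.ch/api/v1/"

# Constructed record: values copied from this page, JSON layout modelled on the
# MalwareBazaar get_info response (field names are an assumption; verify against the live API).
SAMPLE_RECORD = json.loads(r'''
{
  "query_status": "ok",
  "data": [{
    "sha256_hash": "62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414",
    "sha1_hash": "9255b5e94028f3f55adda2576d60bd39452eaf08",
    "md5_hash": "4204b9d4c4df5c4b4d67922db24f342a",
    "imphash": "bedb96d8a71f9004abf64308e680fcb9",
    "signature": "PrivateLoader",
    "tags": ["64", "exe", "PrivateLoader", "signed"],
    "delivery_method": "web_download",
    "code_sign": [{
      "subject_cn": "SAMSUNG PRO B960-P WIFI DDR6",
      "issuer_cn": "SAMSUNG PRO B960-P WIFI DDR6",
      "algorithm": "sha512WithRSAEncryption",
      "valid_from": "2024-01-31T10:51:46Z",
      "valid_to": "2025-06-06T00:00:00Z",
      "serial_number": "4ab6f2cad3e6414aac7d421a956d711f",
      "thumbprint": "8a50d7355211ffae0968ab6a41e52c3224a676593eba772c0162d279dcc56830"
    }],
    "comments": [{"author": "zbet",
                  "comment": "url : hxxp://193.233.132.175/server/ww12/AppGate2103v01.exe"}]
  }]
}
''')

HEX_LENGTHS = {"sha256_hash": 64, "sha1_hash": 40, "md5_hash": 32, "imphash": 32}
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://\S+", re.I)


def build_get_info_request(sha256: str, auth_key: str):
    """Return (url, headers, body) for a get_info query; nothing is sent here.
    The Auth-Key header is what the API expects for an abuse.ch key (assumption)."""
    if not re.fullmatch(r"[0-9a-f]{64}", sha256):
        raise ValueError("get_info expects a lowercase SHA256 hex digest")
    body = urllib.parse.urlencode({"query": "get_info", "hash": sha256}).encode()
    return MB_API, {"Auth-Key": auth_key}, body


def validate_hashes(entry: dict) -> list:
    """Names of hash fields that are missing or not well-formed lowercase hex."""
    return [f for f, n in HEX_LENGTHS.items()
            if not re.fullmatch(rf"[0-9a-f]{{{n}}}", entry.get(f, ""))]


def is_self_signed(cert: dict) -> bool:
    """Subject == issuer: the certificate vouches only for itself and chains to no CA."""
    return cert.get("subject_cn", "").strip().lower() == cert.get("issuer_cn", "").strip().lower()


def refang(url: str) -> str:
    """Undo the usual defanging (hxxp, [.], [:]) so the URL can go into a blocklist."""
    url = re.sub(r"^hxxp", "http", url, flags=re.I)
    return url.replace("[.]", ".").replace("[:]", ":")


def extract_iocs(entry: dict) -> dict:
    """Hashes, signer thumbprints and any URLs/hosts posted in the comments."""
    urls = {refang(u) for c in entry.get("comments", [])
            for u in URL_RE.findall(c.get("comment", ""))}
    hosts = {urllib.parse.urlsplit(u).hostname for u in urls}
    return {"hashes": {f: entry[f] for f in HEX_LENGTHS if f in entry},
            "cert_thumbprints": {c["thumbprint"] for c in entry.get("code_sign", [])},
            "urls": urls,
            "hosts": {h for h in hosts if h}}


def triage(record: dict) -> dict:
    """Reduce one get_info response to the findings an analyst acts on."""
    if record.get("query_status") != "ok":
        raise ValueError(f"API returned {record.get('query_status')!r}")
    entry = record["data"][0]
    certs = entry.get("code_sign", [])
    findings = {"signature": entry.get("signature"),
                "bad_hash_fields": validate_hashes(entry),
                "signed": "signed" in entry.get("tags", []),
                "self_signed_certs": [c["serial_number"] for c in certs if is_self_signed(c)],
                "iocs": extract_iocs(entry)}
    # A "signed" tag is not trust: a self-signed cert with a made-up organisation
    # name is itself an indicator, so only count a signature that chains somewhere.
    findings["trust_signature"] = findings["signed"] and not findings["self_signed_certs"]
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORD), indent=2, default=sorted))
```

The certificate thumbprint is worth keeping as an indicator in its own right: the page notes four MalwareBazaar samples signed with it, so a pivot on the thumbprint finds siblings that share nothing else.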