MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6858af2688d2e14af2f506e8a268045e38a9ee1a69759ded34c506c112910958. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PrivateLoader

Vendor detections: 14

SHA256 hash: 6858af2688d2e14af2f506e8a268045e38a9ee1a69759ded34c506c112910958
SHA3-384 hash: fb6c1702f7453867579b01cd74882782d15e7c74d6b5860d6d7d16da66f180cffcadeb3bdd74112453ac73bb816a5333
SHA1 hash: a149857a61bf22d84960f4fbc3fe39cf6b1661da
MD5 hash: 021db70d51c7eb264d8e3d201987de59
humanhash: fix-lima-arkansas-two
File name: 021db70d51c7eb264d8e3d201987de59
Signature: PrivateLoader
File size: 391'168 bytes
First seen: 2023-04-08 15:27:53 UTC
Last seen: 2023-06-13 15:01:14 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8eaeaee9e4e4c899dd50ffac2cff753f (2 x PrivateLoader, 1 x Amadey)
ssdeep: 6144:W35lLu/HzRf/kUDUltCdq4Zqc0W50fC0pw0pN0Obw2z8qhqscwE4jxoMv0fXhMwD:Wp6RfIl0Y4OMIY4j1YXhMwLnn
Threatray: 50 similar samples on MalwareBazaar
TLSH: T13F844934E601F027F4F210329C5E93FAA428AB30675518EFB7D95E6A97B56C1E230B17
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: zbetcheckin
Tags: 32 exe PrivateLoader

Intelligence


File Origin
# of uploads: 138
# of downloads: 260
Origin country: FR

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 021db70d51c7eb264d8e3d201987de59
Verdict: Malicious activity
Analysis date: 2023-04-08 15:30:48 UTC
Tags: opendir evasion loader privateloader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Sending an HTTP GET request
Creating a file
Creating synchronization primitives
Creating a process from a recently created file
Launching a process
Searching for analyzing tools
Creating a file in the Windows subdirectories
Modifying a system file
Replacing files
Launching a service
Sending a UDP request
Reading critical registry keys
Forced system process termination
Creating a process with a hidden window
Creating a window
Changing a file
Launching the default Windows debugger (dwwin.exe)
Blocking the Windows Defender launch
Unauthorized injection to a recently created process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: fingerprint greyware privateloader setupapi.dll shell32.dll windows zusy
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious

Result
Threat name: Amadey, PrivateLoader, RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops PE files with a suspicious file extension
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected PrivateLoader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 843535
Sample: WRFYKnUOzx.exe
Start date: 08/04/2023
Architecture: WINDOWS
Score: 100

Root (node 2)
  Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 18 other signatures
  Starts: [10] WRFYKnUOzx.exe; [15] PowerControl_Svc.exe; [17] PowerControl_Svc.exe; [19] 6 other processes

[10] WRFYKnUOzx.exe
  Network: 149.154.167.99 (TELEGRAMRU, United Kingdom); 163.123.143.4 (ILIGHT-NETUS, Reserved); 3 other IPs or domains
  Dropped: C:\Users\...\9VGTQKbVODjrhfc_z7UB21w8.exe (MS-DOS); C:\Users\user\AppData\Local\...\WWW14[1].bmp (MS-DOS); C:\...\PowerControl_Svc.exe (PE32); C:\...\PowerControl_Svc.exe:Zone.Identifier (ASCII)
  Signatures: Drops PE files to the document folder of the user; Uses schtasks.exe or at.exe to add and modify task schedules
  Starts: [21] 9VGTQKbVODjrhfc_z7UB21w8.exe; [26] schtasks.exe; [28] schtasks.exe

[15] PowerControl_Svc.exe
  Dropped: C:\Users\...\HwYFSa3VWmJlQDJMsth6C4fz.exe (MS-DOS); C:\Users\user\AppData\Local\...\WWW14[1].bmp (MS-DOS)
  Starts: [30] HwYFSa3VWmJlQDJMsth6C4fz.exe; [38] 2 other processes

[17] PowerControl_Svc.exe
  Dropped: C:\Users\...\pGBJMFomrz2tPu61wIfbVEqi.exe (MS-DOS); C:\Users\user\AppData\Local\...\WWW14[2].bmp (MS-DOS)
  Starts: [32] pGBJMFomrz2tPu61wIfbVEqi.exe; [34] schtasks.exe; [36] schtasks.exe

[19] 6 other processes
  Network: 20.73.194.208 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 51.124.78.146 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United Kingdom)
  Signatures: Query firmware table information (likely to detect VMs)
  Starts: [40] 3 other processes

[21] 9VGTQKbVODjrhfc_z7UB21w8.exe
  Network: 87.240.137.164 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 95.142.206.0 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 17 other IPs or domains
  Dropped: C:\Users\...\wTegw0iIJDlHQGgVgcXyEfxa.exe (PE32); C:\Users\...\oFx0Z4vVNHQS8wFkkCDqHPQC.exe (PE32); C:\Users\...\nT4WROdd8Wyr9pYBfT4Qvr7r.exe (PE32); 13 other malicious files
  Signatures: Multi AV Scanner detection for dropped file; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Query firmware table information (likely to detect VMs); 4 other signatures
  Starts: [42] nT4WROdd8Wyr9pYBfT4Qvr7r.exe; [45] 1sWq6YXJb9ZA7PfBChnTSPSw.exe; [48] wTegw0iIJDlHQGgVgcXyEfxa.exe; [58] 7 other processes

[26] schtasks.exe
  Starts: [50] conhost.exe

[28] schtasks.exe
  Starts: [52] conhost.exe

[30] HwYFSa3VWmJlQDJMsth6C4fz.exe
  Network: 87.240.132.67 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation)
  Dropped: C:\Users\...\fVCsZQmh5dfvHslckkuHXqJN.exe (PE32); 14 other malicious files
  Signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (window names); Creates HTML files with .exe extension (expired dropper behavior)

[32] pGBJMFomrz2tPu61wIfbVEqi.exe
  Network: 208.67.104.60 (GRAYSON-COLLIN-COMMUNICATIONSUS, United States); 104.21.87.159 (CLOUDFLARENETUS, United States)
  Dropped: C:\Users\...\kzz3sjbp9sXoEz_zlmXRf0KT.exe (PE32); C:\Users\...\j5WkJiF5fotTdQDVFNKaIQdv.exe (PE32); 13 other malicious files
  Signatures: Disables Windows Defender (deletes autostart); Tries to evade debugger and weak emulator (self modifying code); Disable Windows Defender real time protection (registry)

[34] schtasks.exe
  Starts: [54] conhost.exe

[36] schtasks.exe
  Starts: [56] conhost.exe

[38] 2 other processes
  Starts: [61] 2 other processes

[42] nT4WROdd8Wyr9pYBfT4Qvr7r.exe
  Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)
  Injects into: [63] explorer.exe

[45] 1sWq6YXJb9ZA7PfBChnTSPSw.exe
  Dropped: C:\Users\user\AppData\Local\...\is-K13L1.tmp (PE32)
  Starts: [68] is-K13L1.tmp

[48] wTegw0iIJDlHQGgVgcXyEfxa.exe
  Dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32)
  Starts: [70] Install.exe

[58] 7 other processes
  Network: 93.186.225.194 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 188.119.113.104 (SERVERIUS-ASNL, Russian Federation); 6 other IPs or domains
  Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Disables Windows Defender (deletes autostart); Tries to harvest and steal browser information (history, passwords, etc); 4 other signatures
  Starts: [72] cmd.exe; [74] ipconfig.exe; [76] bCqlB3wCanDj9TzfPO7jFKwi.exe; [78] 4 other processes

[63] explorer.exe (injected)
  Network: 187.212.236.255 (UninetSAdeCVMX, Mexico); 175.126.109.15 (SKB-ASSKBroadbandCoLtdKR, Korea Republic of); 5 other IPs or domains
  Dropped: C:\Users\user\AppData\Roaming\vfjeugt (PE32); C:\Users\user\AppData\Local\Temp\C383.exe (PE32); C:\Users\user\AppData\Local\Temp\5FC1.exe (PE32)
  Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
  Starts: [80] rundll32.exe

[68] is-K13L1.tmp
  Dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); 7 other files (5 malicious)
  Starts: [82] FRec48.exe

[70] Install.exe
  Dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32)
  Signatures: Multi AV Scanner detection for dropped file
  Starts: [86] Install.exe

[72] cmd.exe
  Signatures: Drops PE files with a suspicious file extension
  Starts: [89] cmd.exe; [91] conhost.exe

[74] ipconfig.exe
  Starts: [93] conhost.exe

[76] bCqlB3wCanDj9TzfPO7jFKwi.exe
  Network: 104.21.54.11 (CLOUDFLARENETUS, United States)

[82] FRec48.exe
  Network: 45.12.253.56 (CMCSUS, Germany); 45.12.253.72 (CMCSUS, Germany); 45.12.253.75 (CMCSUS, Germany)
  Dropped: C:\Users\user\AppData\...\AIEG28M1xg409C.exe (PE32)

[86] Install.exe
  Dropped: C:\Users\user\AppData\Local\...\pWsxBGH.exe (PE32)
  Signatures: Multi AV Scanner detection for dropped file

[89] cmd.exe
  Dropped: C:\Users\user\AppData\Local\...\Co.exe.pif (PE32)
  Starts: [95] powershell.exe
Threat name: Win32.Trojan.Zusy
Status: Malicious
First seen: 2023-04-03 13:31:23 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 25 of 37 (67.57%)
Threat level: 5/5

Result
Malware family: privateloader
Score: 10/10
Tags: family:privateloader evasion loader main spyware stealer trojan
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
PrivateLoader
Malware Config
C2 Extraction:
94.142.138.113
94.142.138.131
208.67.104.60
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
149.154.158.34
Unpacked files
SHA256 hash: 6858af2688d2e14af2f506e8a268045e38a9ee1a69759ded34c506c112910958
MD5 hash: 021db70d51c7eb264d8e3d201987de59
SHA1 hash: a149857a61bf22d84960f4fbc3fe39cf6b1661da
Detections: PrivateLoader win_privateloader_w0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: MALWARE_Win_DLInjector06
Author: ditekSHen
Description: Detects downloader / injector

Rule name: privateloader
Author: andretavare5
Description: PrivateLoader pay-per-install malware

Rule name: Windows_Trojan_PrivateLoader_96ac2734
Author: Elastic Security

Rule name: win_privateloader
Author: andretavare5
Reference: https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service

Rule name: win_privateloader_w0
Author: andretavare5
Reference: https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery: Web download
Malware: PrivateLoader
File: Executable exe 6858af2688d2e14af2f506e8a268045e38a9ee1a69759ded34c506c112910958 (this sample)

Delivery method: Distributed via web download

Comments

zbet commented on 2023-04-08 15:27:55 UTC

url : hxxp://163.123.143.4/download/Service.vmp