MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 880716d3e1fe4e69e32f45fbd59b7de7e9d0df1f6912e5f7b39bb4907ede3874. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PrivateLoader


Vendor detections: 15



SHA256 hash: 880716d3e1fe4e69e32f45fbd59b7de7e9d0df1f6912e5f7b39bb4907ede3874
SHA3-384 hash: 4cd99669d46ff273e4f49607bb8ce6d01096e8276248ccc26e375c97ecdb55743409e35e20d3e2b754046a667dac741f
SHA1 hash: b6751740b05eab608aad776eea2e8a3f35871c71
MD5 hash: 055fc87832ccb0e40d13eb6cf0b67136
humanhash: king-oranges-mockingbird-timing
File name: 055fc87832ccb0e40d13eb6cf0b67136
Signature: PrivateLoader
File size: 4'040'704 bytes
First seen: 2023-02-01 13:28:42 UTC
Last seen: 2023-02-08 17:54:27 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3084ce279de8f767d7f3adb11fae9540 (1 x PrivateLoader)
ssdeep: 98304:t2mXqUjEBZCW7038QcdfQZcht/c5ilvTilNZwB5E:t2mXpwZT7bdfQZSK
Threatray: 801 similar samples on MalwareBazaar
TLSH: T1CC1623379A951166C0D9C837C427BD9371F2067E4A83AC7851DAFDC626335E0FE026AB
TrID: 56.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      11.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      9.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
      8.1% (.EXE) Win32 Executable (generic) (4505/5/1)
      3.7% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: a9e8b497e6cadaf2 (1 x Formbook, 1 x PrivateLoader, 1 x CoinMiner)
Reporter: zbetcheckin
Tags: 32 exe PrivateLoader

Intelligence


File Origin
# of uploads: 5
# of downloads: 216
Origin country: n/a
Vendor Threat Intelligence
Malware family:
redline
ID:
1
File name:
c90720ba16d8752a433b595db49c4a16.exe
Verdict:
Malicious activity
Analysis date:
2023-01-30 19:01:03 UTC
Tags:
evasion opendir loader trojan rat redline stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Behaviour
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the Program Files subdirectories
Creating a file
Creating synchronization primitives
Creating a process from a recently created file
Launching a process
Creating a file in the Windows subdirectories
Modifying a system file
Replacing files
Reading critical registry keys
Launching a service
Sending a UDP request
Forced system process termination
Blocking the Windows Defender launch
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
qakbot setupapi.dll shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Amadey, Fabookie, Glupteba, Nymaim, Priv
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files to the document folder of the user
Found C&C like URL pattern
Found Tor onion address
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Fabookie
Yara detected Glupteba
Yara detected Nymaim
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Yara detected zgRAT
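The sandbox signatures above (Defender real-time protection disabled via the registry, Defender exclusions added, schtasks.exe used for persistence) are the behaviours most worth turning into host-based detections. The block below is an added example, not code from MalwareBazaar or any of the sandbox vendors quoted on this page: it runs simple rules over constructed Sysmon-style events (Event ID 1 = process create, Event ID 13 = registry value set). The field names mimic Sysmon's, but every record is made up for illustration; the registry paths are the real Defender policy and exclusion keys.

```python
"""Added example (not from the page or a sandbox vendor): flag the Defender
tampering and schtasks persistence listed in the sandbox signatures, using
constructed Sysmon-like events. Records below are invented for illustration."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int          # 1 = process create, 13 = registry value set (Sysmon numbering)
    image: str             # process that performed the action
    command_line: str = ""
    target_object: str = ""  # registry path, for event_id 13
    details: str = ""        # new registry value as Sysmon renders it, for event_id 13


# Constructed sample telemetry (not real events from this sample's run).
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /create /tn "PowerControl_Svc" '
          r'/tr "C:\Users\user\AppData\Local\Temp\PowerControl_Svc.exe" /sc onlogon /rl highest /f'),
    Event(13, r"C:\Windows\System32\reg.exe",
          target_object=r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
          details="DWORD (0x00000001)"),
    Event(13, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          target_object=r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\user\AppData\Local\Temp",
          details="DWORD (0x00000000)"),
    Event(1, r"C:\Windows\System32\notepad.exe", "notepad.exe readme.txt"),  # benign
    Event(13, r"C:\Windows\explorer.exe",
          target_object=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
          details="DWORD (0x00000001)"),  # benign registry write
]

# Real Defender registry locations: policy switch for real-time protection, and the exclusion lists.
DEFENDER_POLICY = re.compile(
    r"\\Windows Defender\\(Real-Time Protection\\DisableRealtimeMonitoring|DisableAntiSpyware)$", re.I)
DEFENDER_EXCLUSION = re.compile(r"\\Windows Defender\\Exclusions\\(Paths|Extensions|Processes)\\", re.I)
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\s.*/create\b", re.I)
# Task actions under user-writable paths are the usual sign of dropper persistence.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)


def classify(ev: Event) -> list:
    """Return the rule names an event triggers (empty list if none)."""
    hits = []
    if ev.event_id == 13:
        if DEFENDER_POLICY.search(ev.target_object) and "0x00000001" in ev.details:
            hits.append("defender_realtime_disabled")
        if DEFENDER_EXCLUSION.search(ev.target_object):
            hits.append("defender_exclusion_added")
    elif ev.event_id == 1 and SCHTASKS_CREATE.search(ev.command_line):
        hits.append("schtasks_create")
        if USER_WRITABLE.search(ev.command_line):
            hits.append("schtasks_target_in_user_writable_path")
    return hits


def scan(events) -> list:
    """Run classify() over a stream; return (index, image, rules) for every event that fired."""
    results = []
    for i, ev in enumerate(events):
        rules = classify(ev)
        if rules:
            results.append((i, ev.image, rules))
    return results


if __name__ == "__main__":
    for idx, image, rules in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {image} -> {', '.join(rules)}")
```

The exclusion rule fires on any write under the exclusion keys regardless of value, because the presence of a new value name (the excluded path itself) is the indicator; the real-time rule only fires when the DWORD is set to 1, so a policy reset to 0 does not alert.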
Behaviour
Behavior Graph:
Behavior Graph ID: 795975
Sample: k7GwEhhqFz.exe
Start date: 01/02/2023
Architecture: WINDOWS
Score: 100

The graph is reproduced below as a flattened process tree. Numbers in square brackets are the graph's node IDs; numbers in parentheses after a process name are carried over from the graph; "Started" lists the child nodes each process spawned.

Start node [2]
  Network: 45.12.253.98 CMCSUS Germany; www.facebook.com; 3 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 32 other signatures
  Started: PowerControl_Svc.exe [11] (16); PowerControl_Svc.exe [15] (15); k7GwEhhqFz.exe [17] (3); 4 other processes [20]

PowerControl_Svc.exe [11]
  Network: 23.254.227.202, 49702, 80 HOSTWINDSUS United States; telegram.org
  Dropped: C:\Users\...\krt5XyawV0MpIqOgXcT5GPjF.exe, PE32; C:\Users\user\AppData\Local\...\WWW14[2].bmp, PE32
  Started: krt5XyawV0MpIqOgXcT5GPjF.exe [22] (11 48); schtasks.exe [27]; schtasks.exe [29]

PowerControl_Svc.exe [15]
  Network: 163.123.143.4, 49706, 49707, 80 ILIGHT-NETUS Reserved; telegram.org
  Dropped: C:\Users\...\IXkGxOZsfiiqS9zX0MQGE8Xw.exe, PE32; C:\Users\user\AppData\Local\...\WWW14[1].bmp, PE32
  Started: IXkGxOZsfiiqS9zX0MQGE8Xw.exe [31] (10 13); schtasks.exe [33]; schtasks.exe [35]

k7GwEhhqFz.exe [17] (the submitted sample)
  Network: 23.254.227.214, 49696, 49700, 49701 HOSTWINDSUS United States; t.me 149.154.167.99, 443, 49695, 49698 TELEGRAMRU United Kingdom; 2 other IPs or domains
  Dropped: C:\...\PowerControl_Svc.exe, PE32; C:\...\PowerControl_Svc.exe:Zone.Identifier, ASCII
  Signatures: May check the online IP address of the machine; Uses schtasks.exe or at.exe to add and modify task schedules; Tries to detect virtualization through RDTSC time measurements
  Started: schtasks.exe [37] (1); schtasks.exe [39] (1)

4 other processes [20]
  Signatures: Query firmware table information (likely to detect VMs)

krt5XyawV0MpIqOgXcT5GPjF.exe [22]
  Network: sun6-20.userapi.com 95.142.206.0 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation; sun6-22.userapi.com 95.142.206.2 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation; 14 other IPs or domains
  Dropped: C:\Users\...\waH49SOpfxYTCb1_GGGxi0wD.exe, PE32+; C:\Users\...\wPZ6JTjdjU5ImGqugnokZPc2.exe, PE32; C:\Users\...\vLPZWfO4Fq3d2vyF76zvwpvY.exe, PE32+; 19 other malicious files
  Signatures: Multi AV Scanner detection for dropped file; May check the online IP address of the machine; Creates HTML files with .exe extension (expired dropper behavior); Modifies Group Policy settings
  Started: wPZ6JTjdjU5ImGqugnokZPc2.exe [41]; O2HRXStoI_iCfOZloIFng6eO.exe [44]; 10 other processes [59]

schtasks.exe [27], [29], [33], [35], [37], [39]
  Started: conhost.exe [47], [49], [51], [53], [55], [57] respectively

IXkGxOZsfiiqS9zX0MQGE8Xw.exe [31]
  Network: vk.com 87.240.132.72 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation; 192.168.2.1 unknown unknown; ipinfo.io
  Signatures: Disables Windows Defender (deletes autostart); Tries to harvest and steal browser information (history, passwords, etc); Disable Windows Defender real time protection (registry)

wPZ6JTjdjU5ImGqugnokZPc2.exe [41]
  Dropped: C:\Users\user\AppData\Local\...\mnolyk.exe, PE32
  Started: mnolyk.exe [62]

O2HRXStoI_iCfOZloIFng6eO.exe [44]
  Dropped: C:\Users\...\O2HRXStoI_iCfOZloIFng6eO.tmp, PE32
  Signatures: Obfuscated command line found
  Started: O2HRXStoI_iCfOZloIFng6eO.tmp [67]

10 other processes [59]
  Network: youtube-ui.l.google.com 172.217.168.78 GOOGLEUS United States; star-mini.c10r.facebook.com 157.240.253.35 FACEBOOKUS United States; 4 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\...\Install.exe, PE32 (two instances); C:\ProgramData\versionApp\SRIKA.exe, PE32+
  Signatures: Tries to harvest and steal browser information (history, passwords, etc); Sets debug register (to hijack the execution of another thread); Maps a DLL or memory area into another process; 2 other signatures
  Started: Install.exe [69]; Install.exe [71]; cmd.exe [73]

mnolyk.exe [62]
  Network: 193.233.20.2 REDCOM-ASRedcomKhabarovskRussiaRU Russian Federation
  Dropped: C:\Users\user\AppData\Roaming\...\clip64.dll, PE32; C:\Users\user\AppData\Roaming\...\trebo1.exe, PE32; 2 other malicious files
  Signatures: Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key
  Started: trebo1.exe [75]; cmd.exe [79]; schtasks.exe [81]; rundll32.exe [83]

O2HRXStoI_iCfOZloIFng6eO.tmp [67]
  Dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32; C:\Users\user\AppData\Local\...\_RegDLL.tmp, PE32; 6 other files (5 malicious)
  Started: finalrecovery.exe [85]

Install.exe [69]
  Dropped: C:\Users\user\AppData\Local\...\Install.exe, PE32
  Started: Install.exe [88]

Install.exe [71]
  Dropped: C:\Users\user\AppData\Local\...\Install.exe, PE32
  Started: Install.exe [90]

cmd.exe [73]
  Started: conhost.exe [92]

trebo1.exe [75]
  Dropped: C:\Users\user\AppData\...\vcredist_47f68b.dll, PE32+
  Signatures: Multi AV Scanner detection for dropped file; Query firmware table information (likely to detect VMs); Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); 4 other signatures

cmd.exe [79]
  Started: conhost.exe [94]; cmd.exe [96]; cacls.exe [98]; 2 other processes [102]

schtasks.exe [81]
  Started: conhost.exe [100]

finalrecovery.exe [85]
  Network: 45.12.253.56 CMCSUS Germany; 45.12.253.72 CMCSUS Germany; 45.12.253.75 CMCSUS Germany
  Dropped: C:\Users\user\AppData\...\gbkfDbuh.exe, PE32

Install.exe [88]
  Dropped: C:\Users\user\AppData\Local\...\UwBjiek.exe, PE32

Install.exe [90]
  Dropped: C:\Users\user\AppData\Local\...\iBiuUXk.exe, PE32
Threat name:
Win32.Infostealer.PrivateLoader
Status:
Malicious
First seen:
2023-01-26 06:53:33 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Result
Malware family:
privateloader
Score:
  10/10
Tags:
family:privateloader loader spyware stealer vmprotect
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
PrivateLoader
Unpacked files
SHA256 hash:
cbb4925b9932f4c5df7e53c37bde31de16640a3fcb0ae7e60aa8ce4757c67e91
MD5 hash:
e8dc662f41a03d189e99866e7d36fb70
SHA1 hash:
a3561d3b2b413152586cf6c98598f5cb0d1f69a9
Detections:
PrivateLoader win_privateloader_w0
SHA256 hash:
880716d3e1fe4e69e32f45fbd59b7de7e9d0df1f6912e5f7b39bb4907ede3874
MD5 hash:
055fc87832ccb0e40d13eb6cf0b67136
SHA1 hash:
b6751740b05eab608aad776eea2e8a3f35871c71
Malware family:
PrivateLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: PrivateLoader
File: Executable exe 880716d3e1fe4e69e32f45fbd59b7de7e9d0df1f6912e5f7b39bb4907ede3874 (this sample)

Comments



zbet commented on 2023-02-01 13:28:51 UTC

url: hxxp://163.123.143.4/download/Service_soft.bmp
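Two practical checks follow from this entry: confirming that a file you hold is really the sample described by the hash block at the top of the page, and turning the defanged download URL in the comment above (hxxp:// is the usual convention for a URL that must not be clicked) back into a usable indicator so it can be matched against the sandbox's network contacts. The block below is an added example, not code from MalwareBazaar or the reporter; the hashes, the comment URL and the IP list are copied from this page, and the refang rules cover only the common defanging forms (hxxp, [.], (.), [:]).

```python
"""Added example (not from the MalwareBazaar page): verify a local file against
the hashes in this entry and refang the comment's URL for IOC matching."""
import hashlib
import re
from urllib.parse import urlsplit

# Digests and size copied from the entry header for this sample.
ENTRY_HASHES = {
    "md5": "055fc87832ccb0e40d13eb6cf0b67136",
    "sha1": "b6751740b05eab608aad776eea2e8a3f35871c71",
    "sha256": "880716d3e1fe4e69e32f45fbd59b7de7e9d0df1f6912e5f7b39bb4907ede3874",
    "sha3_384": "4cd99669d46ff273e4f49607bb8ce6d01096e8276248ccc26e375c97ecdb55743409e35e20d3e2b754046a667dac741f",
}
ENTRY_SIZE = 4_040_704  # bytes, from the "File size" field

# Defanged URL from the comment, and the IPs the behaviour graph shows the run contacting.
COMMENT_URL = "hxxp://163.123.143.4/download/Service_soft.bmp"
GRAPH_IPS = {
    "45.12.253.98", "23.254.227.202", "163.123.143.4", "23.254.227.214", "149.154.167.99",
    "95.142.206.0", "95.142.206.2", "87.240.132.72", "172.217.168.78", "157.240.253.35",
    "193.233.20.2", "45.12.253.56", "45.12.253.72", "45.12.253.75",
}


def compute_hashes(data: bytes) -> dict:
    """Return the four digests the entry lists, lowercase hex, for one buffer."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256", "sha3_384")}


def verify_sample(data: bytes, expected: dict = ENTRY_HASHES, size=ENTRY_SIZE) -> dict:
    """Compare a buffer against expected digests (and size, unless size is None).
    Returns {field: (expected, actual)} for every mismatch; an empty dict means a full match."""
    actual = compute_hashes(data)
    mismatches = {n: (expected[n], actual[n]) for n in expected
                  if n in actual and actual[n] != expected[n].lower()}
    if size is not None and len(data) != size:
        mismatches["size"] = (size, len(data))
    return mismatches


def refang(indicator: str) -> str:
    """Undo common defanging: hxxp(s):// -> http(s)://, [.] / (.) -> ., [:] -> :, [/] -> /."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    for defanged, clean in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[/]", "/")):
        s = s.replace(defanged, clean)
    return s


def url_host(defanged_url: str) -> str:
    """Host part of a (possibly defanged) URL, or '' if it cannot be parsed."""
    return urlsplit(refang(defanged_url)).hostname or ""


def host_seen_in_sandbox(defanged_url: str, graph_ips=GRAPH_IPS) -> bool:
    """True when the URL's host is one of the IPs the sandbox run contacted."""
    return url_host(defanged_url) in graph_ips


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        with open(path, "rb") as fh:
            diff = verify_sample(fh.read())
        print("match" if not diff else f"mismatch: {diff}")
    print(refang(COMMENT_URL), "seen in sandbox:", host_seen_in_sandbox(COMMENT_URL))
```

Run it as `python verify.py sample.bin` against a file pulled from the entry. The imphash, ssdeep and TLSH values on the page need third-party libraries (pefile, ssdeep and py-tlsh respectively) and are deliberately left out; the four hashlib digests plus the size are enough to confirm identity.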