MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e83c0f6566169af1cf6c28670dcee6edeb15d0913aa24ad3831c9f97eb42307. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PrivateLoader

Vendor detections: 13

SHA256 hash: 8e83c0f6566169af1cf6c28670dcee6edeb15d0913aa24ad3831c9f97eb42307
SHA3-384 hash: 110d64ba0fa568a8a28388a926251b5deea6c9bd835e64dde3ac552a0588501272fe19e98b0570c993a2b7487f50c6f8
SHA1 hash: 5b7099d771a8bc73d6ba04539f8c4914ebddc553
MD5 hash: 35b12aa59cb3816e264afda86eeb9c6e
humanhash: skylark-mango-asparagus-sweet
File name: file
Signature: PrivateLoader
File size: 6'499'328 bytes
First seen: 2023-11-07 17:17:23 UTC
Last seen: 2023-11-10 14:09:03 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: ee26deb5354c4489ff0dc7547168b2dc (3 x Amadey, 3 x RedLineStealer, 1 x PrivateLoader)
ssdeep: 98304:LNDHuQj/uHg7lHz19DIbDzvDPsKjptRf7PGX58U+3x8dXQKlsT1KO:L0Qj/d11903ptZqtsOA2sTkO
TLSH: T14C6612AD6744B35DC01EC431C423BC97B2A69E2F97E5B4AA72C7BEC07379615CA01B06
TrID: 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      15.6% (.ICL) Windows Icons Library (generic) (2059/9)
      15.4% (.EXE) OS/2 Executable (generic) (2029/13)
      15.2% (.EXE) Generic Win/DOS Executable (2002/3)
      15.2% (.EXE) DOS Executable Generic (2000/1)
dhash icon: 719d8d7173f17317 (3 x PrivateLoader, 2 x RedLineStealer, 2 x Amadey)
Reporter: andretavare5
Tags: exe PrivateLoader


andretavare5
Sample downloaded from https://vk.com/doc26060933_667443076?hash=bDMwfuwwa4Bhfk5iGf4pMZfzUuBZI01JVp5BaGnL6ks&dl=iT71Bl3sZ2372hed0nHcWcvZK3ySxQ2nVKfHeXmS1cs&api=1&no_preview=1

Intelligence

File Origin
# of uploads: 117
# of downloads: 349
Origin country: US

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Modifying a system file
Creating synchronization primitives
Replacing files
Launching a service
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Sending a custom TCP request
Forced system process termination
Blocking the Windows Defender launch
Adding exclusions to Windows Defender
Gathering data
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: lolbin packed packed shell32 vmprotect
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Glupteba, PrivateLoader, RedLine, SmokeL
Detection: malicious
Classification: evad.troj.adwa.spyw.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Found API chain indicative of debugger detection
Found C&C like URL pattern
Found malware configuration
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies power options to not sleep / hibernate
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Sample uses process hollowing technique
Sigma detected: Stop multiple services
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Glupteba
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: [graph image rendered as text by extraction; recoverable header only: Behavior Graph ID 1338405, Sample file.exe, Startdate 07/11/2023, Architecture WINDOWS, Score 100]
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2023-11-07 17:18:06 UTC
File Type: PE+ (Exe)
Extracted files: 3
AV detection: 9 of 37 (24.32%)
Threat level: 2/5
Verdict: malicious
Result
Malware family: privateloader
Score: 10/10
Tags: family:privateloader loader
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in System32 directory
PrivateLoader
Unpacked files
SHA256 hash: 8e83c0f6566169af1cf6c28670dcee6edeb15d0913aa24ad3831c9f97eb42307
MD5 hash: 35b12aa59cb3816e264afda86eeb9c6e
SHA1 hash: 5b7099d771a8bc73d6ba04539f8c4914ebddc553
Malware family: PrivateLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by