Threat name: CryptOne, Djvu, GCleaner, LummaC Stealer
Alert
Classification: rans.troj.spyw.evad.mine
Signatures:
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables Windows Defender real-time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Exclude list of file types from scheduled, custom, and real-time scanning
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Injects a PE file into a foreign process
Installs new ROOT certificates
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Djvu Ransomware
Yara detected LummaC Stealer
Yara detected Mars stealer
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behavior Graph
ID: 1447129
Sample: SecuriteInfo.com.Win64.Evo-...
Startdate: 24/05/2024
Architecture: WINDOWS
Score: 100

Process tree (with the network contacts, dropped files and signatures attached to each node):

Analysis start
  Network: service-domain.xyz; f.123654987.xyz (Performs DNS queries to domains with low reputation); 33 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 26 other signatures
  Started:
    SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe
      Network: f.123654987.xyz 37.221.125.202 (PTSERVIDORPT, Lithuania); 85.192.56.26, 49730, 80 (DINET-ASRU, Russian Federation); 20 other IPs or domains
      Dropped: C:\Users\...\va2JQfwFWdGawVd2zp4LeR00.exe (PE32); C:\Users\...\uSTzApXGKnAPBLGKxFTiBRtj.exe (PE32+); C:\Users\...\r7sW8wNeP3sav5N1yYLUJzML.exe (PE32); 28 other malicious files
      Signatures: Query firmware table information (likely to detect VMs); Drops PE files to the document folder of the user; Creates HTML files with .exe extension (expired dropper behavior); 10 other signatures
      Started:
        2JjpKpJKHpHJisxPcc0WWCif.exe
          Dropped: C:\Users\...\2JjpKpJKHpHJisxPcc0WWCif.tmp (PE32)
          Started:
            2JjpKpJKHpHJisxPcc0WWCif.tmp
              Dropped: C:\Users\user\...\zvaervideorecorder.exe (PE32); C:\Users\user\AppData\...\unins000.exe (copy) (PE32); C:\Users\user\AppData\...\openh264.dll (copy) (PE32+); 35 other files (24 malicious)
        YsL35EpGrjU1rZchKY2714UT.exe
          Dropped: C:\Users\user\AppData\Local\...\katDE8F.tmp (PE32)
          Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique; Injects a PE file into a foreign process
          Started:
            katDE8F.tmp
              Network: 23.197.127.21 (AKAMAI-ASN1EU, United States)
              Dropped: C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); 10 other files (6 malicious)
              Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
        va2JQfwFWdGawVd2zp4LeR00.exe
          Network: 185.172.128.170 (NADYMSS-ASRU, Russian Federation)
          Dropped: C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); 10 other files (6 malicious)
          Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to steal Mail credentials (via file / registry access); 4 other signatures
        15 other processes
          Network: 185.172.128.90 (NADYMSS-ASRU, Russian Federation); 147.45.47.126 (FREE-NET-ASFREEnetEU, Russian Federation); 3 other IPs or domains
          Dropped: C:\Users\user\AppData\...\7De6QmGXH.exe (PE32); C:\Users\user\...\Xv6O6ANXmRXk_nKzAGAD.exe (PE32); C:\Users\user\...\svHbiLAWsgmJ0AGdyd6Z.exe (PE32); 16 other malicious files
          Signatures: Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); 14 other signatures
          Started:
            RegAsm.exe
              Network: 5.42.65.115 (RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation)
              Signatures: Installs new ROOT certificates; Tries to steal Crypto Currency Wallets
            RegAsm.exe
              Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
            RegAsm.exe
              Network: steamcommunity.com 23.67.133.187 (AKAMAI-ASN1EU, United States); 65.109.242.59 (ALABANZA-BALTUS, United States)
              Dropped: C:\Users\user\AppData\Local\...\sqls[1].dll (PE32)
            6 other processes
              Network: api.2ip.ua 188.114.97.3 (CLOUDFLARENETUS, European Union)
              Dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32)
              Started: rundll32.exe; conhost.exe; Install.exe; conhost.exe
    svchost.exe
      Started: Conhost.exe
    svchost.exe
      Started: WerFault.exe
    2 other processes