MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ed5bbcdc3ba7bd86c534424f7a5c8f80bac6618b7b79cd8caad7060272e107f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PrivateLoader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ed5bbcdc3ba7bd86c534424f7a5c8f80bac6618b7b79cd8caad7060272e107f
SHA3-384 hash: 2dce9db67f10194708e181ca1b33793e882a6e70300572edae129969c8330fad3d35253d193fd41455eb6f2d63f033aa
SHA1 hash: 6312833fd6b72358334d21ad2ce689ca3defb0c6
MD5 hash: 30747903174aaf785850d4c0a306dd1f
humanhash: uniform-eleven-nitrogen-bakerloo
File name:30747903174aaf785850d4c0a306dd1f
Download: download sample
Signature PrivateLoader
Create hunting rule
File size:3'417'600 bytes
First seen:2024-06-06 18:15:16 UTC
Last seen:2024-06-06 19:26:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 448b6888b26145ced7ce018aab459303 (4 x PrivateLoader, 2 x RiseProStealer, 2 x Stealc)
ssdeep 49152:v0JkLMjIxOE3cqFjTdiqH7ZQiIK4ePyS5wfm26hEbH4BMEt96kSOIsk3G8pxxuln:cxw3/tT5H7ZNIK4YLS0BLz6kyLWOPOP
TLSH T1C1F5018272E9D1B4E1B7AB70D57515FC3E363EA2EC79890F21803D193DB2A508DB435A
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 6f79337b47131353 (1 x PrivateLoader)
Reporter zbetcheckin
Tags:64 exe PrivateLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
344
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9ed5bbcdc3ba7bd86c534424f7a5c8f80bac6618b7b79cd8caad7060272e107f.exe
Verdict:
Malicious activity
Analysis date:
2024-06-06 18:18:39 UTC
Tags:
evasion privateloader berbew
Link:
https://app.any.run/tasks/fee3632e-cb21-4c14-bbae-bd3f33345fe8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.9849.9220.UNOFFICIAL
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Modifying a system file
Connection attempt
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Replacing files
DNS request
Sending a custom TCP request
Launching a service
Launching a process
Sending a UDP request
Forced system process termination
Blocking the Windows Defender launch
Adding exclusions to Windows Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
89%
Tags:
lolbin packed shell32
Link:
https://www.filescan.io/uploads/6661fce821581a92819b4d44/reports/afb32ce2-94e2-459f-b07b-0d44bcb5a909/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9ed5bbcdc3ba7bd86c534424f7a5c8f80bac6618b7b79cd8caad7060272e107f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/09c79d47-fe79-418e-bf74-fa46c508d7b9
Result
Threat name:
PureLog Stealer, RedLine, RisePro Steale
Create hunting rule
Detection:
malicious
Classification:
rans.troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1453289
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds extensions / path to Windows Defender exclusion list (Registry)
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to inject threads in other processes
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Exclude list of file types from scheduled, custom, and real-time scanning
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies power options to not sleep / hibernate
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens network shares
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Disable power options
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1453289 Sample: UmMgwOUPt5.exe Startdate: 06/06/2024 Architecture: WINDOWS Score: 100 140 Found malware configuration 2->140 142 Malicious sample detected (through community Yara rule) 2->142 144 Antivirus detection for URL or domain 2->144 146 20 other signatures 2->146 8 UmMgwOUPt5.exe 11 53 2->8         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        17 2 other processes 2->17 process3 dnsIp4 130 176.111.174.109 WILWAWPL Russian Federation 8->130 132 94.232.45.38 WELLWEBNL Russian Federation 8->132 138 20 other IPs or domains 8->138 82 C:\Users\...\vKFWj2E2SexRwx9Z0fAA34Fv.exe, PE32 8->82 dropped 84 C:\Users\...\tlIbT2dN7D7sZbG70jaOlQs4.exe, PE32 8->84 dropped 86 C:\Users\...\rwLYKGin3MXETsgK_IAzug81.exe, PE32 8->86 dropped 88 25 other malicious files 8->88 dropped 186 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->186 188 Drops PE files to the document folder of the user 8->188 190 Creates HTML files with .exe extension (expired dropper behavior) 8->190 192 7 other signatures 8->192 19 j8wVddc0tmfSFVJqtZS2FzLb.exe 8->19         started        22 akdPwjtQ5882j9P89iA4UBY2.exe 2 62 8->22         started        26 VzeA_ihziRa3FzOzpsJfRx5V.exe 8->26         started        28 13 other processes 8->28 134 184.28.90.27 AKAMAI-ASUS United States 13->134 136 127.0.0.1 unknown unknown 13->136 file5 signatures6 process7 dnsIp8 64 C:\Users\...\j8wVddc0tmfSFVJqtZS2FzLb.tmp, PE32 19->64 dropped 30 j8wVddc0tmfSFVJqtZS2FzLb.tmp 19->30         started        124 147.45.47.126 FREE-NET-ASFREEnetEU Russian Federation 22->124 126 104.26.4.15 CLOUDFLARENETUS United States 22->126 76 3 other malicious files 22->76 dropped 166 Detected unpacking (changes PE section rights) 22->166 168 Tries to steal Mail credentials (via file / registry access) 22->168 170 Found many strings related to Crypto-Wallets (likely being stolen) 22->170 180 6 other signatures 22->180 33 schtasks.exe 22->33         started        66 C:\Users\user\AppData\Local\Temp\...\scrt.dll, PE32 26->66 dropped 68 C:\Users\user\AppData\...\thirdparty.dll, PE32 26->68 dropped 70 C:\Users\user\AppData\Local\...\sciterui.dll, PE32 26->70 dropped 78 10 other malicious files 26->78 dropped 172 Writes many files with high entropy 26->172 128 172.67.202.186 CLOUDFLARENETUS United States 28->128 72 C:\...\PpfsSWY66vXc47tZe8X_tipk.exe (copy), PE32+ 28->72 dropped 74 C:\Users\user\AppData\Local\...\Install.exe, PE32 28->74 dropped 80 14 other malicious files 28->80 dropped 174 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 28->174 176 Query firmware table information (likely to detect VMs) 28->176 178 Tries to detect sandboxes and other dynamic analysis tools (window names) 28->178 182 11 other signatures 28->182 35 RegAsm.exe 28->35         started        39 MSBuild.exe 28->39         started        41 MSBuild.exe 28->41         started        43 8 other processes 28->43 file9 signatures10 process11 dnsIp12 92 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 30->92 dropped 94 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 30->94 dropped 96 C:\Users\user\AppData\Local\...\_RegDLL.tmp, PE32 30->96 dropped 104 34 other files (23 malicious) 30->104 dropped 45 consoledictaphone32.exe 30->45         started        48 consoledictaphone32.exe 30->48         started        51 conhost.exe 33->51         started        112 149.154.167.99 TELEGRAMRU United Kingdom 35->112 114 116.202.190.18 HETZNER-ASDE Germany 35->114 98 C:\Users\user\AppData\Local\...\sqls[1].dll, PE32 35->98 dropped 148 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 35->148 150 Tries to harvest and steal ftp login credentials 35->150 152 Tries to harvest and steal browser information (history, passwords, etc) 35->152 164 2 other signatures 35->164 116 5.42.65.63 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 39->116 154 Tries to steal Crypto Currency Wallets 39->154 156 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 41->156 158 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 41->158 53 conhost.exe 41->53         started        118 95.101.111.148 TELEFONICATELXIUSES European Union 43->118 120 35.81.211.41 MERIT-AS-14US United States 43->120 122 2 other IPs or domains 43->122 100 C:\Users\user\AppData\Local\...\Install.exe, PE32 43->100 dropped 102 C:\Users\user\AppData\Local\...\Child.pif, PE32 43->102 dropped 160 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 43->160 162 Drops PE files with a suspicious file extension 43->162 55 Install.exe 43->55         started        58 conhost.exe 43->58         started        60 conhost.exe 43->60         started        62 conhost.exe 43->62         started        file13 signatures14 process15 dnsIp16 90 C:\ProgramData\...\PCI Bridge 6.5.66.exe, PE32 45->90 dropped 106 93.123.39.193 NET1-ASBG Bulgaria 48->106 108 194.59.31.219 COMBAHTONcombahtonGmbHDE Germany 48->108 110 141.98.234.31 CH-NET-ASRO Russian Federation 48->110 184 Multi AV Scanner detection for dropped file 55->184 file17 signatures18
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9ed5bbcdc3ba7bd86c534424f7a5c8f80bac6618b7b79cd8caad7060272e107f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9ed5bbcdc3ba7bd86c534424f7a5c8f80bac6618b7b79cd8caad7060272e107f/
Threat name:
Win64.Trojan.Operaloader
Create hunting rule
Status:
Malicious
First seen:
2024-06-06 12:27:00 UTC
File Type:
PE+ (Exe)
Extracted files:
32
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t3k3xtodxj55q3ctiqsppjoi7af2yzqyw63zzwgkvvygajzocb7q._file
Verdict:
malicious
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader evasion loader
Link:
https://tria.ge/reports/240606-wwhpfahg51/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Drops file in System32 directory
Looks up external IP address via web service
Modifies firewall policy service
PrivateLoader
Unpacked files
SH256 hash:
9ed5bbcdc3ba7bd86c534424f7a5c8f80bac6618b7b79cd8caad7060272e107f
MD5 hash:
30747903174aaf785850d4c0a306dd1f
SHA1 hash:
6312833fd6b72358334d21ad2ce689ca3defb0c6
Link:
https://www.unpac.me/results/61a93f6d-7ae5-4e0b-8d40-638973ea2476/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9ed5bbcdc3ba7bd86c534424f7a5c8f80bac6618b7b79cd8caad7060272e107f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PrivateLoader

Executable exe 9ed5bbcdc3ba7bd86c534424f7a5c8f80bac6618b7b79cd8caad7060272e107f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2877423/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (NX_COMPAT)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA

Comments


Avatar
zbet commented on 2024-06-06 18:15:17 UTC

url : hxxp://irfanrashid.com/wp-content/server3/AppGate2103v01.exe