MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3519e6c142a1a4e08f6c71b02ce3bf50b3182fdb6131da271fae77c7a4eba6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PrivateLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a3519e6c142a1a4e08f6c71b02ce3bf50b3182fdb6131da271fae77c7a4eba6f
SHA3-384 hash: d6bc3606e3065366d678862ac333050d176d6558c599f946f0427d103902e611bb03681292fa92afdcd8df48d0fe992a
SHA1 hash: 9f1823bb5ff000dea21e3e43a0bf821434482ff3
MD5 hash: d6a782cd2e4b92e06bbc8204013f3d68
humanhash: jig-cardinal-hotel-washington
File name:d6a782cd2e4b92e06bbc8204013f3d68
Download: download sample
Signature PrivateLoader
Create hunting rule
File size:2'624'368 bytes
First seen:2023-09-29 17:13:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 49152:oLdSRmCAGo0rfIDYlrglqWh9iO9EMJYamBLMpLNH:oLw7A7ufLroqWh9hEuYppML
TLSH T187C50140B1ED6DF4ED95D2382196DE905DEF1B9EB303E849AD4CA0E824307B679B3D21
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter zbetcheckin
Tags:32 exe PrivateLoader signed

Code Signing Certificate

Organisation:gofile inc
Issuer:gofile inc
Algorithm:sha256WithRSAEncryption
Valid from:2023-09-28T13:20:27Z
Valid to:2024-09-28T13:20:27Z
Serial number: ad00423aabb33d027ce1da4ccb2847be
Thumbprint Algorithm:SHA256
Thumbprint: c2d5dc4f895fe2c2d5b2949b2c4871932062e176f24cd6ee63ebbe0562caa40d
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
316
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/452032/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.16454.8794.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
Sending a custom TCP request
DNS request
Connecting to a non-recommended domain
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Searching for synchronization primitives
Searching for the window
Sending a UDP request
Launching cmd.exe command interpreter
Blocking the User Account Control
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/651705dbf1b40cb0d6248fdc/reports/4f3ef76b-1646-4ac6-a68e-f26ab3dc6781/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/a3519e6c142a1a4e08f6c71b02ce3bf50b3182fdb6131da271fae77c7a4eba6f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2ddd21e1-bc9f-42b3-9dcb-2b54e653be11
Result
Threat name:
Amadey, Fabookie, RedLine
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1316771
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Disables Windows Defender (deletes autostart)
Drops script or batch files to the startup folder
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Fabookie
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1316771 Sample: smKd9MjnOD.exe Startdate: 29/09/2023 Architecture: WINDOWS Score: 100 206 Found malware configuration 2->206 208 Malicious sample detected (through community Yara rule) 2->208 210 Antivirus detection for URL or domain 2->210 212 15 other signatures 2->212 12 smKd9MjnOD.exe 2 4 2->12         started        15 powershell.exe 2->15         started        17 DigitalPulseUpdate.exe 2->17         started        20 nhdues.exe 2->20         started        process3 dnsIp4 220 Writes to foreign memory regions 12->220 222 Allocates memory in foreign processes 12->222 224 Adds a directory exclusion to Windows Defender 12->224 226 2 other signatures 12->226 22 InstallUtil.exe 15 155 12->22         started        27 powershell.exe 21 12->27         started        29 conhost.exe 15->29         started        154 35.182.67.195 AMAZON-02US United States 17->154 signatures5 process6 dnsIp7 156 85.217.144.143 WS171-ASRU Bulgaria 22->156 158 5.42.64.2 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 22->158 160 25 other IPs or domains 22->160 126 C:\Users\...\x1Cn1IjtjZ30UvX42tV4Zkvc.exe, PE32 22->126 dropped 128 C:\Users\...\ubvOGeHcXr9vy2Ufv2P3OzRp.exe, PE32 22->128 dropped 130 C:\Users\...\r1VUyFuSuwdhiMbiI6P0auol.exe, PE32 22->130 dropped 132 149 other malicious files 22->132 dropped 214 Drops script or batch files to the startup folder 22->214 216 Writes many files with high entropy 22->216 31 OHbAtFHJR8kiePbx6hKDvtNJ.exe 22->31         started        36 IGf7xKpmSHA9pzfQzJ48arpA.exe 3 22->36         started        38 mAPKBYEPaS2pjcq5tmQASATo.exe 22->38         started        42 7 other processes 22->42 40 conhost.exe 27->40         started        file8 signatures9 process10 dnsIp11 166 87.240.132.67 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 31->166 168 95.142.206.0 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 31->168 174 15 other IPs or domains 31->174 104 C:\Users\...\xUaGu1bWraeYlKzMes4hvq4A.exe, PE32 31->104 dropped 106 C:\Users\...\tLxt5fWjI613YnomttNziekK.exe, PE32 31->106 dropped 108 C:\Users\...\lHIwSiKEH3DBAbqJxNYsWhPZ.exe, PE32 31->108 dropped 116 21 other malicious files 31->116 dropped 180 Query firmware table information (likely to detect VMs) 31->180 182 Tries to detect sandboxes and other dynamic analysis tools (window names) 31->182 184 Creates HTML files with .exe extension (expired dropper behavior) 31->184 196 5 other signatures 31->196 110 C:\Users\user\AppData\Local\...\nhdues.exe, PE32 36->110 dropped 186 Contains functionality to inject code into remote processes 36->186 44 nhdues.exe 36->44         started        170 107.167.110.218 OPERASOFTWAREUS United States 38->170 172 107.167.125.189 OPERASOFTWAREUS United States 38->172 176 5 other IPs or domains 38->176 118 9 other malicious files 38->118 dropped 188 Writes many files with high entropy 38->188 49 mAPKBYEPaS2pjcq5tmQASATo.exe 38->49         started        51 mAPKBYEPaS2pjcq5tmQASATo.exe 38->51         started        53 mAPKBYEPaS2pjcq5tmQASATo.exe 38->53         started        178 14 other IPs or domains 42->178 112 C:\Users\user\Pictures\360TS_Setup.exe.P2P, PE32 42->112 dropped 114 C:\Users\user\...\360TS_Setup.exe (copy), PE32 42->114 dropped 120 7 other malicious files 42->120 dropped 190 Tries to harvest and steal browser information (history, passwords, etc) 42->190 192 Modifies the hosts file 42->192 194 Adds a directory exclusion to Windows Defender 42->194 55 MSTcAgUFDEf5MFI9qDLMoO14.tmp 42->55         started        57 Install.exe 42->57         started        file12 signatures13 process14 dnsIp15 162 193.42.32.29 EENET-ASEE Germany 44->162 134 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 44->134 dropped 136 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 44->136 dropped 148 2 other malicious files 44->148 dropped 228 Multi AV Scanner detection for dropped file 44->228 230 Creates an undocumented autostart registry key 44->230 232 Uses schtasks.exe or at.exe to add and modify task schedules 44->232 59 rundll32.exe 44->59         started        61 cmd.exe 44->61         started        63 schtasks.exe 44->63         started        65 rundll32.exe 44->65         started        138 Opera_installer_2309291715097867368.dll, PE32 49->138 dropped 67 mAPKBYEPaS2pjcq5tmQASATo.exe 49->67         started        140 Opera_installer_2309291715074882472.dll, PE32 51->140 dropped 142 Opera_installer_2309291715084697208.dll, PE32 53->142 dropped 144 C:\Users\user\AppData\...\unins000.exe (copy), PE32 55->144 dropped 150 6 other files (5 malicious) 55->150 dropped 70 _setup64.tmp 55->70         started        72 schtasks.exe 55->72         started        77 2 other processes 55->77 146 C:\Users\user\AppData\Local\...\Install.exe, PE32 57->146 dropped 74 Install.exe 57->74         started        file16 signatures17 process18 dnsIp19 80 rundll32.exe 59->80         started        84 conhost.exe 61->84         started        86 cmd.exe 61->86         started        88 cacls.exe 61->88         started        98 4 other processes 61->98 90 conhost.exe 63->90         started        122 Opera_installer_2309291715106387572.dll, PE32 67->122 dropped 92 conhost.exe 70->92         started        94 conhost.exe 72->94         started        124 C:\Users\user\AppData\Local\...behaviorgraphrVbNQA.exe, PE32 74->124 dropped 218 Multi AV Scanner detection for dropped file 74->218 164 3.98.219.138 AMAZON-02US United States 77->164 96 conhost.exe 77->96         started        file20 signatures21 process22 dnsIp23 152 109.206.241.33 AWMLTNL Germany 80->152 198 System process connects to network (likely due to code injection or exploit) 80->198 200 Tries to steal Instant Messenger accounts or passwords 80->200 202 Tries to harvest and steal ftp login credentials 80->202 204 Tries to harvest and steal browser information (history, passwords, etc) 80->204 100 tar.exe 80->100         started        signatures24 process25 process26 102 conhost.exe 100->102         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a3519e6c142a1a4e08f6c71b02ce3bf50b3182fdb6131da271fae77c7a4eba6f/
Threat name:
ByteCode-MSIL.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2023-09-29 06:53:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
9 of 38 (23.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uniz43aufine4chwy4nqftr36uftdax5wyjr3itr7ltxy6soxjxq._file
Verdict:
unknown
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:fabookie family:glupteba family:privateloader dropper evasion loader spyware stealer themida trojan upx
Link:
https://tria.ge/reports/230929-vrzayseg29/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Launches sc.exe
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Themida packer
UPX packed file
Windows security modification
Downloads MZ/PE file
Stops running service(s)
Amadey
Detect Fabookie payload
Fabookie
Glupteba
Glupteba payload
PrivateLoader
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
http://193.42.32.29/9bDc8sQ/index.php
http://app.nnnaajjjgc.com/check/safe
Unpacked files
SH256 hash:
9ec30884c8d020079e9bac678137579032ffcae6712ba773a0bc1829d5f7391f
MD5 hash:
08bbf0b803b1b2929c93165429c2948f
SHA1 hash:
0696c3fae7458fcbd0381fa5323f349da8e6a420
Link:
https://www.unpac.me/results/0845432c-e1df-41b3-90b4-a3a40c0efaf2/
SH256 hash:
a3519e6c142a1a4e08f6c71b02ce3bf50b3182fdb6131da271fae77c7a4eba6f
MD5 hash:
d6a782cd2e4b92e06bbc8204013f3d68
SHA1 hash:
9f1823bb5ff000dea21e3e43a0bf821434482ff3
Link:
https://www.unpac.me/results/0845432c-e1df-41b3-90b4-a3a40c0efaf2/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a3519e6c142a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a3519e6c142a1a4e08f6c71b02ce3bf50b3182fdb6131da271fae77c7a4eba6f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PrivateLoader

Executable exe a3519e6c142a1a4e08f6c71b02ce3bf50b3182fdb6131da271fae77c7a4eba6f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2715112/
Cape
Cape
https://www.capesandbox.com/analysis/452032/

Comments


Avatar
zbet commented on 2023-09-29 17:13:17 UTC

url : hxxp://85.217.144.143/files/RBY1.exe