MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6185a23c51b8ac77e6c1bdf2cd4a8d39b02af8b8027d4162cf9766d19cf87c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PrivateLoader

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	c6185a23c51b8ac77e6c1bdf2cd4a8d39b02af8b8027d4162cf9766d19cf87c8
SHA3-384 hash:	cddf1c3d238bee509cf85b9646c6224ee5111b9aff0ee78bb2459f8a3b3eca56e105caa093892d4d3a7ca5eacb03c3ec
SHA1 hash:	7dc9f3ac41b40b5ed78a42273f3f5f95d2d367c3
MD5 hash:	d9ce98a0b0029d26876ac86409bac27e
humanhash:	don-golf-table-grey
File name:	file
Download:	download sample
Signature	PrivateLoader Create hunting rule
File size:	5'021'184 bytes
First seen:	2023-11-02 09:50:23 UTC
Last seen:	2023-11-10 14:20:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	5de3d424cd6789b476f93abd644dde5a (1 x PrivateLoader)
ssdeep	98304:T/kRk50qK5N7jdM2gOpqufwX9h+3dcWUWZJziS1hZUZyeYOth3fOCQb9GK1/49s:bokO9jdMxOUUwWdiWmS+JuZGKJ49
Threatray	1 similar samples on MalwareBazaar
TLSH	T12236334A7CC12AD5D58B73300E37FD7EB2BD2DB969944A6C682C6B876E53261973C003
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	d2d1e767c36ea6e3 (1 x PrivateLoader)
Reporter	andretavare5
Tags:	exe PrivateLoader

andretavare5

Sample downloaded from http://171.22.28.226/download/Services.exe

Intelligence

File Origin

# of uploads :

187

# of downloads :

332

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-11-02 11:22:22 UTC

Tags:

privateloader evasion opendir

Link:

https://app.any.run/tasks/cf690be6-d989-4bfa-a326-7457492f87c9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/457760/

Detection(s):

SecuriteInfo.com.FileRepMalware.28383.6860.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the Program Files subdirectories

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Sending an HTTP GET request to an infection source

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lolbin packed packed setupapi shell32 vmprotect

Link:

https://www.filescan.io/uploads/6543710572356e4f29eaab26/reports/e5ea9a5a-e878-4933-9084-a44d90a1a728/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/c6185a23c51b8ac77e6c1bdf2cd4a8d39b02af8b8027d4162cf9766d19cf87c8

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/527af45d-4b2d-4d78-bf16-d0823388a26b

Result

Threat name:

PrivateLoader

Detection:

malicious

Classification:

troj

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1335900

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Detected VMProtect packer

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Snort IDS alert for network traffic

Yara detected PrivateLoader

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c6185a23c51b8ac77e6c1bdf2cd4a8d39b02af8b8027d4162cf9766d19cf87c8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c6185a23c51b8ac77e6c1bdf2cd4a8d39b02af8b8027d4162cf9766d19cf87c8/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2023-11-02 09:21:00 UTC

AV detection:

14 of 22 (63.64%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yymfui6fdofmo7tmdppszvfi2onqfl4lqat5ifrm7f3g2gopq7ea._file

Verdict:

unknown

PrivateLoader

Result

Malware family:

privateloader

Score:

10/10

Tags:

family:privateloader loader vmprotect

Link:

https://tria.ge/reports/231102-lvf44sac3x/

Behaviour

Creates scheduled task(s)

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Drops file in Program Files directory

Looks up external IP address via web service

VMProtect packed file

PrivateLoader

Unpacked files

SH256 hash:

c6185a23c51b8ac77e6c1bdf2cd4a8d39b02af8b8027d4162cf9766d19cf87c8

MD5 hash:

d9ce98a0b0029d26876ac86409bac27e

SHA1 hash:

7dc9f3ac41b40b5ed78a42273f3f5f95d2d367c3

Link:

https://www.unpac.me/results/db09aacc-a7a7-49d5-8628-91c9a9f7fc76/

Malware family:

PrivateLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c6185a23c51b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c6185a23c51b8ac77e6c1bdf2cd4a8d39b02af8b8027d4162cf9766d19cf87c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_VMProtect Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with VMProtect.

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2714990/

Cape

https://www.capesandbox.com/analysis/457760/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample