MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc54075055057cc8c0de185f7fea71146bb0a8424d3dbd18ca1219c29ff706bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PrivateLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc54075055057cc8c0de185f7fea71146bb0a8424d3dbd18ca1219c29ff706bd
SHA3-384 hash: c92b26c515864240fa9eff9771c0b96f021b5ccf5e1f9429580765e28a9ad10dc0746534f8b391e860a720f0312df413
SHA1 hash: cd309589f6866ce718461315aedcab94506dfe0a
MD5 hash: 2336ddbcfa5e610159ee26e52448824f
humanhash: comet-oven-two-spaghetti
File name:2336ddbcfa5e610159ee26e52448824f.exe
Download: download sample
Signature PrivateLoader
Create hunting rule
File size:153'088 bytes
First seen:2023-11-12 09:10:21 UTC
Last seen:2023-11-12 10:24:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:Q40WZo912dr5L6H4GHkpC6ryUob1IDa5mmXzvhGkyLFTRRRRRRRRRnMRRRRRRRRy:Q40H9cd16H4GHkJrzo/5pz5eTRRRRRRu
TLSH T14BE38D9D82BB1285D4FF5AB85C2321E1C27234196A39EF48AC8470B569FCBA1C5C573F
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe PrivateLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
328
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.21131.32469.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
Sending a custom TCP request
DNS request
Connecting to a non-recommended domain
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Creating a window
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Blocking the User Account Control
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed redcap
Link:
https://www.filescan.io/uploads/655096a73dd412119bf7f9d0/reports/be00e131-b906-4dc7-bc50-bab416c94cb4/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/cc54075055057cc8c0de185f7fea71146bb0a8424d3dbd18ca1219c29ff706bd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6273e632-1aea-4903-931b-6a2931f34caa
Result
Threat name:
Glupteba, PrivateLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1341291
Signature
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Disables Windows Defender (deletes autostart)
Drops script or batch files to the startup folder
Found evasive API chain checking for user administrative privileges
Found Tor onion address
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies Windows Defender protection settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Drops script at startup location
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Writes many files with high entropy
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected PrivateLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1341291 Sample: 6h7y0LYfJ8.exe Startdate: 12/11/2023 Architecture: WINDOWS Score: 100 163 Multi AV Scanner detection for domain / URL 2->163 165 Malicious sample detected (through community Yara rule) 2->165 167 Antivirus detection for URL or domain 2->167 169 15 other signatures 2->169 12 6h7y0LYfJ8.exe 2 4 2->12         started        15 svchost.exe 2->15         started        18 rundll32.exe 2->18         started        process3 dnsIp4 181 Adds a directory exclusion to Windows Defender 12->181 183 Disables UAC (registry) 12->183 20 CasPol.exe 15 251 12->20         started        25 powershell.exe 21 12->25         started        159 173.222.228.121 AKAMAI-ASUS United States 15->159 161 127.0.0.1 unknown unknown 15->161 signatures5 process6 dnsIp7 137 179.61.12.110 TECNOWEBPERUSACPE Chile 20->137 139 5.42.67.10 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 20->139 141 14 other IPs or domains 20->141 87 C:\Users\...\zhdk9BOpirrMXW6pOc0EDJ6F.exe, PE32 20->87 dropped 89 C:\Users\...\zTjZQJEw8rg9fyYxuWD102JF.exe, PE32 20->89 dropped 91 C:\Users\...\yAHZyrA864v7Kew1PlkpsnOQ.exe, PE32+ 20->91 dropped 93 213 other malicious files 20->93 dropped 175 Drops script or batch files to the startup folder 20->175 177 Creates HTML files with .exe extension (expired dropper behavior) 20->177 179 Writes many files with high entropy 20->179 27 uIXkhS65dqOguzbKF5AK7PBS.exe 20->27         started        32 Yp0XJICbOdctlREz1Rch7SNa.exe 20->32         started        34 BNwvCplYY9Cn5VWF2NNa7naC.exe 20->34         started        38 9 other processes 20->38 36 conhost.exe 25->36         started        file8 signatures9 process10 dnsIp11 145 107.167.110.218 OPERASOFTWAREUS United States 27->145 147 107.167.125.189 OPERASOFTWAREUS United States 27->147 155 6 other IPs or domains 27->155 113 Opera_installer_2311120912211056064.dll, PE32 27->113 dropped 127 7 other malicious files 27->127 dropped 185 Writes many files with high entropy 27->185 187 Found evasive API chain checking for user administrative privileges 27->187 40 uIXkhS65dqOguzbKF5AK7PBS.exe 27->40         started        43 uIXkhS65dqOguzbKF5AK7PBS.exe 27->43         started        45 uIXkhS65dqOguzbKF5AK7PBS.exe 27->45         started        47 dllhost.exe 27->47         started        115 C:\Users\user\AppData\Local\...\Install.exe, PE32 32->115 dropped 117 C:\Users\user\AppData\Local\...\config.txt, data 32->117 dropped 49 Install.exe 32->49         started        157 4 other IPs or domains 34->157 119 C:\Windows\System32behaviorgraphroupPolicy\gpt.ini, ASCII 34->119 dropped 189 Query firmware table information (likely to detect VMs) 34->189 191 Disables Windows Defender (deletes autostart) 34->191 193 Modifies Group Policy settings 34->193 201 4 other signatures 34->201 149 107.167.110.217 OPERASOFTWAREUS United States 38->149 151 37.228.108.133 NO-OPERANO Norway 38->151 153 104.21.38.126 CLOUDFLARENETUS United States 38->153 121 Opera_installer_2311120912297107640.dll, PE32 38->121 dropped 123 C:\Users\user\AppData\...\toniightlevel.exe, PE32+ 38->123 dropped 125 C:\Users\user\AppData\...\tonightlevel.exe, PE32 38->125 dropped 129 7 other malicious files 38->129 dropped 195 Detected unpacking (changes PE section rights) 38->195 197 Detected unpacking (overwrites its own PE header) 38->197 199 Tries to detect sandboxes and other dynamic analysis tools (window names) 38->199 203 3 other signatures 38->203 51 Install.exe 38->51         started        53 dTuCqvhGo2XCcHI8TTqrpOfx.exe 38->53         started        55 dTuCqvhGo2XCcHI8TTqrpOfx.exe 38->55         started        57 2 other processes 38->57 file12 signatures13 process14 dnsIp15 95 Opera_installer_2311120912240363020.dll, PE32 40->95 dropped 97 C:\Users\user\AppData\...\opera_browser.dll, PE32+ 40->97 dropped 111 11 other malicious files 40->111 dropped 60 uIXkhS65dqOguzbKF5AK7PBS.exe 40->60         started        99 Opera_installer_2311120912216603636.dll, PE32 43->99 dropped 101 Opera_installer_2311120912224892344.dll, PE32 45->101 dropped 103 C:\Users\user\AppData\Local\...\Install.exe, PE32 49->103 dropped 63 Install.exe 49->63         started        105 C:\Users\user\AppData\Local\...\Install.exe, PE32 51->105 dropped 66 Install.exe 51->66         started        107 Opera_installer_2311120912307047888.dll, PE32 53->107 dropped 109 Opera_installer_2311120912349968144.dll, PE32 55->109 dropped 143 45.61.160.199 ASN-QUADRANET-GLOBALUS United States 57->143 file16 process17 file18 131 Opera_installer_2311120912254284300.dll, PE32 60->131 dropped 133 C:\Users\user\AppData\Local\...\vxriDpF.exe, PE32 63->133 dropped 205 Modifies Windows Defender protection settings 63->205 207 Adds extensions / path to Windows Defender exclusion list 63->207 68 forfiles.exe 63->68         started        71 forfiles.exe 63->71         started        135 C:\Users\user\AppData\Local\...\qwturil.exe, PE32 66->135 dropped 73 forfiles.exe 66->73         started        signatures19 process20 signatures21 171 Modifies Windows Defender protection settings 68->171 173 Adds extensions / path to Windows Defender exclusion list 68->173 75 conhost.exe 68->75         started        77 cmd.exe 68->77         started        79 cmd.exe 71->79         started        81 conhost.exe 71->81         started        83 conhost.exe 73->83         started        process22 process23 85 reg.exe 79->85         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cc54075055057cc8c0de185f7fea71146bb0a8424d3dbd18ca1219c29ff706bd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc54075055057cc8c0de185f7fea71146bb0a8424d3dbd18ca1219c29ff706bd/
Threat name:
ByteCode-MSIL.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-11-12 09:06:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zrkaoucvav6mrqg6dbpx72trcrv3bkccju632ggkcim4fh7xa26q._file
Verdict:
malicious
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:privateloader discovery dropper evasion loader persistence rootkit spyware stealer themida trojan upx
Link:
https://tria.ge/reports/231112-k5la5see27/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Drops Chrome extension
Drops desktop.ini file(s)
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMonFS driver.
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
UPX packed file
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
Modifies Windows Firewall
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Glupteba
Glupteba payload
PrivateLoader
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
cc54075055057cc8c0de185f7fea71146bb0a8424d3dbd18ca1219c29ff706bd
MD5 hash:
2336ddbcfa5e610159ee26e52448824f
SHA1 hash:
cd309589f6866ce718461315aedcab94506dfe0a
Link:
https://www.unpac.me/results/aeb5d7f1-4fe1-4e5b-ae16-a3f536dfc573/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cc5407505505/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc54075055057cc8c0de185f7fea71146bb0a8424d3dbd18ca1219c29ff706bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PrivateLoader

Executable exe cc54075055057cc8c0de185f7fea71146bb0a8424d3dbd18ca1219c29ff706bd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2728931/
  
Delivery method
Distributed via web download

Comments