MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d08d686c6b88aae873e265d9f7578ea915432f6fbde88f287a866818f2449aec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: PrivateLoader
Vendor detections: 14



SHA256 hash: d08d686c6b88aae873e265d9f7578ea915432f6fbde88f287a866818f2449aec
SHA3-384 hash: f513d2a63f91fe7792ab0f7b34dc3c1c4c9b782ed84fc1c32feae363193d8aa56a7185b5eb3ae66baf7beaf5bb1c4951
SHA1 hash: ea3aafced1beeb897bdd7b0bfa838e7c54923eaa
MD5 hash: 2846ca0568818dea5e64420f9864a15a
humanhash: wisconsin-oxygen-two-four
File name: file
Signature: PrivateLoader
File size: 6'236'920 bytes
First seen: 2024-04-30 18:28:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9ffd3cb6f8f065a3d64ee1514e732cbe (3 x PrivateLoader, 1 x LummaStealer)
ssdeep: 49152:onPKuySikreDzoEQcwpgF5aQBhD5KkGW1lCpWHZkay++5Sru4SakCZ3Kbq5idnT7:onfyA8UEblj79gmCMHZ7DZH5idX
TLSH: T1895618F67C61B9C9C212C07686E3652D4746A131D5F07E1F4691B1F8AB3B2282FEE6C1
TrID: 50.0% (.EXE) Generic Win/DOS Executable (2002/3)
      49.9% (.EXE) DOS Executable Generic (2000/1)
dhash icon: bcac88a4b48ec4d4 (1 x PrivateLoader)
Reporter: Bitsight
Tags: exe PrivateLoader signed

Code Signing Certificate

Organisation: AVG Technologies USA LLC
Issuer: AVG Technologies USA LLC
Algorithm: sha1WithRSAEncryption
Valid from: 2024-01-03T10:48:44Z
Valid to: 2034-01-04T10:48:44Z
Serial number: 123b429c3afd48a34558ff520d424fc4
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 397b03015dbcae0290503fd5d4a0a2de50b9ef54118fc7ed8f754bcf0979574a
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Bitsight
url: https://vk.com/doc5294803_669134487?hash=q19d2doQNq3XLF3BrQiFMkVG6VA4GxcVVsj7yIZ7Uhg&dl=1tFTcUz7Siqezjht2inMqkTNi7uazWrGEq4JAFFLIkH&api=1&no_preview=1#off

Intelligence


File Origin
# of uploads: 1
# of downloads: 378
Origin country: US
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: d08d686c6b88aae873e265d9f7578ea915432f6fbde88f287a866818f2449aec.exe
Verdict: Malicious activity
Analysis date: 2024-04-30 18:29:44 UTC
Tags: evasion

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating synchronization primitives
Modifying a system file
Connection attempt
Sending an HTTP GET request
DNS request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Replacing files
Launching a service
Reading critical registry keys
Launching a process
Sending a UDP request
Forced system process termination
Blocking the Windows Defender launch
Adding exclusions to Windows Defender

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 91%
Tags: lolbin overlay packed shell32
Result
Threat name: LummaC, GCleaner, Glupteba, LummaC Steal
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Exclude list of file types from scheduled, custom, and real-time scanning
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Found Tor onion address
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
LummaC encrypted strings found
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens network shares
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to download and execute files (via powershell)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected GCleaner
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected Mars stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph (reconstructed from the flattened graph export):
  Behavior Graph ID: 1434283
  Sample: file.exe
  Startdate: 30/04/2024
  Architecture: WINDOWS
  Score: 100
  Root signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 18 other signatures
  Processes started at root: file.exe, WinTrackerSP.exe, svchost.exe, 3 other processes

  file.exe
    Network: 87.240.129.133 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 95.142.206.0 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 22 other IPs or domains
    Dropped: C:\Users\...\oVDijaSg43uhdsVFv6YSiRRb.exe (PE32); C:\Users\...\nDqH9YCkRTWfdia7q4yWroCs.exe (PE32); C:\Users\...\jyvJiQ5G7FQWGOiZZtnZarsG.exe (PE32); 31 other malicious files
    Signatures: Query firmware table information (likely to detect VMs); Drops PE files to the document folder of the user; Creates HTML files with .exe extension (expired dropper behavior); 8 other signatures
    Started: Lxw7uf_bmAos3kuSR2kfSqFW.exe, IOjjrEgGTt3zhAMwmB54wMWH.exe, 3F1X4UE0cq9uqeL1QtwwpozI.exe, 16 other processes

  WinTrackerSP.exe
    Signatures: Multi AV Scanner detection for dropped file; Overwrites code with unconditional jumps - possibly settings hooks in foreign process

  svchost.exe
    Started: WerFault.exe, WerFault.exe

  Lxw7uf_bmAos3kuSR2kfSqFW.exe (started by file.exe)
    Dropped: C:\Users\...\Lxw7uf_bmAos3kuSR2kfSqFW.tmp (PE32)
    Started: Lxw7uf_bmAos3kuSR2kfSqFW.tmp

  IOjjrEgGTt3zhAMwmB54wMWH.exe (started by file.exe)
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    Started: RegAsm.exe

  3F1X4UE0cq9uqeL1QtwwpozI.exe (started by file.exe)
    Network: 185.172.128.151 (NADYMSS-ASRU, Russian Federation)
    Dropped: C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); C:\Users\user\AppData\...\mozglue[1].dll (PE32); 9 other files (5 malicious)
    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to steal Mail credentials (via file / registry access); 4 other signatures

  16 other processes (started by file.exe)
    Network: 185.172.128.90 (NADYMSS-ASRU, Russian Federation); 147.45.47.93 (FREE-NET-ASFREEnetEU, Russian Federation); 3 other IPs or domains
    Dropped: C:\Users\user\AppData\Local\...\INetC.dll (PE32); C:\Users\user\...\7BTejy19ViiMf8TCyUUs.exe (PE32); C:\Users\user\...\w53PPy3vv74tECuYyLbA.exe (PE32); 14 other malicious files
    Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); 12 other signatures
    Started: RegAsm.exe, cmd.exe, RegAsm.exe, 7 other processes

  Lxw7uf_bmAos3kuSR2kfSqFW.tmp
    Dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); C:\Users\user\AppData\Local\...\_RegDLL.tmp (PE32); 34 other files (23 malicious)

  RegAsm.exe (started by IOjjrEgGTt3zhAMwmB54wMWH.exe)
    Network: 95.217.242.142 (HETZNER-ASDE, Germany); 23.210.138.105 (AKAMAI-ASUS, United States)
    Dropped: C:\Users\user\AppData\Local\...\sqlx[1].dll (PE32); C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); 10 other files (6 malicious)
    Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 3 other signatures

  RegAsm.exe (first instance started by the 16 other processes)
    Network: 5.42.65.96 (RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation)
    Signatures: Installs new ROOT certificates; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets

  cmd.exe (started by the 16 other processes)
    Signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
    Started: powershell.exe, conhost.exe

  RegAsm.exe (second instance started by the 16 other processes)
    Network: 104.21.51.78 (CLOUDFLARENETUS, United States)
    Signatures: Query firmware table information (likely to detect VMs)

  7 other processes (started by the 16 other processes)
    Dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32)
    Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    Started: conhost.exe, conhost.exe, conhost.exe

  powershell.exe (started by cmd.exe)
    Network: 108.156.105.24 (AMAZON-02US, United States)
    Signatures: Installs new ROOT certificates
Threat name: Win64.Trojan.Privateloader
Status: Suspicious
First seen: 2024-04-30 11:25:41 UTC
File Type: PE+ (Exe)
Extracted files: 54
AV detection: 17 of 38 (44.74%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: privateloader
Score: 10/10
Tags: family:privateloader evasion loader themida trojan
Behaviour
Modifies system certificate store
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies firewall policy service
PrivateLoader
Unpacked files
SHA256 hash: 454485afce1a9aa105ddd94072c63fc433c7aa378b3ebf94bf3c6e1a56fcfb54
MD5 hash: 542538c7cb8986fa2867045e2255976a
SHA1 hash: c3496e0a1faac9bb970308cf26f278c41a7d8ab3
SHA256 hash: d08d686c6b88aae873e265d9f7578ea915432f6fbde88f287a866818f2449aec
MD5 hash: 2846ca0568818dea5e64420f9864a15a
SHA1 hash: ea3aafced1beeb897bdd7b0bfa838e7c54923eaa
Detections: INDICATOR_EXE_Packed_Themida
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: HeavensGate
Author: kevoreilly
Description: Heaven's Gate: Switch from 32-bit to 64-mode
Rule name: INDICATOR_EXE_Packed_Themida
Author: ditekSHen
Description: Detects executables packed with Themida
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: TeslaCryptPackedMalware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

  PrivateLoader
  Executable exe d08d686c6b88aae873e265d9f7578ea915432f6fbde88f287a866818f2449aec (this sample)
  Dropped by: Privateloader
  Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

  ID                         Title                                                       Severity
  CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (NX_COMPAT)            high
  CHECK_NX                   Missing Non-Executable Memory Protection                    critical
  CHECK_PIE                  Missing Position-Independent Executable (PIE) Protection    high
  CHECK_TRUST_INFO           Requires Elevated Execution (level:requireAdministrator)    high

Reviews

  ID         Capabilities               Evidence
  SHELL_API  Manipulates System Shell   SHELL32.dll::ShellExecuteA

Comments