MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d74686c87f0777d1e8c4fcc18b40fe3ce97d6e531e23b6665037e5599b72aa32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PrivateLoader


Vendor detections: 13


Intelligence 13 IOCs YARA 11 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d74686c87f0777d1e8c4fcc18b40fe3ce97d6e531e23b6665037e5599b72aa32
SHA3-384 hash: e90e1c87fefb9c55667a064cfa5e3a74ff07d5f3587c4ca188516924aea2408bc2e75c0114d99d2f6cead3002b4fb827
SHA1 hash: b59a2989c0f48597f691d3ead8f549f2327c6d0a
MD5 hash: a7ee1f4bf11bdfab2327d098c6583af1
humanhash: alabama-blue-fillet-oxygen
File name:a7ee1f4bf11bdfab2327d098c6583af1
Download: download sample
Signature PrivateLoader
Create hunting rule
File size:6'781'952 bytes
First seen:2023-09-29 12:36:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 504d78790e3f8461b1aa5a2fc85391cb (1 x PrivateLoader)
ssdeep 196608:XdatXBkprOtdefgVeIXcIv/W5yYtjR1kJA3iaAim:NaVB2rOtTVew5/W5n1LkJA3i3
TLSH T12A6612BD7748330DC05DC4355833BD87F1B3552F5AE8A46AB2D7BA8067AA721DA02F42
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon e4b8b88c8ca4c4a4 (1 x PrivateLoader)
Reporter zbetcheckin
Tags:64 exe PrivateLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
337
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://171.22.28.226/download/Services.exe
Verdict:
Malicious activity
Analysis date:
2023-09-29 10:35:43 UTC
Tags:
opendir loader privateloader evasion
Link:
https://app.any.run/tasks/037fb776-9dc7-4707-a66e-21688b13b3fb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/451982/
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.18079.26059.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Searching for analyzing tools
Searching for the window
Modifying a system file
Сreating synchronization primitives
DNS request
Replacing files
Launching a service
Sending an HTTP GET request
Launching a process
Reading critical registry keys
Sending a UDP request
Creating a file
Forced system process termination
Blocking the Windows Defender launch
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control greyware lolbin packed packed shell32 themidawinlicense vmprotect
Link:
https://www.filescan.io/uploads/6516c4f333582f234e06efa9/reports/5915dd4e-10e0-4264-9bbe-85665ac52b89/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/d74686c87f0777d1e8c4fcc18b40fe3ce97d6e531e23b6665037e5599b72aa32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9f68a0ab-14d6-4be0-a1d4-749ac5613c27
Result
Threat name:
Glupteba, Lu0Bot, PrivateLoader, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1316561
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Disables Windows Defender (deletes autostart)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Lu0Bot
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1316561 Sample: BUz0FElFiK.exe Startdate: 29/09/2023 Architecture: WINDOWS Score: 100 152 Found malware configuration 2->152 154 Malicious sample detected (through community Yara rule) 2->154 156 Antivirus detection for URL or domain 2->156 158 24 other signatures 2->158 11 BUz0FElFiK.exe 11 36 2->11         started        16 svchost.exe 2->16         started        18 svchost.exe 2->18         started        20 6 other processes 2->20 process3 dnsIp4 132 87.240.132.67 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 11->132 134 95.142.206.0 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 11->134 136 12 other IPs or domains 11->136 112 C:\Users\...\wXhfZooYZn6Zb_loRoxmpZGN.exe, PE32 11->112 dropped 114 C:\Users\...\_OzhxsaM6GaKGAdexcYmui60.exe, PE32 11->114 dropped 116 C:\Users\...\Sd6iZnkujfMcoDeBcUV3RYfu.exe, PE32+ 11->116 dropped 118 9 other malicious files 11->118 dropped 224 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->224 226 Query firmware table information (likely to detect VMs) 11->226 228 Tries to detect sandboxes and other dynamic analysis tools (window names) 11->228 230 8 other signatures 11->230 22 Sd6iZnkujfMcoDeBcUV3RYfu.exe 10 23 11->22         started        27 OF9k7Z95JRIdVvR0m3QYxC8M.exe 11->27         started        29 wXhfZooYZn6Zb_loRoxmpZGN.exe 1 11->29         started        33 4 other processes 11->33 31 WerFault.exe 16->31         started        file5 signatures6 process7 dnsIp8 120 87.240.137.140 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 22->120 122 87.240.137.164 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 22->122 130 5 other IPs or domains 22->130 102 C:\Users\...\uzk1O2R4Wfp3goHuknpcbiUH.exe, PE32 22->102 dropped 104 C:\Users\...\dnqDjUIH3xpdyNJumX9vG9XN.exe, PE32 22->104 dropped 106 C:\Users\...\XZqM1S7iKvs6GU8zAAueNrpD.exe, PE32 22->106 dropped 110 4 other malicious files 22->110 dropped 182 Disables Windows Defender (deletes autostart) 22->182 184 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 22->184 186 Disable Windows Defender real time protection (registry) 22->186 35 PhiSFiNv9c28rqiYhM698nXK.exe 22->35         started        38 XZqM1S7iKvs6GU8zAAueNrpD.exe 22->38         started        41 uzk1O2R4Wfp3goHuknpcbiUH.exe 22->41         started        43 dnqDjUIH3xpdyNJumX9vG9XN.exe 22->43         started        188 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 27->188 190 Maps a DLL or memory area into another process 27->190 192 Checks if the current machine is a virtual machine (disk enumeration) 27->192 194 Creates a thread in another existing process (thread injection) 27->194 45 explorer.exe 27->45 injected 196 Writes to foreign memory regions 29->196 198 Allocates memory in foreign processes 29->198 200 Injects a PE file into a foreign processes 29->200 48 vbc.exe 29->48         started        50 conhost.exe 29->50         started        124 185.225.74.51 MAYAKBG Germany 33->124 126 185.225.73.32 MAYAKBG Germany 33->126 128 162.159.130.233 CLOUDFLARENETUS United States 33->128 108 C:\Users\user\AppData\Local\Temp\...\RH~wT4.w, PE32 33->108 dropped 202 Found many strings related to Crypto-Wallets (likely being stolen) 33->202 204 Found Tor onion address 33->204 206 Tries to steal Crypto Currency Wallets 33->206 52 cmd.exe 33->52         started        54 2 other processes 33->54 file9 signatures10 process11 dnsIp12 90 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 35->90 dropped 92 C:\Users\user\AppData\Local\Temp\opee37.exe, PE32+ 35->92 dropped 94 C:\Users\user\AppData\Local\Temp\kos1.exe, PE32 35->94 dropped 100 2 other malicious files 35->100 dropped 56 e0cbefcb1af40c7d4aff4aca26621a98.exe 35->56         started        160 Writes to foreign memory regions 38->160 162 Allocates memory in foreign processes 38->162 164 Injects a PE file into a foreign processes 38->164 59 AppLaunch.exe 38->59         started        62 conhost.exe 38->62         started        166 Adds a directory exclusion to Windows Defender 41->166 168 Disables UAC (registry) 41->168 64 powershell.exe 41->64         started        96 C:\Users\user\AppData\Local\...\geimkjg.dat, PE32+ 43->96 dropped 66 cmd.exe 43->66         started        140 189.159.189.79 UninetSAdeCVMX Mexico 45->140 142 175.119.10.231 SKB-ASSKBroadbandCoLtdKR Korea Republic of 45->142 144 211.181.24.133 LGDACOMLGDACOMCorporationKR Korea Republic of 45->144 98 C:\Users\user\AppData\Roaming\icjerdf, PE32 45->98 dropped 170 System process connects to network (likely due to code injection or exploit) 45->170 172 Benign windows process drops PE files 45->172 174 Hides that the sample has been downloaded from the Internet (zone.identifier) 45->174 146 176.123.4.46 ALEXHOSTMD Moldova Republic of 48->146 176 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 48->176 178 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 48->178 180 Tries to steal Crypto Currency Wallets 48->180 69 control.exe 52->69         started        71 conhost.exe 52->71         started        73 conhost.exe 54->73         started        file13 signatures14 process15 dnsIp16 208 Antivirus detection for dropped file 56->208 210 Multi AV Scanner detection for dropped file 56->210 212 Detected unpacking (changes PE section rights) 56->212 222 2 other signatures 56->222 138 5.42.65.101 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 59->138 214 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 59->214 216 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 59->216 218 Tries to harvest and steal browser information (history, passwords, etc) 59->218 220 Tries to steal Crypto Currency Wallets 59->220 75 conhost.exe 64->75         started        88 C:\Users\user\AppData\...\fqfeooosxq.exe, PE32 66->88 dropped 77 conhost.exe 66->77         started        79 fqfeooosxq.exe 66->79         started        81 rundll32.exe 69->81         started        file17 signatures18 process19 signatures20 148 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 81->148 150 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 81->150 84 rundll32.exe 81->84         started        process21 process22 86 rundll32.exe 84->86         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d74686c87f0777d1e8c4fcc18b40fe3ce97d6e531e23b6665037e5599b72aa32/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-09-29 12:37:09 UTC
File Type:
PE+ (Exe)
Extracted files:
10
AV detection:
10 of 38 (26.32%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=25dinsd7a535d2ge7taywqh6htux23stdyr3mzsqg7svtg3sviza._file
Verdict:
malicious
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader evasion loader spyware stealer themida trojan
Link:
https://tria.ge/reports/230929-ptf99saf4t/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Reads user/profile data of web browsers
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
PrivateLoader
Unpacked files
SH256 hash:
d74686c87f0777d1e8c4fcc18b40fe3ce97d6e531e23b6665037e5599b72aa32
MD5 hash:
a7ee1f4bf11bdfab2327d098c6583af1
SHA1 hash:
b59a2989c0f48597f691d3ead8f549f2327c6d0a
Link:
https://www.unpac.me/results/062cf4c1-0fab-4f78-98d3-241d76b99e26/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d74686c87f07/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d74686c87f0777d1e8c4fcc18b40fe3ce97d6e531e23b6665037e5599b72aa32

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:privateloader
Create hunting rule
Author:andretavare5
Description:PrivateLoader pay-per-install malware
Rule name:Privateloader_Main_Component
Create hunting rule
Description:Detects PrivateLoader Main Component
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:win_privateloader
Create hunting rule
Author:andretavare5
Reference:https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service
Rule name:win_privateloader_w0
Create hunting rule
Author:andretavare5
Reference:https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PrivateLoader

Executable exe d74686c87f0777d1e8c4fcc18b40fe3ce97d6e531e23b6665037e5599b72aa32

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2715050/
Cape
Cape
https://www.capesandbox.com/analysis/451982/

Comments


Avatar
zbet commented on 2023-09-29 12:36:50 UTC

url : hxxp://171.22.28.226/download/WWW14_64.exe