MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3ecfadcc199765a2ad369615ec17b5b95cb0f5a29cc45eb2e8d2e9d575807d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PrivateLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3ecfadcc199765a2ad369615ec17b5b95cb0f5a29cc45eb2e8d2e9d575807d1
SHA3-384 hash: e9d412016842aa49189a5eecea840a2d4634283809f896c9a546438bb2018a8570f2e07a1651acd593f1762ae502750b
SHA1 hash: cdc9c56159c24492c4f5f8f968e9b5ab16171bda
MD5 hash: 434e131214711a082fb458ddf1d18c2a
humanhash: high-foxtrot-equal-sixteen
File name:file
Download: download sample
Signature PrivateLoader
Create hunting rule
File size:6'283'792 bytes
First seen:2023-03-07 13:59:23 UTC
Last seen:2023-03-07 15:50:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5f15e282c9ab32f785ec67df78e330eb (7 x PrivateLoader)
ssdeep 98304:2wb0bWHT4Ld9bHpNSFwjfEgNCdkkBQEiCgXyh6246:Lo8q5vsw1N0BTjj
Threatray 149 similar samples on MalwareBazaar
TLSH T196569DAD6B0B5AAFD1D2357499C35522E314639A42047D2F99ECFC34FAF38491EC4B88
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4505/5/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon f6f6f2f2cce6e4e4 (1 x PrivateLoader)
Reporter andretavare5
Tags:exe PrivateLoader


Avatar
andretavare5
Sample downloaded from https://vk.com/doc139074685_657276600?hash=v21s4i46aYNUlbv6GLkKE1jbhc7k3evOQc2hgSOnSus&dl=GEZTSMBXGQ3DQNI:1678127806:FLRPAb2dENf3rdrNNoG2osLaRqieUo99AWiZTkcJZF8&api=1&no_preview=1#kis_crypto

Intelligence

File Origin
# of uploads :
2
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-03-07 14:02:00 UTC
Tags:
evasion risepro
Link:
https://app.any.run/tasks/e9b24b68-600a-4e4d-8968-58dd59a1db8a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/372294/
Detection(s):
SecuriteInfo.com.Win32.AdwareX-gen.18241.10950.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating a file in the %temp% subdirectories
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/64074364f0e60f7e2db8c53c/reports/d882de03-f4f6-4130-9f6d-a2b98f23f627/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/e3ecfadcc199765a2ad369615ec17b5b95cb0f5a29cc45eb2e8d2e9d575807d1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2ae53986-2486-4494-84ad-ee74e4490a84
Result
Threat name:
PrivateLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1188622
Signature
Found potential ransomware demand text
Hides threads from debuggers
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected PrivateLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e3ecfadcc199765a2ad369615ec17b5b95cb0f5a29cc45eb2e8d2e9d575807d1/
Threat name:
Win32.Spyware.Mufila
Create hunting rule
Status:
Malicious
First seen:
2023-03-07 14:19:01 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
14 of 25 (56.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4pwpvxgbtf3fukwtnfqv5ql3lok4wd22fhgel2zoruxj2v2ya7iq._file
Verdict:
unknown
Similar samples:
0c9fb8f1b3f23df7b5773ef9b4d79faf80fcc3f4a0e2a7b6d36d304e1801cdc3
PrivateLoader
0dd1d1a74f49a15f9b7dcfc7890060807198b74b835cb17f60886a0f2c9c1376
PrivateLoader
28ca1fe12d85075d947b1bc3292c14cba784ed1e22287e56819d9a1d86b2f7e4
PrivateLoader
2ee350a3c3c03283a1458ff5e3e142d91b46a8fecd846ec8df0d1edca7c1e4cf
PrivateLoader
3e924b372c019c41e9995a276ce5c1b1487d14ceb9fbc8d606a09a83df5989b8
PrivateLoader
420148025ec21333fa89a72ee35309621aa1e7248d08d51e4384d267aef1518c
PrivateLoader
4ba96ecdcdfa746de28a0ee3ef474842e829917c9486ace35ec4cc2fa1ad956f
PrivateLoader
927a4dddb1e5ffe4ba3a9a8ba4183c092eb350fb07ea79fecd84042c812f6dbc
PrivateLoader
f5c245bd4d7eb95f9a2afde8960ef9c9640ad426a8e438b52caca1541b928954
PrivateLoader
ff3949d2a8e0d6b08d2b8b643cdfc6a26f44352da217b4a537e9c16d96ed7198
PrivateLoader
+ 139 additional samples on MalwareBazaar
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader evasion loader themida trojan
Link:
https://tria.ge/reports/230307-raznlshf8t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
PrivateLoader
Unpacked files
SH256 hash:
e3ecfadcc199765a2ad369615ec17b5b95cb0f5a29cc45eb2e8d2e9d575807d1
MD5 hash:
434e131214711a082fb458ddf1d18c2a
SHA1 hash:
cdc9c56159c24492c4f5f8f968e9b5ab16171bda
Link:
https://www.unpac.me/results/ad5a15cf-c798-407b-b00f-b51f75360cec/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e3ecfadcc199/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/e3ecfadcc199765a2ad369615ec17b5b95cb0f5a29cc45eb2e8d2e9d575807d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/372294/

Comments