MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e41b931c344ee6753862b74f9e9fba1632646d6730f27e92a21a693cfb3f9ef9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PrivateLoader

Vendor detections: 14

SHA256 hash: e41b931c344ee6753862b74f9e9fba1632646d6730f27e92a21a693cfb3f9ef9
SHA3-384 hash: 6724fd5ac8b7b3bf5b3260b2bfe26c9e585df16238afaa30415d7e0341f3ef5485d098cbd8a6b7d8c161b19746814638
SHA1 hash: 68dcc2e8b215c21fc72b95469723df28aa0e8414
MD5 hash: 51efb943607029e784b16250cb30c04d
humanhash: network-avocado-king-foxtrot
File name: 51efb943607029e784b16250cb30c04d
Signature: PrivateLoader
File size: 391'168 bytes
First seen: 2023-04-08 15:27:22 UTC
Last seen: 2023-06-13 15:01:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8eaeaee9e4e4c899dd50ffac2cff753f (2 x PrivateLoader, 1 x Amadey)
ssdeep: 6144:y6Dc1/3iNyv1i/hS9ltiO22dM0vp04S0pA0Jd0R0ola+15Uieq0sAEIDxYsPUqnq:y9MyvSylF2xLlaoMYIDFpngMMFnn
Threatray: 49 similar samples on MalwareBazaar
TLSH: T13C845B34E600F027E4F314359C5ED3BAA428AB30675548EFB7D89EAA57B56C1E230B17
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: zbetcheckin
Tags: 32 exe PrivateLoader

Intelligence

File Origin
# of uploads: 139
# of downloads: 269
Origin country: FR

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 51efb943607029e784b16250cb30c04d
Verdict: Malicious activity
Analysis date: 2023-04-08 15:30:48 UTC
Tags: privateloader opendir evasion loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Creating a service
Launching a service
Sending an HTTP GET request
Creating a file
Creating synchronization primitives
Creating a process from a recently created file
Launching a process
Searching for analyzing tools
Creating a file in the Windows subdirectories
Modifying a system file
Replacing files
Reading critical registry keys
Sending a UDP request
Forced system process termination
Creating a process with a hidden window
Creating a window
Enabling autorun for a service
Blocking the Windows Defender launch
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: fingerprint greyware privateloader setupapi.dll shell32.dll windows zusy
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: Amadey, Fabookie, Glupteba, Nymaim, Priv
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files to the document folder of the user
Drops PE files with a suspicious file extension
Found C&C like URL pattern
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Fabookie
Yara detected Glupteba
Yara detected Nymaim
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID 843537; sample fXO5EFgrtQ.exe; start date 08/04/2023; architecture WINDOWS; score 100). The graph is an image on the original page; the node text that was extracted from it is reproduced below, grouped by process. Numbers in parentheses are the graph's own node IDs.

Root (2)
  Network: 45.12.253.98 (CMCSUS, Germany); www.facebook.com; 5 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 32 other signatures
  Starts: fXO5EFgrtQ.exe (11); PowerControl_Svc.exe (16); svchost.exe (18); 11 other processes (20)

fXO5EFgrtQ.exe (11)
  Network: 94.142.138.113:80 (IHOR-ASRU, Russian Federation); telegram.org 149.154.167.99:443 (TELEGRAMRU, United Kingdom); 2 other IPs or domains
  Dropped: C:\Users\...\1bKk2Cz3atMMUnJwr6483NNM.exe (MS-DOS); C:\Users\user\AppData\Local\...\WWW14[1].bmp (MS-DOS); C:\...\PowerControl_Svc.exe (PE32); C:\...\PowerControl_Svc.exe:Zone.Identifier (ASCII)
  Signatures: Drops PE files to the document folder of the user; May check the online IP address of the machine; Uses schtasks.exe or at.exe to add and modify task schedules
  Starts: 1bKk2Cz3atMMUnJwr6483NNM.exe (22); schtasks.exe (27)

PowerControl_Svc.exe (16)
  Dropped: C:\Users\...\gMGR68BJ4eeOD_nnoG7Wfa95.exe (MS-DOS); C:\Users\user\AppData\Local\...\WWW14[1].bmp (MS-DOS)
  Starts: gMGR68BJ4eeOD_nnoG7Wfa95.exe (29); schtasks.exe (31)

svchost.exe (18)
  Signatures: Changes security center settings (notifications, updates, antivirus, firewall)

11 other processes (20)
  Signatures: Query firmware table information (likely to detect VMs)
  Starts: WerFault.exe (33); WerFault.exe (35)

1bKk2Cz3atMMUnJwr6483NNM.exe (22)
  Network: 94.142.138.131 (IHOR-ASRU, Russian Federation); vk.com 87.240.129.133 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 14 other IPs or domains
  Dropped: C:\Users\...\sxScg3qFpX4gIpcx1nKdDQPB.exe (PE32); C:\Users\...\fYJQkSAsctbzKJHHc3HYndIx.exe (PE32); C:\Users\...\Z4qEXueVnQFcAO6POzuisON5.exe (PE32); 13 other malicious files
  Signatures: Multi AV Scanner detection for dropped file; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Query firmware table information (likely to detect VMs); 7 other signatures
  Starts: 81MLoG1a2dFuYRMSZxThdtGT.exe (37); ASqTm3hNXAinimeAF8dXKBU_.exe (40); Z4qEXueVnQFcAO6POzuisON5.exe (43); 7 other processes (49)

schtasks.exe (27)
  Starts: conhost.exe (45)

gMGR68BJ4eeOD_nnoG7Wfa95.exe (29)
  Network: 104.21.29.224 (CLOUDFLARENETUS, United States); ipinfo.io
  Dropped: C:\Users\...\ehzvkaftTdKpUZFdMAdxY3Rm.exe (PE32); C:\Users\...\ZVbZPCar6CeW3EXsh8mJ7BVC.exe (PE32+); C:\Users\...\ZASm7Sq89ecEimEeHGTBwQrM.exe (PE32); 12 other malicious files
  Signatures: May check the online IP address of the machine; Tries to detect sandboxes and other dynamic analysis tools (window names); Creates HTML files with .exe extension (expired dropper behavior)

schtasks.exe (31)
  Starts: conhost.exe (47)

81MLoG1a2dFuYRMSZxThdtGT.exe (37)
  Dropped: C:\Users\user\AppData\Local\...\is-TITCJ.tmp (PE32)
  Starts: is-TITCJ.tmp (52)

ASqTm3hNXAinimeAF8dXKBU_.exe (40)
  Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)
  Injects into: explorer.exe (55)

Z4qEXueVnQFcAO6POzuisON5.exe (43)
  Dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32)
  Starts: Install.exe (59)

7 other processes (49)
  Network: 188.119.113.104 (SERVERIUS-ASNL, Russian Federation); 45.81.243.48 (LVLT-10753US, Germany); 10 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\...\oneetx.exe (PE32)
  Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Disables Windows Defender (deletes autostart); Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures
  Starts: cmd.exe (61); ipconfig.exe (63); conhost.exe (65); 2 other processes (67)

is-TITCJ.tmp (52)
  Dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); 7 other files (5 malicious)
  Starts: FRec48.exe (69)

explorer.exe (55, injected)
  Network: 187.212.236.255 (UninetSAdeCVMX, Mexico); 175.126.109.15 (SKB-ASSKBroadbandCoLtdKR, Korea Republic of); 3 other IPs or domains
  Dropped: C:\Users\user\AppData\Roaming\vehvjbs (PE32); C:\Users\user\AppData\Local\Temp\524F.exe (PE32)
  Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
  Starts: rundll32.exe (73)

Install.exe (59)
  Dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32)
  Signatures: Multi AV Scanner detection for dropped file
  Starts: Install.exe (75)

cmd.exe (61)
  Signatures: Drops PE files with a suspicious file extension
  Starts: cmd.exe (78); conhost.exe (80)

ipconfig.exe (63)
  Starts: conhost.exe (82)

FRec48.exe (69)
  Network: 45.12.253.56, 45.12.253.72, 45.12.253.75 (CMCSUS, Germany)
  Dropped: C:\Users\user\AppData\...\ipmG21Gdb95s.exe (PE32)
  Starts: ipmG21Gdb95s.exe (84)

Install.exe (75)
  Dropped: C:\Users\user\AppData\Local\...\XaQEPSv.exe (PE32)
  Signatures: Multi AV Scanner detection for dropped file

cmd.exe (78)
  Dropped: C:\Users\user\AppData\Local\...\Co.exe.pif (PE32)
  Starts: powershell.exe (87)

ipmG21Gdb95s.exe (84)
  Signatures: Multi AV Scanner detection for dropped file
Threat name: Win32.Trojan.Zusy
Status: Malicious
First seen: 2023-04-03 13:30:20 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 22 of 37 (59.46%)
Threat level: 5/5
Result
Malware family: privateloader
Score: 10/10
Tags: family:privateloader
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Looks up external IP address via web service
Malware Config
C2 Extraction:
  94.142.138.113
  94.142.138.131
  208.67.104.60
Unpacked files
SHA256 hash: e41b931c344ee6753862b74f9e9fba1632646d6730f27e92a21a693cfb3f9ef9
MD5 hash: 51efb943607029e784b16250cb30c04d
SHA1 hash: 68dcc2e8b215c21fc72b95469723df28aa0e8414
Detections: PrivateLoader win_privateloader_w0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: HeavensGate
Author: kevoreilly
Description: Heaven's Gate: Switch from 32-bit to 64-mode

Rule name: INDICATOR_EXE_Packed_MPress
Author: ditekSHen
Description: Detects executables built or packed with MPress PE compressor

Rule name: MALWARE_Win_DLInjector06
Author: ditekSHen
Description: Detects downloader / injector

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: privateloader
Author: andretavare5
Description: PrivateLoader pay-per-install malware

Rule name: TeslaCryptPackedMalware

Rule name: Windows_Trojan_PrivateLoader_96ac2734
Author: Elastic Security

Rule name: win_privateloader
Author: andretavare5
Reference: https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service

Rule name: win_privateloader_w0
Author: andretavare5
Reference: https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Web download
  PrivateLoader - Executable exe e41b931c344ee6753862b74f9e9fba1632646d6730f27e92a21a693cfb3f9ef9 (this sample)

Delivery method: Distributed via web download

Comments

zbet commented on 2023-04-08 15:27:32 UTC

url : hxxp://163.123.143.4/download/Service_.vmp