MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e614bd80dce4697792d9c6eef6c07a2d3f5cd912b48cca27869e809305845714. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PrivateLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e614bd80dce4697792d9c6eef6c07a2d3f5cd912b48cca27869e809305845714
SHA3-384 hash: aa22f1473f576edbaaae532c6bcfdb6f644df375ee7876d80d5a09e151a46527beb43ba05db0a31a96eaba75ec0a1da9
SHA1 hash: af3218c73dac3eb2127f06839bb0a4eb77e5f049
MD5 hash: e96d05f3379cca7a6877bd9e56efdf5c
humanhash: utah-alanine-louisiana-sixteen
File name:file
Download: download sample
Signature PrivateLoader
Create hunting rule
File size:2'994'704 bytes
First seen:2023-06-30 23:04:00 UTC
Last seen:2023-07-05 18:35:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a2d46086c374c42d1560f4bbef810708 (2 x PrivateLoader, 1 x RaccoonStealer)
ssdeep 49152:bZaX1sSgBVsFGeL6felXWxduJYnRnA1FDc0oJ/y3hjfgMPVYR+4OhCa/64wtfb:9G1QVAL6zxduJY6Xo0oJepfzNYQzoV4W
Threatray 267 similar samples on MalwareBazaar
TLSH T100D533BA37805B45D2B511394A61C63406086DC42AE487E773B35FAE6833BAEFB0D753
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4505/5/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon ece4a4b8eaaee888 (1 x RedLineStealer, 1 x PrivateLoader)
Reporter andretavare5
Tags:exe PrivateLoader


Avatar
andretavare5
Sample downloaded from https://vk.com/doc808950829_663544630?hash=PR0I5wHiNHxSim3Xza2Xpw6vFrdZ1rtUlSo7qAYxE4g&dl=zKhFUpyPC7HBEnU2OsXKG2uCPFyjT5tGDb6EiQM6re4&api=1&no_preview=1#rise_bet365

Intelligence

File Origin
# of uploads :
81
# of downloads :
287
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/404512/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.31807.1124.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypto lolbin packed packed setupapi shell32
Link:
https://www.filescan.io/uploads/649f5f632299d2688263ad02/reports/5576ab02-0021-4ccd-aef0-b2f349bad92d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e614bd80dce4697792d9c6eef6c07a2d3f5cd912b48cca27869e809305845714
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e7e5d442-3ffb-496f-8e57-f4df68bf2e14
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1264348
Signature
Hides threads from debuggers
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e614bd80dce4697792d9c6eef6c07a2d3f5cd912b48cca27869e809305845714/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ykl3ag44ruxpewzy3xpnqd2fu7vzwiswsgmuj4gt2ajgbmek4ka._file
Verdict:
unknown
Similar samples:
134ee19e860f2c229787a6e2b954c79bde7831e4865f27c00ca9c84fcb0e2c1f
PrivateLoader
146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4
PrivateLoader
48f3ce042f7d2404e0921a249e454bccb1a2ce231adc1780aa7c3b2130af2088
PrivateLoader
6d6a5f70a5f8d597d4074ac0c2d84dd9ed5f41aa39305f4260b831a03bec4569
PrivateLoader
7ccda59528c0151bc9f11b7f25f8291d99bcf541488c009ef14e2a104e6f0c5d
PrivateLoader
99a8e03d303efb09fa70f48f23cfd65ce56049d6b2e9755d415f0ae14d17530e
PrivateLoader
c17002f0e688dd34ca4bde9cc512df3ee4d5b1a069b20f908ba653ff02853be4
PrivateLoader
da7f9295ea96e5490723111c7aeb2263f724a550e4780b91af918b63d8c9ffbf
PrivateLoader
e1c77078463da33af7cfe8ddd17942773df369903b5b92cd92c090fc5749e17d
PrivateLoader
+ 257 additional samples on MalwareBazaar
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader discovery evasion loader spyware stealer themida trojan
Link:
https://tria.ge/reports/230630-218z3sfa28/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
PrivateLoader
Unpacked files
SH256 hash:
13b2a76275e0eb828b1ff8d6ad841de9a0c42416c3b5141a5a66e0e415f2a805
MD5 hash:
9685435988a02a6fc398915cf76d558e
SHA1 hash:
f1cdc8044d288e085dbd8cf863cfa89447fc95fd
Detections:
RiseProXorStr
Create hunting rule
win_privateloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/2c01ec5b-f337-4528-8fa5-e4c208f68d12/
SH256 hash:
e614bd80dce4697792d9c6eef6c07a2d3f5cd912b48cca27869e809305845714
MD5 hash:
e96d05f3379cca7a6877bd9e56efdf5c
SHA1 hash:
af3218c73dac3eb2127f06839bb0a4eb77e5f049
Link:
https://www.unpac.me/results/2c01ec5b-f337-4528-8fa5-e4c208f68d12/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e614bd80dce4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e614bd80dce4697792d9c6eef6c07a2d3f5cd912b48cca27869e809305845714

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:privateloader
Create hunting rule
Author:andretavare5
Description:PrivateLoader pay-per-install malware
Rule name:win_privateloader
Create hunting rule
Author:andretavare5
Reference:https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service
Rule name:win_privateloader_w0
Create hunting rule
Author:andretavare5
Reference:https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/404512/

Comments