MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcd465bfb29ad1ee9c3344c27035fe6721f7c634ae714db808454b2d14e6ecd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PrivateLoader


Vendor detections: 12



SHA256 hash: fcd465bfb29ad1ee9c3344c27035fe6721f7c634ae714db808454b2d14e6ecd3
SHA3-384 hash: 2db5e9466c6bcb0c0ff59314fbc16561faadbd8ba890effed427860eb8f20ff36e5b6750dfae36a30db7c18bf8fd2731
SHA1 hash: d31dff9e56df945247cbb0598bf0c1d27aedcccf
MD5 hash: cb4118382e3f97f0db04938a4e31e3e1
humanhash: uncle-william-autumn-undress
File name: cb4118382e3f97f0db04938a4e31e3e1
Signature PrivateLoader
File size: 4'334'016 bytes
First seen: 2024-04-20 03:46:05 UTC
Last seen: 2024-04-20 04:20:37 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 023aae353653db016d3a89da454d1d86 (3 x PrivateLoader)
ssdeep 98304:Ie7PCLZ0+LSlhnzXRhtvbp6DdM0NwIwUd3iXGNZ:IeDCsVzX3xoDhNbfd3iKZ
Threatray 7 similar samples on MalwareBazaar
TLSH T19216235776A3DDF9C016C3F8E086A66D3260BF417C1D8D13368A461C1E72AC62EBA35D
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon 626060e8e0cac2c1 (1 x PrivateLoader)
Reporter zbetcheckin
Tags: 64 exe Glupteba LummaStealer PrivateLoader PureLogStealer RedLineStealer RiseProStealer signed SmokeLoader Stealc vidar

Code Signing Certificate

Algorithm: sha1WithRSAEncryption
Valid from: 2024-04-13T09:26:20Z
Valid to: 2034-04-14T09:26:20Z
Serial number: 3a02069d084a9bae4554635c0db95a8d
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 7518998411e11feba2b334a8272475f043647d34ba731c223e012bd81917bdd0
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 350
Origin country: FR

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: fcd465bfb29ad1ee9c3344c27035fe6721f7c634ae714db808454b2d14e6ecd3.exe
Verdict: Malicious activity
Analysis date: 2024-04-20 03:47:24 UTC
Tags: evasion privateloader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Searching for analyzing tools
Searching for the window
Creating synchronization primitives
Modifying a system file
Connection attempt
Sending an HTTP GET request
DNS request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Replacing files
Launching a service
Launching a process
Reading critical registry keys
Sending a UDP request
Forced system process termination
Moving a file to the Program Files subdirectory
Blocking the Windows Defender launch
Adding exclusions to Windows Defender
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: lolbin overlay packed packed shell32 themidawinlicense
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: LummaC, Glupteba, Mars Stealer, PureLog
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for dropped file
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Exclude list of file types from scheduled, custom, and real-time scanning
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Found stalling execution ending in API Sleep call
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
LummaC encrypted strings found
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies power options to not sleep / hibernate
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Disable power options
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Glupteba
Yara detected Mars stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph: rendered graph (ID 1429030; sample qk9TaBBxh8.exe; start date 20/04/2024; architecture WINDOWS; score 100)
Threat name: Win64.Trojan.Znyonm
Status: Malicious
First seen: 2024-04-19 18:34:19 UTC
File Type: PE+ (Exe)
Extracted files: 15
AV detection: 15 of 23 (65.22%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: evasion themida trojan
Behaviour
Modifies system certificate store
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies firewall policy service
Unpacked files
SHA256 hash: fcd465bfb29ad1ee9c3344c27035fe6721f7c634ae714db808454b2d14e6ecd3
MD5 hash: cb4118382e3f97f0db04938a4e31e3e1
SHA1 hash: d31dff9e56df945247cbb0598bf0c1d27aedcccf
Detections: INDICATOR_EXE_Packed_Themida
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: HeavensGate
Author: kevoreilly
Description: Heaven's Gate: Switch from 32-bit to 64-mode

Rule name: INDICATOR_EXE_Packed_Themida
Author: ditekSHen
Description: Detects executables packed with Themida

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: NET
Author: malware-lu

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
PrivateLoader
Executable exe fcd465bfb29ad1ee9c3344c27035fe6721f7c634ae714db808454b2d14e6ecd3 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (NX_COMPAT) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_TRUST_INFO | Requires Elevated Execution (level:requireAdministrator) | high

Reviews
ID | Capabilities | Evidence
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance
WIN_BASE_API | Uses Win Base API | kernel32.dll::LoadLibraryA

Comments



zbet commented on 2024-04-20 03:46:07 UTC

url : hxxp://77.221.151.32/server/ww16/AppGate2103v01_16.exe