MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fecffd8f6cdd8ad950507bebbb23a146ec5252e35be146840ded98dff189cf12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PrivateLoader


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fecffd8f6cdd8ad950507bebbb23a146ec5252e35be146840ded98dff189cf12
SHA3-384 hash: dd9eeb4ca5ea01d105b68e14a630664adb7d975d31e220862f222f5ef2ebad9611342a86e6755ebf4bdb6742f4ab513c
SHA1 hash: 426e0a6231d75e6bd9be1abd8a25104f162f0a2a
MD5 hash: 9e575ff2f94976a6e73a0a219bbf2495
humanhash: october-violet-lemon-alanine
File name:1720605557.036432_setup.exe
Download: download sample
Signature PrivateLoader
Create hunting rule
File size:4'844'712 bytes
First seen:2024-07-10 17:39:26 UTC
Last seen:2024-07-10 18:21:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 448b6888b26145ced7ce018aab459303 (4 x PrivateLoader, 2 x RiseProStealer, 2 x Stealc)
ssdeep 98304:YdJFj+HRyphoM7jEYB2aqAcpL/3Pq2EMA2TaZjpGLX:YdJFuRUEK235pL/fqiupG
Threatray 2 similar samples on MalwareBazaar
TLSH T1E426F094B481C9E8F0D68AF0817010B971296EA7CAEC78D2268DFB067F6FD306875577
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon e0b0b0c2d2c0cc3a (2 x RaccoonStealer, 2 x RecordBreaker, 1 x PrivateLoader)
Reporter Chainskilabs
Tags:exe PrivateLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
393
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fecffd8f6cdd8ad950507bebbb23a146ec5252e35be146840ded98dff189cf12.exe
Verdict:
Malicious activity
Analysis date:
2024-07-10 17:41:02 UTC
Tags:
evasion privateloader
Link:
https://app.any.run/tasks/ee81eb7d-5645-4273-b06f-c06d0f55b45b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.21310.9073.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=668ec77450cbfd4734a894c7win10vpnfull_triage
Tags:
Encryption Heur
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/fecffd8f6cdd8ad950507bebbb23a146ec5252e35be146840ded98dff189cf12
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4e4322f7-1950-4615-95c8-b4f9e3de937a
Result
Threat name:
LummaC Stealer, Mars Stealer, PureLog St
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1470976
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds extensions / path to Windows Defender exclusion list (Registry)
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops PE files with a suspicious file extension
Exclude list of file types from scheduled, custom, and real-time scanning
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies power options to not sleep / hibernate
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Disable power options
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Stop EventLog
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected LummaC Stealer
Yara detected Mars stealer
Yara detected MSILDownloaderGeneric
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected Socks5Systemz
Yara detected Stealc
Yara detected Stealerium
Yara detected Vidar
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1470976 Sample: 1720605557.036432_setup.exe Startdate: 10/07/2024 Architecture: WINDOWS Score: 100 118 service-domain.xyz 2->118 120 api2.check-data.xyz 2->120 122 28 other IPs or domains 2->122 150 Found malware configuration 2->150 152 Malicious sample detected (through community Yara rule) 2->152 154 Antivirus detection for URL or domain 2->154 158 31 other signatures 2->158 10 1720605557.036432_setup.exe 11 45 2->10         started        15 svchost.exe 2->15         started        17 svchost.exe 2->17         started        19 2 other processes 2->19 signatures3 156 Performs DNS queries to domains with low reputation 120->156 process4 dnsIp5 138 WAIqpCKkHw.WAIqpCKkHw 10->138 140 vk.com 87.240.132.78, 49738, 49740, 49744 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 10->140 144 14 other IPs or domains 10->144 110 C:\Users\...\qg_4OFUknYPdi8RiJYzi4jmn.exe, PE32 10->110 dropped 112 C:\Users\...\gR2Znn5gG0tYmT7xe9fdRUGb.exe, PE32 10->112 dropped 114 C:\Users\...\e2wVJGpUnc9KuogLxSSy5jb9.exe, PE32+ 10->114 dropped 116 17 other malicious files 10->116 dropped 196 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 10->196 198 Drops PE files to the document folder of the user 10->198 200 Creates HTML files with .exe extension (expired dropper behavior) 10->200 202 7 other signatures 10->202 21 MUCquQIJ6ozsArbXZaG5zlii.exe 2 10->21         started        24 c2725vnic2fyyMQwIsgwSDgn.exe 35 10->24         started        28 Dfi0y0L_UOFgd7kYAWZN2G19.exe 10->28         started        34 8 other processes 10->34 30 cmd.exe 15->30         started        32 conhost.exe 15->32         started        142 127.0.0.1 unknown unknown 17->142 file6 signatures7 process8 dnsIp9 92 C:\Users\...\MUCquQIJ6ozsArbXZaG5zlii.tmp, PE32 21->92 dropped 36 MUCquQIJ6ozsArbXZaG5zlii.tmp 21->36         started        132 85.28.47.30 GES-ASRU Russian Federation 24->132 134 77.91.77.81 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 24->134 94 C:\Users\user\AppData\...\softokn3[1].dll, PE32 24->94 dropped 96 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 24->96 dropped 98 C:\Users\user\AppData\...\mozglue[1].dll, PE32 24->98 dropped 106 9 other files (5 malicious) 24->106 dropped 172 Detected unpacking (changes PE section rights) 24->172 174 Creates HTML files with .exe extension (expired dropper behavior) 24->174 176 Tries to steal Mail credentials (via file / registry access) 24->176 192 5 other signatures 24->192 178 Writes to foreign memory regions 28->178 180 Allocates memory in foreign processes 28->180 182 Injects a PE file into a foreign processes 28->182 39 MSBuild.exe 28->39         started        184 Suspicious powershell command line found 30->184 43 powershell.exe 30->43         started        45 Conhost.exe 30->45         started        136 discord.com 162.159.136.232 CLOUDFLARENETUS United States 34->136 100 C:\Users\user\AppData\Local\...\Install.exe, PE32 34->100 dropped 102 C:\Users\user\AppData\Local\...\Install.exe, PE32 34->102 dropped 104 C:\ProgramData\...\eqtpkqwqodik.exe, PE32+ 34->104 dropped 186 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 34->186 188 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 34->188 190 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 34->190 194 3 other signatures 34->194 47 cmd.exe 34->47         started        49 Install.exe 34->49         started        51 MSBuild.exe 34->51         started        53 13 other processes 34->53 file10 signatures11 process12 dnsIp13 78 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 36->78 dropped 80 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 36->80 dropped 82 C:\Users\user\AppData\Local\...\_RegDLL.tmp, PE32 36->82 dropped 90 34 other files (23 malicious) 36->90 dropped 55 audioshell32_64.exe 36->55         started        58 audioshell32_64.exe 36->58         started        124 tea.arpdabl.org 172.93.194.59 NEXEONUS United States 39->124 126 survey-smiles.com 199.59.243.226 BODIS-NJUS United States 39->126 160 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 39->160 162 Tries to harvest and steal ftp login credentials 39->162 164 Tries to harvest and steal browser information (history, passwords, etc) 39->164 170 2 other signatures 39->170 84 C:\Users\user\AppData\Local\...\Valve.pif, PE32 47->84 dropped 166 Suspicious powershell command line found 47->166 168 Drops PE files with a suspicious file extension 47->168 61 conhost.exe 47->61         started        86 C:\Users\user\AppData\Local\...\Install.exe, PE32 49->86 dropped 63 Install.exe 49->63         started        128 steamcommunity.com 104.102.42.29 AKAMAI-ASUS United States 51->128 130 65.109.241.221 ALABANZA-BALTUS United States 51->130 88 C:\Users\user\AppData\Local\...\Install.exe, PE32 53->88 dropped 66 conhost.exe 53->66         started        68 Install.exe 53->68         started        70 conhost.exe 53->70         started        72 8 other processes 53->72 file14 signatures15 process16 dnsIp17 108 C:\ProgramData\...\ARM Core Mode 7.10.66.exe, PE32 55->108 dropped 146 89.105.201.183 NOVOSERVE-ASNL Netherlands 58->146 148 aquaswi.ru 94.156.8.80 NET1-ASBG Bulgaria 58->148 74 Conhost.exe 61->74         started        204 Multi AV Scanner detection for dropped file 63->204 76 forfiles.exe 63->76         started        file18 signatures19 process20
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fecffd8f6cdd8ad950507bebbb23a146ec5252e35be146840ded98dff189cf12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fecffd8f6cdd8ad950507bebbb23a146ec5252e35be146840ded98dff189cf12/
Threat name:
Win64.Trojan.PrivateLoader
Create hunting rule
Status:
Malicious
First seen:
2024-07-10 13:01:19 UTC
File Type:
PE+ (Exe)
Extracted files:
34
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=73h73d3m3wfnsucqppv3wi5bi3wfeuxdlpqunban5wmn74mjz4ja._file
Verdict:
malicious
Similar samples:
4bdfd59b483a10eb95136609e25962884d8c6c4c97249fde304dc19b504768c9
PrivateLoader
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion
Link:
https://tria.ge/reports/240710-v8vdbs1arl/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Drops file in System32 directory
Looks up external IP address via web service
Modifies firewall policy service
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8a96acd9-801a-4bbb-b224-28383087d750
Unpacked files
SH256 hash:
fecffd8f6cdd8ad950507bebbb23a146ec5252e35be146840ded98dff189cf12
MD5 hash:
9e575ff2f94976a6e73a0a219bbf2495
SHA1 hash:
426e0a6231d75e6bd9be1abd8a25104f162f0a2a
Link:
https://www.unpac.me/results/90f55581-eb69-4a94-8bfb-cfc9724ca9bc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fecffd8f6cdd8ad950507bebbb23a146ec5252e35be146840ded98dff189cf12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (NX_COMPAT)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA

Comments