privateloader | be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1

General

Target

be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe
Size

197KB
MD5

1de223e856e80958bda73c56c85c232e
SHA1

b357102a4dc4217c11e9e1f2f96e2c1feaa3f4d6
SHA256

be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1
SHA512

d1bde2a8f7560f62ed1032436ef0bab12d72b7038ffd740738e4ca6fa1ece7e4ddbcf1ba6c2d34d5a65152c72163c1fd98527ee9b3dd8bfdeb602489e9137bd1

Score

10^/10

privateloader evasion loader spyware stealer suricata trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

Puu9lXFYbbl_amkfKioYXS65.exe

pid process

624 Puu9lXFYbbl_amkfKioYXS65.exe

pid	process
624	Puu9lXFYbbl_amkfKioYXS65.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe

Loads dropped DLL 1 IoCs

Processes:

be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe

pid process

1668 be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 ipinfo.io
21 ipinfo.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1980 1668 WerFault.exe be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe

flow	ioc
20	ipinfo.io
21	ipinfo.io

pid	pid_target	process	target process
1980	1668	WerFault.exe	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exePuu9lXFYbbl_amkfKioYXS65.exe

pid	process
1668	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe
624	Puu9lXFYbbl_amkfKioYXS65.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe

description	pid	process	target process
PID 1668 wrote to memory of 624	1668	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	Puu9lXFYbbl_amkfKioYXS65.exe
PID 1668 wrote to memory of 624	1668	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	Puu9lXFYbbl_amkfKioYXS65.exe
PID 1668 wrote to memory of 624	1668	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	Puu9lXFYbbl_amkfKioYXS65.exe
PID 1668 wrote to memory of 624	1668	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	Puu9lXFYbbl_amkfKioYXS65.exe
PID 1668 wrote to memory of 1980	1668	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	WerFault.exe
PID 1668 wrote to memory of 1980	1668	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	WerFault.exe
PID 1668 wrote to memory of 1980	1668	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	WerFault.exe
PID 1668 wrote to memory of 1980	1668	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe
"C:\Users\Admin\AppData\Local\Temp\be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\Pictures\Adobe Films\Puu9lXFYbbl_amkfKioYXS65.exe
  "C:\Users\Admin\Pictures\Adobe Films\Puu9lXFYbbl_amkfKioYXS65.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 1396
  2⤵
  - Program crash
  PID:1980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Web Service

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Pictures\Adobe Films\Puu9lXFYbbl_amkfKioYXS65.exe

Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
\Users\Admin\Pictures\Adobe Films\Puu9lXFYbbl_amkfKioYXS65.exe

Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
memory/624-58-0x0000000000000000-mapping.dmp

Download
memory/1668-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1668-55-0x0000000003AA0000-0x0000000003C5C000-memory.dmp

Filesize
1.7MB

Download
memory/1668-56-0x0000000003AA0000-0x0000000003C5C000-memory.dmp

Filesize
1.7MB

Download
memory/1980-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads