privateloader | 470f22bc90c7fd2ab337440e9b275fef1ce977a7189524e27c3acf3f105276cf

Analysis

max time kernel
368s
max time network
372s
platform
windows10-1703_x64
resource
win10-20220718-en
resource tags

arch:x64arch:x86image:win10-20220718-enlocale:en-usos:windows10-1703-x64system
submitted
26-07-2022 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f_00626b.exe
Size

5.8MB
MD5

f7370171deba5ea5285fe49031690ef8
SHA1

d03621cf3cb55cc3918b29b2250dbe5ff505155b
SHA256

470f22bc90c7fd2ab337440e9b275fef1ce977a7189524e27c3acf3f105276cf
SHA512

50da056c5b9ae0aef50057628d83ea47facc6b53aa05215f8a623734798e1934ad951e1088aae5a752ea83a1b74757475d2a45a738460f63941a4fde450d4170

Score

10^/10

privateloader evasion loader themida trojan

Malware Config

Extracted

Family

privateloader

http://212.193.30.45/proxies.txt

http://193.233.185.125/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

85.202.169.116

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

f_00626b.exef_00626b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f_00626b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f_00626b.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f_00626b.exef_00626b.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f_00626b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f_00626b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f_00626b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f_00626b.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2068-127-0x0000000000400000-0x0000000001437000-memory.dmp	themida
behavioral1/memory/2068-151-0x0000000000400000-0x0000000001437000-memory.dmp	themida
behavioral1/memory/2068-152-0x0000000000400000-0x0000000001437000-memory.dmp	themida
behavioral1/memory/2040-220-0x0000000000400000-0x0000000001437000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f_00626b.exef_00626b.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f_00626b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f_00626b.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

f_00626b.exef_00626b.exe

pid process

2068 f_00626b.exe
2040 f_00626b.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

f_00626b.exef_00626b.exe

pid process

2068 f_00626b.exe
2068 f_00626b.exe
2040 f_00626b.exe
2040 f_00626b.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

f_00626b.exe

pid process

2040 f_00626b.exe

pid	process
2068	f_00626b.exe
2040	f_00626b.exe

pid	process
2068	f_00626b.exe
2068	f_00626b.exe
2040	f_00626b.exe
2040	f_00626b.exe

pid	process
2040	f_00626b.exe

C:\Users\Admin\AppData\Local\Temp\f_00626b.exe
"C:\Users\Admin\AppData\Local\Temp\f_00626b.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2068

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2980

C:\Users\Admin\AppData\Local\Temp\f_00626b.exe
"C:\Users\Admin\AppData\Local\Temp\f_00626b.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2040-187-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2040-188-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2040-220-0x0000000000400000-0x0000000001437000-memory.dmp

Filesize
16.2MB

Download
memory/2040-229-0x0000000001540000-0x000000000168A000-memory.dmp

Filesize
1.3MB

Download
memory/2040-230-0x0000000000400000-0x0000000001437000-memory.dmp

Filesize
16.2MB

Download
memory/2040-244-0x0000000000400000-0x0000000001437000-memory.dmp

Filesize
16.2MB

Download
memory/2040-243-0x0000000001540000-0x000000000168A000-memory.dmp

Filesize
1.3MB

Download
memory/2040-242-0x0000000000400000-0x0000000001437000-memory.dmp

Filesize
16.2MB

Download
memory/2068-150-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-125-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-122-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-123-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-124-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-155-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-126-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-128-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-129-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-127-0x0000000000400000-0x0000000001437000-memory.dmp

Filesize
16.2MB

Download
memory/2068-156-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-131-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-132-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-133-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-134-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-136-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-137-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-138-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-139-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-140-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-141-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-135-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-142-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-143-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-144-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-145-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-147-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-146-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-148-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-154-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-120-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-151-0x0000000000400000-0x0000000001437000-memory.dmp

Filesize
16.2MB

Download
memory/2068-152-0x0000000000400000-0x0000000001437000-memory.dmp

Filesize
16.2MB

Download
memory/2068-153-0x0000000000401000-0x000000000043C000-memory.dmp

Filesize
236KB

Download
memory/2068-149-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-121-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-130-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-157-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-158-0x00000000017C0000-0x00000000017E7000-memory.dmp

Filesize
156KB

Download
memory/2068-159-0x00000000016C0000-0x0000000001719000-memory.dmp

Filesize
356KB

Download
memory/2068-160-0x0000000000400000-0x0000000001437000-memory.dmp

Filesize
16.2MB

Download
memory/2068-161-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-162-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-163-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-164-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-165-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-166-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-167-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-168-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-169-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-170-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-171-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-172-0x00000000017C0000-0x00000000017E7000-memory.dmp

Filesize
156KB

Download
memory/2068-173-0x0000000000400000-0x0000000001437000-memory.dmp

Filesize
16.2MB

Download
memory/2068-174-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-175-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-176-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-177-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-178-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-179-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-180-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-181-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-119-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-118-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-117-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-182-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-183-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-184-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2068-185-0x0000000000400000-0x0000000001437000-memory.dmp

Filesize
16.2MB

Download
memory/2068-186-0x00000000017C0000-0x00000000017E7000-memory.dmp

Filesize
156KB

Download