privateloader | hxxps://oneqanatclub[.]com/O4uYeU5lV6dN_0UrzBx4sNtDjheJnvEjQ8xUsiyyfa0/?clck=1580b126227a97924669dc06f0c24968&sid=17357599 | Triage

Submit
Reports

Overview

overview

Static

static

URLScan

urlscan

1

https://oneqanatclub...

windows7-x64

https://oneqanatclub...

windows10-2004-x64

8

Sharing

General

Target

https://oneqanatclub.com/O4uYeU5lV6dN_0UrzBx4sNtDjheJnvEjQ8xUsiyyfa0/?clck=1580b126227a97924669dc06f0c24968&sid=17357599
Sample

221005-22txjsgbbr

Score

10^/10

privateloader redline smokeloader backdoor evasion infostealer loader themida trojan upx vmprotect

Static task

static1

URLScan task

urlscan1

Behavioral task

behavioral1

Sample

https://oneqanatclub.com/O4uYeU5lV6dN_0UrzBx4sNtDjheJnvEjQ8xUsiyyfa0/?clck=1580b126227a97924669dc06f0c24968&sid=17357599

Resource

win7-20220901-en

privateloader redline smokeloader backdoor evasion infostealer loader themida trojan upx vmprotect

windows7-x64

31 signatures

150 seconds

Behavioral task

behavioral2

Sample

https://oneqanatclub.com/O4uYeU5lV6dN_0UrzBx4sNtDjheJnvEjQ8xUsiyyfa0/?clck=1580b126227a97924669dc06f0c24968&sid=17357599

Resource

win10v2004-20220812-en

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

privateloader

C2

http://163.123.143.4/proxies.txt

http://107.182.129.251/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

163.123.143.12

Attributes

payload_url
https://vipsofts.xyz/files/mega.bmp

Targets

- Target
  
  https://oneqanatclub.com/O4uYeU5lV6dN_0UrzBx4sNtDjheJnvEjQ8xUsiyyfa0/?clck=1580b126227a97924669dc06f0c24968&sid=17357599
Score

10^/10

privateloader redline smokeloader backdoor evasion infostealer loader themida trojan upx vmprotect
- Detects Smokeloader packer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Process Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

urlscan1

behavioral1

privateloaderredlinesmokeloaderbackdoorevasioninfostealerloaderthemidatrojanupxvmprotect

behavioral2

© 2018-2024

Terms | Privacy