privateloader | file[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

file.exe
Size

7.8MB
MD5

e6b0e14676e5b72a638a142e46f658d9
SHA1

77723f0e3c933eff00e0ce1c823aee668d5c3bea
SHA256

2d34e214cbb14456357d2e3381692d188b1004d8ff26280e430c716e6e3730b6
SHA512

e7aab7f21bfbe3e30a0822fc468e3aad1b47c3b358ec46378be3672f1f98708537ebd21cabb2848792f1fb9324b4c2936f9c117c382822206cd28f0b19e28342
SSDEEP

196608:mDbJflIYiWpSsqF10P1CPwDvt3uFTDC7LIKcosI3jhMSNZL:muWpSfF1s1CPwDvt3uF/CfIKcossn

Score

10^/10

privateloader

Malware Config

Extracted

Family

privateloader

http://108.174.200.11/MWTSL

http://108.174.198.132/MWTSL

http://108.174.199.249/MWTSL

Signatures

Privateloader family
privateloader

Files

file.exe
.exe windows x86

5e2ecd56911cee8bace571b4976864cd

Code Sign

01:95:c2:00:d3:be:b4:97:68:05:ac:d3:97:3b:b6:df
Certificate

Issuer

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

31/01/2019, 00:00

Not After

03/02/2021, 12:00

Subject

SERIALNUMBER=2748129,CN=Adobe Inc.,OU=CCM,O=Adobe Inc.,L=San Jose,ST=ca,C=US,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.2=#130844656c6177617265,1.3.6.1.4.1.311.60.2.1.3=#13025553

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18/04/2012, 12:00

Not After

18/04/2027, 12:00

Subject

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/01/2021, 00:00

Not After

06/01/2031, 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

27:53:6f:2f:ae:41:3c:71:1f:f8:4b:4f:f8:4f:33:85:02:70:93:67:b8:90:0d:8b:24:ad:fc:2e:ed:81:d2:ef
Signer

Actual PE Digest

27:53:6f:2f:ae:41:3c:71:1f:f8:4b:4f:f8:4f:33:85:02:70:93:67:b8:90:0d:8b:24:ad:fc:2e:ed:81:d2:ef

Digest Algorithm

sha256

PE Digest Matches

false

Signature Validations

Trusted

true

Verification

Signing Certificate

SERIALNUMBER=2748129,CN=Adobe Inc.,OU=CCM,O=Adobe Inc.,L=San Jose,ST=ca,C=US,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.2=#130844656c6177617265,1.3.6.1.4.1.311.60.2.1.3=#13025553

06/01/2021, 00:07
Valid: true

Chain 1

SERIALNUMBER=2748129,CN=Adobe Inc.,OU=CCM,O=Adobe Inc.,L=San Jose,ST=ca,C=US,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.2=#130844656c6177617265,1.3.6.1.4.1.311.60.2.1.3=#13025553

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

FreeResource
CreateToolhelp32Snapshot
MultiByteToWideChar
Sleep
GetTempPathA
GetModuleHandleExA
GetTimeZoneInformation
GetTickCount64
CopyFileA
GetLastError
GetFileAttributesA
TzSpecificLocalTimeToSystemTime
CreateFileA
LoadLibraryA
GetVersionExA
LockResource
DeleteFileA
Process32Next
CloseHandle
GetSystemInfo
GetWindowsDirectoryA
LoadResource
SetFileAttributesA
GetLocalTime
GetProcAddress
LocalFree
RemoveDirectoryA
GetCurrentProcessId
GlobalMemoryStatusEx
FreeLibrary
WideCharToMultiByte
CreateDirectoryA
GetSystemTime
GetPrivateProfileStringA
IsWow64Process
GetComputerNameA
lstrcpynA
ReadFile
SetFilePointer
CreateFileW
AreFileApisANSI
TryEnterCriticalSection
HeapCreate
GetLocaleInfoA
EnterCriticalSection
lstrlenA
GetDiskFreeSpaceW
OutputDebugStringA
LockFile
LeaveCriticalSection
InitializeCriticalSection
GetFullPathNameA
SetEndOfFile
UnlockFileEx
GetTempPathW
CreateMutexW
WaitForSingleObject
GetFileAttributesW
UnmapViewOfFile
HeapValidate
HeapSize
FormatMessageW
GetDiskFreeSpaceA
GetFileAttributesExW
OutputDebugStringW
FlushViewOfFile
WaitForSingleObjectEx
DeleteFileW
HeapReAlloc
LoadLibraryW
HeapAlloc
HeapCompact
HeapDestroy
UnlockFile
LockFileEx
GetFileSize
DeleteCriticalSection
GetProcessHeap
SystemTimeToFileTime
GetSystemTimeAsFileTime
FormatMessageA
CreateFileMappingW
MapViewOfFile
QueryPerformanceCounter
GetTickCount
FlushFileBuffers
VirtualQuery
VirtualProtect
WriteConsoleW
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
LoadLibraryExA
GetModuleHandleA
GetCurrentThreadId
LocalAlloc
GetVolumeInformationA
HeapFree
FindClose
FindResourceA
FindNextFileA
GetUserDefaultLocaleName
TerminateProcess
WriteFile
GetCurrentProcess
FindFirstFileA
Process32First
GetPrivateProfileSectionNamesA
GetACP
IsValidCodePage
SizeofResource
GetFullPathNameW
GetModuleFileNameA
SetStdHandle
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
GetFileSizeEx
GetConsoleOutputCP
ReadConsoleW
GetConsoleMode
GetStdHandle
GetModuleFileNameW
FindFirstFileExW
FindNextFileW
GetFinalPathNameByHandleW
SetFilePointerEx
GetFileInformationByHandleEx
LCMapStringEx
InitializeCriticalSectionEx
EncodePointer
DecodePointer
CompareStringEx
GetCPInfo
GetStringTypeW
InitializeCriticalSectionAndSpinCount
SetEvent
ResetEvent
CreateEventW
GetModuleHandleW
IsProcessorFeaturePresent
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
InitializeSListHead
RtlUnwind
RaiseException
SetLastError
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
GetFileType
ExitProcess
GetModuleHandleExW
CreateThread
ExitThread
FreeLibraryAndExitThread

user32

GetSystemMetrics
GetDC
GetWindowRect
EnumDisplayDevicesA
GetDesktopWindow
GetKeyboardLayoutList
ReleaseDC
wsprintfA

gdi32

CreateCompatibleBitmap
SelectObject
CreateCompatibleDC
DeleteObject
BitBlt

advapi32

RegQueryValueExA
RegOpenKeyExA
GetUserNameA
RegCloseKey
GetCurrentHwProfileA
RegEnumKeyExA
CredEnumerateA
CredFree

shell32

ShellExecuteA
SHGetFolderPathA

crypt32

CryptUnprotectData
CryptStringToBinaryA

gdiplus

GdipSaveImageToFile
GdipFree
GdipDisposeImage
GdipCreateBitmapFromHBITMAP
GdipAlloc
GdipCloneImage
GdipGetImageEncoders
GdiplusShutdown
GdiplusStartup
GdipGetImageEncodersSize

setupapi

SetupDiGetDeviceInterfaceDetailA
SetupDiGetClassDevsA
SetupDiEnumDeviceInterfaces
SetupDiEnumDeviceInfo

Sections

.text
Size: 1.7MB - Virtual size: 1.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 151KB - Virtual size: 151KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 5.8MB - Virtual size: 5.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 29KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

5e2ecd56911cee8bace571b4976864cd

Code Sign

01:95:c2:00:d3:be:b4:97:68:05:ac:d3:97:3b:b6:dfCertificate

Extended Key Usages

Key Usages

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5cCertificate

Extended Key Usages

Key Usages

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:ddCertificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

27:53:6f:2f:ae:41:3c:71:1f:f8:4b:4f:f8:4f:33:85:02:70:93:67:b8:90:0d:8b:24:ad:fc:2e:ed:81:d2:efSigner

Signature Validations

Verification

06/01/2021, 00:07 Valid: true

Chain 1

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

crypt32

gdiplus

setupapi

Sections

.text Size: 1.7MB - Virtual size: 1.7MB

.rdata Size: 151KB - Virtual size: 151KB

.data Size: 10KB - Virtual size: 15KB

.rsrc Size: 5.8MB - Virtual size: 5.8MB

.reloc Size: 29KB - Virtual size: 28KB

01:95:c2:00:d3:be:b4:97:68:05:ac:d3:97:3b:b6:df
Certificate

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

27:53:6f:2f:ae:41:3c:71:1f:f8:4b:4f:f8:4f:33:85:02:70:93:67:b8:90:0d:8b:24:ad:fc:2e:ed:81:d2:ef
Signer

06/01/2021, 00:07
Valid: true

.text
Size: 1.7MB - Virtual size: 1.7MB

.rdata
Size: 151KB - Virtual size: 151KB

.data
Size: 10KB - Virtual size: 15KB

.rsrc
Size: 5.8MB - Virtual size: 5.8MB

.reloc
Size: 29KB - Virtual size: 28KB