privateloader | f96864b6f9c6af50b4f71073ea5396e96c5b80bc3024a1531064f43b34497d12

General

Target

SecuriteInfo.com.Trojan.GenericKD.64834682.13016.3433.exe
Size

6.7MB
MD5

4b9e8b2f3ea2608442a84b93c3b04545
SHA1

8b4d08b15fc86adf6c7783b8e88cd313f012674e
SHA256

f96864b6f9c6af50b4f71073ea5396e96c5b80bc3024a1531064f43b34497d12
SHA512

0248bee7ba26dcbd086a9c719b8463e013e0121ebcfe3b70f04fb7cd99f2e3da54b243aed3c1e59f7df9fd54717d153999f72a58f53dddcfc757a9ccbb85d811
SSDEEP

196608:7ZH239wkNJymM3IhIKrO1lrG6uFuCkSZnb7d:NH239zTywng8J1Zb7d

Score

10^/10

privateloader evasion loader spyware stealer themida trojan vmprotect

Malware Config

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

SecuriteInfo.com.Trojan.GenericKD.64834682.13016.3433.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ SecuriteInfo.com.Trojan.GenericKD.64834682.13016.3433.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SecuriteInfo.com.Trojan.GenericKD.64834682.13016.3433.exe

VMProtect packed file 9 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/820-55-0x0000000000AC0000-0x0000000001558000-memory.dmp	vmprotect
behavioral1/memory/820-56-0x0000000000AC0000-0x0000000001558000-memory.dmp	vmprotect
behavioral1/memory/820-57-0x0000000000AC0000-0x0000000001558000-memory.dmp	vmprotect
behavioral1/memory/820-59-0x0000000000AC0000-0x0000000001558000-memory.dmp	vmprotect
behavioral1/memory/820-58-0x0000000000AC0000-0x0000000001558000-memory.dmp	vmprotect
behavioral1/memory/820-62-0x0000000000AC0000-0x0000000001558000-memory.dmp	vmprotect
behavioral1/memory/820-63-0x0000000000AC0000-0x0000000001558000-memory.dmp	vmprotect
behavioral1/memory/820-60-0x0000000000AC0000-0x0000000001558000-memory.dmp	vmprotect
behavioral1/memory/820-64-0x0000000000AC0000-0x0000000001558000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Trojan.GenericKD.64834682.13016.3433.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SecuriteInfo.com.Trojan.GenericKD.64834682.13016.3433.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SecuriteInfo.com.Trojan.GenericKD.64834682.13016.3433.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Trojan.GenericKD.64834682.13016.3433.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Trojan.GenericKD.64834682.13016.3433.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/820-55-0x0000000000AC0000-0x0000000001558000-memory.dmp	themida
behavioral1/memory/820-56-0x0000000000AC0000-0x0000000001558000-memory.dmp	themida
behavioral1/memory/820-57-0x0000000000AC0000-0x0000000001558000-memory.dmp	themida
behavioral1/memory/820-59-0x0000000000AC0000-0x0000000001558000-memory.dmp	themida
behavioral1/memory/820-58-0x0000000000AC0000-0x0000000001558000-memory.dmp	themida
behavioral1/memory/820-62-0x0000000000AC0000-0x0000000001558000-memory.dmp	themida
behavioral1/memory/820-63-0x0000000000AC0000-0x0000000001558000-memory.dmp	themida
behavioral1/memory/820-60-0x0000000000AC0000-0x0000000001558000-memory.dmp	themida
behavioral1/memory/820-64-0x0000000000AC0000-0x0000000001558000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Trojan.GenericKD.64834682.13016.3433.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SecuriteInfo.com.Trojan.GenericKD.64834682.13016.3433.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ipinfo.io
10 ipinfo.io

flow	ioc
9	ipinfo.io
10	ipinfo.io

Drops file in System32 directory 4 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.64834682.13016.3433.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	SecuriteInfo.com.Trojan.GenericKD.64834682.13016.3433.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	SecuriteInfo.com.Trojan.GenericKD.64834682.13016.3433.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	SecuriteInfo.com.Trojan.GenericKD.64834682.13016.3433.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	SecuriteInfo.com.Trojan.GenericKD.64834682.13016.3433.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.64834682.13016.3433.exe

pid process

820 SecuriteInfo.com.Trojan.GenericKD.64834682.13016.3433.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.64834682.13016.3433.exe

pid process

820 SecuriteInfo.com.Trojan.GenericKD.64834682.13016.3433.exe
820 SecuriteInfo.com.Trojan.GenericKD.64834682.13016.3433.exe

pid	process
820	SecuriteInfo.com.Trojan.GenericKD.64834682.13016.3433.exe

pid	process
820	SecuriteInfo.com.Trojan.GenericKD.64834682.13016.3433.exe
820	SecuriteInfo.com.Trojan.GenericKD.64834682.13016.3433.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.64834682.13016.3433.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.64834682.13016.3433.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/820-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download
memory/820-55-0x0000000000AC0000-0x0000000001558000-memory.dmp

Filesize
10.6MB

Download
memory/820-56-0x0000000000AC0000-0x0000000001558000-memory.dmp

Filesize
10.6MB

Download
memory/820-57-0x0000000000AC0000-0x0000000001558000-memory.dmp

Filesize
10.6MB

Download
memory/820-59-0x0000000000AC0000-0x0000000001558000-memory.dmp

Filesize
10.6MB

Download
memory/820-58-0x0000000000AC0000-0x0000000001558000-memory.dmp

Filesize
10.6MB

Download
memory/820-62-0x0000000000AC0000-0x0000000001558000-memory.dmp

Filesize
10.6MB

Download
memory/820-63-0x0000000000AC0000-0x0000000001558000-memory.dmp

Filesize
10.6MB

Download
memory/820-60-0x0000000000AC0000-0x0000000001558000-memory.dmp

Filesize
10.6MB

Download
memory/820-61-0x0000000077280000-0x0000000077400000-memory.dmp

Filesize
1.5MB

Download
memory/820-64-0x0000000000AC0000-0x0000000001558000-memory.dmp

Filesize
10.6MB

Download
memory/820-65-0x0000000077280000-0x0000000077400000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads