General
-
Target
F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe
-
Size
1.1MB
-
Sample
230113-x8cvdscc33
-
MD5
842ae8e819177105e1a1af934b1ee520
-
SHA1
17104eca148dcd0e15ffb31e4c7a3defdd406d12
-
SHA256
f5c67fe00b4cbee07d5e394c87f0c6224bbd841a92151d04841f584d56e58b0c
-
SHA512
b92ecfb5c89996332dd674682694a111aee2bc26b21678c9e60dc592272b91a0f6e9d2a478528b6f257290c5ef43ed9d87d7fac3b8314e768144951333e4916d
-
SSDEEP
24576:zXdmFGXOGXlTztlj3RbjO7jlUIixAWLc7ARpTLzVONY/tx4:rdfLVTLjxwjlQntT/VO2x4
Behavioral task
behavioral1
Sample
F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe
Resource
win7-20220812-en
Malware Config
Extracted
privateloader
http://163.123.143.4/proxies.txt
http://107.182.129.251/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
163.123.143.12
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
-
payload_url
https://vipsofts.xyz/files/mega.bmp
Extracted
gcleaner
45.139.105.171
85.31.46.167
107.182.129.235
171.22.30.106
Targets
-
-
Target
F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe
-
Size
1.1MB
-
MD5
842ae8e819177105e1a1af934b1ee520
-
SHA1
17104eca148dcd0e15ffb31e4c7a3defdd406d12
-
SHA256
f5c67fe00b4cbee07d5e394c87f0c6224bbd841a92151d04841f584d56e58b0c
-
SHA512
b92ecfb5c89996332dd674682694a111aee2bc26b21678c9e60dc592272b91a0f6e9d2a478528b6f257290c5ef43ed9d87d7fac3b8314e768144951333e4916d
-
SSDEEP
24576:zXdmFGXOGXlTztlj3RbjO7jlUIixAWLc7ARpTLzVONY/tx4:rdfLVTLjxwjlQntT/VO2x4
-
Detects Smokeloader packer
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-