privateloader | d2046e7907d430c57564fd882814a9786efe8b6fba8d5c0b5090068c3b66c7ff | Triage

Analysis

max time kernel
26s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-05-2023 17:12

Sharing

Report Analysis Logs

General

Target

file.exe
Size

5.0MB
MD5

c0eed8d7cff4a9b56b014b87ef779937
SHA1

3e3e2c02bedaa92bac010de4e0358e01d6a38438
SHA256

d2046e7907d430c57564fd882814a9786efe8b6fba8d5c0b5090068c3b66c7ff
SHA512

56b0a94bb6ee0eea0ddf81e65449943fb120a531ebd922d9922d6f7fb3d1f1158f0961a586059e1d8c493d21eb8c54bd6bbdf71046946cd89ba9399aac56dfd0
SSDEEP

98304:kUpUQp1iu+I3+gu/aUCl2zjii+CDOpzRVddpyeQENSsLJdNlJPBl/U:Zguh3XKe+iiCVtR5NS0jL/U

Score

10^/10

privateloader loader vmprotect

Malware Config

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral1/memory/1476-54-0x00000000008E0000-0x0000000001D2A000-memory.dmp	vmprotect

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 api.db-ip.com
1 ipinfo.io
5 api.db-ip.com
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1668 1476 WerFault.exe file.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

file.exe

description	pid	process	target process
PID 1476 wrote to memory of 1668	1476	file.exe	WerFault.exe
PID 1476 wrote to memory of 1668	1476	file.exe	WerFault.exe
PID 1476 wrote to memory of 1668	1476	file.exe	WerFault.exe
PID 1476 wrote to memory of 1668	1476	file.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 932
2⤵
- Program crash
PID:1668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1476-54-0x00000000008E0000-0x0000000001D2A000-memory.dmp

Filesize
20.3MB

Download