Resubmissions (submitted, analysis ID, score)
- 24-08-2023 16:00  230824-tflp2sdf88  10
- 24-08-2023 14:39  230824-r1mrqseg2s  10
- 24-08-2023 12:33  230824-prb8jaeb2z  10
- 24-05-2023 05:51  230524-gj57msbf4v  10

Analysis
- max time kernel: 28s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 24-05-2023 05:51
Static task
- static1

Behavioral task
- behavioral1
  Sample: b71c6ec1ffe67a613e7ba6dc9d440165.exe
  Resource: win7-20230220-en

Behavioral task
- behavioral2
  Sample: b71c6ec1ffe67a613e7ba6dc9d440165.exe
  Resource: win10v2004-20230220-en
General
- Target: b71c6ec1ffe67a613e7ba6dc9d440165.exe
- Size: 10.8MB
- MD5: b71c6ec1ffe67a613e7ba6dc9d440165
- SHA1: dd5b3e94bec631d9a72f43af2ec01cf12232c548
- SHA256: e262e47a76916a2f919373cd4ba175953e9a81687ea27e03c4d5e998b65ee9b4
- SHA512: d36ccc35f7b567ceeba01f412ae5462f6c62da7d0cb41063ff0b957f89e95d0c15c3ad3f17d4017658dfd8ee45733148249f2496f13ab5a6360e1645087b5389
- SSDEEP: 98304:OUuKtfJjoWdSgeD6KF7t3H26JyQ6IeoMnq6Kw7KpE3OtMeV+xDMAyYL64Z:wKDjoZYKv3PR6IfMq6v74EEMeCDzjt
Malware Config
Extracted
privateloader
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
45.15.156.229
85.208.136.10
94.142.138.131
94.142.138.113
208.67.104.60
-
payload_url
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp
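The extracted config above repeats several payload URLs and mixes bare IPs with full URLs. The script below is an added example, not code from the report or from the sandbox: it normalises those entries into de-duplicated URL, IP and domain indicators, defangs them for sharing, and matches an observed URL against the set. The entries are copied verbatim from the config above; the classification rules, the defanging convention and the `matches` helper are the example's own. The extension in a payload URL (.bmp, .exe) says nothing about what was actually served, so matching keys only on URL and host.

```python
"""De-duplicated, defanged indicator set from the extracted PrivateLoader config.

Added example, not code from the report or any sandbox tooling. Entries are
copied from the config above; classification and defanging are this example's.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Entries listed directly under the privateloader family (as on the page).
CONFIG_ENTRIES = """
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
45.15.156.229
85.208.136.10
94.142.138.131
94.142.138.113
208.67.104.60
""".split()

# payload_url entries, including the repeats present in the extracted config.
PAYLOAD_URLS = """
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp
""".split()


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def host_of(entry: str) -> str:
    """Bare IP/domain entries are their own host; URLs are parsed for theirs."""
    if "://" in entry:
        return (urlsplit(entry).hostname or "").lower()
    return entry.lower()


def defang(ioc: str) -> str:
    """hxxp:// and [.] form so the indicator cannot be clicked or auto-linked."""
    return (ioc.replace("https://", "hxxps://")
               .replace("http://", "hxxp://")
               .replace(".", "[.]"))


def build_ioc_set(config: list[str], payloads: list[str]) -> dict[str, set[str]]:
    """Split every entry into URL / IP / domain indicators, de-duplicated."""
    entries = config + payloads
    hosts = {host_of(e) for e in entries}
    return {
        "url": {e for e in entries if "://" in e},
        "ip": {h for h in hosts if is_ip(h)},
        "domain": {h for h in hosts if not is_ip(h)},
    }


def payloads_per_host(payloads: list[str]) -> Counter:
    """Distinct payload URLs served per host (repeats in the config collapsed)."""
    return Counter(host_of(u) for u in set(payloads))


def matches(observed_url: str, iocs: dict[str, set[str]]) -> str | None:
    """Match an observed URL: exact URL first, then host, else None."""
    if observed_url in iocs["url"]:
        return "url"
    host = host_of(observed_url)
    if host in iocs["ip"] or host in iocs["domain"]:
        return "host"
    return None


if __name__ == "__main__":
    iocs = build_ioc_set(CONFIG_ENTRIES, PAYLOAD_URLS)
    for kind in ("ip", "domain", "url"):
        for ioc in sorted(iocs[kind]):
            print(f"{kind:6} {defang(ioc)}")
```

Running it prints 8 IPs, 11 domains and 26 distinct URLs; `payloads_per_host` shows that a single cdn.discordapp.com channel served 11 of the 24 distinct payload URLs, which is the host worth blocking at the proxy even though the individual attachment URLs will rotate.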
Signatures
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    4     ipinfo.io
    8     api.db-ip.com
    9     api.db-ip.com
    3     ipinfo.io
- Drops file in System32 directory (4 IoCs)
  Processes:
    description                   ioc                                                   process
    File opened for modification  C:\Windows\System32\GroupPolicy                       b71c6ec1ffe67a613e7ba6dc9d440165.exe
    File opened for modification  C:\Windows\SysWOW64\GroupPolicy\gpt.ini               b71c6ec1ffe67a613e7ba6dc9d440165.exe
    File created                  C:\Windows\System32\GroupPolicy\Machine\Registry.pol  b71c6ec1ffe67a613e7ba6dc9d440165.exe
    File opened for modification  C:\Windows\System32\GroupPolicy\GPT.INI               b71c6ec1ffe67a613e7ba6dc9d440165.exe
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    1048  1624        WerFault.exe  b71c6ec1ffe67a613e7ba6dc9d440165.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                       pid   process                               target process
    PID 1624 wrote to memory of 1048  1624  b71c6ec1ffe67a613e7ba6dc9d440165.exe  WerFault.exe
    PID 1624 wrote to memory of 1048  1624  b71c6ec1ffe67a613e7ba6dc9d440165.exe  WerFault.exe
    PID 1624 wrote to memory of 1048  1624  b71c6ec1ffe67a613e7ba6dc9d440165.exe  WerFault.exe
    PID 1624 wrote to memory of 1048  1624  b71c6ec1ffe67a613e7ba6dc9d440165.exe  WerFault.exe
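Read on their own, these signatures are weak: many legitimate programs query ipinfo.io or api.db-ip.com, and the WriteProcessMemory hit is the crashing sample starting WerFault.exe as its child (see the process tree), which is ordinary Windows Error Reporting rather than injection. What is worth alerting on is the combination: a user-land executable from a Temp directory that resolves an IP-lookup service and also writes gpt.ini and Machine\Registry.pol under the local Group Policy store, a location ordinary applications never touch. The report lists that path under both System32 and SysWOW64 because a 32-bit process on 64-bit Windows has System32 redirected to SysWOW64; a rule has to match both spellings. The code below is an added example, not the sandbox's own detection logic: the event schema, the allowlist of legitimate Group Policy writers, and the browser and gpupdate control events with their process IDs are constructed for illustration; only pid 1624 and its paths mirror the report.

```python
"""Per-process correlation of the two behavioural signatures in this report.

Added example, not the sandbox's own logic. The event schema, the allowlist
and the benign control events are constructed; pid 1624 mirrors the report.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Hosts from the "Looks up external IP address via web service" signature.
IP_LOOKUP_HOSTS = {"ipinfo.io", "api.db-ip.com"}

# Local Group Policy store. A 32-bit process on 64-bit Windows has System32
# redirected to SysWOW64, which is why the report shows both spellings.
GROUP_POLICY_RE = re.compile(
    r"^[A-Za-z]:\\Windows\\(?:System32|SysWOW64)\\GroupPolicy\\", re.IGNORECASE
)

# Images expected to write gpt.ini / Registry.pol (constructed allowlist;
# replace with whatever management tooling your own fleet actually uses).
GROUP_POLICY_WRITERS = {"mmc.exe", "gpupdate.exe", "lgpo.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    image: str
    detail: str


def image_name(image: str) -> str:
    """Case-folded basename of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> Alert | None:
    """Match one event against either signature; None if it matches neither."""
    if ev["type"] == "dns":
        host = ev["query"].lower().rstrip(".")
        if host in IP_LOOKUP_HOSTS:
            return Alert("ip_lookup_web_service", ev["pid"], ev["image"], host)
    elif ev["type"] in ("file_create", "file_modify"):
        if (GROUP_POLICY_RE.match(ev["path"])
                and image_name(ev["image"]) not in GROUP_POLICY_WRITERS):
            return Alert("writes_local_group_policy", ev["pid"], ev["image"], ev["path"])
    return None


def scan(events: list[dict]) -> list[Alert]:
    """All single-event hits, in event order."""
    return [a for a in map(check_event, events) if a is not None]


def correlate(alerts: list[Alert]) -> dict[int, set[str]]:
    """pid -> rules hit, keeping only pids that triggered both rules.

    Either rule alone is noisy (browsers look up their IP, admin tools write
    policy). The same process doing both is what is worth paging on.
    """
    hits: dict[int, set[str]] = defaultdict(set)
    for a in alerts:
        hits[a.pid].add(a.rule)
    return {pid: rules for pid, rules in hits.items() if len(rules) == 2}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b71c6ec1ffe67a613e7ba6dc9d440165.exe"

# Constructed telemetry. pid 1624 mirrors the report's IoCs; the Firefox and
# gpupdate events are made-up benign controls.
SAMPLE_EVENTS = [
    {"type": "dns", "pid": 1624, "image": SAMPLE, "query": "ipinfo.io"},
    {"type": "dns", "pid": 1624, "image": SAMPLE, "query": "api.db-ip.com"},
    {"type": "file_modify", "pid": 1624, "image": SAMPLE,
     "path": r"C:\Windows\SysWOW64\GroupPolicy\gpt.ini"},
    {"type": "file_create", "pid": 1624, "image": SAMPLE,
     "path": r"C:\Windows\System32\GroupPolicy\Machine\Registry.pol"},
    {"type": "dns", "pid": 4412, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "ipinfo.io"},
    {"type": "file_modify", "pid": 900, "image": r"C:\Windows\System32\gpupdate.exe",
     "path": r"C:\Windows\System32\GroupPolicy\gpt.ini"},
]

if __name__ == "__main__":
    for pid, rules in correlate(scan(SAMPLE_EVENTS)).items():
        print(pid, sorted(rules))
```

On the constructed events only pid 1624 survives correlation: the browser's IP lookup and gpupdate's policy write each trip one rule and are dropped. Note also that this sample crashed 28 seconds into the Windows 7 run (the WerFault entry), so the behaviour captured here is only what happened before the crash; the win10v2004 behavioral task listed at the top is not shown on this page.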
Processes
- C:\Users\Admin\AppData\Local\Temp\b71c6ec1ffe67a613e7ba6dc9d440165.exe
  "C:\Users\Admin\AppData\Local\Temp\b71c6ec1ffe67a613e7ba6dc9d440165.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 956
    - Program crash