privateloader

General

Target

https://www.youtube.com/results?search_query=roblox+free+cheat+injector+no+virus
Sample

230602-qh2bqsbh7v

Score

10^/10

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\HOW TO DECRYPT FILES.txt

Ransom Note

All your important files were encrypted on this computer. You can verify this by click on see files an try open them. Encrtyption was produced using unique KEY generated for this computer. To decrypted files, you need to otbtain private key. The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet; The server will destroy the key within 24 hours after encryption completed. Payment have to be made in maxim 24 hours To retrieve the private key, you need to pay 3 BITCOINS Bitcoins have to be sent to this address: 1NJNG57hFPPcmSmFYbxKmL33uc5nLwYLCK After you've sent the payment send us an email to : fast_decrypt_and_protect@tutanota.com with subject : ERROR-ID-63100778(3BITCOINS) If you are not familiar with bitcoin you can buy it from here : SITE : www.localbitcoin.com After we confirm the payment , we send the private key so you can decrypt your system.

Emails

fast_decrypt_and_protect@tutanota.com

Wallets

1NJNG57hFPPcmSmFYbxKmL33uc5nLwYLCK

Targets

- Target
  
  https://www.youtube.com/results?search_query=roblox+free+cheat+injector+no+virus
Score

10^/10

privateloader xorist discovery loader persistence ransomware spyware stealer upx
- Detected Xorist Ransomware
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Xorist Ransomware
  Xorist is a ransomware first seen in 2020.
  ransomware xorist
- Renames multiple (12395) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Drops Chrome extension
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1