privateloader | e5b44a18698e291d8d61f824918eb92f23947c45d48779ee414135e3a5f1fca8

General

Target

file.exe
Size

6.4MB
MD5

205b945f0aaa50763bc3ad9443467e08
SHA1

23239e6992179befbf9dd7a5c71adc180eb86c9c
SHA256

e5b44a18698e291d8d61f824918eb92f23947c45d48779ee414135e3a5f1fca8
SHA512

41e55e3f9fbd0ff0129a8e44bdec3712310aa6c371b2de522c3e5a780efc3ce69d8d36a9951e120bc1116c5f6e59dd0e15f19c93e83572787955cab6a2860485
SSDEEP

196608:l+a4cnPo9/gSymVTzs6qJEaxovaotkyzxBW:sajnP/SymBo6qJE8ovaotksxBW

Score

10^/10

privateloader risepro evasion loader stealer themida trojan vmprotect

Malware Config

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	file.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe

Themida packer 16 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2104-0-0x0000000001190000-0x0000000001FA1000-memory.dmp	themida
behavioral1/memory/2104-1-0x0000000001190000-0x0000000001FA1000-memory.dmp	themida
behavioral1/memory/2104-23-0x0000000001190000-0x0000000001FA1000-memory.dmp	themida
behavioral1/memory/2104-24-0x0000000001190000-0x0000000001FA1000-memory.dmp	themida
behavioral1/memory/2104-25-0x0000000001190000-0x0000000001FA1000-memory.dmp	themida
behavioral1/memory/2104-26-0x0000000001190000-0x0000000001FA1000-memory.dmp	themida
behavioral1/memory/2104-27-0x0000000001190000-0x0000000001FA1000-memory.dmp	themida
behavioral1/memory/2104-28-0x0000000001190000-0x0000000001FA1000-memory.dmp	themida
behavioral1/memory/2104-29-0x0000000001190000-0x0000000001FA1000-memory.dmp	themida
behavioral1/memory/2104-30-0x0000000001190000-0x0000000001FA1000-memory.dmp	themida
behavioral1/memory/2104-31-0x0000000001190000-0x0000000001FA1000-memory.dmp	themida
behavioral1/memory/2104-33-0x0000000001190000-0x0000000001FA1000-memory.dmp	themida
behavioral1/memory/2104-32-0x0000000001190000-0x0000000001FA1000-memory.dmp	themida
behavioral1/memory/2104-34-0x0000000001190000-0x0000000001FA1000-memory.dmp	themida
behavioral1/memory/2104-35-0x0000000001190000-0x0000000001FA1000-memory.dmp	themida
behavioral1/memory/2104-80-0x0000000001190000-0x0000000001FA1000-memory.dmp	themida

VMProtect packed file 16 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2104-0-0x0000000001190000-0x0000000001FA1000-memory.dmp	vmprotect
behavioral1/memory/2104-1-0x0000000001190000-0x0000000001FA1000-memory.dmp	vmprotect
behavioral1/memory/2104-23-0x0000000001190000-0x0000000001FA1000-memory.dmp	vmprotect
behavioral1/memory/2104-24-0x0000000001190000-0x0000000001FA1000-memory.dmp	vmprotect
behavioral1/memory/2104-25-0x0000000001190000-0x0000000001FA1000-memory.dmp	vmprotect
behavioral1/memory/2104-26-0x0000000001190000-0x0000000001FA1000-memory.dmp	vmprotect
behavioral1/memory/2104-27-0x0000000001190000-0x0000000001FA1000-memory.dmp	vmprotect
behavioral1/memory/2104-28-0x0000000001190000-0x0000000001FA1000-memory.dmp	vmprotect
behavioral1/memory/2104-29-0x0000000001190000-0x0000000001FA1000-memory.dmp	vmprotect
behavioral1/memory/2104-30-0x0000000001190000-0x0000000001FA1000-memory.dmp	vmprotect
behavioral1/memory/2104-31-0x0000000001190000-0x0000000001FA1000-memory.dmp	vmprotect
behavioral1/memory/2104-33-0x0000000001190000-0x0000000001FA1000-memory.dmp	vmprotect
behavioral1/memory/2104-32-0x0000000001190000-0x0000000001FA1000-memory.dmp	vmprotect
behavioral1/memory/2104-34-0x0000000001190000-0x0000000001FA1000-memory.dmp	vmprotect
behavioral1/memory/2104-35-0x0000000001190000-0x0000000001FA1000-memory.dmp	vmprotect
behavioral1/memory/2104-80-0x0000000001190000-0x0000000001FA1000-memory.dmp	vmprotect

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	api.myip.com
8	ipinfo.io
9	ipinfo.io
4	api.myip.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	file.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	file.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	file.exe
File opened for modification	C:\Windows\System32\GroupPolicy	file.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2104	file.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1896	2104	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2104	file.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 1896	2104	file.exe	28
PID 2104 wrote to memory of 1896	2104	file.exe	28
PID 2104 wrote to memory of 1896	2104	file.exe	28
PID 2104 wrote to memory of 1896	2104	file.exe	28

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 244
  2⤵
  - Program crash
  PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab717A.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7258.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
memory/2104-23-0x0000000001190000-0x0000000001FA1000-memory.dmp

Filesize
14.1MB

Download
memory/2104-8-0x00000000765A0000-0x00000000765E7000-memory.dmp

Filesize
284KB

Download
memory/2104-9-0x0000000075260000-0x0000000075370000-memory.dmp

Filesize
1.1MB

Download
memory/2104-10-0x0000000075260000-0x0000000075370000-memory.dmp

Filesize
1.1MB

Download
memory/2104-11-0x00000000765A0000-0x00000000765E7000-memory.dmp

Filesize
284KB

Download
memory/2104-12-0x0000000075260000-0x0000000075370000-memory.dmp

Filesize
1.1MB

Download
memory/2104-13-0x0000000075260000-0x0000000075370000-memory.dmp

Filesize
1.1MB

Download
memory/2104-14-0x0000000075260000-0x0000000075370000-memory.dmp

Filesize
1.1MB

Download
memory/2104-15-0x0000000075260000-0x0000000075370000-memory.dmp

Filesize
1.1MB

Download
memory/2104-16-0x0000000075260000-0x0000000075370000-memory.dmp

Filesize
1.1MB

Download
memory/2104-17-0x0000000075260000-0x0000000075370000-memory.dmp

Filesize
1.1MB

Download
memory/2104-18-0x0000000075260000-0x0000000075370000-memory.dmp

Filesize
1.1MB

Download
memory/2104-19-0x0000000075260000-0x0000000075370000-memory.dmp

Filesize
1.1MB

Download
memory/2104-20-0x0000000075260000-0x0000000075370000-memory.dmp

Filesize
1.1MB

Download
memory/2104-21-0x0000000075260000-0x0000000075370000-memory.dmp

Filesize
1.1MB

Download
memory/2104-22-0x0000000077580000-0x0000000077582000-memory.dmp

Filesize
8KB

Download
memory/2104-24-0x0000000001190000-0x0000000001FA1000-memory.dmp

Filesize
14.1MB

Download
memory/2104-0-0x0000000001190000-0x0000000001FA1000-memory.dmp

Filesize
14.1MB

Download
memory/2104-35-0x0000000001190000-0x0000000001FA1000-memory.dmp

Filesize
14.1MB

Download
memory/2104-26-0x0000000001190000-0x0000000001FA1000-memory.dmp

Filesize
14.1MB

Download
memory/2104-27-0x0000000001190000-0x0000000001FA1000-memory.dmp

Filesize
14.1MB

Download
memory/2104-28-0x0000000001190000-0x0000000001FA1000-memory.dmp

Filesize
14.1MB

Download
memory/2104-29-0x0000000001190000-0x0000000001FA1000-memory.dmp

Filesize
14.1MB

Download
memory/2104-30-0x0000000001190000-0x0000000001FA1000-memory.dmp

Filesize
14.1MB

Download
memory/2104-31-0x0000000001190000-0x0000000001FA1000-memory.dmp

Filesize
14.1MB

Download
memory/2104-33-0x0000000001190000-0x0000000001FA1000-memory.dmp

Filesize
14.1MB

Download
memory/2104-32-0x0000000001190000-0x0000000001FA1000-memory.dmp

Filesize
14.1MB

Download
memory/2104-34-0x0000000001190000-0x0000000001FA1000-memory.dmp

Filesize
14.1MB

Download
memory/2104-25-0x0000000001190000-0x0000000001FA1000-memory.dmp

Filesize
14.1MB

Download
memory/2104-42-0x00000000765A0000-0x00000000765E7000-memory.dmp

Filesize
284KB

Download
memory/2104-44-0x0000000075260000-0x0000000075370000-memory.dmp

Filesize
1.1MB

Download
memory/2104-43-0x00000000765A0000-0x00000000765E7000-memory.dmp

Filesize
284KB

Download
memory/2104-45-0x0000000075260000-0x0000000075370000-memory.dmp

Filesize
1.1MB

Download
memory/2104-7-0x0000000075260000-0x0000000075370000-memory.dmp

Filesize
1.1MB

Download
memory/2104-1-0x0000000001190000-0x0000000001FA1000-memory.dmp

Filesize
14.1MB

Download
memory/2104-80-0x0000000001190000-0x0000000001FA1000-memory.dmp

Filesize
14.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads