privateloader

General

Target

ff64e527b265254f6bc1c7574f2dcc4e46884d21ca359cb300914652b9845c4b
Size

1.7MB
Sample

231212-ex3bsseggp
MD5

3ed257e35e82eae5cbe8ece2528f08d5
SHA1

6da07109e1d75e034c221a5c611b7bc92e768bad
SHA256

ff64e527b265254f6bc1c7574f2dcc4e46884d21ca359cb300914652b9845c4b
SHA512

63b4c2c90c1247fd247f814324513e77b5cf2d8695573ee51b8b44e63321a1783ad8ff4135c36b8298e6f3870494386468e75e868b7ce9f821a580e56e349b30
SSDEEP

24576:ZyfZUwBDzYPAksrQTnk3+rh9PtA0R3jmhbbHShJOsJH0PF5ni+MEVEOcK:MfPBD8Ybronkw9W0Rz2HmJO+x8o

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://81.19.131.34/fks/index.php

rc4.i32

Extracted

Family

risepro

C2

193.233.132.51

Targets

- Target
  
  ff64e527b265254f6bc1c7574f2dcc4e46884d21ca359cb300914652b9845c4b
- Size
  
  1.7MB
- MD5
  
  3ed257e35e82eae5cbe8ece2528f08d5
- SHA1
  
  6da07109e1d75e034c221a5c611b7bc92e768bad
- SHA256
  
  ff64e527b265254f6bc1c7574f2dcc4e46884d21ca359cb300914652b9845c4b
- SHA512
  
  63b4c2c90c1247fd247f814324513e77b5cf2d8695573ee51b8b44e63321a1783ad8ff4135c36b8298e6f3870494386468e75e868b7ce9f821a580e56e349b30
- SSDEEP
  
  24576:ZyfZUwBDzYPAksrQTnk3+rh9PtA0R3jmhbbHShJOsJH0PF5ni+MEVEOcK:MfPBD8Ybronkw9W0Rz2HmJO+x8o
Score

10^/10

privateloader risepro smokeloader backdoor collection discovery evasion loader persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
behavioral1