privateloader | 57e2f9ee6aaad4097ac2b1151fe1cf9546c8fbc470670b73c8039285f4fd4db5 | Triage

Submit
Reports

Overview

overview

Static

static

3

d4359d5d0b...74.exe

windows7-x64

d4359d5d0b...74.exe

windows10-2004-x64

Sharing

General

Target

d4359d5d0bbe9828a1340fb1d8537a74
Size

6.7MB
Sample

240318-w3sg8afb39
MD5

d4359d5d0bbe9828a1340fb1d8537a74
SHA1

5c8805bd3c08d9866748ac033d9e0497bb84761c
SHA256

57e2f9ee6aaad4097ac2b1151fe1cf9546c8fbc470670b73c8039285f4fd4db5
SHA512

3ea8565784f17f44f1236d4176146e335e409f84514fff3c8d3a0099d8e7fe02dde340319e910b04296010df5e050835aa68bb62b40c1d18cd2c985ab23c2751
SSDEEP

98304:pAI+SlhLuZHUt0eb4gECc3TKnUESV/eqRrqmfgSmhML0CzSbquFwa1//NbAxg6gJ:itBUieh7c56qRTL0oLKw+NcA4BzicQ

Score

10^/10

privateloader vidar 916 discovery loader persistence stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

d4359d5d0bbe9828a1340fb1d8537a74.exe

Resource

win7-20240220-en

vidar 916 discovery persistence stealer

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

d4359d5d0bbe9828a1340fb1d8537a74.exe

Resource

win10v2004-20240226-en

privateloader vidar 916 discovery loader persistence stealer

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

vidar

Version

40.1

Botnet

916

C2

https://eduarroma.tumblr.com/

Attributes

profile_id
916

Extracted

Family

privateloader

C2

http://37.0.10.214/proxies.txt

http://37.0.10.244/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.237

Targets

- Target
  
  d4359d5d0bbe9828a1340fb1d8537a74
- Size
  
  6.7MB
- MD5
  
  d4359d5d0bbe9828a1340fb1d8537a74
- SHA1
  
  5c8805bd3c08d9866748ac033d9e0497bb84761c
- SHA256
  
  57e2f9ee6aaad4097ac2b1151fe1cf9546c8fbc470670b73c8039285f4fd4db5
- SHA512
  
  3ea8565784f17f44f1236d4176146e335e409f84514fff3c8d3a0099d8e7fe02dde340319e910b04296010df5e050835aa68bb62b40c1d18cd2c985ab23c2751
- SSDEEP
  
  98304:pAI+SlhLuZHUt0eb4gECc3TKnUESV/eqRrqmfgSmhML0CzSbquFwa1//NbAxg6gJ:itBUieh7c56qRTL0oLKw+NcA4BzicQ
Score

10^/10

vidar 916 discovery persistence stealer privateloader loader
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar Stealer
  stealer
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

vidar916discoverypersistencestealer

behavioral2

privateloadervidar916discoveryloaderpersistencestealer

© 2018-2024

Terms | Privacy