privateloader | Spotify[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

Spotify.exe
Size

32.9MB
MD5

56f0677c462716a2edc23656d12a9c6a
SHA1

db5d214a85a8797bae52bd138f0b8ab9ec228d27
SHA256

43667ad3fb8488233b70b4229343ad7f7a0974a4b5b859672c13858938cfd042
SHA512

0a46c7fcd705fc11198d01f7bc2640378e2b5877f2be2e3449cddd7c38511d54f395fc2fe2f0b31a9c1bdea3e4d97b657fc89d0dd8342e733f09701e2bca0b0d
SSDEEP

393216:rMaGSIXxWpSbmVLRMP4eRe+JwPsUo2JB51aBvuAZc:zGLXx74Ra9sh1gvuec

Score

10^/10

privateloader

Malware Config

Signatures

Privateloader family
privateloader

Files

Spotify.exe
.exe windows:6 windows x64 arch:x64

13105a60be786d1c5158e1bc86920b72

Code Sign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29/04/2021, 00:00

Not After

28/04/2036, 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0f:ab:67:0a:61:bf:4b:7d:af:d5:59:35:6b:5b:cc:ff
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

04/10/2023, 00:00

Not After

03/10/2024, 23:59

Subject

SERIALNUMBER=556703-7485,CN=Spotify AB,O=Spotify AB,L=Stockholm,C=SE,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.3=#13025345

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

14/07/2023, 00:00

Not After

13/10/2034, 23:59

Subject

CN=DigiCert Timestamp 2023,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

2e:5d:7b:38:cd:6a:8e:6d:65:1f:86:55:c5:bd:3e:0a:b2:64:49:4e:3c:90:4b:d6:2e:84:05:ce:4a:c9:f6:55
Signer

Actual PE Digest

2e:5d:7b:38:cd:6a:8e:6d:65:1f:86:55:c5:bd:3e:0a:b2:64:49:4e:3c:90:4b:d6:2e:84:05:ce:4a:c9:f6:55

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\src\desktop\shell\build\desktop\Release\Spotify.pdb

Imports

ws2_32

WSASetEvent
shutdown
setsockopt
select
ntohs
send
ntohl
WSAStartup
WSACloseEvent
WSACreateEvent
inet_addr
recvfrom
recv
freeaddrinfo
WSASetLastError
gethostbyname
WSAGetLastError
WSASend
getprotobyname
getpeername
WSARecvFrom
WSARecv
WSAIoctl
listen
getsockopt
getsockname
connect
htons
htonl
WSASendTo
ioctlsocket
getservbyname
getservbyport
sendto
closesocket
gethostbyaddr
WSAEventSelect
bind
inet_ntoa
WSAEnumNetworkEvents
getaddrinfo
WSACleanup
WSAWaitForMultipleEvents
socket
accept
__WSAFDIsSet
WSAStringToAddressW
WSAAddressToStringW
WSASocketW

gdiplus

GdipSetStringFormatLineAlign
GdipSetStringFormatAlign
GdipCloneStringFormat
GdipDeleteStringFormat
GdipStringFormatGetGenericDefault
GdipDrawString
GdipDeleteFont
GdipCreateFont
GdipGetGenericFontFamilySansSerif
GdipDeleteFontFamily
GdipCreateFontFamilyFromName
GdipFillEllipse
GdipSetTextRenderingHint
GdipSetSmoothingMode
GdipDeleteGraphics
GdipCreateHICONFromBitmap
GdipCreateHBITMAPFromBitmap
GdipCreateBitmapFromScan0
GdipGetImageHeight
GdipGetImageWidth
GdipGetImageGraphicsContext
GdipDisposeImage
GdipCloneImage
GdipBitmapUnlockBits
GdipSetInterpolationMode
GdipDrawImageRectRectI
GdipCreateBitmapFromStream
GdipLoadImageFromStream
GdipCreateSolidFill
GdipDeleteBrush
GdipCloneBrush
GdipFree
GdipAlloc
GdiplusShutdown
GdiplusStartup
GdipBitmapLockBits

dbghelp

SymGetSearchPathW
SymSetOptions
SymCleanup
SymFromAddr
SymGetLineFromAddr64
SymInitialize
SymSetSearchPathW

ntdll

RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlUnwindEx
RtlPcToFileHeader
RtlUnwind
VerSetConditionMask
RtlInitUnicodeString
RtlCaptureStackBackTrace

oleaut32

SetErrorInfo
SysAllocString
SysAllocStringByteLen
SysFreeString
VariantClear
SysStringLen
GetErrorInfo

userenv

CreateAppContainerProfile
DeriveAppContainerSidFromAppContainerName

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter
QueryPerformanceFrequency

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
InitializeProcThreadAttributeList
SetThreadPriority
QueueUserAPC
UpdateProcThreadAttribute
TlsGetValue
GetThreadId
TlsAlloc
GetCurrentProcessId
TlsSetValue
GetCurrentThread
ExitThread
GetExitCodeProcess
DeleteProcThreadAttributeList
SwitchToThread
GetExitCodeThread
GetProcessTimes
TerminateThread
CreateThread
TlsFree
ResumeThread
TerminateProcess
ExitProcess
GetCurrentProcess
GetStartupInfoW
CreateProcessW
CreateRemoteThread

api-ms-win-core-sysinfo-l1-1-0

GetLocalTime
GetSystemTime
GetWindowsDirectoryW
GetVersionExW
GetTickCount64
GetTickCount
GetSystemInfo
GetSystemTimeAsFileTime
GetVersion
GetSystemDirectoryA

api-ms-win-core-interlocked-l1-1-0

InterlockedPushEntrySList
InitializeSListHead

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
DebugBreak
OutputDebugStringA
OutputDebugStringW

api-ms-win-core-errorhandling-l1-1-0

GetLastError
RaiseException
SetUnhandledExceptionFilter
UnhandledExceptionFilter
SetLastError

api-ms-win-core-processthreads-l1-1-1

GetProcessMitigationPolicy
GetProcessHandleCount
OpenProcess
SetProcessMitigationPolicy
IsProcessorFeaturePresent
GetCurrentProcessorNumber

api-ms-win-core-libraryloader-l1-2-0

SetDefaultDllDirectories
LoadStringW
GetProcAddress
FreeLibrary
FreeLibraryAndExitThread
LoadLibraryExW
GetModuleHandleA
LoadResource
LockResource
SizeofResource
GetModuleHandleExW
LoadLibraryExA
GetModuleFileNameW
GetModuleHandleW

api-ms-win-core-synch-l1-1-0

ReleaseMutex
ReleaseSRWLockShared
CreateMutexA
ResetEvent
AcquireSRWLockShared
ReleaseSRWLockExclusive
CreateMutexW
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TryAcquireSRWLockExclusive
CreateEventExW
InitializeCriticalSectionEx
OpenMutexW
AcquireSRWLockExclusive
InitializeSRWLock
WaitForSingleObjectEx
WaitForMultipleObjectsEx
CreateEventA
InitializeCriticalSection
SetEvent
WaitForSingleObject
SleepEx
CreateEventW
ReleaseSemaphore
SetWaitableTimer
OpenEventA

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-processenvironment-l1-1-0

GetStdHandle
FreeEnvironmentStringsW
GetCurrentDirectoryW
SetCurrentDirectoryW
GetCommandLineW
SetStdHandle
ExpandEnvironmentStringsW
GetEnvironmentStringsW
SetEnvironmentVariableW
GetEnvironmentVariableW
GetCommandLineA

api-ms-win-core-file-l1-1-0

LockFile
GetFileAttributesW
FindFirstFileW
GetLongPathNameW
GetDiskFreeSpaceExW
GetVolumePathNameW
GetFileInformationByHandle
RemoveDirectoryW
GetDriveTypeW
UnlockFile
WriteFile
FindNextFileW
FindFirstFileExW
FindClose
GetFullPathNameW
GetFileAttributesExW
FlushFileBuffers
SetFileAttributesW
SetEndOfFile
GetFileSizeEx
SetFilePointerEx
ReadFile
GetFileSize
CreateFileW
GetFileTime
GetFileType
CreateDirectoryW
DeleteFileW
GetTempFileNameW

api-ms-win-core-heap-l1-1-0

HeapDestroy
GetProcessHeap
HeapFree
HeapSetInformation
HeapAlloc
HeapSize
GetProcessHeaps
HeapReAlloc

api-ms-win-core-localization-l1-2-0

LCMapStringEx
IsValidLocale
GetLocaleInfoW
GetLocaleInfoEx
FormatMessageW
LCMapStringW
FormatMessageA
GetOEMCP
EnumSystemLocalesW
GetUserDefaultLCID
IsValidCodePage
GetACP
GetUserDefaultLocaleName
GetUserDefaultLangID
GetCPInfo

api-ms-win-core-string-l1-1-0

GetStringTypeW
CompareStringEx
MultiByteToWideChar
WideCharToMultiByte
CompareStringW

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-core-fibers-l1-1-0

FlsGetValue
FlsAlloc
FlsFree
FlsSetValue

api-ms-win-core-datetime-l1-1-0

GetDateFormatW
GetTimeFormatW

api-ms-win-core-console-l1-1-0

SetConsoleMode
SetConsoleCtrlHandler
WriteConsoleW
ReadConsoleW
ReadConsoleA
AllocConsole
GetConsoleMode
GetConsoleOutputCP
WriteConsoleA

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle
SetHandleInformation

api-ms-win-core-heap-l2-1-0

GlobalAlloc
GlobalFree
LocalFree
LocalAlloc

api-ms-win-core-file-l2-1-0

MoveFileExW
ReplaceFileW
CreateDirectoryExW
CopyFileExW
ReadDirectoryChangesW

api-ms-win-core-com-l1-1-0

CoUninitialize
CoInitializeEx
PropVariantClear
CoCreateInstance
CoGetApartmentType
CoTaskMemFree
StringFromGUID2
CLSIDFromString
CoTaskMemAlloc
StringFromCLSID
CoSetProxyBlanket
CoCreateFreeThreadedMarshaler
CoGetObjectContext
CoInitializeSecurity

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime
FileTimeToSystemTime
GetTimeZoneInformation
SystemTimeToTzSpecificLocalTime

api-ms-win-core-io-l1-1-0

GetQueuedCompletionStatus
DeviceIoControl
PostQueuedCompletionStatus
CancelIoEx
CreateIoCompletionPort

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects
CreateWaitableTimerW

api-ms-win-core-libraryloader-l1-2-1

FindResourceW
LoadLibraryW
LoadLibraryA

api-ms-win-core-console-l2-1-0

SetConsoleTextAttribute
GetConsoleScreenBufferInfo

api-ms-win-core-synch-l1-2-0

WakeConditionVariable
WakeAllConditionVariable
SleepConditionVariableSRW
InitializeConditionVariable
Sleep
InitOnceComplete
InitOnceBeginInitialize

mswsock

GetAcceptExSockaddrs
AcceptEx

api-ms-win-core-io-l1-1-1

CancelIo

bcrypt

BCryptOpenAlgorithmProvider
BCryptCloseAlgorithmProvider
BCryptGenRandom

api-ms-win-core-toolhelp-l1-1-0

Process32FirstW
Process32NextW
CreateToolhelp32Snapshot

api-ms-win-core-kernel32-legacy-l1-1-0

RegisterWaitForSingleObject
MoveFileW
GetSystemPowerStatus
CreateFileMappingA
GetComputerNameW
UnregisterWait

api-ms-win-core-psapi-l1-1-0

K32GetModuleInformation
K32GetModuleFileNameExW
QueryFullProcessImageNameW
K32GetProcessMemoryInfo

iphlpapi

GetExtendedTcpTable
GetAdaptersAddresses

api-ms-win-ntuser-sysparams-l1-1-0

GetSystemMetrics
SystemParametersInfoW

api-ms-win-core-localization-obsolete-l1-2-0

GetUserDefaultUILanguage

api-ms-win-core-sysinfo-l1-2-0

GetNativeSystemInfo
GetProductInfo

api-ms-win-core-kernel32-legacy-l1-1-1

VerifyVersionInfoW

api-ms-win-core-heap-obsolete-l1-1-0

GlobalSize
GlobalUnlock
GlobalLock

api-ms-win-core-file-l1-2-2

GetTempPathA
AreFileApisANSI

api-ms-win-core-memory-l1-1-0

VirtualFreeEx
VirtualProtect
CreateFileMappingW
VirtualAllocEx
VirtualQuery
WriteProcessMemory
UnmapViewOfFile
VirtualFree
VirtualProtectEx
MapViewOfFile
ReadProcessMemory

api-ms-win-core-synch-ansi-l1-1-0

OpenMutexA
CreateSemaphoreA

api-ms-win-core-kernel32-legacy-l1-1-2

OpenFileMappingA

api-ms-win-core-console-l1-2-0

AttachConsole

api-ms-win-core-console-l3-2-0

GetCurrentConsoleFont

api-ms-win-core-job-l2-1-0

AssignProcessToJobObject
SetInformationJobObject
CreateJobObjectW

crypt32

CertOpenStore
CertFindCertificateInStore
CertFreeCertificateContext
CertDuplicateCertificateContext
CertGetNameStringA
CertEnumCertificatesInStore
CertCloseStore
CertGetCertificateContextProperty

wintrust

WinVerifyTrust
WTHelperGetProvSignerFromChain
WTHelperGetProvCertFromChain
WTHelperProvDataFromStateData

api-ms-win-core-fibers-l2-1-0

SwitchToFiber
DeleteFiber
ConvertFiberToThread

api-ms-win-core-fibers-l2-1-1

ConvertThreadToFiberEx
CreateFiberEx

winhttp

WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetProxyForUrl
WinHttpOpen
WinHttpCloseHandle
WinHttpSetTimeouts

api-ms-win-core-processthreads-l1-1-3

SetThreadDescription

api-ms-win-core-localization-l1-2-1

EnumSystemLocalesEx

api-ms-win-core-threadpool-legacy-l1-1-0

UnregisterWaitEx

api-ms-win-core-processthreads-l1-1-2

SetThreadInformation

api-ms-win-core-wow64-l1-1-0

IsWow64Process

api-ms-win-core-processtopology-obsolete-l1-1-0

SetThreadAffinityMask

api-ms-win-mm-time-l1-1-0

timeGetTime

kernel32

RegisterApplicationRestart
PowerCreateRequest
PowerSetRequest
PowerClearRequest
K32EnumProcessModules
TerminateJobObject
QueryInformationJobObject
QueryDosDeviceW

dsound

ord2
ord11

avrt

AvSetMmThreadPriority
AvRevertMmThreadCharacteristics
AvSetMmThreadCharacteristicsW

api-ms-win-core-namedpipe-l1-1-0

PeekNamedPipe

api-ms-win-core-threadpool-l1-2-0

CloseThreadpoolWork
SubmitThreadpoolWork
CreateThreadpoolWork
FreeLibraryWhenCallbackReturns
TrySubmitThreadpoolCallback

Exports

Exports

GetHandleVerifier
IsSandboxedProcess

Sections

.text
Size: 19.3MB - Virtual size: 19.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4.8MB - Virtual size: 4.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7.4MB - Virtual size: 7.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1021KB - Virtual size: 1021KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 72KB - Virtual size: 71KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 266KB - Virtual size: 266KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

13105a60be786d1c5158e1bc86920b72

Code Sign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9Certificate

Extended Key Usages

Key Usages

0f:ab:67:0a:61:bf:4b:7d:af:d5:59:35:6b:5b:cc:ffCertificate

Extended Key Usages

Key Usages

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16Certificate

Extended Key Usages

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

2e:5d:7b:38:cd:6a:8e:6d:65:1f:86:55:c5:bd:3e:0a:b2:64:49:4e:3c:90:4b:d6:2e:84:05:ce:4a:c9:f6:55Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ws2_32

gdiplus

dbghelp

ntdll

oleaut32

userenv

api-ms-win-core-profile-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-core-fibers-l1-1-0

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-console-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-synch-l1-2-1

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-console-l2-1-0

api-ms-win-core-synch-l1-2-0

mswsock

api-ms-win-core-io-l1-1-1

bcrypt

api-ms-win-core-toolhelp-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-psapi-l1-1-0

iphlpapi

api-ms-win-ntuser-sysparams-l1-1-0

api-ms-win-core-localization-obsolete-l1-2-0

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-core-kernel32-legacy-l1-1-1

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-file-l1-2-2

api-ms-win-core-memory-l1-1-0

api-ms-win-core-synch-ansi-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-2

api-ms-win-core-console-l1-2-0

api-ms-win-core-console-l3-2-0

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

0f:ab:67:0a:61:bf:4b:7d:af:d5:59:35:6b:5b:cc:ff
Certificate

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

2e:5d:7b:38:cd:6a:8e:6d:65:1f:86:55:c5:bd:3e:0a:b2:64:49:4e:3c:90:4b:d6:2e:84:05:ce:4a:c9:f6:55
Signer

.text
Size: 19.3MB - Virtual size: 19.3MB

.rdata
Size: 4.8MB - Virtual size: 4.8MB

.data
Size: 7.4MB - Virtual size: 7.7MB

.pdata
Size: 1021KB - Virtual size: 1021KB

_RDATA
Size: 512B - Virtual size: 348B

.rsrc
Size: 72KB - Virtual size: 71KB

.reloc
Size: 266KB - Virtual size: 266KB