privateloader | 046dd3e5190fd5fd304920b5388087f82b86df15061de3cbdd51c7a53d74b7cf

Analysis

max time kernel
3s
max time network
32s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-05-2024 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

'.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

10^/10

privateloader loader

Malware Config

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2556	1664	'.exe	28
PID 1664 wrote to memory of 2556	1664	'.exe	28
PID 1664 wrote to memory of 2556	1664	'.exe	28
PID 1664 wrote to memory of 2556	1664	'.exe	28
PID 1664 wrote to memory of 2580	1664	'.exe	29
PID 1664 wrote to memory of 2580	1664	'.exe	29
PID 1664 wrote to memory of 2580	1664	'.exe	29
PID 1664 wrote to memory of 2580	1664	'.exe	29

C:\Users\Admin\AppData\Local\Temp\'.exe
"C:\Users\Admin\AppData\Local\Temp\'.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Local\Temp\'.exe
  "C:\Users\Admin\AppData\Local\Temp\'.exe" --local-service
  2⤵
  PID:2556
- C:\Users\Admin\AppData\Local\Temp\'.exe
  "C:\Users\Admin\AppData\Local\Temp\'.exe" --local-control
  2⤵
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
d9a41169227eec0fcc5cc849acb186e1

SHA1
95b1f4c090aa130889b64dd83fc547a711c50fe9

SHA256
dc672a7710d09d9f1ccebfe3f77dd77df5cd378b372c62cee511b65b8991e261

SHA512
da11f3b7d603e3888407e8bd04d732c3883c4a993a366a84b132c99abcc7bff25abcf18b9e54feb03f3fe08413ae2435682a8ef3b0a1715523dec89231396471

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
d2e6ca755f22f6f12b8bd5726893900b

SHA1
a54586c61b8a4c9c818d70f3cf6ded2c9fc8e16d

SHA256
9fdee844922127af26bbf9eed54904490cd08849a1561e88f5caba405376ef31

SHA512
225a01e3665416e867fc4f21e5748e332274c9e114fc2581048d3901f8b6fad26ef11f1b3ad7808b5e67a898ec87d9b9c84eb825acd1fa905ff8a78553693de0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
29c9fbce2103f9a0c670c52d7bfe01ff

SHA1
98c81d59a1e96f93b1e9a7c2a0cda050d9613747

SHA256
77e7a1644cbce35e1b5dfd7f578f8a17945331a7c40f26b3dd671d52072f81e3

SHA512
1a5c99653875b7859b5cfca1733bee74c73e8599ee322a2f1cbf98f0a6537884ee8f7e24061d4942b8f4b076794d19ca3d0ff43fe97d7d92a55256b1a2be633c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
0834fe93cfb03be8e3992ab550d7c63f

SHA1
3b3b167a9bffdb1262d3805cb17874c90babb159

SHA256
9768bd1bceda287ea5bc311c6c81a208e5ce4370c28433bc8ef77e37b1230e58

SHA512
7ebaff09fb4fdd322a7bb32896e5197d9ff6f12519239539e6e802d337e0db9892162c94fcb00e2afd825845f66460a9f4544024fb158a381ba04e89228b1c64

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
c758c936c22ed30f5a8ce29e73c483ca

SHA1
295277f006c181c5670d94d968ef00b043618833

SHA256
5aaea6ebc1a3aab49f870b84bfd2521e32c078b1da6018b10da2afd503f1f796

SHA512
1b1f6292c1e0ee11aa321c1a7a633728b4d2ce782a80f8face8c6683825381f3ad35c1bdd2203a5bd78bfe494d1f5923934048348c81acd7d30af9587c400205

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
733B

MD5
3aa337210236fe597784c5c296493c58

SHA1
c149a681aaa7f9af65837694122dc3704452503f

SHA256
e592e3b25806bcf7f9ff77d3a8d82ecdd1a7e7bb2eacfb735c466dd29d54c4fd

SHA512
10dc1191eb36329308bd80bbb8b03f8dd22679097af1f2f51a40b9591b9ef59275ecd9574fec605c00ae56643d62688ae377664656507e46fe7d36fa75ddf3ce

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
9772cb1c81ee796eb0218c0ca2e23f3f

SHA1
732b5fd1724db5c79f99132619dd369cef94e1c6

SHA256
210eb68c3b5fa89a22603ad7f5965c62c88747b13f745c3971619acb42247160

SHA512
f3a5cec4f1227816db22de8a377a68b98ca1a86057f76dd4bf3d47fd2899c6a0b8942899511a2d17884182ded9b5f34fbee6aaee130b64e891b6138a7b7a7c42

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
1fb1d387dd73cab4a7622f80761f2d02

SHA1
3fefbebb62d681c0d151aff1e4428710d2853e7a

SHA256
5e6256f5cc445f120a1607f1f2056b759ba076a00e04a0f3c3011ad8fd855169

SHA512
4136ddb836489513969c3e858e26477a02b4ac0cebf227a310d15192087d869c5f74c68383c843943f74fc8a9ceb1ec6cff888a93532d68f5d394b2ee10b51ea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f32d0ff556e86904723429a8cc98271d

SHA1
dbbf1ef5946abafc1774e0575335291b6d854cd9

SHA256
35dc02a612f600caf3c765a206c4039495aa08d3fd0c42e41960cd692c2e01b9

SHA512
ec49ea17f131bf993456c44e6df17d8854b9430963a5e1f02096cddc5d4b95c5951e09e47db77e697a3e50015b362ceaef6d9f47da14f76728b6c5af13bc122e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
78377ce1c22d3bb4c27a659bf513e8bf

SHA1
7caaefd8c34c3b8b7c1c7fcdde3935913e98c031

SHA256
2a0315bd282cf780d98abb473036ae9ecc81c4365c8e2d438102d2483409a3ef

SHA512
6966f8e5f8e02b8dbc92acd96431d1908aec4f18028e319287f6f845b8e46a845e47fd507d84d3f6f964a8a8dd45553807d67f1cf5f1914315cb5ea37fb7d96f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
0ebef14e1d04f47685b0f2bad1a8f252

SHA1
327ea7578a2fe31be0073e8e911737f1c2750790

SHA256
6e6ab2b100739294ced550d6052d362457fb7b0fc93d5bd14f45c38c78872117

SHA512
c0ecca90686e79ebd1d6d78a23224ff5e6916d0b8262082fdbf52385cb1703b150bb4100f7a74cdd1e5f8a0442b9980a82e81bf71d0def6d603b7d79d2189c0f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
f68b8b3d22590e973157ed3f21103d2e

SHA1
66412f1192274a23550cd49ddd3fb69fa921a458

SHA256
2ccb16a1411c7390250993d6a31aa2b093d8f8ed4fdfaa734759045fad06f2a7

SHA512
c5f18de60a4ac41ad1296d45c998ab81b7436260324b53a1d8648269ce18696dacf914526b7998877617a6ab1d6078f99dae5034d9c102650852b78d14d78efc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
972282290d436adced8bd59e5122de3d

SHA1
641fc5f9eaaefa050238480a1b02a96790210413

SHA256
d1468cbaf3c2a708fb5bc525b22cc7b9b8933bbff1f2830fb76f68713ad64754

SHA512
b4b3c852892e85a16264a383e37f2f33a8f8e6cf1b7d7c5f79b004b5bb69770286cd17ed8ed1b052bd3880a09620dd0c262929b78436c30397b9faafd559160a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
667e48317d0d16b3bb0662664098f90c

SHA1
87b870156ea9f513c7aa25f20f04a0b6ad627c77

SHA256
36b06b1752adcf802be3965d02e648575153a9ff3cdb2e1b432c93e722cd9d6c

SHA512
403ff4b9369b99601063d7fe2ab9d5ccb26051b76b75210e56ce5cdd641514bd1cf025007bd3d904e907bdcd15c378cbb50ea670a67c92352f09014814f7186b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
77e050cd30f0cefaa8e98d425d630dfd

SHA1
4b94e616c8a33c86686800461174cdb39536c295

SHA256
fa4490d54722bc2110f53383009c56e94cdb204ae7e5400ea8bae4869a12cc2d

SHA512
a900239e8dc5ac375c2049d1598a7031ecee10d985d1943eec3dfa0810ac976d4d4f3357f0cac8abccc3c5d2a179908db5d27de5e073d65809683c2e46da86e5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a72a684d0cb8d268ad18207b13bbbd3d

SHA1
b213275ffc28b97261dab44adec4c0f1a334264b

SHA256
903de1adf95e489e9dbc29e97a4a2fd816e17ea779438c8dfd54d3aa503fdb26

SHA512
be75901f8aee606a4c2cc41b381cf5cf43b26fb3bc60da7554149bf8f8734ca7f0079932c102e7d821990c970e7d768f015569b37275e7d76e31477ef0121a61

Download Submit
memory/1664-257-0x0000000001060000-0x0000000002797000-memory.dmp

Filesize
23.2MB

Download
memory/1664-6-0x0000000001060000-0x0000000002797000-memory.dmp

Filesize
23.2MB

Download
memory/1664-2-0x0000000001064000-0x00000000022A3000-memory.dmp

Filesize
18.2MB

Download
memory/1664-0-0x0000000001060000-0x0000000002797000-memory.dmp

Filesize
23.2MB

Download
memory/1664-263-0x0000000001064000-0x00000000022A3000-memory.dmp

Filesize
18.2MB

Download
memory/2556-17-0x0000000001060000-0x0000000002797000-memory.dmp

Filesize
23.2MB

Download
memory/2556-258-0x0000000001060000-0x0000000002797000-memory.dmp

Filesize
23.2MB

Download
memory/2580-19-0x0000000001060000-0x0000000002797000-memory.dmp

Filesize
23.2MB

Download
memory/2580-259-0x0000000001060000-0x0000000002797000-memory.dmp

Filesize
23.2MB

Download