privateloader

General

Target

fc44a0e8161907e73f2e7f0ee5b264a8e2c78f5af3437c4cb25341661da8d813
Size

1.8MB
Sample

240524-ljr28scg37
MD5

7ff8c26a36f5a4566990745dff1594f3
SHA1

5d73bbd168fb9b1e43051340a415d95f28c40f4d
SHA256

fc44a0e8161907e73f2e7f0ee5b264a8e2c78f5af3437c4cb25341661da8d813
SHA512

d97be45d80e85722e74b44aeff834b2ccc219520c7d1632452c4a361b9dea59439f0f0ba27af6444132147c7bc30ccd5582bb0a0e246baf00f61e16195706b2d
SSDEEP

24576:jynjN3fi9dEoZR814OEQjls30eTFxmT4i8eMOq52eOXuq01dKqOF7:ujN3CdJ81nEQhs30eWuqsrOF7

Score

10^/10

Malware Config

Targets

- Target
  
  fc44a0e8161907e73f2e7f0ee5b264a8e2c78f5af3437c4cb25341661da8d813
- Size
  
  1.8MB
- MD5
  
  7ff8c26a36f5a4566990745dff1594f3
- SHA1
  
  5d73bbd168fb9b1e43051340a415d95f28c40f4d
- SHA256
  
  fc44a0e8161907e73f2e7f0ee5b264a8e2c78f5af3437c4cb25341661da8d813
- SHA512
  
  d97be45d80e85722e74b44aeff834b2ccc219520c7d1632452c4a361b9dea59439f0f0ba27af6444132147c7bc30ccd5582bb0a0e246baf00f61e16195706b2d
- SSDEEP
  
  24576:jynjN3fi9dEoZR814OEQjls30eTFxmT4i8eMOq52eOXuq01dKqOF7:ujN3CdJ81nEQhs30eWuqsrOF7
Score

10^/10

privateloader bootkit discovery evasion execution loader persistence spyware stealer themida trojan
- Modifies firewall policy service
  evasion
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops Chrome extension
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2