privateloader | 3a1d2daef3617f82a5d3f5a91f4f78d9ff5e2a2125f9f524d3d0bcd0bf3d43ed | Triage

Sharing

General

Target

1_setup-rem_ovl.exe
Size

4.4MB
Sample

240731-sdfkkstfld
MD5

58563fab8999891e35869b2cf6fdd67d
SHA1

172706bd7e83f8e832af5214295c9931a4981abb
SHA256

3a1d2daef3617f82a5d3f5a91f4f78d9ff5e2a2125f9f524d3d0bcd0bf3d43ed
SHA512

705bf4179bc13793fdea11365f2b8f64d97db9e66536355e0e8927e6b27d1956b7fb98d87cbf890cff5e55bdf36a514eea9c90bff0567104d9195c4a527deaaa
SSDEEP

98304:5Enod59JLovWfw6JzPocNK52w8dudhWhAKiVGRM:RDT948zA12w8du3oOVG

Score

10^/10

privateloader stealc credential_access discovery evasion loader spyware stealer

Malware Config

Targets

- Target
  
  1_setup-rem_ovl.exe
- Size
  
  4.4MB
- MD5
  
  58563fab8999891e35869b2cf6fdd67d
- SHA1
  
  172706bd7e83f8e832af5214295c9931a4981abb
- SHA256
  
  3a1d2daef3617f82a5d3f5a91f4f78d9ff5e2a2125f9f524d3d0bcd0bf3d43ed
- SHA512
  
  705bf4179bc13793fdea11365f2b8f64d97db9e66536355e0e8927e6b27d1956b7fb98d87cbf890cff5e55bdf36a514eea9c90bff0567104d9195c4a527deaaa
- SSDEEP
  
  98304:5Enod59JLovWfw6JzPocNK52w8dudhWhAKiVGRM:RDT948zA12w8du3oOVG
Score

10^/10

privateloader stealc credential_access discovery evasion loader spyware stealer
- Modifies firewall policy service
  evasion
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

privateloaderstealccredential_accessdiscoveryevasionloaderspywarestealer

behavioral2

privateloaderevasionloader