Analysis

  • max time kernel
    141s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/11/2024, 07:50 UTC

General

  • Target

    6ca26fbe131ceb76d05709c5df672110dc50148c791d8079eeb7d988025aef46.exe

  • Size

    5.1MB

  • MD5

    bddbc9360dfb7c83b96437a0ca77aae1

  • SHA1

    88c82298dd32e2826743caeca5b82acf6583eee7

  • SHA256

    6ca26fbe131ceb76d05709c5df672110dc50148c791d8079eeb7d988025aef46

  • SHA512

    2a066a7e0b38d1c755d67757e4fe67eb12fefcce4aca078ae5f3f554cfd60415a5676c82a0d9eb6de9eef9327cee8eb1038f45d730fa2314e561ea2120f21224

  • SSDEEP

    98304:YNd6oQypwQq73QOB6+KPZtshYIyVGf+GBycKgeE7lXK:Yb6oQewQqbQO0+KPLsiVs+GVKjE7l6

Malware Config

Extracted

Family

privateloader

C2

http://212.193.30.45/proxies.txt

http://85.202.169.116/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

85.202.169.116

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • Privateloader family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
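The three signatures above that read VirtualBox ACPI keys and BIOS strings from the registry are the loader's sandbox check: if the firmware strings name a hypervisor, it can stop before unpacking and the analysis shows nothing. The script below is an added example (mine, not the report's or PrivateLoader's code) for auditing an analysis VM for exactly those tells. The key paths and marker strings are the commonly documented VirtualBox/VMware/QEMU artifacts; the sample's own list is not published on this page, so treat the marker set as an assumption. The `VBOX_GUEST` snapshot is constructed to resemble an unhardened VirtualBox guest; `snapshot_live_registry()` reads the real values and only works on Windows.

```python
"""Audit a Windows image for the registry tells that give a VirtualBox
(or other hypervisor) guest away to anti-VM checks like the ones in this
report's signatures.  Added example, not code from the report or the loader."""
import platform

# Values under HKLM whose data carries the platform's firmware strings.
BIOS_VALUES = {
    r"HARDWARE\DESCRIPTION\System": ("SystemBiosVersion", "VideoBiosVersion"),
    r"HARDWARE\DESCRIPTION\System\BIOS": ("SystemManufacturer", "SystemProductName", "BIOSVendor"),
}
# ACPI tables are exposed as subkeys named after the table's OEM ID, e.g. "VBOX__".
ACPI_TABLES = (r"HARDWARE\ACPI\DSDT", r"HARDWARE\ACPI\FADT", r"HARDWARE\ACPI\RSDT")
# Assumed marker set: the well-known hypervisor strings, not this sample's exact list.
MARKERS = ("VBOX", "VIRTUALBOX", "INNOTEK", "VMWARE", "QEMU", "BOCHS")


def _as_strings(data):
    """REG_MULTI_SZ comes back as a list; normalise every value to a list of str."""
    if isinstance(data, (list, tuple)):
        return [str(x) for x in data]
    return [str(data)]


def find_vm_tells(bios_values, acpi_subkeys):
    """Return [(location, offending string)] for every marker hit.

    bios_values:  {key path under HKLM: {value name: data}}
    acpi_subkeys: {ACPI table key path under HKLM: [subkey names]}
    """
    hits = []
    for key, names in BIOS_VALUES.items():
        for name in names:
            for s in _as_strings(bios_values.get(key, {}).get(name, "")):
                if any(m in s.upper() for m in MARKERS):
                    hits.append((f"{key}\\{name}", s))
    for key in ACPI_TABLES:
        for sub in acpi_subkeys.get(key, []):
            if any(m in sub.upper() for m in MARKERS):
                hits.append((key, sub))
    return hits


def snapshot_live_registry():
    """Read the same locations from the running host (Windows only)."""
    if platform.system() != "Windows":
        raise RuntimeError("live registry snapshot needs Windows")
    import winreg  # imported lazily so the module still loads on other platforms
    bios, acpi = {}, {}
    for key, names in BIOS_VALUES.items():
        bios[key] = {}
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as h:
                for name in names:
                    try:
                        bios[key][name] = winreg.QueryValueEx(h, name)[0]
                    except FileNotFoundError:
                        pass
        except FileNotFoundError:
            pass
    for key in ACPI_TABLES:
        acpi[key] = []
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as h:
                count = winreg.QueryInfoKey(h)[0]
                acpi[key] = [winreg.EnumKey(h, i) for i in range(count)]
        except FileNotFoundError:
            pass
    return bios, acpi


# Constructed snapshot resembling an unhardened VirtualBox guest (not real capture data).
VBOX_GUEST = (
    {
        r"HARDWARE\DESCRIPTION\System": {
            "SystemBiosVersion": ["VBOX   - 1"],
            "VideoBiosVersion": ["Oracle VM VirtualBox Version 6.1.0"],
        },
        r"HARDWARE\DESCRIPTION\System\BIOS": {
            "SystemManufacturer": "innotek GmbH",
            "SystemProductName": "VirtualBox",
            "BIOSVendor": "innotek GmbH",
        },
    },
    {r"HARDWARE\ACPI\DSDT": ["VBOX__"], r"HARDWARE\ACPI\FADT": ["VBOX__"], r"HARDWARE\ACPI\RSDT": ["VBOX__"]},
)

if __name__ == "__main__":
    bios, acpi = snapshot_live_registry() if platform.system() == "Windows" else VBOX_GUEST
    for location, value in find_vm_tells(bios, acpi):
        print(f"VM tell: {location} -> {value!r}")
```

Run it inside the analysis VM; every line it prints is a string the loader can read with a single registry query, so a hardened image should print nothing. Renaming the ACPI OEM IDs and the DMI strings has to be done at the hypervisor layer (VirtualBox `VBoxManage setextradata`), not by editing the registry, because the keys are regenerated from the firmware tables at boot.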

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ca26fbe131ceb76d05709c5df672110dc50148c791d8079eeb7d988025aef46.exe
    "C:\Users\Admin\AppData\Local\Temp\6ca26fbe131ceb76d05709c5df672110dc50148c791d8079eeb7d988025aef46.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2644

Network

  • DNS (remote in US)
    pastebin.com
    6ca26fbe131ceb76d05709c5df672110dc50148c791d8079eeb7d988025aef46.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
    Response
    pastebin.com
    IN A
    104.20.3.235
    pastebin.com
    IN A
    172.67.19.24
    pastebin.com
    IN A
    104.20.4.235
  • GET (remote in US)
    https://pastebin.com/raw/A7dSG1te
    6ca26fbe131ceb76d05709c5df672110dc50148c791d8079eeb7d988025aef46.exe
    Remote address:
    104.20.3.235:443
    Request
    GET /raw/A7dSG1te HTTP/1.1
    Connection: Keep-Alive
    User-Agent: 
    Host: pastebin.com
    Response
    HTTP/1.1 404 Not Found
    Date: Thu, 07 Nov 2024 07:51:10 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 161
    Server: cloudflare
    CF-RAY: 8debbc8fbde2cd85-LHR
  • DNS (remote in US)
    wfsdragon.ru
    6ca26fbe131ceb76d05709c5df672110dc50148c791d8079eeb7d988025aef46.exe
    Remote address:
    8.8.8.8:53
    Request
    wfsdragon.ru
    IN A
    Response
    wfsdragon.ru
    IN A
    172.67.133.215
    wfsdragon.ru
    IN A
    104.21.5.208
  • GET (remote in US)
    http://wfsdragon.ru/api/setStats.php
    6ca26fbe131ceb76d05709c5df672110dc50148c791d8079eeb7d988025aef46.exe
    Remote address:
    172.67.133.215:80
    Request
    GET /api/setStats.php HTTP/1.1
    Connection: Keep-Alive
    User-Agent: ????ll
    Host: wfsdragon.ru
    Response
    HTTP/1.1 404 Not Found
    Date: Thu, 07 Nov 2024 07:51:10 GMT
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Connection: keep-alive
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j%2BNR%2FiMyjjC1T9JvH1bcqDLRg4XogHhAW21fG1vVKHFbnomIKqGE6Yw%2BBNt9V3dA%2BbQwRDANDCOX5qS3U%2BQP2K1FNy8IV0FkqdIdF0MxbUxiy55RMkNAIM5y3UFmLPE%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8debbc907de76511-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=22282&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=98&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  • 212.193.30.45:80
    6ca26fbe131ceb76d05709c5df672110dc50148c791d8079eeb7d988025aef46.exe
    152 B
    3
  • 85.202.169.116:80
    6ca26fbe131ceb76d05709c5df672110dc50148c791d8079eeb7d988025aef46.exe
    152 B
    3
  • 104.20.3.235:443
    https://pastebin.com/raw/A7dSG1te
    tls, http
    6ca26fbe131ceb76d05709c5df672110dc50148c791d8079eeb7d988025aef46.exe
    769 B
    6.1kB
    9
    9

    HTTP Request

    GET https://pastebin.com/raw/A7dSG1te

    HTTP Response

    404
  • 172.67.133.215:80
    http://wfsdragon.ru/api/setStats.php
    http
    6ca26fbe131ceb76d05709c5df672110dc50148c791d8079eeb7d988025aef46.exe
    374 B
    2.1kB
    6
    5

    HTTP Request

    GET http://wfsdragon.ru/api/setStats.php

    HTTP Response

    404
  • 85.202.169.116:80
    6ca26fbe131ceb76d05709c5df672110dc50148c791d8079eeb7d988025aef46.exe
    152 B
    3
  • 85.202.169.116:80
    6ca26fbe131ceb76d05709c5df672110dc50148c791d8079eeb7d988025aef46.exe
    152 B
    3
  • 85.202.169.116:80
    6ca26fbe131ceb76d05709c5df672110dc50148c791d8079eeb7d988025aef46.exe
    152 B
    3
  • 85.202.169.116:80
    6ca26fbe131ceb76d05709c5df672110dc50148c791d8079eeb7d988025aef46.exe
    152 B
    3
  • 85.202.169.116:80
    6ca26fbe131ceb76d05709c5df672110dc50148c791d8079eeb7d988025aef46.exe
    152 B
    3
  • 8.8.8.8:53
    pastebin.com
    dns
    6ca26fbe131ceb76d05709c5df672110dc50148c791d8079eeb7d988025aef46.exe
    58 B
    106 B
    1
    1

    DNS Request

    pastebin.com

    DNS Response

    104.20.3.235
    172.67.19.24
    104.20.4.235

  • 8.8.8.8:53
    wfsdragon.ru
    dns
    6ca26fbe131ceb76d05709c5df672110dc50148c791d8079eeb7d988025aef46.exe
    58 B
    90 B
    1
    1

    DNS Request

    wfsdragon.ru

    DNS Response

    172.67.133.215
    104.21.5.208

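Two things in the network capture are worth pulling out for detection. First, the extracted config lists five C2 entries but the sandbox only got an HTTP answer (a 404 in both cases) from the two Cloudflare-fronted hosts; the two bare-IP servers saw three packets sent and nothing back. Second, both requests the loader did send carry a User-Agent that no browser would produce: an empty one to pastebin.com and a run of non-printable bytes to wfsdragon.ru. The script below is an added example (mine, not the report's code) that correlates the config with the observed connections and flags those User-Agent values. The C2 list, DNS answers, byte and packet counts and request lines are transcribed from the report; where the report lists only sent bytes and packets for a connection, it is recorded here as zero received, which is my reading of the table. The exact non-printable bytes in the wfsdragon.ru User-Agent are a constructed stand-in for the "????ll" the report shows.

```python
"""Correlate a loader's extracted C2 list with what the sandbox saw on the
wire, and flag non-browser User-Agent headers.  Added example; the inputs
are transcribed from the report's Malware Config and Network sections."""
from urllib.parse import urlparse

C2_CONFIG = [
    "http://212.193.30.45/proxies.txt",
    "http://85.202.169.116/server.txt",
    "pastebin.com/raw/A7dSG1te",
    "http://wfsdragon.ru/api/setStats.php",
    "85.202.169.116",
]

# Remote address -> (tx bytes, rx bytes, tx packets, rx packets).
# rx=0 rows are an assumption: the report lists only a sent column for them.
CONNECTIONS = [
    ("212.193.30.45:80", 152, 0, 3, 0),
    ("85.202.169.116:80", 152, 0, 3, 0),
    ("104.20.3.235:443", 769, 6100, 9, 9),
    ("172.67.133.215:80", 374, 2100, 6, 5),
]

DNS_ANSWERS = {
    "pastebin.com": ["104.20.3.235", "172.67.19.24", "104.20.4.235"],
    "wfsdragon.ru": ["172.67.133.215", "104.21.5.208"],
}

# (raw request, response status).  The \x01..\x04 bytes are a constructed
# stand-in for the non-printable User-Agent the report renders as "????ll".
HTTP_EXCHANGES = [
    ("GET /raw/A7dSG1te HTTP/1.1\r\nConnection: Keep-Alive\r\nUser-Agent: \r\n"
     "Host: pastebin.com\r\n\r\n", 404),
    ("GET /api/setStats.php HTTP/1.1\r\nConnection: Keep-Alive\r\n"
     "User-Agent: \x01\x02\x03\x04ll\r\nHost: wfsdragon.ru\r\n\r\n", 404),
]


def c2_host(entry):
    """Host part of a config entry; entries may lack a scheme or a path."""
    if "://" not in entry:
        entry = "http://" + entry
    return urlparse(entry).hostname


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def user_agent_anomaly(ua):
    """Reason a User-Agent looks like loader traffic, or None if it is browser-like."""
    if ua is None:
        return "missing"
    if ua == "":
        return "empty"
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in ua):
        return "non-printable bytes"
    if len(ua) < 8:
        return "implausibly short"
    return None


def triage(c2_config, connections, dns_answers, exchanges):
    """Map each configured C2 host to what the sandbox observed for it."""
    ip_to_host = {ip: host for host, ips in dns_answers.items() for ip in ips}
    status = {c2_host(e): "not observed" for e in c2_config}
    for remote, _tx_b, _rx_b, tx_p, rx_p in connections:
        host = ip_to_host.get(remote.rsplit(":", 1)[0], remote.rsplit(":", 1)[0])
        if host in status and rx_p == 0:
            status[host] = f"no response ({tx_p} packets sent)"
    for raw, code in exchanges:
        _m, path, headers = parse_request(raw)
        if headers.get("host") in status:
            status[headers["host"]] = f"HTTP {code} for {path}"
    return status


def anomalous_agents(exchanges):
    """[(host, reason)] for every request whose User-Agent is not browser-like."""
    out = []
    for raw, _code in exchanges:
        _m, _p, headers = parse_request(raw)
        reason = user_agent_anomaly(headers.get("user-agent"))
        if reason:
            out.append((headers.get("host"), reason))
    return out


if __name__ == "__main__":
    for host, state in triage(C2_CONFIG, CONNECTIONS, DNS_ANSWERS, HTTP_EXCHANGES).items():
        print(f"{host:20} {state}")
    for host, reason in anomalous_agents(HTTP_EXCHANGES):
        print(f"suspicious User-Agent to {host}: {reason}")
```

The 404s matter for triage: the pastebin paste and the stats endpoint were already gone when this run happened (07 Nov 2024), so the sample's payload stage could not be observed and the memory dumps above reflect only the unpacked loader. The User-Agent check is the part worth turning into a proxy or NIDS rule, since an empty or binary User-Agent from a process on a Windows 7 host is a cheap, low-noise signal independent of which infrastructure the loader rotates to next.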
MITRE ATT&CK Enterprise v15

Downloads

  • memory/2644-0-0x0000000000400000-0x00000000016D3000-memory.dmp

    Filesize

    18.8MB

  • memory/2644-1-0x0000000077C00000-0x0000000077C02000-memory.dmp

    Filesize

    8KB

  • memory/2644-2-0x0000000000400000-0x00000000016D3000-memory.dmp

    Filesize

    18.8MB

  • memory/2644-4-0x0000000001840000-0x0000000001940000-memory.dmp

    Filesize

    1024KB

  • memory/2644-5-0x0000000000240000-0x0000000000275000-memory.dmp

    Filesize

    212KB

  • memory/2644-6-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2644-7-0x0000000000400000-0x00000000016D3000-memory.dmp

    Filesize

    18.8MB

  • memory/2644-9-0x0000000001840000-0x0000000001940000-memory.dmp

    Filesize

    1024KB

  • memory/2644-10-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2644-14-0x0000000000400000-0x00000000016D3000-memory.dmp

    Filesize

    18.8MB
