Overview

overview

10

Static

static

7

6ca26fbe13...46.exe

windows7-x64

10

6ca26fbe13...46.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07-11-2024 07:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6ca26fbe131ceb76d05709c5df672110dc50148c791d8079eeb7d988025aef46.exe

  • Size

    5.1MB

  • MD5

    bddbc9360dfb7c83b96437a0ca77aae1

  • SHA1

    88c82298dd32e2826743caeca5b82acf6583eee7

  • SHA256

    6ca26fbe131ceb76d05709c5df672110dc50148c791d8079eeb7d988025aef46

  • SHA512

    2a066a7e0b38d1c755d67757e4fe67eb12fefcce4aca078ae5f3f554cfd60415a5676c82a0d9eb6de9eef9327cee8eb1038f45d730fa2314e561ea2120f21224

  • SSDEEP

    98304:YNd6oQypwQq73QOB6+KPZtshYIyVGf+GBycKgeE7lXK:Yb6oQewQqbQO0+KPLsiVs+GVKjE7l6

Score
10/10
privateloaderdiscoveryevasionloaderthemidatrojan

Malware Config

Extracted

Family

privateloader

C2

http://212.193.30.45/proxies.txt

http://85.202.169.116/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

85.202.169.116

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • Privateloader family
    privateloader
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ca26fbe131ceb76d05709c5df672110dc50148c791d8079eeb7d988025aef46.exe
    "C:\Users\Admin\AppData\Local\Temp\6ca26fbe131ceb76d05709c5df672110dc50148c791d8079eeb7d988025aef46.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2644-0-0x0000000000400000-0x00000000016D3000-memory.dmp

    Filesize

    18.8MB

    Download

  • memory/2644-1-0x0000000077C00000-0x0000000077C02000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2644-2-0x0000000000400000-0x00000000016D3000-memory.dmp

    Filesize

    18.8MB

    Download

  • memory/2644-4-0x0000000001840000-0x0000000001940000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2644-5-0x0000000000240000-0x0000000000275000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2644-6-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

    Download

  • memory/2644-7-0x0000000000400000-0x00000000016D3000-memory.dmp

    Filesize

    18.8MB

    Download

  • memory/2644-9-0x0000000001840000-0x0000000001940000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2644-10-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

    Download

  • memory/2644-14-0x0000000000400000-0x00000000016D3000-memory.dmp

    Filesize

    18.8MB

    Download