win.privateloader (Back to overview)

PrivateLoader


No description is available for this family yet.

References
2022-11-30BitSightAndré Tavares
@online{tavares:20221130:unpacking:a15d3e0, author = {André Tavares}, title = {{Unpacking Colibri Loader: A Russian APT linked Campaign}}, date = {2022-11-30}, organization = {BitSight}, url = {https://www.bitsight.com/blog/unpacking-colibri-loader-russian-apt-linked-campaign}, language = {English}, urldate = {2022-12-02} } Unpacking Colibri Loader: A Russian APT linked Campaign
Colibri Loader PrivateLoader
2022-10-05BitSightStanislas Arnoud, João Godinho
@online{arnoud:20221005:sinkholing:8a928c6, author = {Stanislas Arnoud and João Godinho}, title = {{Sinkholing PseudoManuscrypt: From Zero To 50k Infections - Part 1}}, date = {2022-10-05}, organization = {BitSight}, url = {https://www.bitsight.com/blog/zero-50k-infections-pseudomanuscrypt-sinkholing-part-1}, language = {English}, urldate = {2022-10-07} } Sinkholing PseudoManuscrypt: From Zero To 50k Infections - Part 1
PrivateLoader PseudoManuscrypt
2022-09-26KasperskyHaim Zigel, Oleg Kupreev, Artem Ushkov
@online{zigel:20220926:nullmixer:c623b01, author = {Haim Zigel and Oleg Kupreev and Artem Ushkov}, title = {{NullMixer: oodles of Trojans in a single dropper}}, date = {2022-09-26}, organization = {Kaspersky}, url = {https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/}, language = {English}, urldate = {2023-02-06} } NullMixer: oodles of Trojans in a single dropper
ColdStealer DanaBot GCleaner Nullmixer PrivateLoader PseudoManuscrypt RedLine Stealer SmokeLoader Vidar
2022-09-15SekoiaThreat & Detection Research Team
@online{team:20220915:privateloader:d88c7b2, author = {Threat & Detection Research Team}, title = {{PrivateLoader: the loader of the prevalent ruzki PPI service}}, date = {2022-09-15}, organization = {Sekoia}, url = {https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/}, language = {English}, urldate = {2022-09-19} } PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2022-08-31BitSightAndré Tavares
@online{tavares:20220831:tracking:5b4130e, author = {André Tavares}, title = {{Tracking PrivateLoader: Malware Distribution Service}}, date = {2022-08-31}, organization = {BitSight}, url = {https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service}, language = {English}, urldate = {2022-08-31} } Tracking PrivateLoader: Malware Distribution Service
PrivateLoader RedLine Stealer SmokeLoader
2022-08-29SekoiaThreat & Detection Research Team
@online{team:20220829:traffers:8b7930b, author = {Threat & Detection Research Team}, title = {{Traffers: a deep dive into the information stealer ecosystem}}, date = {2022-08-29}, organization = {Sekoia}, url = {https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem}, language = {English}, urldate = {2022-08-31} } Traffers: a deep dive into the information stealer ecosystem
MetaStealer PrivateLoader Raccoon RedLine Stealer Vidar
2022-08-04Medium walmartglobaltechJoshua Platt, Jason Reaves
@online{platt:20220804:icedid:546c931, author = {Joshua Platt and Jason Reaves}, title = {{IcedID leverages PrivateLoader}}, date = {2022-08-04}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f}, language = {English}, urldate = {2022-08-11} } IcedID leverages PrivateLoader
IcedID PrivateLoader
2022-07-27DarktraceSam Lister, Shuh Chin Goh
@online{lister:20220727:privateloader:e408698, author = {Sam Lister and Shuh Chin Goh}, title = {{PrivateLoader: Network-Based Indicators of Compromise}}, date = {2022-07-27}, organization = {Darktrace}, url = {https://de.darktrace.com/blog/privateloader-network-based-indicators-of-compromise}, language = {English}, urldate = {2022-08-30} } PrivateLoader: Network-Based Indicators of Compromise
PrivateLoader SmokeLoader
2022-06-06André Tavares
@online{tavares:20220606:hunting:9e20d11, author = {André Tavares}, title = {{Hunting PrivateLoader: Pay-Per-Install Service}}, date = {2022-06-06}, url = {https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service/}, language = {English}, urldate = {2022-06-09} } Hunting PrivateLoader: Pay-Per-Install Service
PrivateLoader
2022-05-05Trend MicroAliakbar Zahravi, Leandro Froes, Trend Micro Research
@online{zahravi:20220505:netdooka:93197bf, author = {Aliakbar Zahravi and Leandro Froes and Trend Micro Research}, title = {{NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service}}, date = {2022-05-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html}, language = {English}, urldate = {2022-05-05} } NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service
NetDooka PrivateLoader
2022-04-29Intel 471Souhail Hammou
@online{hammou:20220429:privateloader:1378b6b, author = {Souhail Hammou}, title = {{Privateloader – The Malware Behind A Havoc-Wreaking Pay-Per-Install Service}}, date = {2022-04-29}, organization = {Intel 471}, url = {https://www.youtube.com/watch?v=Ldp7eESQotM}, language = {English}, urldate = {2022-05-09} } Privateloader – The Malware Behind A Havoc-Wreaking Pay-Per-Install Service
PrivateLoader
2022-04-28ZscalerDennis Schwarz, Brett Stone-Gross
@online{schwarz:20220428:peeking:f8226bb, author = {Dennis Schwarz and Brett Stone-Gross}, title = {{Peeking into PrivateLoader}}, date = {2022-04-28}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/peeking-privateloader}, language = {English}, urldate = {2022-05-04} } Peeking into PrivateLoader
PrivateLoader
2022-02-14Medium walmartglobaltechJason Reaves, Joshua Platt
@online{reaves:20220214:privateloader:e7e062e, author = {Jason Reaves and Joshua Platt}, title = {{PrivateLoader to Anubis Loader}}, date = {2022-02-14}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e}, language = {English}, urldate = {2022-08-05} } PrivateLoader to Anubis Loader
Anubis Loader PrivateLoader
2022-02-08Intel 471Intel 471
@online{471:20220208:privateloader:5e226cd, author = {Intel 471}, title = {{PrivateLoader: The first step in many malware schemes}}, date = {2022-02-08}, organization = {Intel 471}, url = {https://intel471.com/blog/privateloader-malware}, language = {English}, urldate = {2022-05-09} } PrivateLoader: The first step in many malware schemes
Dridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos SmokeLoader STOP Tofsee TrickBot Vidar
Yara Rules
[TLP:WHITE] win_privateloader_auto (20230125 | Detects win.privateloader.)
rule win_privateloader_auto {
    // Autogenerated code-sequence signature (yara-signator). Each $sequence_N
    // below is a short run of x86 instruction bytes taken from disassembly of
    // unpacked PrivateLoader code; the rule fires when at least 7 of the 21
    // sequences are present and the scanned file is under 3.5 MiB.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.privateloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Per-string comment format: "n" is the number of instructions in the
        // sequence (it matches the listed disassembly lines); "score" is
        // yara-signator's ranking of the sequence -- presumably a measure of
        // sample coverage / distinctiveness, see the tool's documentation.
        // Sequences are listed in descending score (600, 500, 400, 300).
        // "??" wildcards mask operand bytes that differ between builds, e.g.
        // the rel32 target of an e8 call or the abs32 address in a1/a3/3b0d/8b35;
        // the disassembly column is intentionally blank for those instructions.
        $sequence_0 = { 8b45e8 8945e4 8b4de4 034df4 8a5508 8811 c645ff00 }
            // n = 7, score = 600
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   034df4               | add                 ecx, dword ptr [ebp - 0xc]
            //   8a5508               | mov                 dl, byte ptr [ebp + 8]
            //   8811                 | mov                 byte ptr [ecx], dl
            //   c645ff00             | mov                 byte ptr [ebp - 1], 0

        $sequence_1 = { 83ec18 894df8 8b45f8 8b4d08 3b4814 776d }
            // n = 6, score = 600
            //   83ec18               | sub                 esp, 0x18
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   3b4814               | cmp                 ecx, dword ptr [eax + 0x14]
            //   776d                 | ja                  0x6f

        $sequence_2 = { 52 50 e8???????? 8bf0 8bfa 6a00 }
            // n = 6, score = 600
            //   52                   | push                edx
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   8bfa                 | mov                 edi, edx
            //   6a00                 | push                0

        $sequence_3 = { 8b4df8 83791410 7209 c745e801000000 eb07 c745e800000000 0fb655e8 }
            // n = 7, score = 600
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   83791410             | cmp                 dword ptr [ecx + 0x14], 0x10
            //   7209                 | jb                  0xb
            //   c745e801000000       | mov                 dword ptr [ebp - 0x18], 1
            //   eb07                 | jmp                 9
            //   c745e800000000       | mov                 dword ptr [ebp - 0x18], 0
            //   0fb655e8             | movzx               edx, byte ptr [ebp - 0x18]

        $sequence_4 = { 8b45e8 8945e4 8b4df4 8b55e4 }
            // n = 4, score = 600
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8b55e4               | mov                 edx, dword ptr [ebp - 0x1c]

        $sequence_5 = { 8b45d8 8b4ddc 8b55d0 8b75d4 }
            // n = 4, score = 600
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   8b55d0               | mov                 edx, dword ptr [ebp - 0x30]
            //   8b75d4               | mov                 esi, dword ptr [ebp - 0x2c]

        // Same shape as $sequence_3 with a different threshold (8 vs 0x10) and
        // stack slot (ebp-0x10 vs ebp-0x18).
        $sequence_6 = { 8b4df8 83791408 7209 c745f001000000 eb07 c745f000000000 0fb655f0 }
            // n = 7, score = 600
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   83791408             | cmp                 dword ptr [ecx + 0x14], 8
            //   7209                 | jb                  0xb
            //   c745f001000000       | mov                 dword ptr [ebp - 0x10], 1
            //   eb07                 | jmp                 9
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   0fb655f0             | movzx               edx, byte ptr [ebp - 0x10]

        $sequence_7 = { 8b45e8 8945e4 8b4d08 51 0fbe550c 52 8b45e4 }
            // n = 7, score = 600
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   51                   | push                ecx
            //   0fbe550c             | movsx               edx, byte ptr [ebp + 0xc]
            //   52                   | push                edx
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]

        $sequence_8 = { 83e4f0 83c404 55 8b6b04 896c2404 8bec 81ec68010000 }
            // n = 7, score = 500
            //   83e4f0               | and                 esp, 0xfffffff0
            //   83c404               | add                 esp, 4
            //   55                   | push                ebp
            //   8b6b04               | mov                 ebp, dword ptr [ebx + 4]
            //   896c2404             | mov                 dword ptr [esp + 4], ebp
            //   8bec                 | mov                 ebp, esp
            //   81ec68010000         | sub                 esp, 0x168

        $sequence_9 = { e8???????? 33d2 b93f000000 f7f1 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   b93f000000           | mov                 ecx, 0x3f
            //   f7f1                 | div                 ecx

        $sequence_10 = { e8???????? 6bc007 33c9 41 6bc90e }
            // n = 5, score = 400
            //   e8????????           |                     
            //   6bc007               | imul                eax, eax, 7
            //   33c9                 | xor                 ecx, ecx
            //   41                   | inc                 ecx
            //   6bc90e               | imul                ecx, ecx, 0xe

        $sequence_11 = { e8???????? 40 83ef08 a907000000 }
            // n = 4, score = 400
            //   e8????????           |                     
            //   40                   | inc                 eax
            //   83ef08               | sub                 edi, 8
            //   a907000000           | test                eax, 7

        $sequence_12 = { a3???????? 33c0 5e c3 3b0d???????? }
            // n = 5, score = 400
            //   a3????????           |                     
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   3b0d????????         |                     

        $sequence_13 = { 8b4590 8b4d94 8b5588 8b758c }
            // n = 4, score = 400
            //   8b4590               | mov                 eax, dword ptr [ebp - 0x70]
            //   8b4d94               | mov                 ecx, dword ptr [ebp - 0x6c]
            //   8b5588               | mov                 edx, dword ptr [ebp - 0x78]
            //   8b758c               | mov                 esi, dword ptr [ebp - 0x74]

        // Function prologue with a 0x168-byte frame; the masked a1 operand is the
        // address of the stack cookie that gets xor'ed with ebp (33c5).
        $sequence_14 = { 8bec 81ec68010000 a1???????? 33c5 8945fc 56 57 }
            // n = 7, score = 400
            //   8bec                 | mov                 ebp, esp
            //   81ec68010000         | sub                 esp, 0x168
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_15 = { c9 b8ffffffff 99 c3 56 8b35???????? }
            // n = 6, score = 400
            //   c9                   | leave               
            //   b8ffffffff           | mov                 eax, 0xffffffff
            //   99                   | cdq                 
            //   c3                   | ret                 
            //   56                   | push                esi
            //   8b35????????         |                     

        $sequence_16 = { e8???????? c9 c3 8bff 56 8bf1 807e1400 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   c9                   | leave               
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   807e1400             | cmp                 byte ptr [esi + 0x14], 0

        $sequence_17 = { 83c201 8955e0 83d600 8975e4 }
            // n = 4, score = 300
            //   83c201               | add                 edx, 1
            //   8955e0               | mov                 dword ptr [ebp - 0x20], edx
            //   83d600               | adc                 esi, 0
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi

        $sequence_18 = { 6a04 8d4310 50 6a06 }
            // n = 4, score = 300
            //   6a04                 | push                4
            //   8d4310               | lea                 eax, [ebx + 0x10]
            //   50                   | push                eax
            //   6a06                 | push                6

        $sequence_19 = { 8b4598 03d0 8b4d9c 13f1 }
            // n = 4, score = 300
            //   8b4598               | mov                 eax, dword ptr [ebp - 0x68]
            //   03d0                 | add                 edx, eax
            //   8b4d9c               | mov                 ecx, dword ptr [ebp - 0x64]
            //   13f1                 | adc                 esi, ecx

        $sequence_20 = { 7507 6800008000 eb02 6a00 }
            // n = 4, score = 300
            //   7507                 | jne                 9
            //   6800008000           | push                0x800000
            //   eb02                 | jmp                 4
            //   6a00                 | push                0

    condition:
        // At least 7 of the 21 sequences must be present; 3670016 is 3.5 MiB
        // (3.5 * 1024 * 1024), a cheap cap that skips oversized inputs.
        // There is no PE-header check: per the DISCLAIMER the sequences come from
        // memory dumps and unpacked files, so the rule is aimed at unpacked code
        // and will likely not fire on packed on-disk samples, while non-PE dumps
        // are not excluded.
        7 of them and filesize < 3670016
}
[TLP:WHITE] win_privateloader_w0   (20220824 | No description)
rule win_privateloader_w0 {
    // Hand-written PrivateLoader signature: a PE whose body carries the fixed
    // form-urlencoded header plus one of two hard-coded Chrome user-agents,
    // and contains an unusually high number of PXOR xmm0/xmm1 instructions
    // (the string-chunk decryption routine).
    meta:
        author = "andretavare5"
        org = "BitSight"
        date = "2022-06-06"
        md5 = "8f70a0f45532261cb4df2800b141551d"
        reference = "https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service"
        license = "CC BY-NC-SA 4.0"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader"
        malpedia_version = "20220824"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // 66 0F EF /r is PXOR xmm, xmm/m128. A ModRM byte of 0x4? or 0x8? means
        // reg field 0 or 1 (destination xmm0/xmm1) with mod 01/10, i.e. a memory
        // source addressed with an 8- or 32-bit displacement -- the pattern the
        // string-chunk decryption loop emits.
        $code = { 66 0F EF (4?|8?) }

        // Plain-text network strings, matched as both ASCII and UTF-16LE.
        $str = "Content-Type: application/x-www-form-urlencoded" wide ascii
        $ua1 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" wide ascii
        $ua2 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36" wide ascii

    condition:
        // Little-endian "MZ" at offset 0: only PE/MZ images are considered.
        uint16(0) == 0x5A4D
        // The header and user-agent strings are common in benign software; on
        // their own they only narrow the candidate set.
        and $str
        and 1 of ($ua*)
        // The real discriminator is the volume of the PXOR form: more than 100
        // occurrences. NOTE(review): there is no filesize bound, so this count is
        // evaluated over arbitrarily large PE files.
        and #code > 100
}