PrivateLoader (Malware Family)

PrivateLoader

VTCollection

According to sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server.

References

2024-01-30 ⋅ ANY.RUN ⋅ Lena (LambdaMamba)
CrackedCantil: A Malware Symphony Breakdown - PrivateLoader, Smoke, Lumma, RedLine, RisePro, Amadey, Stealc, Socks5Systemz, STOP
Amadey CrackedCantil Lumma Stealer PrivateLoader RedLine Stealer RisePro SmokeLoader Socks5 Systemz Stealc STOP

Yara Rules

[TLP:WHITE] win_privateloader_auto (20260504 | Detects win.privateloader.)

rule win_privateloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.privateloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b45d8 8b4ddc 8b55d0 8b75d4 }
            // n = 4, score = 600
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   8b55d0               | mov                 edx, dword ptr [ebp - 0x30]
            //   8b75d4               | mov                 esi, dword ptr [ebp - 0x2c]

        $sequence_1 = { 7408 8b45fc 8b08 894df0 }
            // n = 4, score = 600
            //   7408                 | je                  0xa
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx

        $sequence_2 = { 8b45e4 0345f4 50 e8???????? 83c40c c645ff00 8b4df4 }
            // n = 7, score = 600
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   0345f4               | add                 eax, dword ptr [ebp - 0xc]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   c645ff00             | mov                 byte ptr [ebp - 1], 0
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]

        $sequence_3 = { 8b5508 895110 8b4508 8945e4 }
            // n = 4, score = 600
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   895110               | mov                 dword ptr [ecx + 0x10], edx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax

        $sequence_4 = { 8b45f4 894210 eb2f 837d0808 7329 }
            // n = 5, score = 600
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   894210               | mov                 dword ptr [edx + 0x10], eax
            //   eb2f                 | jmp                 0x31
            //   837d0808             | cmp                 dword ptr [ebp + 8], 8
            //   7329                 | jae                 0x2b

        $sequence_5 = { 8b45ec 8945f8 8b4df8 894df0 8b55f8 837a1410 7209 }
            // n = 7, score = 600
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   837a1410             | cmp                 dword ptr [edx + 0x14], 0x10
            //   7209                 | jb                  0xb

        $sequence_6 = { 8b4de0 8b75e4 52 50 56 51 e8???????? }
            // n = 7, score = 600
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   8b75e4               | mov                 esi, dword ptr [ebp - 0x1c]
            //   52                   | push                edx
            //   50                   | push                eax
            //   56                   | push                esi
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_7 = { 7408 8b45f8 8b08 894de4 8b55e4 8955d4 }
            // n = 6, score = 600
            //   7408                 | je                  0xa
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   8b55e4               | mov                 edx, dword ptr [ebp - 0x1c]
            //   8955d4               | mov                 dword ptr [ebp - 0x2c], edx

        $sequence_8 = { e8???????? 33d2 b93f000000 f7f1 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   b93f000000           | mov                 ecx, 0x3f
            //   f7f1                 | div                 ecx

        $sequence_9 = { e8???????? 40 83ef08 a907000000 }
            // n = 4, score = 400
            //   e8????????           |                     
            //   40                   | inc                 eax
            //   83ef08               | sub                 edi, 8
            //   a907000000           | test                eax, 7

        $sequence_10 = { 8b4590 8b4d94 8b5588 8b758c }
            // n = 4, score = 400
            //   8b4590               | mov                 eax, dword ptr [ebp - 0x70]
            //   8b4d94               | mov                 ecx, dword ptr [ebp - 0x6c]
            //   8b5588               | mov                 edx, dword ptr [ebp - 0x78]
            //   8b758c               | mov                 esi, dword ptr [ebp - 0x74]

        $sequence_11 = { a3???????? 33c0 5e c3 3b0d???????? }
            // n = 5, score = 400
            //   a3????????           |                     
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   3b0d????????         |                     

        $sequence_12 = { e8???????? 6bc007 33c9 41 c1e102 }
            // n = 5, score = 400
            //   e8????????           |                     
            //   6bc007               | imul                eax, eax, 7
            //   33c9                 | xor                 ecx, ecx
            //   41                   | inc                 ecx
            //   c1e102               | shl                 ecx, 2

        $sequence_13 = { 896c2404 8bec 81ec68010000 a1???????? 33c5 8945fc 56 }
            // n = 7, score = 400
            //   896c2404             | mov                 dword ptr [esp + 4], ebp
            //   8bec                 | mov                 ebp, esp
            //   81ec68010000         | sub                 esp, 0x168
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   56                   | push                esi

        $sequence_14 = { 8b45e4 50 51 52 }
            // n = 4, score = 300
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   52                   | push                edx

        $sequence_15 = { 51 6a00 6813000020 50 }
            // n = 4, score = 300
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   6813000020           | push                0x20000013
            //   50                   | push                eax

        $sequence_16 = { 8bf0 e8???????? 8bc8 8bfa 8bc6 }
            // n = 5, score = 300
            //   8bf0                 | mov                 esi, eax
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   8bfa                 | mov                 edi, edx
            //   8bc6                 | mov                 eax, esi

        $sequence_17 = { 13f1 83c201 8955e0 83d600 8975e4 }
            // n = 5, score = 300
            //   13f1                 | adc                 esi, ecx
            //   83c201               | add                 edx, 1
            //   8955e0               | mov                 dword ptr [ebp - 0x20], edx
            //   83d600               | adc                 esi, 0
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi

        $sequence_18 = { 03d0 8b4d9c 13f1 83c201 }
            // n = 4, score = 300
            //   03d0                 | add                 edx, eax
            //   8b4d9c               | mov                 ecx, dword ptr [ebp - 0x64]
            //   13f1                 | adc                 esi, ecx
            //   83c201               | add                 edx, 1

    condition:
        7 of them and filesize < 3670016
}

[TLP:WHITE] win_privateloader_w0 (20220824 | No description)

rule win_privateloader_w0 {
  meta:
    author =    "andretavare5"
    org =       "BitSight"
    date =      "2022-06-06"
    md5 =       "8f70a0f45532261cb4df2800b141551d"
    reference = "https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service"
    license =   "CC BY-NC-SA 4.0"
    
    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader"
    malpedia_version = "20220824"
    malpedia_license = "CC BY-NC-SA 4.0"
    malpedia_sharing = "TLP:WHITE"
  strings:
    $code = { 66 0F EF (4?|8?) } // pxor xmm(1/0) - str chunk decryption
    $str =  "Content-Type: application/x-www-form-urlencoded" wide ascii
    $ua1 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" wide ascii
    $ua2 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36" wide ascii
                              
  condition:
    uint16(0) == 0x5A4D and // MZ
    $str and
    any of ($ua*) and
    #code > 100
}

Download all Yara Rules

PrivateLoader Propose Change

References

Yara Rules

PrivateLoader