SYMBOLCOMMON_NAMEaka. SYNONYMS
win.privateloader (Back to overview)

PrivateLoader

VTCollection    

According to sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server.

References
2024-02-27BitSightAndré Tavares
Hunting PrivateLoader: The malware behind InstallsKey PPI service
PrivateLoader RisePro
2024-01-30ANY.RUNLena (LambdaMamba)
CrackedCantil: A Malware Symphony Breakdown - PrivateLoader, Smoke, Lumma, RedLine, RisePro, Amadey, Stealc, Socks5Systemz, STOP
Amadey CrackedCantil Lumma Stealer PrivateLoader RedLine Stealer RisePro SmokeLoader Socks5 Systemz Stealc STOP
2023-11-26Twitter (@embee_research)Embee_research
Identifying Suspected PrivateLoader Servers with Censys
PrivateLoader
2023-11-02BitSightBitSight
Unveiling Socks5Systemz: The Rise of a New Proxy Service via PrivateLoader and Amadey
Amadey PrivateLoader Socks5 Systemz
2023-11-02BitSightBitSight
Unveiling Socks5Systemz: The Rise of a New Proxy Service via PrivateLoader and Amadey
Amadey PrivateLoader Socks5 Systemz
2023-04-18ANY.RUNANY.RUN
PrivateLoader: Analyzing the Encryption and Decryption of a Modern Loader
PrivateLoader
2022-11-30BitSightAndré Tavares
Unpacking Colibri Loader: A Russian APT linked Campaign
Colibri Loader PrivateLoader
2022-10-05BitSightJoão Godinho, Stanislas Arnoud
Sinkholing PseudoManuscrypt: From Zero To 50k Infections - Part 1
PrivateLoader PseudoManuscrypt
2022-09-26KasperskyArtem Ushkov, Haim Zigel, Oleg Kupreev
NullMixer: oodles of Trojans in a single dropper
ColdStealer DanaBot GCleaner Nullmixer PrivateLoader PseudoManuscrypt RedLine Stealer SmokeLoader Vidar
2022-09-15SekoiaThreat & Detection Research Team
PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2022-08-31BitSightAndré Tavares
Tracking PrivateLoader: Malware Distribution Service
PrivateLoader RedLine Stealer SmokeLoader
2022-08-29SekoiaThreat & Detection Research Team
Traffers: a deep dive into the information stealer ecosystem
MetaStealer PrivateLoader Raccoon RedLine Stealer Vidar
2022-08-04Medium walmartglobaltechJason Reaves, Joshua Platt
IcedID leverages PrivateLoader
IcedID PrivateLoader
2022-07-27DarktraceSam Lister, Shuh Chin Goh
PrivateLoader: Network-Based Indicators of Compromise
PrivateLoader SmokeLoader
2022-06-06André Tavares
Hunting PrivateLoader: Pay-Per-Install Service
PrivateLoader
2022-05-05Trend MicroAliakbar Zahravi, Leandro Froes, Trend Micro Research
NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service
NetDooka PrivateLoader
2022-04-29Intel 471Souhail Hammou
Privateloader – The Malware Behind A Havoc-Wreaking Pay-Per-Install Service
PrivateLoader
2022-04-28ZscalerBrett Stone-Gross, Dennis Schwarz
Peeking into PrivateLoader
PrivateLoader
2022-02-14Medium walmartglobaltechJason Reaves, Joshua Platt
PrivateLoader to Anubis Loader
Anubis Loader PrivateLoader
2022-02-08Intel 471Intel 471
PrivateLoader: The first step in many malware schemes
Dridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos SmokeLoader STOP Tofsee TrickBot Vidar
Yara Rules
[TLP:WHITE] win_privateloader_auto (20230808 | Detects win.privateloader.)
rule win_privateloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.privateloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8965ec 8b55ec 8955e8 8d45f8 }
            // n = 4, score = 600
            //   8965ec               | mov                 dword ptr [ebp - 0x14], esp
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]
            //   8955e8               | mov                 dword ptr [ebp - 0x18], edx
            //   8d45f8               | lea                 eax, [ebp - 8]

        $sequence_1 = { 894df4 8b55fc 837a1410 7209 }
            // n = 4, score = 600
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   837a1410             | cmp                 dword ptr [edx + 0x14], 0x10
            //   7209                 | jb                  0xb

        $sequence_2 = { 0fb64dec 85c9 7408 8b55fc 8b02 8945e8 }
            // n = 6, score = 600
            //   0fb64dec             | movzx               ecx, byte ptr [ebp - 0x14]
            //   85c9                 | test                ecx, ecx
            //   7408                 | je                  0xa
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax

        $sequence_3 = { 8b4dec 8b5508 895110 8b4508 8945e4 8b4de8 034de4 }
            // n = 7, score = 600
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   895110               | mov                 dword ptr [ecx + 0x10], edx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   034de4               | add                 ecx, dword ptr [ebp - 0x1c]

        $sequence_4 = { 8b45d8 8b4ddc 8b55d0 8b75d4 }
            // n = 4, score = 600
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   8b55d0               | mov                 edx, dword ptr [ebp - 0x30]
            //   8b75d4               | mov                 esi, dword ptr [ebp - 0x2c]

        $sequence_5 = { 8b4dec e8???????? 8b4df0 e8???????? 8845fc }
            // n = 5, score = 600
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   e8????????           |                     
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   e8????????           |                     
            //   8845fc               | mov                 byte ptr [ebp - 4], al

        $sequence_6 = { 8975d4 8b45d0 8b55d4 5e }
            // n = 4, score = 600
            //   8975d4               | mov                 dword ptr [ebp - 0x2c], esi
            //   8b45d0               | mov                 eax, dword ptr [ebp - 0x30]
            //   8b55d4               | mov                 edx, dword ptr [ebp - 0x2c]
            //   5e                   | pop                 esi

        $sequence_7 = { 8b4de8 8b75ec 2bc8 1bf2 894de0 8975e4 a1???????? }
            // n = 7, score = 600
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   8b75ec               | mov                 esi, dword ptr [ebp - 0x14]
            //   2bc8                 | sub                 ecx, eax
            //   1bf2                 | sbb                 esi, edx
            //   894de0               | mov                 dword ptr [ebp - 0x20], ecx
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi
            //   a1????????           |                     

        $sequence_8 = { e8???????? 33d2 b93f000000 f7f1 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   b93f000000           | mov                 ecx, 0x3f
            //   f7f1                 | div                 ecx

        $sequence_9 = { 8b4590 8b4d94 8b5588 8b758c }
            // n = 4, score = 400
            //   8b4590               | mov                 eax, dword ptr [ebp - 0x70]
            //   8b4d94               | mov                 ecx, dword ptr [ebp - 0x6c]
            //   8b5588               | mov                 edx, dword ptr [ebp - 0x78]
            //   8b758c               | mov                 esi, dword ptr [ebp - 0x74]

        $sequence_10 = { a3???????? 33c0 5e c3 3b0d???????? }
            // n = 5, score = 400
            //   a3????????           |                     
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   3b0d????????         |                     

        $sequence_11 = { 896c2404 8bec 81ec68010000 a1???????? 33c5 8945fc 56 }
            // n = 7, score = 400
            //   896c2404             | mov                 dword ptr [esp + 4], ebp
            //   8bec                 | mov                 ebp, esp
            //   81ec68010000         | sub                 esp, 0x168
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   56                   | push                esi

        $sequence_12 = { d81d???????? c9 b8ffffffff 99 c3 56 8b35???????? }
            // n = 7, score = 400
            //   d81d????????         |                     
            //   c9                   | leave               
            //   b8ffffffff           | mov                 eax, 0xffffffff
            //   99                   | cdq                 
            //   c3                   | ret                 
            //   56                   | push                esi
            //   8b35????????         |                     

        $sequence_13 = { 13f1 83c201 8955e0 83d600 }
            // n = 4, score = 300
            //   13f1                 | adc                 esi, ecx
            //   83c201               | add                 edx, 1
            //   8955e0               | mov                 dword ptr [ebp - 0x20], edx
            //   83d600               | adc                 esi, 0

        $sequence_14 = { 6a04 8d4310 50 6a06 }
            // n = 4, score = 300
            //   6a04                 | push                4
            //   8d4310               | lea                 eax, [ebx + 0x10]
            //   50                   | push                eax
            //   6a06                 | push                6

        $sequence_15 = { 7507 6800008000 eb02 6a00 }
            // n = 4, score = 300
            //   7507                 | jne                 9
            //   6800008000           | push                0x800000
            //   eb02                 | jmp                 4
            //   6a00                 | push                0

        $sequence_16 = { 8b45e4 50 51 52 }
            // n = 4, score = 300
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   52                   | push                edx

        $sequence_17 = { 0bc8 56 57 7529 }
            // n = 4, score = 300
            //   0bc8                 | or                  ecx, eax
            //   56                   | push                esi
            //   57                   | push                edi
            //   7529                 | jne                 0x2b

        $sequence_18 = { 03d0 8b4d9c 13f1 83c201 }
            // n = 4, score = 300
            //   03d0                 | add                 edx, eax
            //   8b4d9c               | mov                 ecx, dword ptr [ebp - 0x64]
            //   13f1                 | adc                 esi, ecx
            //   83c201               | add                 edx, 1

    condition:
        7 of them and filesize < 3670016
}
[TLP:WHITE] win_privateloader_w0   (20220824 | No description)
rule win_privateloader_w0 {
  meta:
    author =    "andretavare5"
    org =       "BitSight"
    date =      "2022-06-06"
    md5 =       "8f70a0f45532261cb4df2800b141551d"
    reference = "https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service"
    license =   "CC BY-NC-SA 4.0"
    
    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader"
    malpedia_version = "20220824"
    malpedia_license = "CC BY-NC-SA 4.0"
    malpedia_sharing = "TLP:WHITE"
  strings:
    $code = { 66 0F EF (4?|8?) } // pxor xmm(1/0) - str chunk decryption
    $str =  "Content-Type: application/x-www-form-urlencoded" wide ascii
    $ua1 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" wide ascii
    $ua2 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36" wide ascii
                              
  condition:
    uint16(0) == 0x5A4D and // MZ
    $str and
    any of ($ua*) and
    #code > 100
}
Download all Yara Rules