SYMBOLCOMMON_NAMEaka. SYNONYMS
win.privateloader (Back to overview)

PrivateLoader


According to sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server.

References
2023-04-18ANY.RUNANY.RUN
@online{anyrun:20230418:privateloader:464df80, author = {ANY.RUN}, title = {{PrivateLoader: Analyzing the Encryption and Decryption of a Modern Loader}}, date = {2023-04-18}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/privateloader-analyzing-the-encryption-and-decryption-of-a-modern-loader/}, language = {English}, urldate = {2023-05-26} } PrivateLoader: Analyzing the Encryption and Decryption of a Modern Loader
PrivateLoader
2022-11-30BitSightAndré Tavares
@online{tavares:20221130:unpacking:a15d3e0, author = {André Tavares}, title = {{Unpacking Colibri Loader: A Russian APT linked Campaign}}, date = {2022-11-30}, organization = {BitSight}, url = {https://www.bitsight.com/blog/unpacking-colibri-loader-russian-apt-linked-campaign}, language = {English}, urldate = {2022-12-02} } Unpacking Colibri Loader: A Russian APT linked Campaign
Colibri Loader PrivateLoader
2022-10-05BitSightStanislas Arnoud, João Godinho
@online{arnoud:20221005:sinkholing:8a928c6, author = {Stanislas Arnoud and João Godinho}, title = {{Sinkholing PseudoManuscrypt: From Zero To 50k Infections - Part 1}}, date = {2022-10-05}, organization = {BitSight}, url = {https://www.bitsight.com/blog/zero-50k-infections-pseudomanuscrypt-sinkholing-part-1}, language = {English}, urldate = {2022-10-07} } Sinkholing PseudoManuscrypt: From Zero To 50k Infections - Part 1
PrivateLoader PseudoManuscrypt
2022-09-26KasperskyHaim Zigel, Oleg Kupreev, Artem Ushkov
@online{zigel:20220926:nullmixer:c623b01, author = {Haim Zigel and Oleg Kupreev and Artem Ushkov}, title = {{NullMixer: oodles of Trojans in a single dropper}}, date = {2022-09-26}, organization = {Kaspersky}, url = {https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/}, language = {English}, urldate = {2023-02-06} } NullMixer: oodles of Trojans in a single dropper
ColdStealer DanaBot GCleaner Nullmixer PrivateLoader PseudoManuscrypt RedLine Stealer SmokeLoader Vidar
2022-09-15SekoiaThreat & Detection Research Team
@online{team:20220915:privateloader:d88c7b2, author = {Threat & Detection Research Team}, title = {{PrivateLoader: the loader of the prevalent ruzki PPI service}}, date = {2022-09-15}, organization = {Sekoia}, url = {https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/}, language = {English}, urldate = {2022-09-19} } PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2022-08-31BitSightAndré Tavares
@online{tavares:20220831:tracking:5b4130e, author = {André Tavares}, title = {{Tracking PrivateLoader: Malware Distribution Service}}, date = {2022-08-31}, organization = {BitSight}, url = {https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service}, language = {English}, urldate = {2022-08-31} } Tracking PrivateLoader: Malware Distribution Service
PrivateLoader RedLine Stealer SmokeLoader
2022-08-29SekoiaThreat & Detection Research Team
@online{team:20220829:traffers:8b7930b, author = {Threat & Detection Research Team}, title = {{Traffers: a deep dive into the information stealer ecosystem}}, date = {2022-08-29}, organization = {Sekoia}, url = {https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem}, language = {English}, urldate = {2022-08-31} } Traffers: a deep dive into the information stealer ecosystem
MetaStealer PrivateLoader Raccoon RedLine Stealer Vidar
2022-08-04Medium walmartglobaltechJoshua Platt, Jason Reaves
@online{platt:20220804:icedid:546c931, author = {Joshua Platt and Jason Reaves}, title = {{IcedID leverages PrivateLoader}}, date = {2022-08-04}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f}, language = {English}, urldate = {2022-08-11} } IcedID leverages PrivateLoader
IcedID PrivateLoader
2022-07-27DarktraceSam Lister, Shuh Chin Goh
@online{lister:20220727:privateloader:e408698, author = {Sam Lister and Shuh Chin Goh}, title = {{PrivateLoader: Network-Based Indicators of Compromise}}, date = {2022-07-27}, organization = {Darktrace}, url = {https://de.darktrace.com/blog/privateloader-network-based-indicators-of-compromise}, language = {English}, urldate = {2022-08-30} } PrivateLoader: Network-Based Indicators of Compromise
PrivateLoader SmokeLoader
2022-06-06André Tavares
@online{tavares:20220606:hunting:9e20d11, author = {André Tavares}, title = {{Hunting PrivateLoader: Pay-Per-Install Service}}, date = {2022-06-06}, url = {https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service/}, language = {English}, urldate = {2022-06-09} } Hunting PrivateLoader: Pay-Per-Install Service
PrivateLoader
2022-05-05Trend MicroAliakbar Zahravi, Leandro Froes, Trend Micro Research
@online{zahravi:20220505:netdooka:93197bf, author = {Aliakbar Zahravi and Leandro Froes and Trend Micro Research}, title = {{NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service}}, date = {2022-05-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html}, language = {English}, urldate = {2022-05-05} } NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service
NetDooka PrivateLoader
2022-04-29Intel 471Souhail Hammou
@online{hammou:20220429:privateloader:1378b6b, author = {Souhail Hammou}, title = {{Privateloader – The Malware Behind A Havoc-Wreaking Pay-Per-Install Service}}, date = {2022-04-29}, organization = {Intel 471}, url = {https://www.youtube.com/watch?v=Ldp7eESQotM}, language = {English}, urldate = {2022-05-09} } Privateloader – The Malware Behind A Havoc-Wreaking Pay-Per-Install Service
PrivateLoader
2022-04-28ZscalerDennis Schwarz, Brett Stone-Gross
@online{schwarz:20220428:peeking:f8226bb, author = {Dennis Schwarz and Brett Stone-Gross}, title = {{Peeking into PrivateLoader}}, date = {2022-04-28}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/peeking-privateloader}, language = {English}, urldate = {2022-05-04} } Peeking into PrivateLoader
PrivateLoader
2022-02-14Medium walmartglobaltechJason Reaves, Joshua Platt
@online{reaves:20220214:privateloader:e7e062e, author = {Jason Reaves and Joshua Platt}, title = {{PrivateLoader to Anubis Loader}}, date = {2022-02-14}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e}, language = {English}, urldate = {2022-08-05} } PrivateLoader to Anubis Loader
Anubis Loader PrivateLoader
2022-02-08Intel 471Intel 471
@online{471:20220208:privateloader:5e226cd, author = {Intel 471}, title = {{PrivateLoader: The first step in many malware schemes}}, date = {2022-02-08}, organization = {Intel 471}, url = {https://intel471.com/blog/privateloader-malware}, language = {English}, urldate = {2022-05-09} } PrivateLoader: The first step in many malware schemes
Dridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos SmokeLoader STOP Tofsee TrickBot Vidar
Yara Rules
[TLP:WHITE] win_privateloader_auto (20230715 | Detects win.privateloader.)
rule win_privateloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.privateloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b4810 894de0 8b5508 8955fc }
            // n = 4, score = 600
            //   8b4810               | mov                 ecx, dword ptr [eax + 0x10]
            //   894de0               | mov                 dword ptr [ebp - 0x20], ecx
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8955fc               | mov                 dword ptr [ebp - 4], edx

        $sequence_1 = { 8a45ff 88040a 8b45f8 eb1f 33c9 }
            // n = 5, score = 600
            //   8a45ff               | mov                 al, byte ptr [ebp - 1]
            //   88040a               | mov                 byte ptr [edx + ecx], al
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   eb1f                 | jmp                 0x21
            //   33c9                 | xor                 ecx, ecx

        $sequence_2 = { 8b45d8 8b4ddc 8b55d0 8b75d4 }
            // n = 4, score = 600
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   8b55d0               | mov                 edx, dword ptr [ebp - 0x30]
            //   8b75d4               | mov                 esi, dword ptr [ebp - 0x2c]

        $sequence_3 = { 894de8 8955ec a1???????? 99 }
            // n = 4, score = 600
            //   894de8               | mov                 dword ptr [ebp - 0x18], ecx
            //   8955ec               | mov                 dword ptr [ebp - 0x14], edx
            //   a1????????           |                     
            //   99                   | cdq                 

        $sequence_4 = { 0fb6c8 85c9 7514 c645fd00 8d4d10 e8???????? 8a45fd }
            // n = 7, score = 600
            //   0fb6c8               | movzx               ecx, al
            //   85c9                 | test                ecx, ecx
            //   7514                 | jne                 0x16
            //   c645fd00             | mov                 byte ptr [ebp - 3], 0
            //   8d4d10               | lea                 ecx, [ebp + 0x10]
            //   e8????????           |                     
            //   8a45fd               | mov                 al, byte ptr [ebp - 3]

        $sequence_5 = { 8b4dec 8b5508 895110 8b4508 8945e4 }
            // n = 5, score = 600
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   895110               | mov                 dword ptr [ecx + 0x10], edx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax

        $sequence_6 = { 8b4810 894dd8 8b55ec 8955f8 8b45f8 8945e4 8b4df8 }
            // n = 7, score = 600
            //   8b4810               | mov                 ecx, dword ptr [eax + 0x10]
            //   894dd8               | mov                 dword ptr [ebp - 0x28], ecx
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]

        $sequence_7 = { 8b4810 894dd8 8b55f0 8955f4 8b45f4 8945e8 8b4df4 }
            // n = 7, score = 600
            //   8b4810               | mov                 ecx, dword ptr [eax + 0x10]
            //   894dd8               | mov                 dword ptr [ebp - 0x28], ecx
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]

        $sequence_8 = { 83e4f0 83c404 55 8b6b04 896c2404 8bec 81ec68010000 }
            // n = 7, score = 500
            //   83e4f0               | and                 esp, 0xfffffff0
            //   83c404               | add                 esp, 4
            //   55                   | push                ebp
            //   8b6b04               | mov                 ebp, dword ptr [ebx + 4]
            //   896c2404             | mov                 dword ptr [esp + 4], ebp
            //   8bec                 | mov                 ebp, esp
            //   81ec68010000         | sub                 esp, 0x168

        $sequence_9 = { e8???????? 33d2 b93f000000 f7f1 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   b93f000000           | mov                 ecx, 0x3f
            //   f7f1                 | div                 ecx

        $sequence_10 = { 8b4590 8b4d94 8b5588 8b758c }
            // n = 4, score = 400
            //   8b4590               | mov                 eax, dword ptr [ebp - 0x70]
            //   8b4d94               | mov                 ecx, dword ptr [ebp - 0x6c]
            //   8b5588               | mov                 edx, dword ptr [ebp - 0x78]
            //   8b758c               | mov                 esi, dword ptr [ebp - 0x74]

        $sequence_11 = { e8???????? 40 83ef08 a907000000 75dc }
            // n = 5, score = 400
            //   e8????????           |                     
            //   40                   | inc                 eax
            //   83ef08               | sub                 edi, 8
            //   a907000000           | test                eax, 7
            //   75dc                 | jne                 0xffffffde

        $sequence_12 = { d81d???????? c9 b8ffffffff 99 c3 56 }
            // n = 6, score = 400
            //   d81d????????         |                     
            //   c9                   | leave               
            //   b8ffffffff           | mov                 eax, 0xffffffff
            //   99                   | cdq                 
            //   c3                   | ret                 
            //   56                   | push                esi

        $sequence_13 = { a3???????? 33c0 5e c3 3b0d???????? }
            // n = 5, score = 400
            //   a3????????           |                     
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   3b0d????????         |                     

        $sequence_14 = { 8b45e4 50 51 52 }
            // n = 4, score = 300
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   52                   | push                edx

        $sequence_15 = { 13f1 83c201 8955e0 83d600 8975e4 }
            // n = 5, score = 300
            //   13f1                 | adc                 esi, ecx
            //   83c201               | add                 edx, 1
            //   8955e0               | mov                 dword ptr [ebp - 0x20], edx
            //   83d600               | adc                 esi, 0
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi

        $sequence_16 = { 8b4598 03d0 8b4d9c 13f1 }
            // n = 4, score = 300
            //   8b4598               | mov                 eax, dword ptr [ebp - 0x68]
            //   03d0                 | add                 edx, eax
            //   8b4d9c               | mov                 ecx, dword ptr [ebp - 0x64]
            //   13f1                 | adc                 esi, ecx

        $sequence_17 = { 7507 6800008000 eb02 6a00 6a00 }
            // n = 5, score = 300
            //   7507                 | jne                 9
            //   6800008000           | push                0x800000
            //   eb02                 | jmp                 4
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_18 = { 660fef4de0 0f294dc0 0f284dd0 50 }
            // n = 4, score = 300
            //   660fef4de0           | pxor                xmm1, xmmword ptr [ebp - 0x20]
            //   0f294dc0             | movaps              xmmword ptr [ebp - 0x40], xmm1
            //   0f284dd0             | movaps              xmm1, xmmword ptr [ebp - 0x30]
            //   50                   | push                eax

    condition:
        7 of them and filesize < 3670016
}
[TLP:WHITE] win_privateloader_w0   (20220824 | No description)
rule win_privateloader_w0 {
  meta:
    author =    "andretavare5"
    org =       "BitSight"
    date =      "2022-06-06"
    md5 =       "8f70a0f45532261cb4df2800b141551d"
    reference = "https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service"
    license =   "CC BY-NC-SA 4.0"
    
    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader"
    malpedia_version = "20220824"
    malpedia_license = "CC BY-NC-SA 4.0"
    malpedia_sharing = "TLP:WHITE"
  strings:
    $code = { 66 0F EF (4?|8?) } // pxor xmm(1/0) - str chunk decryption
    $str =  "Content-Type: application/x-www-form-urlencoded" wide ascii
    $ua1 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" wide ascii
    $ua2 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36" wide ascii
                              
  condition:
    uint16(0) == 0x5A4D and // MZ
    $str and
    any of ($ua*) and
    #code > 100
}
Download all Yara Rules