SYMBOLCOMMON_NAMEaka. SYNONYMS
win.privateloader (Back to overview)

PrivateLoader


There is no description at this point.

References
2022-10-05BitSightStanislas Arnoud, João Godinho
@online{arnoud:20221005:sinkholing:8a928c6, author = {Stanislas Arnoud and João Godinho}, title = {{Sinkholing PseudoManuscrypt: From Zero To 50k Infections - Part 1}}, date = {2022-10-05}, organization = {BitSight}, url = {https://www.bitsight.com/blog/zero-50k-infections-pseudomanuscrypt-sinkholing-part-1}, language = {English}, urldate = {2022-10-07} } Sinkholing PseudoManuscrypt: From Zero To 50k Infections - Part 1
PrivateLoader PseudoManuscrypt
2022-09-26KasperskyHaim Zigel, Oleg Kupreev, Artem Ushkov
@online{zigel:20220926:nullmixer:c623b01, author = {Haim Zigel and Oleg Kupreev and Artem Ushkov}, title = {{NullMixer: oodles of Trojans in a single dropper}}, date = {2022-09-26}, organization = {Kaspersky}, url = {https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/}, language = {English}, urldate = {2022-10-05} } NullMixer: oodles of Trojans in a single dropper
ColdStealer DanaBot GCleaner PrivateLoader PseudoManuscrypt RedLine Stealer SmokeLoader Vidar
2022-09-15SekoiaThreat & Detection Research Team
@online{team:20220915:privateloader:d88c7b2, author = {Threat & Detection Research Team}, title = {{PrivateLoader: the loader of the prevalent ruzki PPI service}}, date = {2022-09-15}, organization = {Sekoia}, url = {https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/}, language = {English}, urldate = {2022-09-19} } PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2022-08-31BitSightAndré Tavares
@online{tavares:20220831:tracking:5b4130e, author = {André Tavares}, title = {{Tracking PrivateLoader: Malware Distribution Service}}, date = {2022-08-31}, organization = {BitSight}, url = {https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service}, language = {English}, urldate = {2022-08-31} } Tracking PrivateLoader: Malware Distribution Service
PrivateLoader RedLine Stealer SmokeLoader
2022-08-29SekoiaThreat & Detection Research Team
@online{team:20220829:traffers:8b7930b, author = {Threat & Detection Research Team}, title = {{Traffers: a deep dive into the information stealer ecosystem}}, date = {2022-08-29}, organization = {Sekoia}, url = {https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem}, language = {English}, urldate = {2022-08-31} } Traffers: a deep dive into the information stealer ecosystem
MetaStealer PrivateLoader Raccoon RedLine Stealer Vidar
2022-08-04Medium walmartglobaltechJoshua Platt, Jason Reaves
@online{platt:20220804:icedid:546c931, author = {Joshua Platt and Jason Reaves}, title = {{IcedID leverages PrivateLoader}}, date = {2022-08-04}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f}, language = {English}, urldate = {2022-08-11} } IcedID leverages PrivateLoader
IcedID PrivateLoader
2022-07-27DarktraceSam Lister, Shuh Chin Goh
@online{lister:20220727:privateloader:e408698, author = {Sam Lister and Shuh Chin Goh}, title = {{PrivateLoader: Network-Based Indicators of Compromise}}, date = {2022-07-27}, organization = {Darktrace}, url = {https://de.darktrace.com/blog/privateloader-network-based-indicators-of-compromise}, language = {English}, urldate = {2022-08-30} } PrivateLoader: Network-Based Indicators of Compromise
PrivateLoader SmokeLoader
2022-06-06André Tavares
@online{tavares:20220606:hunting:9e20d11, author = {André Tavares}, title = {{Hunting PrivateLoader: Pay-Per-Install Service}}, date = {2022-06-06}, url = {https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service/}, language = {English}, urldate = {2022-06-09} } Hunting PrivateLoader: Pay-Per-Install Service
PrivateLoader
2022-05-05Trend MicroAliakbar Zahravi, Leandro Froes, Trend Micro Research
@online{zahravi:20220505:netdooka:93197bf, author = {Aliakbar Zahravi and Leandro Froes and Trend Micro Research}, title = {{NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service}}, date = {2022-05-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html}, language = {English}, urldate = {2022-05-05} } NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service
NetDooka PrivateLoader
2022-04-29Intel 471Souhail Hammou
@online{hammou:20220429:privateloader:1378b6b, author = {Souhail Hammou}, title = {{Privateloader – The Malware Behind A Havoc-Wreaking Pay-Per-Install Service}}, date = {2022-04-29}, organization = {Intel 471}, url = {https://www.youtube.com/watch?v=Ldp7eESQotM}, language = {English}, urldate = {2022-05-09} } Privateloader – The Malware Behind A Havoc-Wreaking Pay-Per-Install Service
PrivateLoader
2022-04-28ZscalerDennis Schwarz, Brett Stone-Gross
@online{schwarz:20220428:peeking:f8226bb, author = {Dennis Schwarz and Brett Stone-Gross}, title = {{Peeking into PrivateLoader}}, date = {2022-04-28}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/peeking-privateloader}, language = {English}, urldate = {2022-05-04} } Peeking into PrivateLoader
PrivateLoader
2022-02-14Medium walmartglobaltechJason Reaves, Joshua Platt
@online{reaves:20220214:privateloader:e7e062e, author = {Jason Reaves and Joshua Platt}, title = {{PrivateLoader to Anubis Loader}}, date = {2022-02-14}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e}, language = {English}, urldate = {2022-08-05} } PrivateLoader to Anubis Loader
Anubis Loader PrivateLoader
2022-02-08Intel 471Intel 471
@online{471:20220208:privateloader:5e226cd, author = {Intel 471}, title = {{PrivateLoader: The first step in many malware schemes}}, date = {2022-02-08}, organization = {Intel 471}, url = {https://intel471.com/blog/privateloader-malware}, language = {English}, urldate = {2022-05-09} } PrivateLoader: The first step in many malware schemes
Dridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos SmokeLoader STOP Tofsee TrickBot Vidar
Yara Rules
[TLP:WHITE] win_privateloader_auto (20221125 | Detects win.privateloader.)
rule win_privateloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.privateloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7209 c745ec01000000 eb07 c745ec00000000 0fb645ec 85c0 }
            // n = 6, score = 600
            //   7209                 | jb                  0xb
            //   c745ec01000000       | mov                 dword ptr [ebp - 0x14], 1
            //   eb07                 | jmp                 9
            //   c745ec00000000       | mov                 dword ptr [ebp - 0x14], 0
            //   0fb645ec             | movzx               eax, byte ptr [ebp - 0x14]
            //   85c0                 | test                eax, eax

        $sequence_1 = { 894810 8b5508 52 0fbe450c }
            // n = 4, score = 600
            //   894810               | mov                 dword ptr [eax + 0x10], ecx
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   52                   | push                edx
            //   0fbe450c             | movsx               eax, byte ptr [ebp + 0xc]

        $sequence_2 = { 8b4810 894de0 8b5508 8955fc 8b45fc 8945f0 }
            // n = 6, score = 600
            //   8b4810               | mov                 ecx, dword ptr [eax + 0x10]
            //   894de0               | mov                 dword ptr [ebp - 0x20], ecx
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax

        $sequence_3 = { 8945fc 8b4dfc 894df4 8b55fc 837a1410 }
            // n = 5, score = 600
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   837a1410             | cmp                 dword ptr [edx + 0x14], 0x10

        $sequence_4 = { 8b45d8 8b4ddc 8b55d0 8b75d4 }
            // n = 4, score = 600
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   8b55d0               | mov                 edx, dword ptr [ebp - 0x30]
            //   8b75d4               | mov                 esi, dword ptr [ebp - 0x2c]

        $sequence_5 = { 8b02 89450c 8b4dfc 8b5110 }
            // n = 4, score = 600
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   89450c               | mov                 dword ptr [ebp + 0xc], eax
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b5110               | mov                 edx, dword ptr [ecx + 0x10]

        $sequence_6 = { 8b4dd8 8b75dc 2bc8 1bf2 894dd0 8975d4 8b45d0 }
            // n = 7, score = 600
            //   8b4dd8               | mov                 ecx, dword ptr [ebp - 0x28]
            //   8b75dc               | mov                 esi, dword ptr [ebp - 0x24]
            //   2bc8                 | sub                 ecx, eax
            //   1bf2                 | sbb                 esi, edx
            //   894dd0               | mov                 dword ptr [ebp - 0x30], ecx
            //   8975d4               | mov                 dword ptr [ebp - 0x2c], esi
            //   8b45d0               | mov                 eax, dword ptr [ebp - 0x30]

        $sequence_7 = { e8???????? 33d2 b93f000000 f7f1 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   b93f000000           | mov                 ecx, 0x3f
            //   f7f1                 | div                 ecx

        $sequence_8 = { 83e4f0 83c404 55 8b6b04 896c2404 8bec 81ec68010000 }
            // n = 7, score = 500
            //   83e4f0               | and                 esp, 0xfffffff0
            //   83c404               | add                 esp, 4
            //   55                   | push                ebp
            //   8b6b04               | mov                 ebp, dword ptr [ebx + 4]
            //   896c2404             | mov                 dword ptr [esp + 4], ebp
            //   8bec                 | mov                 ebp, esp
            //   81ec68010000         | sub                 esp, 0x168

        $sequence_9 = { e8???????? 837b2400 7507 c7432401000000 }
            // n = 4, score = 400
            //   e8????????           |                     
            //   837b2400             | cmp                 dword ptr [ebx + 0x24], 0
            //   7507                 | jne                 9
            //   c7432401000000       | mov                 dword ptr [ebx + 0x24], 1

        $sequence_10 = { e8???????? 6bc007 33c9 41 6bc906 }
            // n = 5, score = 400
            //   e8????????           |                     
            //   6bc007               | imul                eax, eax, 7
            //   33c9                 | xor                 ecx, ecx
            //   41                   | inc                 ecx
            //   6bc906               | imul                ecx, ecx, 6

        $sequence_11 = { 56 ff15???????? a3???????? 33c0 5e c3 3b0d???????? }
            // n = 7, score = 400
            //   56                   | push                esi
            //   ff15????????         |                     
            //   a3????????           |                     
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   3b0d????????         |                     

        $sequence_12 = { e8???????? 40 83ef08 a907000000 75dc 83c740 }
            // n = 6, score = 400
            //   e8????????           |                     
            //   40                   | inc                 eax
            //   83ef08               | sub                 edi, 8
            //   a907000000           | test                eax, 7
            //   75dc                 | jne                 0xffffffde
            //   83c740               | add                 edi, 0x40

        $sequence_13 = { 81ec68010000 a1???????? 33c5 8945fc 56 57 }
            // n = 6, score = 400
            //   81ec68010000         | sub                 esp, 0x168
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_14 = { d81d???????? c9 b8ffffffff 99 c3 56 8b35???????? }
            // n = 7, score = 400
            //   d81d????????         |                     
            //   c9                   | leave               
            //   b8ffffffff           | mov                 eax, 0xffffffff
            //   99                   | cdq                 
            //   c3                   | ret                 
            //   56                   | push                esi
            //   8b35????????         |                     

        $sequence_15 = { 8b4590 8b4d94 8b5588 8b758c }
            // n = 4, score = 400
            //   8b4590               | mov                 eax, dword ptr [ebp - 0x70]
            //   8b4d94               | mov                 ecx, dword ptr [ebp - 0x6c]
            //   8b5588               | mov                 edx, dword ptr [ebp - 0x78]
            //   8b758c               | mov                 esi, dword ptr [ebp - 0x74]

        $sequence_16 = { e8???????? 8be5 5d 8be3 5b c23000 }
            // n = 6, score = 300
            //   e8????????           |                     
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   8be3                 | mov                 esp, ebx
            //   5b                   | pop                 ebx
            //   c23000               | ret                 0x30

        $sequence_17 = { 8bf0 e8???????? 8bc8 8bfa 8bc6 }
            // n = 5, score = 300
            //   8bf0                 | mov                 esi, eax
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   8bfa                 | mov                 edi, edx
            //   8bc6                 | mov                 eax, esi

        $sequence_18 = { 6a04 8d4310 50 6a06 }
            // n = 4, score = 300
            //   6a04                 | push                4
            //   8d4310               | lea                 eax, [ebx + 0x10]
            //   50                   | push                eax
            //   6a06                 | push                6

        $sequence_19 = { e8???????? c9 c3 8bff 56 8bf1 807e1400 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   c9                   | leave               
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   807e1400             | cmp                 byte ptr [esi + 0x14], 0

        $sequence_20 = { 660fef4de0 0f294dc0 0f284dd0 50 }
            // n = 4, score = 300
            //   660fef4de0           | pxor                xmm1, xmmword ptr [ebp - 0x20]
            //   0f294dc0             | movaps              xmmword ptr [ebp - 0x40], xmm1
            //   0f284dd0             | movaps              xmm1, xmmword ptr [ebp - 0x30]
            //   50                   | push                eax

    condition:
        7 of them and filesize < 3670016
}
[TLP:WHITE] win_privateloader_w0   (20220824 | No description)
rule win_privateloader_w0 {
  meta:
    author =    "andretavare5"
    org =       "BitSight"
    date =      "2022-06-06"
    md5 =       "8f70a0f45532261cb4df2800b141551d"
    reference = "https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service"
    license =   "CC BY-NC-SA 4.0"
    
    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader"
    malpedia_version = "20220824"
    malpedia_license = "CC BY-NC-SA 4.0"
    malpedia_sharing = "TLP:WHITE"
  strings:
    $code = { 66 0F EF (4?|8?) } // pxor xmm(1/0) - str chunk decryption
    $str =  "Content-Type: application/x-www-form-urlencoded" wide ascii
    $ua1 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" wide ascii
    $ua2 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36" wide ascii
                              
  condition:
    uint16(0) == 0x5A4D and // MZ
    $str and
    any of ($ua*) and
    #code > 100
}
Download all Yara Rules