PrivateLoader (Malware Family)

PrivateLoader

VTCollection

According to sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server.

References

2024-01-30 ⋅ ANY.RUN ⋅ Lena (LambdaMamba)
CrackedCantil: A Malware Symphony Breakdown - PrivateLoader, Smoke, Lumma, RedLine, RisePro, Amadey, Stealc, Socks5Systemz, STOP
Amadey CrackedCantil Lumma Stealer PrivateLoader RedLine Stealer RisePro SmokeLoader Socks5 Systemz Stealc STOP

Yara Rules

[TLP:WHITE] win_privateloader_auto (20230808 | Detects win.privateloader.)

rule win_privateloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.privateloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8965ec 8b55ec 8955e8 8d45f8 }
            // n = 4, score = 600
            //   8965ec               | mov                 dword ptr [ebp - 0x14], esp
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]
            //   8955e8               | mov                 dword ptr [ebp - 0x18], edx
            //   8d45f8               | lea                 eax, [ebp - 8]

        $sequence_1 = { 894df4 8b55fc 837a1410 7209 }
            // n = 4, score = 600
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   837a1410             | cmp                 dword ptr [edx + 0x14], 0x10
            //   7209                 | jb                  0xb

        $sequence_2 = { 0fb64dec 85c9 7408 8b55fc 8b02 8945e8 }
            // n = 6, score = 600
            //   0fb64dec             | movzx               ecx, byte ptr [ebp - 0x14]
            //   85c9                 | test                ecx, ecx
            //   7408                 | je                  0xa
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax

        $sequence_3 = { 8b4dec 8b5508 895110 8b4508 8945e4 8b4de8 034de4 }
            // n = 7, score = 600
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   895110               | mov                 dword ptr [ecx + 0x10], edx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   034de4               | add                 ecx, dword ptr [ebp - 0x1c]

        $sequence_4 = { 8b45d8 8b4ddc 8b55d0 8b75d4 }
            // n = 4, score = 600
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   8b55d0               | mov                 edx, dword ptr [ebp - 0x30]
            //   8b75d4               | mov                 esi, dword ptr [ebp - 0x2c]

        $sequence_5 = { 8b4dec e8???????? 8b4df0 e8???????? 8845fc }
            // n = 5, score = 600
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   e8????????           |                     
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   e8????????           |                     
            //   8845fc               | mov                 byte ptr [ebp - 4], al

        $sequence_6 = { 8975d4 8b45d0 8b55d4 5e }
            // n = 4, score = 600
            //   8975d4               | mov                 dword ptr [ebp - 0x2c], esi
            //   8b45d0               | mov                 eax, dword ptr [ebp - 0x30]
            //   8b55d4               | mov                 edx, dword ptr [ebp - 0x2c]
            //   5e                   | pop                 esi

        $sequence_7 = { 8b4de8 8b75ec 2bc8 1bf2 894de0 8975e4 a1???????? }
            // n = 7, score = 600
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   8b75ec               | mov                 esi, dword ptr [ebp - 0x14]
            //   2bc8                 | sub                 ecx, eax
            //   1bf2                 | sbb                 esi, edx
            //   894de0               | mov                 dword ptr [ebp - 0x20], ecx
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi
            //   a1????????           |                     

        $sequence_8 = { e8???????? 33d2 b93f000000 f7f1 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   b93f000000           | mov                 ecx, 0x3f
            //   f7f1                 | div                 ecx

        $sequence_9 = { 8b4590 8b4d94 8b5588 8b758c }
            // n = 4, score = 400
            //   8b4590               | mov                 eax, dword ptr [ebp - 0x70]
            //   8b4d94               | mov                 ecx, dword ptr [ebp - 0x6c]
            //   8b5588               | mov                 edx, dword ptr [ebp - 0x78]
            //   8b758c               | mov                 esi, dword ptr [ebp - 0x74]

        $sequence_10 = { a3???????? 33c0 5e c3 3b0d???????? }
            // n = 5, score = 400
            //   a3????????           |                     
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   3b0d????????         |                     

        $sequence_11 = { 896c2404 8bec 81ec68010000 a1???????? 33c5 8945fc 56 }
            // n = 7, score = 400
            //   896c2404             | mov                 dword ptr [esp + 4], ebp
            //   8bec                 | mov                 ebp, esp
            //   81ec68010000         | sub                 esp, 0x168
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   56                   | push                esi

        $sequence_12 = { d81d???????? c9 b8ffffffff 99 c3 56 8b35???????? }
            // n = 7, score = 400
            //   d81d????????         |                     
            //   c9                   | leave               
            //   b8ffffffff           | mov                 eax, 0xffffffff
            //   99                   | cdq                 
            //   c3                   | ret                 
            //   56                   | push                esi
            //   8b35????????         |                     

        $sequence_13 = { 13f1 83c201 8955e0 83d600 }
            // n = 4, score = 300
            //   13f1                 | adc                 esi, ecx
            //   83c201               | add                 edx, 1
            //   8955e0               | mov                 dword ptr [ebp - 0x20], edx
            //   83d600               | adc                 esi, 0

        $sequence_14 = { 6a04 8d4310 50 6a06 }
            // n = 4, score = 300
            //   6a04                 | push                4
            //   8d4310               | lea                 eax, [ebx + 0x10]
            //   50                   | push                eax
            //   6a06                 | push                6

        $sequence_15 = { 7507 6800008000 eb02 6a00 }
            // n = 4, score = 300
            //   7507                 | jne                 9
            //   6800008000           | push                0x800000
            //   eb02                 | jmp                 4
            //   6a00                 | push                0

        $sequence_16 = { 8b45e4 50 51 52 }
            // n = 4, score = 300
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   52                   | push                edx

        $sequence_17 = { 0bc8 56 57 7529 }
            // n = 4, score = 300
            //   0bc8                 | or                  ecx, eax
            //   56                   | push                esi
            //   57                   | push                edi
            //   7529                 | jne                 0x2b

        $sequence_18 = { 03d0 8b4d9c 13f1 83c201 }
            // n = 4, score = 300
            //   03d0                 | add                 edx, eax
            //   8b4d9c               | mov                 ecx, dword ptr [ebp - 0x64]
            //   13f1                 | adc                 esi, ecx
            //   83c201               | add                 edx, 1

    condition:
        7 of them and filesize < 3670016
}

[TLP:WHITE] win_privateloader_w0 (20220824 | No description)

rule win_privateloader_w0 {
  meta:
    author =    "andretavare5"
    org =       "BitSight"
    date =      "2022-06-06"
    md5 =       "8f70a0f45532261cb4df2800b141551d"
    reference = "https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service"
    license =   "CC BY-NC-SA 4.0"
    
    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader"
    malpedia_version = "20220824"
    malpedia_license = "CC BY-NC-SA 4.0"
    malpedia_sharing = "TLP:WHITE"
  strings:
    $code = { 66 0F EF (4?|8?) } // pxor xmm(1/0) - str chunk decryption
    $str =  "Content-Type: application/x-www-form-urlencoded" wide ascii
    $ua1 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" wide ascii
    $ua2 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36" wide ascii
                              
  condition:
    uint16(0) == 0x5A4D and // MZ
    $str and
    any of ($ua*) and
    #code > 100
}

Download all Yara Rules

PrivateLoader Propose Change

References

Yara Rules

PrivateLoader