![\"PrivateLoader\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/04\/MicrosoftTeams-image-21.jpg\")
<\/figure>\n\n\n\n<\/p>\n\n\n\n
PrivateLoader analysis introduction<\/strong> <\/h2>\n\n\n\nPrivateLoader is a malicious loader family, written in C++ and first discovered in early 2021. <\/p>\n\n\n\n
It is known for distributing a wide range of malware, from simple information stealers to complex rootkits and spyware, utilizing payloads. <\/p>\n\n\n\n
The distribution of this type of malware is managed by the Pay-Per-Install (PPI) service, a popular tool within the cybercriminal ecosystem that generates revenue by adding payloads to malware. <\/p>\n\n\n\n
\n- The code itself involves the decryption of loaded libraries. <\/li>\n\n\n\n
- At present, there are two versions of PrivateLoader available: one protected by VMProtect, and a regular version. <\/li>\n\n\n\n
- Every day, between 2 and 4 samples of this malware are uploaded. <\/li>\n<\/ul>\n\n\n\n
Static Analysis of the Source File <\/h2>\n\n\n\n
SHA256: 27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4<\/strong> <\/p>\n\n\n\nUsing the Detect It Easy <\/strong>utility, we can see that the analyzed executable file is compiled in C++. There is no information about the packer, which could mean it was not possible to identify it. <\/p>\n\n\n\n![\"PrivateLoader's](\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/04\/image-1.png\")
Fig. 1 \u2013 PrivateLoader’s sample data <\/figcaption><\/figure>\n\n\n\n<\/p>\n\n\n\n
The next step is to search for unencrypted strings using the strings<\/strong> command: <\/p>\n\n\n\nstrings --encoding=l loader.exe<\/em> <\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n![\"Interesting](\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/04\/MicrosoftTeams-image-23-1024x198.png\")
Fig. 2 – Interesting strings detected in the executable file <\/figcaption><\/figure>\n\n\n\n<\/p>\n\n\n\n
Analyzing the discovered strings allows us to identify several interesting elements: <\/p>\n\n\n\n
\n- A user-agent, which is likely used to masquerade as a legitimate browser application <\/li>\n\n\n\n
- URL addresses for determining the current IP and geolocation <\/li>\n<\/ul>\n\n\n\n
PrivateLoader dynamic analysis with ANY.RUN<\/strong> <\/h2>\n\n\n\nWe analyzed the sample in ANY.RUN interactive malware sandbox<\/a>. <\/p>\n\n\n\nHere\u2019s a link to the task:
https:\/\/app.any.run\/tasks\/3e359dc7-934b-4ae1-89bf-ad33e346ed60<\/a> <\/p>\n\n\n\nThe process tree generated by the executable file appears as follows: <\/p>\n\n\n\n![\"PrivateLoader's](\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/04\/image-2.png\")
Fig 3. – PrivateLoader’s process tree <\/figcaption><\/figure>\n\n\n\nAnalyzing the process tree leads to the following conclusions:<\/strong> <\/p>\n\n\n\n1. The main PrivateLoader process creates a child process named “FhuC750omh76YtB1xgR7diEy.exe”, whose executable file is located in the user’s “Pictures” directory (T1564 \u2013 Hide Artifacts): <\/p>\n\n\n\n
C:\\Users\\admin\\Pictures<\/strong>\\Minor Policy <\/p>\n\n\n\n2. The created child process is added to the startup using Task Scheduler (T1053.005 – Scheduled Task\/Job: Scheduled Task): <\/p>\n\n\n\n
schtasks <\/strong>\/create \/f \/RU “admin” \/tr “”C:\\Program Files (x86)\\ClipManagerP0\\ClipManager_Svc.exe”” \/tn “LOLPA4DESK HR” \/sc HOURLY \/rl HIGHEST <\/p>\n\n\n\nThe executable file of the child process was downloaded from the Internet (T1105 \u2013 Ingress Tool Transfer). We will not go into the detailed analysis of it. <\/p>\n\n\n\n![\"PrivateLoader](\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/04\/MicrosoftTeams-image-24-1-1024x70.png\")
Fig 4. – PrivateLoader downloaded payload <\/figcaption><\/figure>\n\n\n\n<\/p>\n\n\n\n
Analyzing the HTTP requests, we can observe connections and data exchanges with the C2 server (T1071.001 – Application Layer Protocol): <\/p>\n\n\n\n![\"PrivateLoader](\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/04\/MicrosoftTeams-image-25-1-1024x86.png\")
Fig. 5 – \u04212 addresses <\/figcaption><\/figure>\n\n\n\nThe content sent (as well as received) in POST requests consists of BASE64-encoded strings (T1132.001 – Data Encoding: Standard Encoding). Decoding these strings does not yield any readable results: <\/p>\n\n\n\n
data=-kSYhy9HPjD5Jhn9y6Evty4XFfJ3JgIwrSzln5bGnLfKDmbXix2ebDEXy6Ty3Bb8Hz2GB8w0Y2SL2JeBSZ4G80iHAkSS7JJyeiPwZOpWJONOFzEBarRHP-ljR9hkvX_TJhqr1nNqQpYUB2lQ9i7NmmHeL_QSx8hUka_C3jOxi02ml5FyDDruXM_IWwPXvAGxtT8TV-i9wLtfd0mF1O369GUAEeI45sF1pKeyDfssmqE= <\/p>\n\n\n\n
Moving forward to the indicators, we can see that the malware steals user credentials from browsers (T1552.001 Credentials In Files): <\/p>\n\n\n\n![\"PrivateLoader](\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/04\/image-3.png\")
Fig. 6 – Stealing data <\/figcaption><\/figure>\n\n\n\n<\/p>\n\n\n\n
\n \n \n Free malware research<\/span> with ANY.RUN\n <\/p>\n \n \n Start Now!\n <\/a>\n <\/div>\n <\/div>\n <\/div>\n \n\n\n\nTechnical Analysis of PrivateLoader <\/strong> <\/h2>\n\n\n\nFor the technical analysis, the following tasks were set: <\/p>\n\n\n\n
\n- Locate the C2 server within the code <\/li>\n<\/ol>\n\n\n\n
\n- Identify the encryption algorithms for the C2 server and, if possible, for strings as well. <\/li>\n<\/ol>\n\n\n\n
\n- Automate the decryption of the C2 server and strings <\/li>\n<\/ol>\n\n\n\n
The analysis of the executable file revealed that string encryption is done using the XOR algorithm (T1027 – Obfuscated Files or Information). Initially, the data and key are loaded into the stack, and then decrypted using the SIMD instruction “PXOR” and the “XMM” register. The result of the XOR operation is also stored in the stack. <\/p>\n\n\n\n
The three stages of C2 server decryption are shown below. <\/strong><\/p>\n\n\n\n\n- Loading encrypted data into the stack: <\/li>\n<\/ol>\n\n\n\n
<\/p>\n\n\n\n![\"PrivateLoader](\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/04\/MicrosoftTeams-image-26-1024x431.png\")
Fig. 7 – Data <\/figcaption><\/figure>\n\n\n\n<\/p>\n\n\n\n
\n- Loading the encryption key into the stack: <\/li>\n<\/ol>\n\n\n\n
<\/p>\n\n\n\n![\"Key](\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/04\/MicrosoftTeams-image-27-1024x433.png\")
Fig. 8 – Key <\/figcaption><\/figure>\n\n\n\n<\/p>\n\n\n\n
\n- Decrypting the C2 server using the “PXOR” instruction and saving the results in the stack: <\/li>\n<\/ol>\n\n\n\n
<\/p>\n\n\n\n![\"Decrypting](\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/04\/MicrosoftTeams-image-28-1-1024x418.png\")
Fig. 9 \u2013 Decrypting <\/figcaption><\/figure>\n\n\n\nDuring the analysis process, it was also found that the method similar to C2 decryption is used to decrypt the following: <\/p>\n\n\n\n
\n- Used API functions (T1027.007 – Obfuscated Files or Information: Dynamic API Resolution) <\/li>\n\n\n\n
- Payloads <\/li>\n\n\n\n
- URLs and more<\/li>\n<\/ul>\n\n\n\n
Some of the analyzed samples are protected by VMProtect. The search for string decryption is complicated by the fact that the decryption data is located in one function, while the XOR and key are in another. Moreover, the key is always the same. <\/p>\n\n\n\n
<\/p>\n\n\n\n![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/04\/MicrosoftTeams-image-30-1024x509.png\")
Fig 10. – Decript VMprotect sample<\/figcaption><\/figure>\n\n\n\nExample of automating C2 server decryption of PrivateLoader<\/strong> <\/h2>\n\n\n\nTo automate the extraction of data and configuration, we can use the Triton<\/a> framework. It will emulate code blocks that contain all the necessary encrypted information.<\/p>\n\n\n\nYou can find an example of a script<\/a> for emulating a specific block in our GitHub repository. The output of the script will be the decrypted C2 server. <\/p>\n\n\n\n![\"PrivateLoader](\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/04\/image-4.png\")
Fig 11. – Script output <\/figcaption><\/figure>\n\n\n\n<\/p>\n\n\n\n
Therefore, by emulating all the code blocks that contain encrypted data, we can obtain a set of strings with the necessary information, including the C2 server. <\/p>\n\n\n\n
Extracting the PrivateLoader configuration<\/strong> <\/h2>\n\n\n\nIn our service, you can view the configuration, which is extracted automatically: <\/p>\n\n\n\n
<\/p>\n\n\n\n![\"PrivateLoader](\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/04\/MicrosoftTeams-image-29-1.png\")
Fig. 12 – PrivateLoader configution and strings<\/figcaption><\/figure>\n\n\n\nThe decrypted data includes C2 addresses and strings. The strings contain information such as: used libraries and their functions, registry keys, paths to crypto wallets and browsers, etc. <\/p>\n\n\n\n
Conclusion<\/strong> <\/h2>\n\n\n\nIn this article, we discussed encryption in PrivateLoader. <\/p>\n\n\n\n
Its main feature is the XOR of all strings it interacts with (C2, URLs, DLLs). Also, some samples are protected by VMprotect, which makes the code a bit more complex due to the use of many functions. <\/p>\n\n\n\n
If you\u2019d like to read more content like this, read our LimeRAT Malware Analysis<\/a>. Or check out our deep dive into the encryption and decryption process of XLoader\/FormBook<\/a>. <\/p>\n\n\n\nMITRE (ARMATTACK) <\/h2>\n\n\n\nTactics<\/strong> <\/td>Techniques<\/strong> <\/td>Description<\/strong> <\/td><\/tr>TA0007:
Software discovery <\/td> T1518:
Software Discovery <\/td> Searches for installed software
in the system
in the \u201cUninstall\u201d key <\/td><\/tr>
<\/td> T1082:
System Information
Discovery <\/td> Collects system data <\/td><\/tr> TA0011:
Command and Control <\/td> T1071.001:
Application Layer
Protocol <\/td> Sending collected data
to the control server <\/td><\/tr> <\/td> T1105 Ingress Tool Transfer <\/td> requests binary from the Internet <\/td><\/tr> <\/td> T1132.001 – Data Encoding:
Standard Encoding <\/td> encode data with BASE64 <\/td><\/tr> TA0006: Credential Access <\/td> T1552.001: Credentials In Files <\/td> Stealing of personal data \u2013 login data <\/td><\/tr> TA0005: Defense Evasion <\/td> T1564 Hide Artifacts <\/td> attempt to hide artifacts in user folder <\/td><\/tr> <\/td> T1027.007 – Obfuscated Files or
Information: Dynamic
API Resolution <\/td> obfuscate then dynamically resolve API
functions called by their malware <\/td><\/tr> <\/td> T1027 – Obfuscated Files or Information <\/td> attempt to make an executable or
file difficult to discover or
analyze by encrypting XOR <\/td><\/tr> TA0002: Execution <\/td> T1053.005 – Scheduled
Task\/Job: Scheduled Task <\/td> abuse the Windows Task
Scheduler to create file in statup <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nIOCs<\/strong> <\/h2>\n\n\n\nTitle<\/strong> <\/td>Description<\/strong> <\/td><\/tr>Name <\/td> 27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4 exe <\/td><\/tr> MD5 <\/td> 6cc7d9664c1a89c58549e57b5959bb38 <\/td><\/tr> SHA1 <\/td> 85b665c501b9ab38710050e9a5c1b6d2e96acccc <\/td><\/tr> SHA256 <\/td> 27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4 <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nExtracted URLs <\/h2>\n\n\n\n\n- http:\/\/23[.]254[.]227[.]214\/api\/tracemap[.]php <\/li>\n\n\n\n
- http:\/\/23[.]254[.]227[.]205\/api\/tracemap[.]php <\/li>\n\n\n\n
- http:\/\/23[.]254[.]227[.]202\/api\/tracemap[.]php <\/li>\n<\/ul>\n\n\n\n
\n- http:\/\/208[.]67[.]104[.]60\/api\/tracemap[.]php <\/li>\n\n\n\n
- http:\/\/208[.]67[.]104[.]60\/api\/firegate[.]php <\/li>\n\n\n\n
- http:\/\/163[.]123[.]143[.]4\/download\/YT_Client[.]exe <\/li>\n<\/ul>\n\n\n\n
Dropped executable file <\/h2>\n\n\n\n
Static Analysis of the Source File <\/h2>\n\n\n\n
SHA256: 27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4<\/strong> <\/p>\n\n\n\n Using the Detect It Easy <\/strong>utility, we can see that the analyzed executable file is compiled in C++. There is no information about the packer, which could mean it was not possible to identify it. <\/p>\n\n\n\n <\/p>\n\n\n\n The next step is to search for unencrypted strings using the strings<\/strong> command: <\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n Analyzing the discovered strings allows us to identify several interesting elements: <\/p>\n\n\n\n We analyzed the sample in ANY.RUN interactive malware sandbox<\/a>. <\/p>\n\n\n\n Here\u2019s a link to the task: The process tree generated by the executable file appears as follows: <\/p>\n\n\n\n Analyzing the process tree leads to the following conclusions:<\/strong> <\/p>\n\n\n\n 1. The main PrivateLoader process creates a child process named “FhuC750omh76YtB1xgR7diEy.exe”, whose executable file is located in the user’s “Pictures” directory (T1564 \u2013 Hide Artifacts): <\/p>\n\n\n\n C:\\Users\\admin\\Pictures<\/strong>\\Minor Policy <\/p>\n\n\n\n 2. The created child process is added to the startup using Task Scheduler (T1053.005 – Scheduled Task\/Job: Scheduled Task): <\/p>\n\n\n\n schtasks <\/strong>\/create \/f \/RU “admin” \/tr “”C:\\Program Files (x86)\\ClipManagerP0\\ClipManager_Svc.exe”” \/tn “LOLPA4DESK HR” \/sc HOURLY \/rl HIGHEST <\/p>\n\n\n\n The executable file of the child process was downloaded from the Internet (T1105 \u2013 Ingress Tool Transfer). We will not go into the detailed analysis of it. <\/p>\n\n\n\n <\/p>\n\n\n\n Analyzing the HTTP requests, we can observe connections and data exchanges with the C2 server (T1071.001 – Application Layer Protocol): <\/p>\n\n\n\n The content sent (as well as received) in POST requests consists of BASE64-encoded strings (T1132.001 – Data Encoding: Standard Encoding). Decoding these strings does not yield any readable results: <\/p>\n\n\n\n data=-kSYhy9HPjD5Jhn9y6Evty4XFfJ3JgIwrSzln5bGnLfKDmbXix2ebDEXy6Ty3Bb8Hz2GB8w0Y2SL2JeBSZ4G80iHAkSS7JJyeiPwZOpWJONOFzEBarRHP-ljR9hkvX_TJhqr1nNqQpYUB2lQ9i7NmmHeL_QSx8hUka_C3jOxi02ml5FyDDruXM_IWwPXvAGxtT8TV-i9wLtfd0mF1O369GUAEeI45sF1pKeyDfssmqE= <\/p>\n\n\n\n Moving forward to the indicators, we can see that the malware steals user credentials from browsers (T1552.001 Credentials In Files): <\/p>\n\n\n\n <\/p>\n\n\n\n \n Free malware research<\/span> with ANY.RUN\n <\/p>\n For the technical analysis, the following tasks were set: <\/p>\n\n\n\n The analysis of the executable file revealed that string encryption is done using the XOR algorithm (T1027 – Obfuscated Files or Information). Initially, the data and key are loaded into the stack, and then decrypted using the SIMD instruction “PXOR” and the “XMM” register. The result of the XOR operation is also stored in the stack. <\/p>\n\n\n\n The three stages of C2 server decryption are shown below. <\/strong><\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n During the analysis process, it was also found that the method similar to C2 decryption is used to decrypt the following: <\/p>\n\n\n\n Some of the analyzed samples are protected by VMProtect. The search for string decryption is complicated by the fact that the decryption data is located in one function, while the XOR and key are in another. Moreover, the key is always the same. <\/p>\n\n\n\n <\/p>\n\n\n\n To automate the extraction of data and configuration, we can use the Triton<\/a> framework. It will emulate code blocks that contain all the necessary encrypted information.<\/p>\n\n\n\n You can find an example of a script<\/a> for emulating a specific block in our GitHub repository. The output of the script will be the decrypted C2 server. <\/p>\n\n\n\n <\/p>\n\n\n\n Therefore, by emulating all the code blocks that contain encrypted data, we can obtain a set of strings with the necessary information, including the C2 server. <\/p>\n\n\n\n In our service, you can view the configuration, which is extracted automatically: <\/p>\n\n\n\n <\/p>\n\n\n\n The decrypted data includes C2 addresses and strings. The strings contain information such as: used libraries and their functions, registry keys, paths to crypto wallets and browsers, etc. <\/p>\n\n\n\n In this article, we discussed encryption in PrivateLoader. <\/p>\n\n\n\n Its main feature is the XOR of all strings it interacts with (C2, URLs, DLLs). Also, some samples are protected by VMprotect, which makes the code a bit more complex due to the use of many functions. <\/p>\n\n\n\n If you\u2019d like to read more content like this, read our LimeRAT Malware Analysis<\/a>. Or check out our deep dive into the encryption and decryption process of XLoader\/FormBook<\/a>. <\/p>\n\n\n\nstrings --encoding=l loader.exe<\/em> <\/code><\/pre>\n\n\n\n\n
PrivateLoader dynamic analysis with ANY.RUN<\/strong> <\/h2>\n\n\n\n
https:\/\/app.any.run\/tasks\/3e359dc7-934b-4ae1-89bf-ad33e346ed60<\/a> <\/p>\n\n\n\nTechnical Analysis of PrivateLoader <\/strong> <\/h2>\n\n\n\n
\n
\n
\n
\n
\n
\n
\n
Example of automating C2 server decryption of PrivateLoader<\/strong> <\/h2>\n\n\n\n
Extracting the PrivateLoader configuration<\/strong> <\/h2>\n\n\n\n
Conclusion<\/strong> <\/h2>\n\n\n\n
MITRE (ARMATTACK) <\/h2>\n\n\n\n
Tactics<\/strong> <\/td> Techniques<\/strong> <\/td> Description<\/strong> <\/td><\/tr> TA0007:
Software discovery <\/td>T1518:
Software Discovery <\/td>Searches for installed software
in the system
in the \u201cUninstall\u201d key <\/td><\/tr>
<\/td>T1082:
System Information
Discovery <\/td>Collects system data <\/td><\/tr> TA0011:
Command and Control <\/td>T1071.001:
Application Layer
Protocol <\/td>Sending collected data
to the control server <\/td><\/tr> <\/td> T1105 Ingress Tool Transfer <\/td> requests binary from the Internet <\/td><\/tr> <\/td> T1132.001 – Data Encoding:
Standard Encoding <\/td>encode data with BASE64 <\/td><\/tr> TA0006: Credential Access <\/td> T1552.001: Credentials In Files <\/td> Stealing of personal data \u2013 login data <\/td><\/tr> TA0005: Defense Evasion <\/td> T1564 Hide Artifacts <\/td> attempt to hide artifacts in user folder <\/td><\/tr> <\/td> T1027.007 – Obfuscated Files or
Information: Dynamic
API Resolution <\/td>obfuscate then dynamically resolve API
functions called by their malware <\/td><\/tr> <\/td> T1027 – Obfuscated Files or Information <\/td> attempt to make an executable or
file difficult to discover or
analyze by encrypting XOR <\/td><\/tr>TA0002: Execution <\/td> T1053.005 – Scheduled
Task\/Job: Scheduled Task <\/td>abuse the Windows Task
Scheduler to create file in statup <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nIOCs<\/strong> <\/h2>\n\n\n\n
Title<\/strong> <\/td> Description<\/strong> <\/td><\/tr> Name <\/td> 27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4 exe <\/td><\/tr> MD5 <\/td> 6cc7d9664c1a89c58549e57b5959bb38 <\/td><\/tr> SHA1 <\/td> 85b665c501b9ab38710050e9a5c1b6d2e96acccc <\/td><\/tr> SHA256 <\/td> 27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4 <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n Extracted URLs <\/h2>\n\n\n\n
\n
\n
Dropped executable file <\/h2>\n\n\n\n