
PrivateLoader

Global rank: 54 | Month rank: 17 | Week rank: 22 | IOCs: 151

PrivateLoader is a malware family created specifically to infect computer systems and drop additional malicious programs. It operates on a pay-per-install business model: the individuals behind it are paid for each successful deployment of another actor's malware, including trojans, stealers, and ransomware.

Type: Loader
Origin: ex-USSR
First seen: 1 May, 2021
Last seen: 1 December, 2023


IOCs

IP addresses


What is PrivateLoader malware?

PrivateLoader is a loader, which serves to install other malware families on compromised systems. The creators of this malicious software, who are likely from ex-USSR countries, monetize their activity by charging various threat actors for the installation of their particular payload. The service is advertised openly on forums and Telegram channels, making it widely accessible.

The earliest instances of the malware’s activity can be traced to the beginning of 2021. However, researchers were able to spot it for the first time only in 2022, when it gained notoriety as the most widely used loader of the year.

A common infection vector for PrivateLoader has been websites offering cracked versions of popular software. Once victims downloaded a file from such a site and ran the supposed software executable, they set off an infection chain that installed PrivateLoader and ultimately a trojan, stealer, or another type of malware on their system.

Some of the known malware families that have been pushed by PrivateLoader include Redline, DCRAT, Raccoon, and Smokeloader.


Technical details of the PrivateLoader malicious software

PrivateLoader is written in C++ and has a control panel, allowing operators to manage its activity, including by adding new payload links and tracking the total number of installations.

PrivateLoader is set up to drop payloads depending on the configuration of each victim's system. For instance, it can distribute malware based on geolocation. It can also scan the machine for installed cryptocurrency wallets and for banking credentials. Yet, in most cases, it does not exfiltrate this information.

PrivateLoader is a modular threat, consisting of three distinct parts, each with its own purpose. It starts with the Loader module, which is intended for downloading the main Core module. The latter then contacts the command-and-control server (C2) and drops the next-stage threat, as well as the Service module that is regularly updated and responsible for keeping the loader on the victim’s system. In certain instances, PrivateLoader can drop several payloads.

The malware also makes use of the Dead Drop Resolver technique, where it utilizes legitimate services, such as Discord, to host malicious payloads.

PrivateLoader employs various techniques to prevent analysis, including encrypting its important strings and obfuscating the C2 communication.

Execution process of PrivateLoader

Let’s see how PrivateLoader operates in detail by uploading its sample to ANY.RUN, an interactive sandbox for malware analysis.

The main PrivateLoader process creates a child process whose executable is located in the user's "Pictures" directory and was downloaded from the Internet. The child process is then registered to run at startup via Task Scheduler.

Analyzing the HTTP requests, we can observe connections and data exchanges with the C2 server. The content sent (as well as received) in POST requests consists of BASE64-encoded strings. Moving forward to the indicators, we can see that the malware steals user credentials from browsers.
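The three observations above (an executable running from a user's Pictures folder, a scheduled task pointing at it, and POST bodies that are bare base64) can be turned into a simple correlation over a process and network timeline. This is an added example written for this page, not ANY.RUN's own code; the event layout, paths, hostname and request bodies are constructed for illustration.

```python
import base64
import binascii
import re

# Matches a path under a user's "Pictures" folder, as seen for the child process
# in the sandbox run. Used with re.search so it also hits inside a command line.
USER_PICTURES_RE = re.compile(r"[a-z]:\\users\\[^\\]+\\pictures\\", re.IGNORECASE)

# Constructed sample events in the shape of a process/network timeline (assumed
# chronological). Hostnames, paths and bodies are invented for illustration.
EVENTS = [
    {"type": "process", "pid": 1, "image": r"C:\Users\victim\Downloads\setup.exe", "cmdline": "setup.exe"},
    {"type": "process", "pid": 2, "image": r"C:\Users\victim\Pictures\Updater.exe", "cmdline": "Updater.exe"},
    {"type": "process", "pid": 3, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn Updater /tr "C:\Users\victim\Pictures\Updater.exe" /sc onlogon'},
    {"type": "http", "pid": 2, "method": "POST", "url": "http://203.0.113.10/base/api/getData.php",
     "body": "aGVsbG8gd29ybGQ="},
    {"type": "http", "pid": 2, "method": "GET", "url": "http://ipinfo.io/widget", "body": ""},
    {"type": "http", "pid": 1, "method": "POST", "url": "http://example.com/login", "body": "user=a&pass=b"},
]


def looks_base64(body: str) -> bool:
    """True when the whole body is a well-formed base64 string (strict decode)."""
    if not body or len(body) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return False
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error:
        return False
    return True


def analyze(events):
    """Return (finding, pid) tuples for the three behaviours described above."""
    findings = []
    suspicious_pids = set()  # processes whose image lives under a Pictures folder
    for e in events:
        if e["type"] == "process":
            if USER_PICTURES_RE.search(e["image"]):
                suspicious_pids.add(e["pid"])
                findings.append(("exec_from_pictures", e["pid"]))
            cmd = e["cmdline"].lower()
            if (e["image"].lower().endswith("schtasks.exe") and "/create" in cmd
                    and USER_PICTURES_RE.search(cmd)):
                findings.append(("task_persists_pictures_exe", e["pid"]))
        elif (e["type"] == "http" and e["method"] == "POST"
              and e["pid"] in suspicious_pids and looks_base64(e["body"])):
            findings.append(("base64_post_body", e["pid"]))
    return findings
```

Running `analyze(EVENTS)` yields one finding per behaviour; the ordinary form-encoded POST from the parent process and the GET to a geolocation service are not flagged.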

Read a detailed analysis of PrivateLoader in our blog.

PrivateLoader's process tree demonstrated in ANY.RUN

Distribution methods of the PrivateLoader malware

As mentioned above, the primary way PrivateLoader can infect a computer is via a direct download. Attackers employ SEO poisoning to boost the ranking of their websites. Users visit these links in search of different types of legitimate programs. Yet, after downloading an archive from the website and opening its contents, an infection begins, allowing PrivateLoader to compromise the entire system.

Conclusion

PrivateLoader is a serious threat to organizations and individuals because of the scale of its operation, as it can infect hundreds of thousands of computers in a short period of time. In order to avoid falling victim to this and other malware, it is vital to steer clear of suspicious websites and never download software from unofficial sources.

To determine whether a certain file or link is malicious, use ANY.RUN. It is a malware sandbox that lets users interact with the samples at hand in a safe cloud environment. For instance, PrivateLoader usually comes packed into a password-protected archive. ANY.RUN lets you easily open it, extract the contents, and run them as if you were using your own computer to expose any harmful behavior and collect IOCs.

