File name:	release.rar
Full analysis:	https://app.any.run/tasks/10cd1d78-0ff1-4dd4-a6ba-6a48a906a524
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. PrivateLoader is a malware family that is specifically created to infect computer systems and drop additional malicious programs. It operates using a pay-per-install business model, which means that the individuals behind it are paid for each instance of successful deployment of different types of harmful programs, including trojans, stealers, and other ransomware. Malware Trends Tracker >>>
Analysis date:	December 26, 2023, 19:31:19
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	loader evasion privateloader g0njxa
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	CA97EB9111A3EAA8ADC0E0FE2DCA78DC
SHA1:	B6EB8B0CF67A5AF1CB6D2F5D9D783D43B71AD51C
SHA256:	B0BB0F9533C5D732876EFA73ECFFA6AD544D6656B20E0A9AD21455636DAEDCC1
SSDEEP:	98304:+23Xm683BGoMJa6dshS5n09MWi6AwUwNxCkoX3tjpzR522jVwvdHEm8/iOqk0/lD:IXSoahU3BdmNn7sLllN7

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)


(PID) Process:	(3160) OpenWith.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:	write	Name:	NodeSlots
Value: 020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process:	(3160) OpenWith.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:	write	Name:	MRUListEx
Value: 04000000030000000B000000000000000A00000005000000080000000900000001000000070000000600000002000000FFFFFFFF
(PID) Process:	(3160) OpenWith.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0
Operation:	write	Name:	MRUListEx
Value: 0600000005000000040000000100000007000000000000000200000003000000FFFFFFFF
(PID) Process:	(3160) OpenWith.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\40\Shell
Operation:	write	Name:	SniffedFolderType
Value: Generic
(PID) Process:	(3160) OpenWith.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	GlobalAssocChangedCounter
Value: 35
(PID) Process:	(3160) OpenWith.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
Operation:	delete value	Name:	1
Value: 4F00700065006E0057006900740068002E00650078006500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080020000E0010000000000000000000000000000000000000100000000000000
(PID) Process:	(3160) OpenWith.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
Operation:	write	Name:	MRUListEx
Value: 00000000FFFFFFFF
(PID) Process:	(3160) OpenWith.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\40\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Operation:	write	Name:	Mode
Value: 4
(PID) Process:	(3160) OpenWith.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CIDOpen\Modules\GlobalSettings\ProperTreeModuleInner
Operation:	write	Name:	ProperTreeModuleInner
Value: 9C000000980000003153505305D5CDD59C2E1B10939708002B2CF9AE3B0000002A000000004E0061007600500061006E0065005F004300460044005F0046006900720073007400520075006E0000000B000000000000004100000030000000004E0061007600500061006E0065005F00530068006F0077004C00690062007200610072007900500061006E00650000000B000000FFFF00000000000000000000
(PID) Process:	(3160) OpenWith.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane
Operation:	write	Name:	ExpandedState
Value: 04000000160014001F80CB859F6720028040B29B5540CC05AAB60000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF00000000000000000000160014001F60983FFBB4EAC18D42A78AD1F5659CBA930000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF00000000000000000000160014001F580D1A2CF021BE504388B07367FC96EF3C0000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000000000000000000000000000160014001F50E04FD020EA3A6910A2D808002B30309D0000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000000000000000000000000000

PID	Process	Filename		Type
1872	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old		—
		MD5:—	SHA256:—
1872	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RFf49c1.TMP		—
		MD5:—	SHA256:—
1872	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old		—
		MD5:—	SHA256:—
1872	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG.old~RFf49f0.TMP		—
		MD5:—	SHA256:—
1872	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RFf4a3e.TMP		—
		MD5:—	SHA256:—
1872	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old		—
		MD5:—	SHA256:—
1872	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old~RFf49c1.TMP		text
		MD5:547620D929EDE8D5E347CF977232D297	SHA256:2D2BB13A4BDF44AA6A987BEE96A50D73974F05CB60C553F44ECCAA1F77918728
1872	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RFf4ca0.TMP		—
		MD5:—	SHA256:—
1872	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old~RFf49b2.TMP		text
		MD5:972D26A5FA0BA9ABCBD1E26C70C31036	SHA256:773F4F52034D63204C420B54E59D4BF9C873D6515CE6E0AF306B7E6484D15922
1872	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old		text
		MD5:4F1D77A6CC0D809E902E51D9C028EC94	SHA256:B80316DACB2F80086B6268A627DD74C69A64F160D2370D2457C497D8C1926AAE

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	HEAD	200	23.213.164.137:443	https://fs.microsoft.com/fs/windows/config.json	unknown	—	—	—
2508	svchost.exe	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	binary	1.11 Kb	unknown
2508	svchost.exe	GET	200	88.221.125.143:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl	unknown	binary	813 b	unknown
2508	svchost.exe	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	binary	824 b	unknown
2508	svchost.exe	GET	200	88.221.125.143:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	binary	418 b	unknown
2508	svchost.exe	GET	200	88.221.125.143:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl	unknown	binary	814 b	unknown
2508	svchost.exe	GET	200	88.221.125.143:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl	unknown	binary	400 b	unknown
2508	svchost.exe	GET	200	88.221.125.143:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	binary	813 b	unknown
2836	svchost.exe	GET	206	184.24.77.173:80	http://au.download.windowsupdate.com/d/msdownload/update/software/defu/2022/11/am_engine_a13d0f0a32e2ba218a67afd0e3cb522012eac063.exe	unknown	text	2 b	unknown
2836	svchost.exe	GET	206	184.24.77.173:80	http://au.download.windowsupdate.com/d/msdownload/update/software/defu/2022/11/am_engine_a13d0f0a32e2ba218a67afd0e3cb522012eac063.exe	unknown	binary	333 Kb	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
2508	svchost.exe	2.16.164.9:80	crl.microsoft.com	Akamai International B.V.	NL	unknown
2508	svchost.exe	88.221.125.143:80	www.microsoft.com	AKAMAI-AS	DE	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
2836	svchost.exe	52.184.216.246:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
2836	svchost.exe	184.24.77.173:80	au.download.windowsupdate.com	Akamai International B.V.	DE	unknown
2836	svchost.exe	184.24.77.187:80	au.download.windowsupdate.com	Akamai International B.V.	DE	unknown
2508	svchost.exe	20.12.23.50:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
1872	msedge.exe	51.104.176.40:443	ping-edge.smartscreen.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4340	msedge.exe	204.79.197.203:443	ntp.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
crl.microsoft.com	2.16.164.9 2.16.164.49 2.16.164.72 2.16.164.106	whitelisted
www.microsoft.com	88.221.125.143 184.30.21.171	whitelisted
au.download.windowsupdate.com	184.24.77.173 184.24.77.187 184.24.77.205 184.24.77.200 184.24.77.208 184.24.77.207 184.24.77.194 93.184.221.240	whitelisted
ping-edge.smartscreen.microsoft.com	51.104.176.40	whitelisted
ntp.msn.com	204.79.197.203	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
www.bing.com	2.23.209.187 2.23.209.133 2.23.209.130 2.23.209.182	whitelisted
edge.microsoft.com	204.79.197.239 13.107.21.239	whitelisted
data-edge.smartscreen.microsoft.com	20.103.180.120	whitelisted
th.bing.com	2.19.96.34 2.19.96.25 2.19.96.10 2.19.96.8 2.19.96.26 2.19.96.24 2.19.96.35 2.19.96.40 2.19.96.42	whitelisted

PID	Process	Class	Message
6768	setup.exe	Device Retrieving External IP Address Detected	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
6768	setup.exe	Device Retrieving External IP Address Detected	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
6768	setup.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io)
6768	setup.exe	A Network Trojan was detected	LOADER [ANY.RUN] PrivateLoader Check-in
6768	setup.exe	A Network Trojan was detected	LOADER [ANY.RUN] PrivateLoader Check-in
6768	setup.exe	A Network Trojan was detected	LOADER [ANY.RUN] PrivateLoader Check-in
2120	svchost.exe	Potential Corporate Privacy Violation	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
6768	setup.exe	Potential Corporate Privacy Violation	ET POLICY IP Check Domain (iplogger .org in TLS SNI)

Process	Message
m25wIOeQhkKkxoje9iTUZXhj.exe	CLR: Managed code called FailFast, saying "
m25wIOeQhkKkxoje9iTUZXhj.exe	System requirements not met.
m25wIOeQhkKkxoje9iTUZXhj.exe	"

General Info

release.rar

CA97EB9111A3EAA8ADC0E0FE2DCA78DC

B6EB8B0CF67A5AF1CB6D2F5D9D783D43B71AD51C

B0BB0F9533C5D732876EFA73ECFFA6AD544D6656B20E0A9AD21455636DAEDCC1

98304:+23Xm683BGoMJa6dshS5n09MWi6AwUwNxCkoX3tjpzR522jVwvdHEm8/iOqk0/lD:IXSoahU3BdmNn7sLllN7

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

PRIVATELOADER has been detected (SURICATA)

Actions looks like stealing of personal data

Connects to the CnC server

SUSPICIOUS

Reads Internet Explorer settings

Reads the BIOS version

Connects to the server without a host name

Checks for external IP

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Executes application which crashes

INFO

Manual execution by a user

Application launched itself

Checks supported languages

Reads the computer name

Drops the executable file immediately after the start

The process uses the downloaded file

Process checks Internet Explorer phishing filters

Checks proxy server information

Creates files in the program directory

Drops 7-zip archiver for unpacking

Creates files or folders in the user directory

Reads the machine GUID from the registry

Process drops legitimate windows executable

Reads the software policy settings

Process checks are UAC notifies on

Process checks computer location settings

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings