File name:	release.rar
Full analysis:	https://app.any.run/tasks/10cd1d78-0ff1-4dd4-a6ba-6a48a906a524
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. PrivateLoader is a malware family that is specifically created to infect computer systems and drop additional malicious programs. It operates using a pay-per-install business model, which means that the individuals behind it are paid for each instance of successful deployment of different types of harmful programs, including trojans, stealers, and other ransomware. Malware Trends Tracker >>>
Analysis date:	December 26, 2023, 19:31:19
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	loader evasion privateloader g0njxa
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	CA97EB9111A3EAA8ADC0E0FE2DCA78DC
SHA1:	B6EB8B0CF67A5AF1CB6D2F5D9D783D43B71AD51C
SHA256:	B0BB0F9533C5D732876EFA73ECFFA6AD544D6656B20E0A9AD21455636DAEDCC1
SSDEEP:	98304:+23Xm683BGoMJa6dshS5n09MWi6AwUwNxCkoX3tjpzR522jVwvdHEm8/iOqk0/lD:IXSoahU3BdmNn7sLllN7

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)


(PID) Process:	(3160) OpenWith.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:	write	Name:	NodeSlots
Value: 020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process:	(3160) OpenWith.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:	write	Name:	MRUListEx
Value: 04000000030000000B000000000000000A00000005000000080000000900000001000000070000000600000002000000FFFFFFFF
(PID) Process:	(3160) OpenWith.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0
Operation:	write	Name:	MRUListEx
Value: 0600000005000000040000000100000007000000000000000200000003000000FFFFFFFF
(PID) Process:	(3160) OpenWith.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\40\Shell
Operation:	write	Name:	SniffedFolderType
Value: Generic
(PID) Process:	(3160) OpenWith.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	GlobalAssocChangedCounter
Value: 35
(PID) Process:	(3160) OpenWith.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
Operation:	delete value	Name:	1
Value: 4F00700065006E0057006900740068002E00650078006500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080020000E0010000000000000000000000000000000000000100000000000000
(PID) Process:	(3160) OpenWith.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
Operation:	write	Name:	MRUListEx
Value: 00000000FFFFFFFF
(PID) Process:	(3160) OpenWith.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\40\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Operation:	write	Name:	Mode
Value: 4
(PID) Process:	(3160) OpenWith.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CIDOpen\Modules\GlobalSettings\ProperTreeModuleInner
Operation:	write	Name:	ProperTreeModuleInner
Value: 9C000000980000003153505305D5CDD59C2E1B10939708002B2CF9AE3B0000002A000000004E0061007600500061006E0065005F004300460044005F0046006900720073007400520075006E0000000B000000000000004100000030000000004E0061007600500061006E0065005F00530068006F0077004C00690062007200610072007900500061006E00650000000B000000FFFF00000000000000000000
(PID) Process:	(3160) OpenWith.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane
Operation:	write	Name:	ExpandedState
Value: 04000000160014001F80CB859F6720028040B29B5540CC05AAB60000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF00000000000000000000160014001F60983FFBB4EAC18D42A78AD1F5659CBA930000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF00000000000000000000160014001F580D1A2CF021BE504388B07367FC96EF3C0000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000000000000000000000000000160014001F50E04FD020EA3A6910A2D808002B30309D0000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000000000000000000000000000

PID	Process	Filename		Type
1872	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old		—
		MD5:—	SHA256:—
1872	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RFf49c1.TMP		—
		MD5:—	SHA256:—
1872	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old		—
		MD5:—	SHA256:—
1872	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG.old~RFf49f0.TMP		—
		MD5:—	SHA256:—
1872	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RFf4a3e.TMP		—
		MD5:—	SHA256:—
1872	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old		—
		MD5:—	SHA256:—
1872	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old~RFf49b2.TMP		text
		MD5:2F58D7AADB6797F54FB74445ECB3B140	SHA256:2A742591827FF457B0B7240A2AF917AF56171F0A7C01F2AE3AFF4C7E5E0C139D
1872	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RFf4ca0.TMP		—
		MD5:—	SHA256:—
1872	msedge.exe	C:\USERS\ADMIN\APPDATA\LOCAL\MICROSOFT\EDGE\USER DATA\CRASHPAD\SETTINGS.DAT		binary
		MD5:F031F91FDE71CDF88D17A4F61F978C6D	SHA256:373A3DDC2064369794624ACC2FB61A4196CD7B0C05532879B2B80860DF7E7A62
1872	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Last Version		text
		MD5:BE8F261C28760A40087E9917A434D688	SHA256:3BFDF4421C179EFF12CB51B407C7FE6324671355FEB03F648416A8F431AD4C8F

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	HEAD	200	23.213.164.137:443	https://fs.microsoft.com/fs/windows/config.json	unknown	—	—	unknown
2508	svchost.exe	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	binary	1.11 Kb	unknown
2508	svchost.exe	GET	200	88.221.125.143:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl	unknown	binary	813 b	unknown
2508	svchost.exe	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	binary	824 b	unknown
2508	svchost.exe	GET	200	88.221.125.143:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl	unknown	binary	814 b	unknown
2508	svchost.exe	GET	200	88.221.125.143:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl	unknown	binary	400 b	unknown
2508	svchost.exe	GET	200	88.221.125.143:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	binary	813 b	unknown
2508	svchost.exe	GET	200	88.221.125.143:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	binary	400 b	unknown
2836	svchost.exe	GET	206	184.24.77.173:80	http://au.download.windowsupdate.com/d/msdownload/update/software/defu/2022/11/am_engine_a13d0f0a32e2ba218a67afd0e3cb522012eac063.exe	unknown	text	2 b	unknown
2836	svchost.exe	GET	206	184.24.77.173:80	http://au.download.windowsupdate.com/d/msdownload/update/software/defu/2022/11/am_engine_a13d0f0a32e2ba218a67afd0e3cb522012eac063.exe	unknown	binary	1.00 Mb	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
2508	svchost.exe	2.16.164.9:80	crl.microsoft.com	Akamai International B.V.	NL	unknown
2508	svchost.exe	88.221.125.143:80	www.microsoft.com	AKAMAI-AS	DE	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
2836	svchost.exe	52.184.216.246:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
2836	svchost.exe	184.24.77.173:80	au.download.windowsupdate.com	Akamai International B.V.	DE	unknown
2836	svchost.exe	184.24.77.187:80	au.download.windowsupdate.com	Akamai International B.V.	DE	unknown
2508	svchost.exe	20.12.23.50:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
1872	msedge.exe	51.104.176.40:443	ping-edge.smartscreen.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4340	msedge.exe	204.79.197.203:443	ntp.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
crl.microsoft.com	2.16.164.9 2.16.164.49 2.16.164.72 2.16.164.106	whitelisted
www.microsoft.com	88.221.125.143 184.30.21.171	whitelisted
au.download.windowsupdate.com	184.24.77.173 184.24.77.187 184.24.77.205 184.24.77.200 184.24.77.208 184.24.77.207 184.24.77.194 93.184.221.240	whitelisted
ping-edge.smartscreen.microsoft.com	51.104.176.40	whitelisted
ntp.msn.com	204.79.197.203	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
www.bing.com	2.23.209.187 2.23.209.133 2.23.209.130 2.23.209.182	whitelisted
edge.microsoft.com	204.79.197.239 13.107.21.239	whitelisted
data-edge.smartscreen.microsoft.com	20.103.180.120	whitelisted
th.bing.com	2.19.96.34 2.19.96.25 2.19.96.10 2.19.96.8 2.19.96.26 2.19.96.24 2.19.96.35 2.19.96.40 2.19.96.42	whitelisted

PID	Process	Class	Message
6768	setup.exe	Device Retrieving External IP Address Detected	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
6768	setup.exe	Device Retrieving External IP Address Detected	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
6768	setup.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io)
6768	setup.exe	A Network Trojan was detected	LOADER [ANY.RUN] PrivateLoader Check-in
6768	setup.exe	A Network Trojan was detected	LOADER [ANY.RUN] PrivateLoader Check-in
6768	setup.exe	A Network Trojan was detected	LOADER [ANY.RUN] PrivateLoader Check-in
2120	svchost.exe	Potential Corporate Privacy Violation	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
6768	setup.exe	Potential Corporate Privacy Violation	ET POLICY IP Check Domain (iplogger .org in TLS SNI)

Process	Message
m25wIOeQhkKkxoje9iTUZXhj.exe	CLR: Managed code called FailFast, saying "
m25wIOeQhkKkxoje9iTUZXhj.exe	System requirements not met.
m25wIOeQhkKkxoje9iTUZXhj.exe	"

General Info

release.rar

CA97EB9111A3EAA8ADC0E0FE2DCA78DC

B6EB8B0CF67A5AF1CB6D2F5D9D783D43B71AD51C

B0BB0F9533C5D732876EFA73ECFFA6AD544D6656B20E0A9AD21455636DAEDCC1

98304:+23Xm683BGoMJa6dshS5n09MWi6AwUwNxCkoX3tjpzR522jVwvdHEm8/iOqk0/lD:IXSoahU3BdmNn7sLllN7

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

PRIVATELOADER has been detected (SURICATA)

Connects to the CnC server

SUSPICIOUS

Reads Internet Explorer settings

Reads the BIOS version

Connects to the server without a host name

Reads security settings of Internet Explorer

Checks for external IP

Checks Windows Trust Settings

Executes application which crashes

INFO

Reads the computer name

Manual execution by a user

Checks supported languages

Drops the executable file immediately after the start

The process uses the downloaded file

Checks proxy server information

Process checks Internet Explorer phishing filters

Application launched itself

Creates files or folders in the user directory

Reads the machine GUID from the registry

Creates files in the program directory

Drops 7-zip archiver for unpacking

Process checks are UAC notifies on

Process drops legitimate windows executable

Process checks computer location settings

Reads the software policy settings

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings