Manual Static Analysis (LLM-Read) — PrivateLoader | Threat: HIGH
File Identity
SHA256         dbd6fcf0495ae49cef1cf8b2f65f0cdcc16b0c4421f60ec88b8922f18aef1dc9
Original Name  winver.exe
Size           296,960 bytes
About PrivateLoader
PrivateLoader is a C/C++-based loader that emerged in 2021 and operates on a PPI (Pay-Per-Install) model. Attackers use this service to have payloads of their own choosing installed on target machines. The binary is heavily packed; the C2 gate URL is decrypted at runtime.
Known Families Loaded by PrivateLoader
Family                 Type
LummaC2                Infostealer (C++)
Vidar                  Infostealer (C++)
Raccoon V2             Infostealer (C++)
StealC                 Infostealer (Go)
RedLine                Infostealer (.NET)
Cobalt Strike Beacon   C2 Framework
SmokeLoader            Loader
IOC
SHA256     dbd6fcf0495ae49cef1cf8b2f65f0cdcc16b0c4421f60ec88b8922f18aef1dc9
Lure Name  winver.exe (imitates the Windows version tool)
C2         HTTP gate (encrypted)
PrivateLoader — Malware Profile
Also tracked as PrivateLdr. Masquerades as sysmon.exe (a fake Sysinternals tool). Uses the cJSON C library. Targets the Chrome browser.
Technical Details
Depending on the variant: C/C#/VBS/PS1; anti-analysis (VM/debugger checks); persistence (Registry/Task Scheduler/Startup folder); payload decryption and injection (shellcode/PE); fileless execution techniques.
Capabilities & Behavior
Credential Theft
IOC List
(1 indicator)
Type     Value                                                              Note
sha256   dbd6fcf0495ae49cef1cf8b2f65f0cdcc16b0c4421f60ec88b8922f18aef1dc9
C2 Servers
(4 recorded servers for this family)
Address          Type    Port  Protocol  Status     Country
45.142.213.167   ip      80    HTTP      inactive   RU
87.251.64.160    ip      80    HTTP      inactive   NL
known2.me        domain  443   HTTPS     inactive   —
45.138.74.63     ip      443   HTTPS     sinkholed  RU
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.