YARAhub

You are currently viewing the YARAhub entry of the YARA rule privateloader. Depending on the TLP classification of this YARA rule chosen by the author, further information about this YARA rule is available below.

YARA Rule Details: privateloader

Rule name: privateloader
Author: andretavare5 - @andretavare5
Description: Detects PrivateLoader malware.
Reference MD5: 3fe6f262a34d82a4cc96540e4105b581
Likes: 1
Reference Link: https://www.bitsight.com/blog/hunting-privateloader-malware-behind-installskey-ppi-service
Malpedia Family: https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader
Date added: 2022-06-06
Rule Matching TLP: TLP:WHITE
Rule Sharing TLP: TLP:WHITE
License: https://creativecommons.org/licenses/by-nc-sa/4.0/
UUID: 5916c441-16b1-42b7-acaa-114c06296f38
Static hits: 841
Unpacker hits: 6

YARA Rule Content

The content of the YARA rule is shown below.

rule privateloader
{
    meta:
        author                    = "andretavare5"
        description               = "Detects PrivateLoader malware."
        org                       = "Bitsight"
        date                      = "2024-08-08"
        sample1_md5               = "8f70a0f45532261cb4df2800b141551d" // loader module Jan 2022
        sample2_md5               = "dbf48bf522a272297266c35b965c6054" // service module Nov 2023
        sample3_md5               = "51bb70b9a31d07c7d57da0c5b26545d4" // core module Dec 2023
        sample4_md5               = "3fe6f262a34d82a4cc96540e4105b581" // core module Jul 2024
        yarahub_author_twitter    = "@andretavare5"
        yarahub_reference_link    = "https://www.bitsight.com/blog/hunting-privateloader-malware-behind-installskey-ppi-service"
        yarahub_malpedia_family   = "win.privateloader"
        yarahub_uuid              = "5916c441-16b1-42b7-acaa-114c06296f38"
        yarahub_license           = "CC BY-NC-SA 4.0"
        yarahub_rule_matching_tlp = "TLP:WHITE"
        yarahub_rule_sharing_tlp  = "TLP:WHITE"
        yarahub_reference_md5     = "3fe6f262a34d82a4cc96540e4105b581"

    strings:
        $hdr   = "Content-Type: application/x-www-form-urlencoded" wide ascii
        $dom1  = "ipinfo.io" wide ascii
        $dom2  = "db-ip.com" wide ascii
        $dom3  = "maxmind.com" wide ascii
        $dom4  = "ipgeolocation.io" wide ascii
        $ua1   = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" wide ascii
        $ua2   = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36" wide ascii
        $ua3   = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" wide ascii
        $ua4   = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" wide ascii

        // string decryption routine
        // PXOR xmm0/xmm1, [reg+disp8] or [reg+disp32] (ModRM 4? / 8?)
        $asm1 = {66 0F EF (4?|8?)}

        // string decryption loop (variant 1)
        // LEA ??
        // XOR ??
        // INC ??
        // CMP ??
        // JC ??
        $asm2 = {8D ?? ?? 30 ?? ?? ?? 4? FF C? 4? 83 F? ?? 72 ??}

        // string decryption loop (variant 2)
        // LEA ??
        // INC ??
        // XOR ??
        // CMP ??
        // JC ??
        $asm3 = {8D ?? ?? 4? 30 ?? 83 F? ?? 72 ??}

    condition:
        uint16(0) == 0x5A4D and filesize > 100KB and filesize < 10MB and $hdr and any of ($dom*) and any of ($ua*) and any of ($asm*)
}

YARA Rule Matches

The following table shows the most recent files matching this particular YARA rule.

First seen (UTC) | SHA256 hash | Static matches | Unpacker matches