{
	"id": "df30216f-1013-4337-b1dc-e882b28728c3",
	"created_at": "2026-04-06T00:11:56.066879Z",
	"updated_at": "2026-04-10T13:11:37.902475Z",
	"deleted_at": null,
	"sha1_hash": "b1c9b23a5bdddd7fbe55ad8de4fd0051598d8f8c",
	"title": "PrivateLoader. Analyzing the Malware Encryption and Decryption",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78047,
	"plain_text": "PrivateLoader. Analyzing the Malware Encryption and Decryption\r\nBy khr0x\r\nPublished: 2023-07-19 · Archived: 2026-04-05 12:53:14 UTC\r\nIn this article, we delve into the inner workings of PrivateLoader, a notorious malicious loader family. We will explore the encryption and decryption processes utilized by this malware, particularly focusing on its ability to protect itself using VMProtect, as well as its decryption of loaded libraries. Let’s dive in!\r\nPrivateLoader analysis introduction\r\nPrivateLoader is a malicious loader family, written in C++ and first discovered in early 2021.\r\nIt is known for distributing a wide range of malware payloads, from simple information stealers to complex rootkits and spyware.\r\nThe distribution of this type of malware is managed by a Pay-Per-Install (PPI) service, a popular tool within the cybercriminal ecosystem that generates revenue by adding payloads to malware.\r\nThe loader code itself also handles the decryption of the libraries it loads.\r\nAt present, there are two versions of PrivateLoader available: one protected by VMProtect, and a regular version.\r\nEvery day, between 2 and 4 samples of this malware are uploaded.\r\nStatic Analysis of the Source File\r\nSHA256: 27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4\r\nUsing the Detect It Easy utility, we can see that the analyzed executable file is compiled in C++. There is no information about the packer, which could mean it was not possible to identify it.\r\nFig. 1 – PrivateLoader’s sample data\r\nThe next step is to search for unencrypted strings using the strings command:\r\nstrings --encoding=l loader.exe\r\nFig. 2 – Interesting strings detected in the executable file\r\nAnalyzing the discovered strings allows us to identify several interesting elements:\r\nA user-agent, which is likely used to masquerade as a legitimate browser application\r\nURL addresses for determining the current IP and geolocation\r\nPrivateLoader dynamic analysis with ANY.RUN\r\nWe analyzed the sample in the ANY.RUN interactive malware sandbox.\r\nHere’s a link to the task:\r\nhttps://app.any.run/tasks/3e359dc7-934b-4ae1-89bf-ad33e346ed60\r\nThe process tree generated by the executable file appears as follows:\r\nFig. 3 – PrivateLoader’s process tree\r\nAnalyzing the process tree leads to the following conclusions:\r\nhttps://any.run/cybersecurity-blog/privateloader-analyzing-the-encryption-and-decryption-of-a-modern-loader/\r\nPage 1 of 5\r\n1. The main PrivateLoader process creates a child process named “FhuC750omh76YtB1xgR7diEy.exe”, whose executable file is located in the user’s “Pictures” directory (T1564 – Hide Artifacts):\r\nC:\\Users\\admin\\Pictures\\Minor Policy\r\n2. The created child process is added to startup using Task Scheduler (T1053.005 – Scheduled Task/Job: Scheduled Task):\r\nschtasks /create /f /RU “admin” /tr “”C:\\Program Files (x86)\\ClipManagerP0\\ClipManager_Svc.exe”” /tn “LOLPA4DESK HR” /sc HOURLY /rl HIGHEST\r\nThe executable file of the child process was downloaded from the Internet (T1105 – Ingress Tool Transfer). We will not go into a detailed analysis of it.\r\nFig. 4 – PrivateLoader downloaded payload\r\nAnalyzing the HTTP requests, we can observe connections and data exchanges with the C2 server (T1071.001 – Application Layer Protocol):\r\nFig. 5 – C2 addresses\r\nThe content sent (as well as received) in POST requests consists of BASE64-encoded strings (T1132.001 – Data Encoding: Standard Encoding). Decoding these strings does not yield any readable results:\r\ndata=-kSYhy9HPjD5Jhn9y6Evty4XFfJ3JgIwrSzln5bGnLfKDmbXix2ebDEXy6Ty3Bb8Hz2GB8w0Y2SL2JeBSZ4G80iHAkSS7JJyeiPwZOpWJONOljR9hkvX_TJhqr1nNqQpYUB2lQ9i7NmmHeL_QSx8hUka_C3jOxi02ml5FyDDruXM_IWwPXvAGxtT8TV-i9wLtfd0mF1O369GUAEeI45sF1pKeyDfssmqE=\r\nMoving forward to the indicators, we can see that the malware steals user credentials from browsers (T1552.001 – Credentials In Files):\r\nFig. 6 – Stealing data\r\nTechnical Analysis of PrivateLoader\r\nFor the technical analysis, the following tasks were set:\r\n1. Locate the C2 server within the code\r\n2. Identify the encryption algorithms for the C2 server and, if possible, for strings as well\r\n3. Automate the decryption of the C2 server and strings\r\nThe analysis of the executable file revealed that string encryption is done using the XOR algorithm (T1027 – Obfuscated Files or Information). First, the data and the key are loaded onto the stack, and then decrypted using the SIMD instruction “PXOR” and an “XMM” register. The result of the XOR operation is also stored on the stack.\r\nThe three stages of C2 server decryption are shown below.\r\n1. Loading the encrypted data onto the stack:\r\nFig. 7 – Data\r\n2. Loading the encryption key onto the stack:\r\nFig. 8 – Key\r\n3. Decrypting the C2 server using the “PXOR” instruction and saving the result on the stack:\r\nFig. 9 – Decrypting\r\nDuring the analysis, it was also found that a method similar to the C2 decryption is used to decrypt the following:\r\nUsed API functions (T1027.007 – Obfuscated Files or Information: Dynamic API Resolution)\r\nPayloads\r\nURLs and more\r\nSome of the analyzed samples are protected by VMProtect. The search for string decryption is complicated by the fact that the encrypted data is located in one function, while the XOR and the key are in another. Moreover, the key is always the same.\r\nFig. 10 – Decrypting a VMProtect-protected sample\r\nExample of automating C2 server decryption of PrivateLoader\r\nTo automate the extraction of data and configuration, we can use the Triton framework. It will emulate the code blocks that contain all the necessary encrypted information.\r\nYou can find an example of a script for emulating a specific block in our GitHub repository. The output of the script will be the decrypted C2 server.\r\nFig. 11 – Script output\r\nTherefore, by emulating all the code blocks that contain encrypted data, we can obtain a set of strings with the necessary information, including the C2 server.\r\nExtracting the PrivateLoader configuration\r\nIn our service, you can view the configuration, which is extracted automatically:\r\nFig. 12 – PrivateLoader configuration and strings\r\nThe decrypted data includes C2 addresses and strings. The strings contain information such as used libraries and their functions, registry keys, paths to crypto wallets and browsers, etc.\r\nConclusion\r\nIn this article, we discussed encryption in PrivateLoader.\r\nIts main feature is the XOR encryption of all strings it interacts with (C2, URLs, DLLs). Also, some samples are protected by VMProtect, which makes the code a bit more complex due to the use of many functions.\r\nIf you’d like to read more content like this, read our LimeRAT Malware Analysis. Or check out our deep dive into the encryption and decryption process of XLoader/FormBook.\r\nMITRE ATT&CK\r\nTactics | Techniques | Description\r\nTA0007: Software discovery | T1518: Software Discovery | Searches for installed software in the system in the “Uninstall” key\r\nTA0007: Software discovery | T1082: System Information Discovery | Collects system data\r\nTA0011: Command and Control | T1071.001: Application Layer Protocol | Sends collected data to the control server\r\nTA0011: Command and Control | T1105: Ingress Tool Transfer | Requests a binary from the Internet\r\nTA0011: Command and Control | T1132.001: Data Encoding: Standard Encoding | Encodes data with BASE64\r\nTA0006: Credential Access | T1552.001: Credentials In Files | Stealing of personal data – login data\r\nTA0005: Defense Evasion | T1564: Hide Artifacts | Attempts to hide artifacts in the user folder\r\nTA0005: Defense Evasion | T1027.007: Obfuscated Files or Information: Dynamic API Resolution | Obfuscates, then dynamically resolves, the API functions called by the malware\r\nTA0005: Defense Evasion | T1027: Obfuscated Files or Information | Attempts to make an executable or file difficult to discover or analyze by XOR encryption\r\nTA0002: Execution | T1053.005: Scheduled Task/Job: Scheduled Task | Abuses the Windows Task Scheduler to create a file in startup\r\nIOCs\r\nName: 27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4 exe\r\nMD5: 6cc7d9664c1a89c58549e57b5959bb38\r\nSHA1: 85b665c501b9ab38710050e9a5c1b6d2e96acccc\r\nSHA256: 27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4\r\nExtracted URLs\r\nhttp://23[.]254[.]227[.]214/api/tracemap[.]php\r\nhttp://23[.]254[.]227[.]205/api/tracemap[.]php\r\nhttp://23[.]254[.]227[.]202/api/tracemap[.]php\r\nhttp://208[.]67[.]104[.]60/api/tracemap[.]php\r\nhttp://208[.]67[.]104[.]60/api/firegate[.]php\r\nhttp://163[.]123[.]143[.]4/download/YT_Client[.]exe\r\nDropped executable file\r\nName: C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\AH8CR9J5\\YT_Client[1].exe\r\nSHA256: 041f891934add72852c8fda245c95da959d7f98cc580383d198e42f2de039634\r\nDNS requests\r\niplogger.org\r\nipinfo.io\r\nIplis.ru\r\nConnections (IP)\r\n23[.]254.227.214\r\n23[.]254.227.202\r\n23[.]254.227.205\r\n208[.]67.104.60\r\nMORE SAMPLES FOR YOUR RESEARCH\r\nhttps://app.any.run/tasks/ff1872a6-6c1f-4f79-89da-995b9bd56152/\r\nhttps://app.any.run/tasks/6a8f93eb-be36-41bc-bf7f-534938a7e3a2/\r\nhttps://app.any.run/tasks/cc2cb367-82e9-4705-9767-8c12f7a67a21/\r\nhttps://app.any.run/tasks/c32312d8-4026-4a81-84e5-3d90ab2e309a/\r\nhttps://app.any.run/tasks/235754fa-6aa3-49dd-bbc4-1a7f9361f455/\r\nANY.RUN malware analyst\r\nkhr0x\r\nI'm 21 years old and I have worked as a malware analyst for more than a year. I like finding out what kind of malware got on my computer. In my spare time I do sports and play video games.\r\nSource: https://any.run/cybersecurity-blog/privateloader-analyzing-the-encryption-and-decryption-of-a-modern-loader/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://any.run/cybersecurity-blog/privateloader-analyzing-the-encryption-and-decryption-of-a-modern-loader/"
	],
	"report_names": [
		"privateloader-analyzing-the-encryption-and-decryption-of-a-modern-loader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434316,
	"ts_updated_at": 1775826697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b1c9b23a5bdddd7fbe55ad8de4fd0051598d8f8c.pdf",
		"text": "https://archive.orkl.eu/b1c9b23a5bdddd7fbe55ad8de4fd0051598d8f8c.txt",
		"img": "https://archive.orkl.eu/b1c9b23a5bdddd7fbe55ad8de4fd0051598d8f8c.jpg"
	}
}