Hello, PrivateLoader has now made a radical change in its network behaviour.
New behaviour: https://dataprotectioncourse.com/idm+download+with+crack+64+bit+2023.zip (ANY.RUN interactive analysis, malicious activity)
Last typical PrivateLoader detonation I have available: https://dealcatalogue.com/idm+download+with+crack+64+bit+2023.zip (ANY.RUN interactive analysis, malicious activity)
The new C2s now use port 3306 to communicate between the build and the C2 host; please see the attached detonation focusing on PID 5356 for the new behaviour.
There is interaction between the C2 and the host, then an encrypted string in which the configuration is received from the C2 host, and then the malware is loaded.
Both builds used in the detonations were grabbed from the same malvertising ad networks used by the InstallsKey PPI service, known for years, so there should be no problem associating the source of both builds with the same origin.
There is no rule detecting this new PrivateLoader behaviour. The old behaviour has not been observed since October 5th; some old C2s were destroyed or the traditional files inside them were deleted (making them obsolete). So there should be no more questions about associating this new malware behaviour with traditional PrivateLoader builds.
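Added example, not from the post above: a small hunting script over constructed Sysmon Event ID 3 style records that flags outbound TCP 3306 connections from processes that are not expected database clients, one way to surface the new port 3306 C2 behaviour described above until a network rule exists. The sample events, process names and the allow-list are assumptions.

```python
# Constructed sample records loosely modelled on Sysmon Event ID 3
# (network connection) fields; all values are made up for illustration.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u\AppData\Local\Temp\setup.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 3306,
     "Protocol": "tcp", "Initiated": True},
    {"Image": r"C:\Program Files\MySQL\MySQL Workbench\MySQLWorkbench.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 3306,
     "Protocol": "tcp", "Initiated": True},
    {"Image": r"C:\Users\u\AppData\Local\Temp\setup.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443,
     "Protocol": "tcp", "Initiated": True},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "192.168.1.20", "DestinationPort": 3306,
     "Protocol": "tcp", "Initiated": False},  # inbound, not of interest here
]

# Assumed allow-list of process images expected to talk to MySQL/MariaDB
# in this environment; tune it to your own estate.
EXPECTED_DB_CLIENTS = {"mysqlworkbench.exe", "mysql.exe", "mysqld.exe", "php.exe"}

# Path fragments that make an unexpected 3306 client more interesting,
# since loaders dropped from downloaded archives tend to run from here.
USER_WRITABLE_HINTS = ("/appdata/", "/temp/", "/downloads/")


def is_suspicious_3306(event: dict) -> bool:
    """True for an outbound TCP 3306 connection from a non-allow-listed image."""
    if not event.get("Initiated") or event.get("Protocol") != "tcp":
        return False
    if event.get("DestinationPort") != 3306:
        return False
    image = event.get("Image", "").replace("\\", "/").lower()
    return image.rsplit("/", 1)[-1] not in EXPECTED_DB_CLIENTS


def hunt(events):
    """Return (image, destination ip, severity) triples worth triaging."""
    hits = []
    for e in events:
        if not is_suspicious_3306(e):
            continue
        path = e["Image"].replace("\\", "/").lower()
        severity = "high" if any(h in path for h in USER_WRITABLE_HINTS) else "medium"
        hits.append((e["Image"], e["DestinationIp"], severity))
    return hits


if __name__ == "__main__":
    for image, ip, severity in hunt(SAMPLE_EVENTS):
        print(f"[{severity}] review: {image} -> {ip}:3306")
```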
