NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service SHA-256 ---------------------------------------------------------------- PrivateLoader 4d94232ec587f991017ed134ea2635e85c883ca868b96e552f9b5ac5691cdaf5 Driver 81dbe7ff247d909dc3d6aef5b5894a153886955a9c9aaade6f0e9f47033dc2fb 93[.]115[.]21[.]45 IoCs ---------------------------------------------------------------- Dropper 28ad0bc330c7005637c6241ef5f267981c7b31561dc7d5d5a56e24423b63e642 50ab75a7c8685f9a87b5b9eb7927ccb7c069f42fb7427566628969acdf42b345 85e439e13bcd714b966c6f4cea0cedf513944ca13523c7b0c4448fdebc240be2 c64a551e5b0f74efcce154e97e1246d342b13477c80ca84f99c78db5bfeb85ef 8fa89e4be15b11f42e887f1a1cad49e8c9c0c724ae56eb012ac5e529edc8b15c 531f6cb76127ead379d0315a7ef1a3fc61d8fff1582aa6e4f77cc73259b3e1f2 44babb2843da68977682a74675c8375da235c75618445292990380dbc2ac23af 64be1332d1bf602aaf709d30475c3d117f715d030f1c38dee4e7afa6fa0a8523 43dcf8eea02b7286ba481ca84ec1b4d9299ba5db293177ff0a28231b36600a22 91791f8c459f32dc9bf6ec9f7ee157e322b252bc74b1142705dcc74fe8eced7e a49769b8c1d28b5bb5498db87098ee9c67a94d79e10307b67fe6a870c228d402 Loader d20576f0bd39f979759cde5fb08343c3f22ff929a71c3806e8dcf0c70e0f308b 76ed2ef41db9ec357168cd38daeff1079458af868a037251d3fec36de1b72086 40ee0bd60bcb6f015ad19d1099b3749ca9958dd5c619a9483332e95caee42a06 1cc21e3bbfc910ff2ceb8e63641582bdcca3e479029aa425c55aa346830c6c72 2e37495379eb1a4dfae883d1e669e489877ed73f50ae26d43b5c91d6c7cb5792 8ed34bfc102f8217dcd6e6bdae2b9d4ee0f3ab951d44255e1e300dc2a38b219e 5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54 bfc99c3f76d00c56149efcf75fd73497ec62b1ed53e12d428cf253525f8be8d0 ed98187a0895818dfa6b583463b8a6d13ebc709d6dd219b18f789e40a596e40e 94fb2969eae7cce75c44c667332dacace155369911b425c50476d90528651584 07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4 RAT 62946b8134065b0dab11faf906539fcfcbd2b6a89397e7fb8e187dd2d47ab232 73664c342b302e4879afeb7db4eeae5efc37942e877414a13902372d25c366c5 
ab7d39e34ad51bc3138fb4d0f7dedc4668be1d4b54a45c385e661869267ef685 c54a492d086930eb4d9cd0233a2f5255743b6dde22a042f2a2800f2c8fe82ce8 f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70 55247d144549642feba5489761e9f33a74fcb5923abd87619310039742e19431 ed092406a12d68eac373b2ddb061153cb8abe38e168550f4f6106161f43dcafe ba563dfaf572aa5b981043af3f164a09f16a2cf445498d52b299d18bb37ce904 796df2ad288455a4047a503b671d5970788b15328ce15b512c5e3403b0c39a61 89[.]38[.]131[.]151 IoCs ---------------------------------------------------------------- Dropper 60bf7b23526f36710f4ef589273d92cc21d45a996c09af9a4be52368c3233af6 557f35cfdd1606d53d6a3ae8d9f86013b4953c5e1c6fabc2faa57d528c895694 Loader cdf3aaa9134dc1c5523902afed3ff029574f9c13bc7105c77df70d20c9312288 85d3b0b00759d7b2c7810c65cdae7fcfe46f3a9aec9892c11156d61c99c2d92e RAT 5ec57873c7a4829f75472146d59eb8e44f926d9a0df8d4af51ca21c8cd80bace Domains and URLs ---------------------------------------------------------------- PrivateLoader C&C server http://212.193.30.21/ NetDooka C&C servers http://93.115.21.45 http://89.38.131.155 Malware hosting website http://data-file-data-18.com http://file-coin-coin-10.com