privateloader | 698afadb438df4675db66d4c1836ac52fc4cce05484537d3ae8ee86b31dc6254

General

Target

8d971097448a36d60bcf3114ceb5cb9c057fd1d4b93a1a844bdce8998000fce6.exe
Size

1.3MB
MD5

ccdc827488c94ff6961f327f4377ee75
SHA1

4a0001b0b79cd845ff620dce8db61c869ff77420
SHA256

8d971097448a36d60bcf3114ceb5cb9c057fd1d4b93a1a844bdce8998000fce6
SHA512

1b07454c8ef0a453b899c8a452de55cf907b42ac4f2e1259a523def0932d6ae7780e66a92fadcf96249a82a0539a89655dedfa69735339a2a5273216dfd662a2
SSDEEP

24576:byMGbzVyPAIujWLOlNCr9CB0Rjw3WqSSvJkQc/tOocsQ:OGPAIujWLOlgs/3W3SR5c/t9

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

C2

194.49.94.152:19053

Extracted

Family

risepro

C2

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3360-21-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Executes dropped EXE 4 IoCs

pid	Process
3252	EQ0St86.exe
4060	GF0GS89.exe
1356	2bL4397.exe
3456	4CU033cE.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	EQ0St86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	GF0GS89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8d971097448a36d60bcf3114ceb5cb9c057fd1d4b93a1a844bdce8998000fce6.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1356 set thread context of 3360	1356	2bL4397.exe	98

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 3252	4132	8d971097448a36d60bcf3114ceb5cb9c057fd1d4b93a1a844bdce8998000fce6.exe	85
PID 4132 wrote to memory of 3252	4132	8d971097448a36d60bcf3114ceb5cb9c057fd1d4b93a1a844bdce8998000fce6.exe	85
PID 4132 wrote to memory of 3252	4132	8d971097448a36d60bcf3114ceb5cb9c057fd1d4b93a1a844bdce8998000fce6.exe	85
PID 3252 wrote to memory of 4060	3252	EQ0St86.exe	87
PID 3252 wrote to memory of 4060	3252	EQ0St86.exe	87
PID 3252 wrote to memory of 4060	3252	EQ0St86.exe	87
PID 4060 wrote to memory of 1356	4060	GF0GS89.exe	89
PID 4060 wrote to memory of 1356	4060	GF0GS89.exe	89
PID 4060 wrote to memory of 1356	4060	GF0GS89.exe	89
PID 1356 wrote to memory of 3360	1356	2bL4397.exe	98
PID 1356 wrote to memory of 3360	1356	2bL4397.exe	98
PID 1356 wrote to memory of 3360	1356	2bL4397.exe	98
PID 1356 wrote to memory of 3360	1356	2bL4397.exe	98
PID 1356 wrote to memory of 3360	1356	2bL4397.exe	98
PID 1356 wrote to memory of 3360	1356	2bL4397.exe	98
PID 1356 wrote to memory of 3360	1356	2bL4397.exe	98
PID 1356 wrote to memory of 3360	1356	2bL4397.exe	98
PID 4060 wrote to memory of 3456	4060	GF0GS89.exe	99
PID 4060 wrote to memory of 3456	4060	GF0GS89.exe	99
PID 4060 wrote to memory of 3456	4060	GF0GS89.exe	99

C:\Users\Admin\AppData\Local\Temp\8d971097448a36d60bcf3114ceb5cb9c057fd1d4b93a1a844bdce8998000fce6.exe
"C:\Users\Admin\AppData\Local\Temp\8d971097448a36d60bcf3114ceb5cb9c057fd1d4b93a1a844bdce8998000fce6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EQ0St86.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EQ0St86.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GF0GS89.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GF0GS89.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2bL4397.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2bL4397.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1356
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:3360
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4CU033cE.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4CU033cE.exe
      4⤵
      Executes dropped EXE
      PID:3456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EQ0St86.exe

Filesize
1.1MB

MD5
d33472e0a6908c0b93b80635ed9425f8

SHA1
bb5ab060b73dc5afaa472c18a50306d97dc3fe67

SHA256
182858c5e215115927dcb8245a3c8e24c3cde42def0ad3ffec6e2573585f90ca

SHA512
eaba6575a5834addc698051ed321920017337c6d59bd18a535c0a5b39da3ef793669e0b66985e983d14e7255f1a4adb1bb930f074a22951bdd921d278e401f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EQ0St86.exe

Filesize
1.1MB

MD5
d33472e0a6908c0b93b80635ed9425f8

SHA1
bb5ab060b73dc5afaa472c18a50306d97dc3fe67

SHA256
182858c5e215115927dcb8245a3c8e24c3cde42def0ad3ffec6e2573585f90ca

SHA512
eaba6575a5834addc698051ed321920017337c6d59bd18a535c0a5b39da3ef793669e0b66985e983d14e7255f1a4adb1bb930f074a22951bdd921d278e401f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GF0GS89.exe

Filesize
952KB

MD5
013a502eb89713074cd727e1ea93debe

SHA1
e04eba3563f2381e143315452a2f109c4d879b5e

SHA256
e320c6392d3b9d2d12317a4e5950bc3482833bffb2aa2378888ffa09cbec6556

SHA512
b840c102231b55a5b09f4b63bf644b975834f90dcfa3ee91af27fe18e8a15bb23a9197b4ccc8a1fdd75d4ecd84a0074ef3bb7f19e304d369da82f6209ad4bc3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GF0GS89.exe

Filesize
952KB

MD5
013a502eb89713074cd727e1ea93debe

SHA1
e04eba3563f2381e143315452a2f109c4d879b5e

SHA256
e320c6392d3b9d2d12317a4e5950bc3482833bffb2aa2378888ffa09cbec6556

SHA512
b840c102231b55a5b09f4b63bf644b975834f90dcfa3ee91af27fe18e8a15bb23a9197b4ccc8a1fdd75d4ecd84a0074ef3bb7f19e304d369da82f6209ad4bc3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2bL4397.exe

Filesize
1.2MB

MD5
1338742ad5f057af4f1b54724d8f4900

SHA1
911e259b9e48b181beeec3f327f7ad0bdd00fa14

SHA256
3c8ac14b3c824163e0b5cc518a441523f4f0047f3e22868c2a02ce74543f680f

SHA512
5b73b1792d3089b682f6822e3ad4262078851d5b05fa3d0b100b24005b15e7b9108ce3bc13850112429f3671a61904bc69e9fafb4ab94f0462d62aa2e179e351

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2bL4397.exe

Filesize
1.2MB

MD5
1338742ad5f057af4f1b54724d8f4900

SHA1
911e259b9e48b181beeec3f327f7ad0bdd00fa14

SHA256
3c8ac14b3c824163e0b5cc518a441523f4f0047f3e22868c2a02ce74543f680f

SHA512
5b73b1792d3089b682f6822e3ad4262078851d5b05fa3d0b100b24005b15e7b9108ce3bc13850112429f3671a61904bc69e9fafb4ab94f0462d62aa2e179e351

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4CU033cE.exe

Filesize
1.3MB

MD5
a3076d7a6f16f63033cc571702c253c9

SHA1
8eec50423985781a839c984d35cb71df917bc1d1

SHA256
d92f80f292ec4d486f238cf5c0e88114c85a281477cb885f8c6b6d4b37f461e8

SHA512
2d2c83f1cdc05e52af8b8c012ee679bd688196c513f4ff0d5ab94f23980e432ecaa3dc8c72703c60c0aadf483356fdd79a72263ddc4d8d8075efa7ea80dfa028

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4CU033cE.exe

Filesize
1.3MB

MD5
a3076d7a6f16f63033cc571702c253c9

SHA1
8eec50423985781a839c984d35cb71df917bc1d1

SHA256
d92f80f292ec4d486f238cf5c0e88114c85a281477cb885f8c6b6d4b37f461e8

SHA512
2d2c83f1cdc05e52af8b8c012ee679bd688196c513f4ff0d5ab94f23980e432ecaa3dc8c72703c60c0aadf483356fdd79a72263ddc4d8d8075efa7ea80dfa028

Download Submit
memory/3360-26-0x0000000007BF0000-0x0000000008194000-memory.dmp

Filesize
5.6MB

Download
memory/3360-25-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/3360-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3360-27-0x00000000076E0000-0x0000000007772000-memory.dmp

Filesize
584KB

Download
memory/3360-28-0x0000000007920000-0x0000000007930000-memory.dmp

Filesize
64KB

Download
memory/3360-29-0x0000000007910000-0x000000000791A000-memory.dmp

Filesize
40KB

Download
memory/3360-30-0x00000000087C0000-0x0000000008DD8000-memory.dmp

Filesize
6.1MB

Download
memory/3360-31-0x00000000081A0000-0x00000000082AA000-memory.dmp

Filesize
1.0MB

Download
memory/3360-32-0x0000000007AF0000-0x0000000007B02000-memory.dmp

Filesize
72KB

Download
memory/3360-33-0x0000000007B50000-0x0000000007B8C000-memory.dmp

Filesize
240KB

Download
memory/3360-34-0x0000000007B90000-0x0000000007BDC000-memory.dmp

Filesize
304KB

Download
memory/3360-35-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/3360-36-0x0000000007920000-0x0000000007930000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads