privateloader | fed18f7acebaa30f644c8a7de8229ef2d05e9cd213fdcf37881ef29fc0238bbc

Analysis

max time kernel
138s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2023 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

283e72fbf2c6d5af415b2ef437ce82f8.exe
Size

1.1MB
MD5

283e72fbf2c6d5af415b2ef437ce82f8
SHA1

4f908a45e49cf7f3ad48b90cca5b9bb4aca26faa
SHA256

fed18f7acebaa30f644c8a7de8229ef2d05e9cd213fdcf37881ef29fc0238bbc
SHA512

eb24fd25784059f0b8ac25d85d6cc3e108f15d03d4fbf005022b13917110868d7cb303f1fa123d2ed0585bf1f5848469dddf8693be33a76defdb0864b36b853b
SSDEEP

24576:oyPuSciMrLXzHsYHTbvlk9W4/qAaVvphDb/DqnTfLSo+7xQfLkA:v2iMrzzHpbaun/DkTDSmfQ

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/5108-21-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3Ck37OF.exe

Executes dropped EXE 4 IoCs

pid	Process
4528	Qz5ZH76.exe
1592	Ej8Bn94.exe
2484	2gz1332.exe
1588	3Ck37OF.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Qz5ZH76.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ej8Bn94.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3Ck37OF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	283e72fbf2c6d5af415b2ef437ce82f8.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2484 set thread context of 5108	2484	2gz1332.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5020	schtasks.exe
4516	schtasks.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 4528	4420	283e72fbf2c6d5af415b2ef437ce82f8.exe	86
PID 4420 wrote to memory of 4528	4420	283e72fbf2c6d5af415b2ef437ce82f8.exe	86
PID 4420 wrote to memory of 4528	4420	283e72fbf2c6d5af415b2ef437ce82f8.exe	86
PID 4528 wrote to memory of 1592	4528	Qz5ZH76.exe	87
PID 4528 wrote to memory of 1592	4528	Qz5ZH76.exe	87
PID 4528 wrote to memory of 1592	4528	Qz5ZH76.exe	87
PID 1592 wrote to memory of 2484	1592	Ej8Bn94.exe	88
PID 1592 wrote to memory of 2484	1592	Ej8Bn94.exe	88
PID 1592 wrote to memory of 2484	1592	Ej8Bn94.exe	88
PID 2484 wrote to memory of 5108	2484	2gz1332.exe	101
PID 2484 wrote to memory of 5108	2484	2gz1332.exe	101
PID 2484 wrote to memory of 5108	2484	2gz1332.exe	101
PID 2484 wrote to memory of 5108	2484	2gz1332.exe	101
PID 2484 wrote to memory of 5108	2484	2gz1332.exe	101
PID 2484 wrote to memory of 5108	2484	2gz1332.exe	101
PID 2484 wrote to memory of 5108	2484	2gz1332.exe	101
PID 2484 wrote to memory of 5108	2484	2gz1332.exe	101
PID 1592 wrote to memory of 1588	1592	Ej8Bn94.exe	102
PID 1592 wrote to memory of 1588	1592	Ej8Bn94.exe	102
PID 1592 wrote to memory of 1588	1592	Ej8Bn94.exe	102
PID 1588 wrote to memory of 5020	1588	3Ck37OF.exe	103
PID 1588 wrote to memory of 5020	1588	3Ck37OF.exe	103
PID 1588 wrote to memory of 5020	1588	3Ck37OF.exe	103
PID 1588 wrote to memory of 4516	1588	3Ck37OF.exe	105
PID 1588 wrote to memory of 4516	1588	3Ck37OF.exe	105
PID 1588 wrote to memory of 4516	1588	3Ck37OF.exe	105

C:\Users\Admin\AppData\Local\Temp\283e72fbf2c6d5af415b2ef437ce82f8.exe
"C:\Users\Admin\AppData\Local\Temp\283e72fbf2c6d5af415b2ef437ce82f8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qz5ZH76.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qz5ZH76.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ej8Bn94.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ej8Bn94.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2gz1332.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2gz1332.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:5108
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Ck37OF.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Ck37OF.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1588
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:5020
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
1.3MB

MD5
f1f91edc33a4571fff4dfbf25f072565

SHA1
af60634c2a8b53046ad178cae971316d2bfe6a99

SHA256
a191ff4b2c2d3834d75dd96ec31df45fa989ca5404772f33806acfe59293bf00

SHA512
faf834b6c77be33320f41182ce4a7c8fd07bb6c80a8c87f8ac3d2c3e72d01be567d23da4cbef13ccc30f2f3c3e9bf1389b667bfcd84a7acc1be78f99722a1858

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qz5ZH76.exe

Filesize
951KB

MD5
7de9cc92b8b1afb5863b9cf742f53fa2

SHA1
269f4814ed42abe345851c0ee23108238dafd508

SHA256
550e9244f55cc2896c886777a936eff457712f1372adb596573620d9f1219b39

SHA512
52aa149b0e3440590b336cb8a290ffc87ebb28d98c3e6bb15eb9ed786470e51b4b1ccbbf7a390dcb0dd72f965a48c6ad2e54f8b775abde78d11bb65d76cf113c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qz5ZH76.exe

Filesize
951KB

MD5
7de9cc92b8b1afb5863b9cf742f53fa2

SHA1
269f4814ed42abe345851c0ee23108238dafd508

SHA256
550e9244f55cc2896c886777a936eff457712f1372adb596573620d9f1219b39

SHA512
52aa149b0e3440590b336cb8a290ffc87ebb28d98c3e6bb15eb9ed786470e51b4b1ccbbf7a390dcb0dd72f965a48c6ad2e54f8b775abde78d11bb65d76cf113c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ej8Bn94.exe

Filesize
827KB

MD5
4080b3fee1485c1f646d12b2061afde1

SHA1
ff5f2afd4c40cc45726e90a08b9ef392abe0f547

SHA256
67b3f72c11f1c2ec214fcf5eb7cb7dcdf988e85b5cc9b3b8937093af5d87086a

SHA512
20856e6bc332a4514b94e72bfe2be911e3f5aaf215ce6bc32fc569bcebe381c294babb596b6ef628192d154a23f7e2957eb599b0af5dca36710de95f9ea50b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ej8Bn94.exe

Filesize
827KB

MD5
4080b3fee1485c1f646d12b2061afde1

SHA1
ff5f2afd4c40cc45726e90a08b9ef392abe0f547

SHA256
67b3f72c11f1c2ec214fcf5eb7cb7dcdf988e85b5cc9b3b8937093af5d87086a

SHA512
20856e6bc332a4514b94e72bfe2be911e3f5aaf215ce6bc32fc569bcebe381c294babb596b6ef628192d154a23f7e2957eb599b0af5dca36710de95f9ea50b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2gz1332.exe

Filesize
493KB

MD5
df3e38f0c925ca9f8f86faef59578ec6

SHA1
accd8d98b398e5958cde68c4ac29e0577fc3fe8e

SHA256
852aabb505075778b78fe0ea6777bc2e60a474ffb5f53c493563a13856cfc41d

SHA512
309bc32eeacc8353e629f7edcfddc6dd3d8dd6b26bb1a2e4ef85a7f96467b3bd2f6671ed0f2e7ea3d52a01a243b6a440d63ce15f3ac7d59fec57d71559c393e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2gz1332.exe

Filesize
493KB

MD5
df3e38f0c925ca9f8f86faef59578ec6

SHA1
accd8d98b398e5958cde68c4ac29e0577fc3fe8e

SHA256
852aabb505075778b78fe0ea6777bc2e60a474ffb5f53c493563a13856cfc41d

SHA512
309bc32eeacc8353e629f7edcfddc6dd3d8dd6b26bb1a2e4ef85a7f96467b3bd2f6671ed0f2e7ea3d52a01a243b6a440d63ce15f3ac7d59fec57d71559c393e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Ck37OF.exe

Filesize
1.3MB

MD5
f1f91edc33a4571fff4dfbf25f072565

SHA1
af60634c2a8b53046ad178cae971316d2bfe6a99

SHA256
a191ff4b2c2d3834d75dd96ec31df45fa989ca5404772f33806acfe59293bf00

SHA512
faf834b6c77be33320f41182ce4a7c8fd07bb6c80a8c87f8ac3d2c3e72d01be567d23da4cbef13ccc30f2f3c3e9bf1389b667bfcd84a7acc1be78f99722a1858

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Ck37OF.exe

Filesize
1.3MB

MD5
f1f91edc33a4571fff4dfbf25f072565

SHA1
af60634c2a8b53046ad178cae971316d2bfe6a99

SHA256
a191ff4b2c2d3834d75dd96ec31df45fa989ca5404772f33806acfe59293bf00

SHA512
faf834b6c77be33320f41182ce4a7c8fd07bb6c80a8c87f8ac3d2c3e72d01be567d23da4cbef13ccc30f2f3c3e9bf1389b667bfcd84a7acc1be78f99722a1858

Download Submit
memory/5108-27-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/5108-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5108-32-0x0000000008310000-0x00000000088B4000-memory.dmp

Filesize
5.6MB

Download
memory/5108-33-0x0000000007E40000-0x0000000007ED2000-memory.dmp

Filesize
584KB

Download
memory/5108-34-0x00000000080B0000-0x00000000080C0000-memory.dmp

Filesize
64KB

Download
memory/5108-36-0x0000000007EF0000-0x0000000007EFA000-memory.dmp

Filesize
40KB

Download
memory/5108-37-0x0000000008EE0000-0x00000000094F8000-memory.dmp

Filesize
6.1MB

Download
memory/5108-38-0x00000000081D0000-0x00000000082DA000-memory.dmp

Filesize
1.0MB

Download
memory/5108-39-0x00000000080E0000-0x00000000080F2000-memory.dmp

Filesize
72KB

Download
memory/5108-40-0x0000000008140000-0x000000000817C000-memory.dmp

Filesize
240KB

Download
memory/5108-41-0x0000000008180000-0x00000000081CC000-memory.dmp

Filesize
304KB

Download
memory/5108-42-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/5108-43-0x00000000080B0000-0x00000000080C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads