privateloader | 57bde0040690dbc1a57bb3985b51fb20f52252d52d961f915ce1a8538241f7d8

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2023, 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57bde0040690dbc1a57bb3985b51fb20f52252d52d961f915ce1a8538241f7d8.exe
Size

1.1MB
MD5

f053475d8ce8b045850ff8ce2323709b
SHA1

de476080cceb5d39ee1d15a5abc7d504489130d8
SHA256

57bde0040690dbc1a57bb3985b51fb20f52252d52d961f915ce1a8538241f7d8
SHA512

6f634ca4951f29a5d98a138ff0d380d94b4268150d6b2568f87943a537245432ab9f8f87aa151a7a759750d6a2647e8806f80e1910cee9d8cbc6307590c4d950
SSDEEP

24576:LyylLobAGReV6CQ7t6gw2Svv/3ehqayTGQ8dceN7XT27RxN1mS/:+ylTV6COBzSPCqaVv23z

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1120-21-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3Fi14re.exe

Executes dropped EXE 4 IoCs

pid	Process
4668	jz4Oc00.exe
4360	ql2oY58.exe
1444	2Jm4304.exe
2816	3Fi14re.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	57bde0040690dbc1a57bb3985b51fb20f52252d52d961f915ce1a8538241f7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	jz4Oc00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ql2oY58.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3Fi14re.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1444 set thread context of 1120	1444	2Jm4304.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3800	schtasks.exe
2288	schtasks.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 4668	4052	57bde0040690dbc1a57bb3985b51fb20f52252d52d961f915ce1a8538241f7d8.exe	88
PID 4052 wrote to memory of 4668	4052	57bde0040690dbc1a57bb3985b51fb20f52252d52d961f915ce1a8538241f7d8.exe	88
PID 4052 wrote to memory of 4668	4052	57bde0040690dbc1a57bb3985b51fb20f52252d52d961f915ce1a8538241f7d8.exe	88
PID 4668 wrote to memory of 4360	4668	jz4Oc00.exe	89
PID 4668 wrote to memory of 4360	4668	jz4Oc00.exe	89
PID 4668 wrote to memory of 4360	4668	jz4Oc00.exe	89
PID 4360 wrote to memory of 1444	4360	ql2oY58.exe	90
PID 4360 wrote to memory of 1444	4360	ql2oY58.exe	90
PID 4360 wrote to memory of 1444	4360	ql2oY58.exe	90
PID 1444 wrote to memory of 1120	1444	2Jm4304.exe	99
PID 1444 wrote to memory of 1120	1444	2Jm4304.exe	99
PID 1444 wrote to memory of 1120	1444	2Jm4304.exe	99
PID 1444 wrote to memory of 1120	1444	2Jm4304.exe	99
PID 1444 wrote to memory of 1120	1444	2Jm4304.exe	99
PID 1444 wrote to memory of 1120	1444	2Jm4304.exe	99
PID 1444 wrote to memory of 1120	1444	2Jm4304.exe	99
PID 1444 wrote to memory of 1120	1444	2Jm4304.exe	99
PID 4360 wrote to memory of 2816	4360	ql2oY58.exe	100
PID 4360 wrote to memory of 2816	4360	ql2oY58.exe	100
PID 4360 wrote to memory of 2816	4360	ql2oY58.exe	100
PID 2816 wrote to memory of 3800	2816	3Fi14re.exe	101
PID 2816 wrote to memory of 3800	2816	3Fi14re.exe	101
PID 2816 wrote to memory of 3800	2816	3Fi14re.exe	101
PID 2816 wrote to memory of 2288	2816	3Fi14re.exe	103
PID 2816 wrote to memory of 2288	2816	3Fi14re.exe	103
PID 2816 wrote to memory of 2288	2816	3Fi14re.exe	103

C:\Users\Admin\AppData\Local\Temp\57bde0040690dbc1a57bb3985b51fb20f52252d52d961f915ce1a8538241f7d8.exe
"C:\Users\Admin\AppData\Local\Temp\57bde0040690dbc1a57bb3985b51fb20f52252d52d961f915ce1a8538241f7d8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jz4Oc00.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jz4Oc00.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ql2oY58.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ql2oY58.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Jm4304.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Jm4304.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1444
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Fi14re.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Fi14re.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:3800
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
1.3MB

MD5
0807b2d2bea66d1a0213cd7ecd25653c

SHA1
be6e2c5682ead68464bab05f10d12ef28149771d

SHA256
b334c9e2545b0738e93d0d2a864bd51fab1daf86bba6bbf2fa2137a30c5d8384

SHA512
3522900231536aeedf1a3d3a4b15275ab942a77e995fc7ca924cd51e59d60b1fab4750ac0bddad119b73b704882d7f988ae328e078fa86f656fb61008efb044f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jz4Oc00.exe

Filesize
953KB

MD5
b603221eeaaeff4871fe8d8cc7dba22b

SHA1
b9d58131c64430fa1d8628b1dcc4b644d20500cc

SHA256
3279cda037413157d9efa6aec050172c608994a064c2eec5e38a865535824327

SHA512
93981669f9db4509291976f8897822c1abdbb7c2db1eb1ca9ea6ab7b86295cafc8e925f213deab1e5144027453c0c8c4fb57ebc4cccf978a69b1a674588f2e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jz4Oc00.exe

Filesize
953KB

MD5
b603221eeaaeff4871fe8d8cc7dba22b

SHA1
b9d58131c64430fa1d8628b1dcc4b644d20500cc

SHA256
3279cda037413157d9efa6aec050172c608994a064c2eec5e38a865535824327

SHA512
93981669f9db4509291976f8897822c1abdbb7c2db1eb1ca9ea6ab7b86295cafc8e925f213deab1e5144027453c0c8c4fb57ebc4cccf978a69b1a674588f2e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ql2oY58.exe

Filesize
828KB

MD5
40b113c00d2fab0a49b6a52094736dca

SHA1
3107ba6d880f69c58433d4ede3e0c773fad6b843

SHA256
6aadb0af08c6826953bdc19d44f21dee1ee54ab18ae50dbe9b3356b9bddfc95a

SHA512
4cd68e84690537a879278ae3d37770fd01ca56fa6acae6355ef78d4a54d9ba47e46d0e09c2b72cff1cc8337a1853d812c89dff953e90b354b4014d6cc44f57bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ql2oY58.exe

Filesize
828KB

MD5
40b113c00d2fab0a49b6a52094736dca

SHA1
3107ba6d880f69c58433d4ede3e0c773fad6b843

SHA256
6aadb0af08c6826953bdc19d44f21dee1ee54ab18ae50dbe9b3356b9bddfc95a

SHA512
4cd68e84690537a879278ae3d37770fd01ca56fa6acae6355ef78d4a54d9ba47e46d0e09c2b72cff1cc8337a1853d812c89dff953e90b354b4014d6cc44f57bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Jm4304.exe

Filesize
493KB

MD5
3fb2ed9087d2ce0419a8f82bb4573772

SHA1
1ff9ba2e970d4056f9c5939260d1f24207716837

SHA256
07fbb580d5316259248b69d0926269dbadd7066e024b7925d9d0608ea5331d9c

SHA512
3d9277eb88841c62f42d701e643f58d40ce2aadcf01a1781ecbfb44957caab3f3d9a6af7267f261a1fe770f0dfa2384aa0dc4a272e4328656ea49a0a8574280e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Jm4304.exe

Filesize
493KB

MD5
3fb2ed9087d2ce0419a8f82bb4573772

SHA1
1ff9ba2e970d4056f9c5939260d1f24207716837

SHA256
07fbb580d5316259248b69d0926269dbadd7066e024b7925d9d0608ea5331d9c

SHA512
3d9277eb88841c62f42d701e643f58d40ce2aadcf01a1781ecbfb44957caab3f3d9a6af7267f261a1fe770f0dfa2384aa0dc4a272e4328656ea49a0a8574280e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Fi14re.exe

Filesize
1.3MB

MD5
0807b2d2bea66d1a0213cd7ecd25653c

SHA1
be6e2c5682ead68464bab05f10d12ef28149771d

SHA256
b334c9e2545b0738e93d0d2a864bd51fab1daf86bba6bbf2fa2137a30c5d8384

SHA512
3522900231536aeedf1a3d3a4b15275ab942a77e995fc7ca924cd51e59d60b1fab4750ac0bddad119b73b704882d7f988ae328e078fa86f656fb61008efb044f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Fi14re.exe

Filesize
1.3MB

MD5
0807b2d2bea66d1a0213cd7ecd25653c

SHA1
be6e2c5682ead68464bab05f10d12ef28149771d

SHA256
b334c9e2545b0738e93d0d2a864bd51fab1daf86bba6bbf2fa2137a30c5d8384

SHA512
3522900231536aeedf1a3d3a4b15275ab942a77e995fc7ca924cd51e59d60b1fab4750ac0bddad119b73b704882d7f988ae328e078fa86f656fb61008efb044f

Download Submit
memory/1120-27-0x0000000073FF0000-0x00000000747A0000-memory.dmp

Filesize
7.7MB

Download
memory/1120-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1120-28-0x0000000007B60000-0x0000000008104000-memory.dmp

Filesize
5.6MB

Download
memory/1120-29-0x0000000007650000-0x00000000076E2000-memory.dmp

Filesize
584KB

Download
memory/1120-34-0x00000000075F0000-0x0000000007600000-memory.dmp

Filesize
64KB

Download
memory/1120-35-0x0000000007850000-0x000000000785A000-memory.dmp

Filesize
40KB

Download
memory/1120-37-0x0000000008730000-0x0000000008D48000-memory.dmp

Filesize
6.1MB

Download
memory/1120-38-0x00000000079F0000-0x0000000007AFA000-memory.dmp

Filesize
1.0MB

Download
memory/1120-39-0x0000000007920000-0x0000000007932000-memory.dmp

Filesize
72KB

Download
memory/1120-40-0x0000000007980000-0x00000000079BC000-memory.dmp

Filesize
240KB

Download
memory/1120-41-0x0000000007B00000-0x0000000007B4C000-memory.dmp

Filesize
304KB

Download
memory/1120-42-0x0000000073FF0000-0x00000000747A0000-memory.dmp

Filesize
7.7MB

Download
memory/1120-43-0x00000000075F0000-0x0000000007600000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads