privateloader | 4dd3c6a807bc550a92e9b2686ec8891d7db25ce92472e4b0ad57d69f7d81eafd

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2023, 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

090c4eb59520db21f5922ad7ea268e8b.exe
Size

1.1MB
MD5

090c4eb59520db21f5922ad7ea268e8b
SHA1

16e0da553155e1f7ecbec7ed237345d83c2039ee
SHA256

4dd3c6a807bc550a92e9b2686ec8891d7db25ce92472e4b0ad57d69f7d81eafd
SHA512

4843a3c663cb3f5c6d294653b3e3050819dbd051289507cf05326eb696189051fbf0a9106cb13bbb69d43fdabb9df59c01c9aec9c4d78d012859ce770ae70f7b
SSDEEP

24576:+yGcqTFND9xirfCV9P2JHHfNeWelqA95:NGhTTpQfCnPllqI

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2540-21-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3PB91Zo.exe

Executes dropped EXE 4 IoCs

pid	Process
3540	eO1RF57.exe
2828	mR2KE92.exe
896	2Iy5310.exe
1992	3PB91Zo.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	090c4eb59520db21f5922ad7ea268e8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	eO1RF57.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	mR2KE92.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3PB91Zo.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 896 set thread context of 2540	896	2Iy5310.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3444	schtasks.exe
3768	schtasks.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 3540	4000	090c4eb59520db21f5922ad7ea268e8b.exe	86
PID 4000 wrote to memory of 3540	4000	090c4eb59520db21f5922ad7ea268e8b.exe	86
PID 4000 wrote to memory of 3540	4000	090c4eb59520db21f5922ad7ea268e8b.exe	86
PID 3540 wrote to memory of 2828	3540	eO1RF57.exe	88
PID 3540 wrote to memory of 2828	3540	eO1RF57.exe	88
PID 3540 wrote to memory of 2828	3540	eO1RF57.exe	88
PID 2828 wrote to memory of 896	2828	mR2KE92.exe	89
PID 2828 wrote to memory of 896	2828	mR2KE92.exe	89
PID 2828 wrote to memory of 896	2828	mR2KE92.exe	89
PID 896 wrote to memory of 2540	896	2Iy5310.exe	102
PID 896 wrote to memory of 2540	896	2Iy5310.exe	102
PID 896 wrote to memory of 2540	896	2Iy5310.exe	102
PID 896 wrote to memory of 2540	896	2Iy5310.exe	102
PID 896 wrote to memory of 2540	896	2Iy5310.exe	102
PID 896 wrote to memory of 2540	896	2Iy5310.exe	102
PID 896 wrote to memory of 2540	896	2Iy5310.exe	102
PID 896 wrote to memory of 2540	896	2Iy5310.exe	102
PID 2828 wrote to memory of 1992	2828	mR2KE92.exe	103
PID 2828 wrote to memory of 1992	2828	mR2KE92.exe	103
PID 2828 wrote to memory of 1992	2828	mR2KE92.exe	103
PID 1992 wrote to memory of 3444	1992	3PB91Zo.exe	104
PID 1992 wrote to memory of 3444	1992	3PB91Zo.exe	104
PID 1992 wrote to memory of 3444	1992	3PB91Zo.exe	104
PID 1992 wrote to memory of 3768	1992	3PB91Zo.exe	106
PID 1992 wrote to memory of 3768	1992	3PB91Zo.exe	106
PID 1992 wrote to memory of 3768	1992	3PB91Zo.exe	106

C:\Users\Admin\AppData\Local\Temp\090c4eb59520db21f5922ad7ea268e8b.exe
"C:\Users\Admin\AppData\Local\Temp\090c4eb59520db21f5922ad7ea268e8b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eO1RF57.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eO1RF57.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR2KE92.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR2KE92.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Iy5310.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Iy5310.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:896
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:2540
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3PB91Zo.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3PB91Zo.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:3444
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
1.3MB

MD5
2948caad0f2076b5df6ba23068a872c0

SHA1
5cb909710cd69fe9f4b1be6c7647d3ca07a76774

SHA256
2605a929da3031a15d948113343cc54358c2e709389da760aa92a3406d6271cb

SHA512
b89b55c1c25399e7f139734bafd0078c72dd8a3fa500aa1ce958cf54df96131f5f17a324a6bf03d1bbd78dd28bc7b73d8ed8afab7e7c351076969efbed292ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eO1RF57.exe

Filesize
953KB

MD5
c288987413e151939f26e49b5c7e8b08

SHA1
1fb2b61f368b657f5bb2b18b4cc7637ef00edf00

SHA256
f065427ca75c75747ade20a498e395b906944f8fa0d2fda869f4f85a95071f4d

SHA512
59a1d4d7d4b33b77178022c85b8d0f81469aa5b2739c62e4046d45e3f55ec25393e638f945cc294e5108502fb805f63c07a08a0989a29b0f5efc165499ab5f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eO1RF57.exe

Filesize
953KB

MD5
c288987413e151939f26e49b5c7e8b08

SHA1
1fb2b61f368b657f5bb2b18b4cc7637ef00edf00

SHA256
f065427ca75c75747ade20a498e395b906944f8fa0d2fda869f4f85a95071f4d

SHA512
59a1d4d7d4b33b77178022c85b8d0f81469aa5b2739c62e4046d45e3f55ec25393e638f945cc294e5108502fb805f63c07a08a0989a29b0f5efc165499ab5f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR2KE92.exe

Filesize
828KB

MD5
330ed115b6e0ef8bbe5ef04eede69f10

SHA1
5b55a14877a0ae47bd1103f7884be22332376e39

SHA256
d6262eaa8739aaeb870b9b1ed0265cc6bf51c10e5e48dafc99169624c1a49343

SHA512
9a541a13b7096f0bc2aeab53763939c8ed8db81c46cc8a0f6f26850fe037eac5a3508cbcdabb1323253d9fc91d5d24b7932841ff1f48cf3fb8cd5b2b234747e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR2KE92.exe

Filesize
828KB

MD5
330ed115b6e0ef8bbe5ef04eede69f10

SHA1
5b55a14877a0ae47bd1103f7884be22332376e39

SHA256
d6262eaa8739aaeb870b9b1ed0265cc6bf51c10e5e48dafc99169624c1a49343

SHA512
9a541a13b7096f0bc2aeab53763939c8ed8db81c46cc8a0f6f26850fe037eac5a3508cbcdabb1323253d9fc91d5d24b7932841ff1f48cf3fb8cd5b2b234747e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Iy5310.exe

Filesize
493KB

MD5
d28cd37a46b7d682791faf140d0697d4

SHA1
35ce1e261c304ea5283bb135c03e430663575726

SHA256
408e68ba3a3ed8e5d5c922938d1690ea4abff992273ac461a6d1a356d97b32d2

SHA512
42beb0e2792ef509a7ed095fdaed3cd3fe88978804350d39d4582efd30a1711bfdfb1966946e0c91edf3d795d15c4f72a9b0707d350d9bd4ddac68a91b8cce71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Iy5310.exe

Filesize
493KB

MD5
d28cd37a46b7d682791faf140d0697d4

SHA1
35ce1e261c304ea5283bb135c03e430663575726

SHA256
408e68ba3a3ed8e5d5c922938d1690ea4abff992273ac461a6d1a356d97b32d2

SHA512
42beb0e2792ef509a7ed095fdaed3cd3fe88978804350d39d4582efd30a1711bfdfb1966946e0c91edf3d795d15c4f72a9b0707d350d9bd4ddac68a91b8cce71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3PB91Zo.exe

Filesize
1.3MB

MD5
2948caad0f2076b5df6ba23068a872c0

SHA1
5cb909710cd69fe9f4b1be6c7647d3ca07a76774

SHA256
2605a929da3031a15d948113343cc54358c2e709389da760aa92a3406d6271cb

SHA512
b89b55c1c25399e7f139734bafd0078c72dd8a3fa500aa1ce958cf54df96131f5f17a324a6bf03d1bbd78dd28bc7b73d8ed8afab7e7c351076969efbed292ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3PB91Zo.exe

Filesize
1.3MB

MD5
2948caad0f2076b5df6ba23068a872c0

SHA1
5cb909710cd69fe9f4b1be6c7647d3ca07a76774

SHA256
2605a929da3031a15d948113343cc54358c2e709389da760aa92a3406d6271cb

SHA512
b89b55c1c25399e7f139734bafd0078c72dd8a3fa500aa1ce958cf54df96131f5f17a324a6bf03d1bbd78dd28bc7b73d8ed8afab7e7c351076969efbed292ec0

Download Submit
memory/2540-27-0x0000000073C20000-0x00000000743D0000-memory.dmp

Filesize
7.7MB

Download
memory/2540-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2540-32-0x0000000007C60000-0x0000000008204000-memory.dmp

Filesize
5.6MB

Download
memory/2540-33-0x00000000077B0000-0x0000000007842000-memory.dmp

Filesize
584KB

Download
memory/2540-34-0x0000000007A40000-0x0000000007A50000-memory.dmp

Filesize
64KB

Download
memory/2540-36-0x00000000079B0000-0x00000000079BA000-memory.dmp

Filesize
40KB

Download
memory/2540-37-0x0000000008830000-0x0000000008E48000-memory.dmp

Filesize
6.1MB

Download
memory/2540-38-0x0000000008210000-0x000000000831A000-memory.dmp

Filesize
1.0MB

Download
memory/2540-39-0x0000000007A90000-0x0000000007AA2000-memory.dmp

Filesize
72KB

Download
memory/2540-40-0x0000000007AF0000-0x0000000007B2C000-memory.dmp

Filesize
240KB

Download
memory/2540-41-0x0000000007B30000-0x0000000007B7C000-memory.dmp

Filesize
304KB

Download
memory/2540-42-0x0000000073C20000-0x00000000743D0000-memory.dmp

Filesize
7.7MB

Download
memory/2540-43-0x0000000007A40000-0x0000000007A50000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads