privateloader | 89cc8588fdd283d65796d258d20da78cc3e96dda70483c000ab1ff1232fa5562

Analysis

max time kernel
138s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2023, 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89cc8588fdd283d65796d258d20da78cc3e96dda70483c000ab1ff1232fa5562.exe
Size

1.1MB
MD5

70af13c890c5081da2091516841af307
SHA1

594f38460e233676ee60e09a0e7bc6e0c4dd2428
SHA256

89cc8588fdd283d65796d258d20da78cc3e96dda70483c000ab1ff1232fa5562
SHA512

31104d94f244cb8ad36559f88ce9226733124cfa0db10d286c716c79794695f3e791e9e16622f8741c16c1b3982fd45bd9acf0390ea4cbb6f7f6d062ad73bd8d
SSDEEP

24576:CyNsrxUbbGlC5nHLNyoupccfuC7Px0riP+hniTx1Ej/N5bHFIo:pNskbNxyo3jGx0g+64zND

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1412-21-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3rS28GF.exe

Executes dropped EXE 4 IoCs

pid	Process
2524	lj6Or14.exe
1316	Ya0RB62.exe
4440	2Ig9315.exe
5000	3rS28GF.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3rS28GF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	89cc8588fdd283d65796d258d20da78cc3e96dda70483c000ab1ff1232fa5562.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	lj6Or14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ya0RB62.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4440 set thread context of 1412	4440	2Ig9315.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2824	4440	WerFault.exe	94

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2424	schtasks.exe
3116	schtasks.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 2524	1552	89cc8588fdd283d65796d258d20da78cc3e96dda70483c000ab1ff1232fa5562.exe	91
PID 1552 wrote to memory of 2524	1552	89cc8588fdd283d65796d258d20da78cc3e96dda70483c000ab1ff1232fa5562.exe	91
PID 1552 wrote to memory of 2524	1552	89cc8588fdd283d65796d258d20da78cc3e96dda70483c000ab1ff1232fa5562.exe	91
PID 2524 wrote to memory of 1316	2524	lj6Or14.exe	93
PID 2524 wrote to memory of 1316	2524	lj6Or14.exe	93
PID 2524 wrote to memory of 1316	2524	lj6Or14.exe	93
PID 1316 wrote to memory of 4440	1316	Ya0RB62.exe	94
PID 1316 wrote to memory of 4440	1316	Ya0RB62.exe	94
PID 1316 wrote to memory of 4440	1316	Ya0RB62.exe	94
PID 4440 wrote to memory of 1412	4440	2Ig9315.exe	106
PID 4440 wrote to memory of 1412	4440	2Ig9315.exe	106
PID 4440 wrote to memory of 1412	4440	2Ig9315.exe	106
PID 4440 wrote to memory of 1412	4440	2Ig9315.exe	106
PID 4440 wrote to memory of 1412	4440	2Ig9315.exe	106
PID 4440 wrote to memory of 1412	4440	2Ig9315.exe	106
PID 4440 wrote to memory of 1412	4440	2Ig9315.exe	106
PID 4440 wrote to memory of 1412	4440	2Ig9315.exe	106
PID 1316 wrote to memory of 5000	1316	Ya0RB62.exe	110
PID 1316 wrote to memory of 5000	1316	Ya0RB62.exe	110
PID 1316 wrote to memory of 5000	1316	Ya0RB62.exe	110
PID 5000 wrote to memory of 2424	5000	3rS28GF.exe	112
PID 5000 wrote to memory of 2424	5000	3rS28GF.exe	112
PID 5000 wrote to memory of 2424	5000	3rS28GF.exe	112
PID 5000 wrote to memory of 3116	5000	3rS28GF.exe	114
PID 5000 wrote to memory of 3116	5000	3rS28GF.exe	114
PID 5000 wrote to memory of 3116	5000	3rS28GF.exe	114

C:\Users\Admin\AppData\Local\Temp\89cc8588fdd283d65796d258d20da78cc3e96dda70483c000ab1ff1232fa5562.exe
"C:\Users\Admin\AppData\Local\Temp\89cc8588fdd283d65796d258d20da78cc3e96dda70483c000ab1ff1232fa5562.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lj6Or14.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lj6Or14.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ya0RB62.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ya0RB62.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1316
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ig9315.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ig9315.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4440
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1412
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 148
        5⤵
        Program crash
        
        PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3rS28GF.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3rS28GF.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5000
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:2424
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4440 -ip 4440
1⤵
PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
1.3MB

MD5
34563154d1a2a2b7599086eac6ee3913

SHA1
21283fbd85cf0372834cd90b29caa4d7d56a7717

SHA256
6a9fbce30079f4c2c23ff213b1b7971ae41fa35db94a12db4e11cdaf53d24629

SHA512
e785daab62b4b057e83555373ddafb54ef708299ae618c3307ba02536e40897354b042e5214a965daf8500419e684a518606a0eb14215c0aa5a7b607cd066318

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lj6Or14.exe

Filesize
935KB

MD5
f3d3fecc283f8e49955e88d854317dac

SHA1
62fefc860b7d771ed0f4438c154afa023b57c08c

SHA256
eb300507c0cb513e33ef94544a3bf1af4f33be74a2ca70db2cfd63e858e75f46

SHA512
72cd7f7e263123c28804f4c18ab03e0927a571bc1466f2b1b20e222c04d29e3af7d8edb113e0da2f3cac0f892ff09bf09edfbcb9ed2f56b1742f58f9ea204e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lj6Or14.exe

Filesize
935KB

MD5
f3d3fecc283f8e49955e88d854317dac

SHA1
62fefc860b7d771ed0f4438c154afa023b57c08c

SHA256
eb300507c0cb513e33ef94544a3bf1af4f33be74a2ca70db2cfd63e858e75f46

SHA512
72cd7f7e263123c28804f4c18ab03e0927a571bc1466f2b1b20e222c04d29e3af7d8edb113e0da2f3cac0f892ff09bf09edfbcb9ed2f56b1742f58f9ea204e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ya0RB62.exe

Filesize
811KB

MD5
6acaccecbbe4ea4b2c84bf37b06175bc

SHA1
b1108780fde8d55c8c716917f472d4726f609b28

SHA256
5a6c444580d38a5947dcd7fdb7a8242bdd49c5dd54977d7058aa9a156d5abc83

SHA512
e004cb7ba2b7331f0c9d40e33099c2425390edd75a8232828f311f3093fa298776a73fec98c512bcb07efcd0c046f00f0a1b510aa97ddfa4e5bffa722958df22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ya0RB62.exe

Filesize
811KB

MD5
6acaccecbbe4ea4b2c84bf37b06175bc

SHA1
b1108780fde8d55c8c716917f472d4726f609b28

SHA256
5a6c444580d38a5947dcd7fdb7a8242bdd49c5dd54977d7058aa9a156d5abc83

SHA512
e004cb7ba2b7331f0c9d40e33099c2425390edd75a8232828f311f3093fa298776a73fec98c512bcb07efcd0c046f00f0a1b510aa97ddfa4e5bffa722958df22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ig9315.exe

Filesize
432KB

MD5
dc5470255181f2d8c3988607e68e2838

SHA1
428a5c0b4cbacce664843c8b8dc853bcdaa42978

SHA256
8a6a397ce0ce2f6dffb085e47055049758d8fd637f4f4fd7a5d23d377ad35639

SHA512
660cbdc6d8679d2114ce589cde2e9625ac357c6c1546bd2ec6795efc88b5fcb41bad839b84204d142ea1ef38c001b0f77c6cb23567593a38be7c53588d9c6b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ig9315.exe

Filesize
432KB

MD5
dc5470255181f2d8c3988607e68e2838

SHA1
428a5c0b4cbacce664843c8b8dc853bcdaa42978

SHA256
8a6a397ce0ce2f6dffb085e47055049758d8fd637f4f4fd7a5d23d377ad35639

SHA512
660cbdc6d8679d2114ce589cde2e9625ac357c6c1546bd2ec6795efc88b5fcb41bad839b84204d142ea1ef38c001b0f77c6cb23567593a38be7c53588d9c6b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3rS28GF.exe

Filesize
1.3MB

MD5
34563154d1a2a2b7599086eac6ee3913

SHA1
21283fbd85cf0372834cd90b29caa4d7d56a7717

SHA256
6a9fbce30079f4c2c23ff213b1b7971ae41fa35db94a12db4e11cdaf53d24629

SHA512
e785daab62b4b057e83555373ddafb54ef708299ae618c3307ba02536e40897354b042e5214a965daf8500419e684a518606a0eb14215c0aa5a7b607cd066318

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3rS28GF.exe

Filesize
1.3MB

MD5
34563154d1a2a2b7599086eac6ee3913

SHA1
21283fbd85cf0372834cd90b29caa4d7d56a7717

SHA256
6a9fbce30079f4c2c23ff213b1b7971ae41fa35db94a12db4e11cdaf53d24629

SHA512
e785daab62b4b057e83555373ddafb54ef708299ae618c3307ba02536e40897354b042e5214a965daf8500419e684a518606a0eb14215c0aa5a7b607cd066318

Download Submit
memory/1412-25-0x0000000007F80000-0x0000000007F90000-memory.dmp

Filesize
64KB

Download
memory/1412-24-0x0000000007D20000-0x0000000007DB2000-memory.dmp

Filesize
584KB

Download
memory/1412-23-0x0000000008230000-0x00000000087D4000-memory.dmp

Filesize
5.6MB

Download
memory/1412-22-0x00000000739B0000-0x0000000074160000-memory.dmp

Filesize
7.7MB

Download
memory/1412-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1412-31-0x0000000007DE0000-0x0000000007DEA000-memory.dmp

Filesize
40KB

Download
memory/1412-37-0x0000000008E00000-0x0000000009418000-memory.dmp

Filesize
6.1MB

Download
memory/1412-38-0x00000000087E0000-0x00000000088EA000-memory.dmp

Filesize
1.0MB

Download
memory/1412-39-0x0000000007ED0000-0x0000000007EE2000-memory.dmp

Filesize
72KB

Download
memory/1412-40-0x0000000007F30000-0x0000000007F6C000-memory.dmp

Filesize
240KB

Download
memory/1412-41-0x0000000008080000-0x00000000080CC000-memory.dmp

Filesize
304KB

Download
memory/1412-42-0x00000000739B0000-0x0000000074160000-memory.dmp

Filesize
7.7MB

Download
memory/1412-43-0x0000000007F80000-0x0000000007F90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads