privateloader | 6e349cf64aa3fa330d1312bbdf0a158376282fd547c54fcabf75af777d93ae40

Analysis

max time kernel
140s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2023, 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e349cf64aa3fa330d1312bbdf0a158376282fd547c54fcabf75af777d93ae40.exe
Size

1.3MB
MD5

75164be06c9b8c73806036ab715788ec
SHA1

c13cf0913187995099d905514132bff25499117f
SHA256

6e349cf64aa3fa330d1312bbdf0a158376282fd547c54fcabf75af777d93ae40
SHA512

57dab7a3b4fe0a0a0f03fd89963255d7cdd50357466d8976a2cf2b01a199cf7398885f03b61b16b2a6803d7ae4adf29b3077f3c59501b16abfb5c2a32f2215bc
SSDEEP

24576:dysip47L/FL4zSGxulRZxDUodeuUUmZyc0yC9EOGSGeQVLACeswSp8j8jFRu:4sip4vF4zS4uv7DzdNwiyERGe0Acp8jQ

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/620-21-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3lA31wi.exe

Executes dropped EXE 4 IoCs

pid	Process
3720	Yd0tA37.exe
2156	dG5pt10.exe
4472	2yS9534.exe
2100	3lA31wi.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6e349cf64aa3fa330d1312bbdf0a158376282fd547c54fcabf75af777d93ae40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Yd0tA37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	dG5pt10.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3lA31wi.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4472 set thread context of 620	4472	2yS9534.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1944	4472	WerFault.exe	87

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2088	schtasks.exe
1480	schtasks.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 3720	1696	6e349cf64aa3fa330d1312bbdf0a158376282fd547c54fcabf75af777d93ae40.exe	84
PID 1696 wrote to memory of 3720	1696	6e349cf64aa3fa330d1312bbdf0a158376282fd547c54fcabf75af777d93ae40.exe	84
PID 1696 wrote to memory of 3720	1696	6e349cf64aa3fa330d1312bbdf0a158376282fd547c54fcabf75af777d93ae40.exe	84
PID 3720 wrote to memory of 2156	3720	Yd0tA37.exe	85
PID 3720 wrote to memory of 2156	3720	Yd0tA37.exe	85
PID 3720 wrote to memory of 2156	3720	Yd0tA37.exe	85
PID 2156 wrote to memory of 4472	2156	dG5pt10.exe	87
PID 2156 wrote to memory of 4472	2156	dG5pt10.exe	87
PID 2156 wrote to memory of 4472	2156	dG5pt10.exe	87
PID 4472 wrote to memory of 3956	4472	2yS9534.exe	99
PID 4472 wrote to memory of 3956	4472	2yS9534.exe	99
PID 4472 wrote to memory of 3956	4472	2yS9534.exe	99
PID 4472 wrote to memory of 620	4472	2yS9534.exe	100
PID 4472 wrote to memory of 620	4472	2yS9534.exe	100
PID 4472 wrote to memory of 620	4472	2yS9534.exe	100
PID 4472 wrote to memory of 620	4472	2yS9534.exe	100
PID 4472 wrote to memory of 620	4472	2yS9534.exe	100
PID 4472 wrote to memory of 620	4472	2yS9534.exe	100
PID 4472 wrote to memory of 620	4472	2yS9534.exe	100
PID 4472 wrote to memory of 620	4472	2yS9534.exe	100
PID 2156 wrote to memory of 2100	2156	dG5pt10.exe	104
PID 2156 wrote to memory of 2100	2156	dG5pt10.exe	104
PID 2156 wrote to memory of 2100	2156	dG5pt10.exe	104
PID 2100 wrote to memory of 1480	2100	3lA31wi.exe	105
PID 2100 wrote to memory of 1480	2100	3lA31wi.exe	105
PID 2100 wrote to memory of 1480	2100	3lA31wi.exe	105
PID 2100 wrote to memory of 2088	2100	3lA31wi.exe	107
PID 2100 wrote to memory of 2088	2100	3lA31wi.exe	107
PID 2100 wrote to memory of 2088	2100	3lA31wi.exe	107

C:\Users\Admin\AppData\Local\Temp\6e349cf64aa3fa330d1312bbdf0a158376282fd547c54fcabf75af777d93ae40.exe
"C:\Users\Admin\AppData\Local\Temp\6e349cf64aa3fa330d1312bbdf0a158376282fd547c54fcabf75af777d93ae40.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yd0tA37.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yd0tA37.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dG5pt10.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dG5pt10.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2yS9534.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2yS9534.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4472
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:3956
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:620
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 596
        5⤵
        Program crash
        
        PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lA31wi.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lA31wi.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:1480
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4472 -ip 4472
1⤵
PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
1.3MB

MD5
5b2cad4c0169dde495dc5269005d3bcc

SHA1
db70453183393cdf0471553100880c7c997f6415

SHA256
898d76ae00e7ca0c0a79246712c2ca8dcd55c6b7e74201d47ca76576c317d9c4

SHA512
0f9a6badcfbe8722a730fcef1b46e9055f4184e64946084319e2fe633ae141fdbb0b4609bd89103985b053668d9398d28da9115e8880232a9d08a20d1f944ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yd0tA37.exe

Filesize
1.0MB

MD5
7d57c9746c8f6657773c6f5ec57d1171

SHA1
7898100fa5f9188bb930e12be018823ee8f22033

SHA256
02ab15a90c6ea43e3602e25d445e744831b58fec0c68ce102aeb03befd8b7799

SHA512
779337b7cf1604024b091d7371455ab26afa5e17a23f37dc33fb1882d85002ceba47207259b875f373c78ce12d9a130c87ed4536d2e9a80b5f7c4d07bbca4bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yd0tA37.exe

Filesize
1.0MB

MD5
7d57c9746c8f6657773c6f5ec57d1171

SHA1
7898100fa5f9188bb930e12be018823ee8f22033

SHA256
02ab15a90c6ea43e3602e25d445e744831b58fec0c68ce102aeb03befd8b7799

SHA512
779337b7cf1604024b091d7371455ab26afa5e17a23f37dc33fb1882d85002ceba47207259b875f373c78ce12d9a130c87ed4536d2e9a80b5f7c4d07bbca4bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dG5pt10.exe

Filesize
948KB

MD5
6d3b5dab4a670c4cd370b992668f55c8

SHA1
4b9c866fb31648feafb91ad8cb01d6281ce5f09c

SHA256
2efdb31e86d935292b0ac792dc679149bd7e62b49bf833d6cb53ba090d5852d1

SHA512
913875a6a9bf65aed71592b8e72e1822ff7f3e1b5917776cd68860e13a0e8067c9442682ea2f9a211690bfbc4ec37ee537545ba5e3d428ecdfab9fdbfe2cbf58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dG5pt10.exe

Filesize
948KB

MD5
6d3b5dab4a670c4cd370b992668f55c8

SHA1
4b9c866fb31648feafb91ad8cb01d6281ce5f09c

SHA256
2efdb31e86d935292b0ac792dc679149bd7e62b49bf833d6cb53ba090d5852d1

SHA512
913875a6a9bf65aed71592b8e72e1822ff7f3e1b5917776cd68860e13a0e8067c9442682ea2f9a211690bfbc4ec37ee537545ba5e3d428ecdfab9fdbfe2cbf58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2yS9534.exe

Filesize
1.1MB

MD5
ccc0b1c201f669b140ef8ededc6c067f

SHA1
fc17b5460dde431be809ac87a4ff03ce0ace822f

SHA256
0ff3972c8fa3b9d9a950552a7901150caabf4134673e3a9e37eced114c7095ac

SHA512
e6e22ab5bffcc8c8e5975cc9eb61a4f8ce2a4fc6c516c34223e53297a7a5876b88013aaa66a5f9694dd2717bad7d04ce66c0c890ef6dd1ebb4898039a2ebb680

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2yS9534.exe

Filesize
1.1MB

MD5
ccc0b1c201f669b140ef8ededc6c067f

SHA1
fc17b5460dde431be809ac87a4ff03ce0ace822f

SHA256
0ff3972c8fa3b9d9a950552a7901150caabf4134673e3a9e37eced114c7095ac

SHA512
e6e22ab5bffcc8c8e5975cc9eb61a4f8ce2a4fc6c516c34223e53297a7a5876b88013aaa66a5f9694dd2717bad7d04ce66c0c890ef6dd1ebb4898039a2ebb680

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lA31wi.exe

Filesize
1.3MB

MD5
5b2cad4c0169dde495dc5269005d3bcc

SHA1
db70453183393cdf0471553100880c7c997f6415

SHA256
898d76ae00e7ca0c0a79246712c2ca8dcd55c6b7e74201d47ca76576c317d9c4

SHA512
0f9a6badcfbe8722a730fcef1b46e9055f4184e64946084319e2fe633ae141fdbb0b4609bd89103985b053668d9398d28da9115e8880232a9d08a20d1f944ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lA31wi.exe

Filesize
1.3MB

MD5
5b2cad4c0169dde495dc5269005d3bcc

SHA1
db70453183393cdf0471553100880c7c997f6415

SHA256
898d76ae00e7ca0c0a79246712c2ca8dcd55c6b7e74201d47ca76576c317d9c4

SHA512
0f9a6badcfbe8722a730fcef1b46e9055f4184e64946084319e2fe633ae141fdbb0b4609bd89103985b053668d9398d28da9115e8880232a9d08a20d1f944ca5

Download Submit
memory/620-25-0x0000000007770000-0x0000000007780000-memory.dmp

Filesize
64KB

Download
memory/620-22-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/620-26-0x00000000075E0000-0x00000000075EA000-memory.dmp

Filesize
40KB

Download
memory/620-24-0x0000000007520000-0x00000000075B2000-memory.dmp

Filesize
584KB

Download
memory/620-23-0x0000000007A20000-0x0000000007FC4000-memory.dmp

Filesize
5.6MB

Download
memory/620-30-0x00000000085F0000-0x0000000008C08000-memory.dmp

Filesize
6.1MB

Download
memory/620-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/620-33-0x0000000007890000-0x000000000799A000-memory.dmp

Filesize
1.0MB

Download
memory/620-34-0x00000000077C0000-0x00000000077D2000-memory.dmp

Filesize
72KB

Download
memory/620-35-0x0000000007820000-0x000000000785C000-memory.dmp

Filesize
240KB

Download
memory/620-36-0x00000000079A0000-0x00000000079EC000-memory.dmp

Filesize
304KB

Download
memory/620-42-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/620-43-0x0000000007770000-0x0000000007780000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads