privateloader | d7507308cb5e5646d7fb52c57dcac92e8722e1a0d6602e68236d249fa89a5ee4

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
22/11/2023, 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7507308cb5e5646d7fb52c57dcac92e8722e1a0d6602e68236d249fa89a5ee4.exe
Size

1.3MB
MD5

77cae6f64306312091f612ed1821b425
SHA1

3ac0f634340c91f04ea69da6d1154e5ff70a6691
SHA256

d7507308cb5e5646d7fb52c57dcac92e8722e1a0d6602e68236d249fa89a5ee4
SHA512

587ff3a8280679c2826c05eec6f0662cbbe5f2e67d86f57ed0563ba92d491d365477067d97fa0dac0e63e304a69a976653c956fadfb472b120ade52163f62ee8
SSDEEP

24576:AyG6v1JDMJHLcofanDx36hH6hOvFidSyfqrGP1SROWrQmLwTVMX8ZvV+F:HG6TDILzpwwNisiP1mBRLO6Xsv

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/852-21-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3Cn28Le.exe

Executes dropped EXE 4 IoCs

pid	Process
3648	nP4lE15.exe
1836	NN9Lc73.exe
2520	2TU3076.exe
3920	3Cn28Le.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d7507308cb5e5646d7fb52c57dcac92e8722e1a0d6602e68236d249fa89a5ee4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	nP4lE15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	NN9Lc73.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3Cn28Le.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2520 set thread context of 852	2520	2TU3076.exe	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4540	2520	WerFault.exe	93

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4648	schtasks.exe
2404	schtasks.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 3648	1116	d7507308cb5e5646d7fb52c57dcac92e8722e1a0d6602e68236d249fa89a5ee4.exe	90
PID 1116 wrote to memory of 3648	1116	d7507308cb5e5646d7fb52c57dcac92e8722e1a0d6602e68236d249fa89a5ee4.exe	90
PID 1116 wrote to memory of 3648	1116	d7507308cb5e5646d7fb52c57dcac92e8722e1a0d6602e68236d249fa89a5ee4.exe	90
PID 3648 wrote to memory of 1836	3648	nP4lE15.exe	91
PID 3648 wrote to memory of 1836	3648	nP4lE15.exe	91
PID 3648 wrote to memory of 1836	3648	nP4lE15.exe	91
PID 1836 wrote to memory of 2520	1836	NN9Lc73.exe	93
PID 1836 wrote to memory of 2520	1836	NN9Lc73.exe	93
PID 1836 wrote to memory of 2520	1836	NN9Lc73.exe	93
PID 2520 wrote to memory of 852	2520	2TU3076.exe	105
PID 2520 wrote to memory of 852	2520	2TU3076.exe	105
PID 2520 wrote to memory of 852	2520	2TU3076.exe	105
PID 2520 wrote to memory of 852	2520	2TU3076.exe	105
PID 2520 wrote to memory of 852	2520	2TU3076.exe	105
PID 2520 wrote to memory of 852	2520	2TU3076.exe	105
PID 2520 wrote to memory of 852	2520	2TU3076.exe	105
PID 2520 wrote to memory of 852	2520	2TU3076.exe	105
PID 1836 wrote to memory of 3920	1836	NN9Lc73.exe	108
PID 1836 wrote to memory of 3920	1836	NN9Lc73.exe	108
PID 1836 wrote to memory of 3920	1836	NN9Lc73.exe	108
PID 3920 wrote to memory of 4648	3920	3Cn28Le.exe	110
PID 3920 wrote to memory of 4648	3920	3Cn28Le.exe	110
PID 3920 wrote to memory of 4648	3920	3Cn28Le.exe	110
PID 3920 wrote to memory of 2404	3920	3Cn28Le.exe	112
PID 3920 wrote to memory of 2404	3920	3Cn28Le.exe	112
PID 3920 wrote to memory of 2404	3920	3Cn28Le.exe	112

C:\Users\Admin\AppData\Local\Temp\d7507308cb5e5646d7fb52c57dcac92e8722e1a0d6602e68236d249fa89a5ee4.exe
"C:\Users\Admin\AppData\Local\Temp\d7507308cb5e5646d7fb52c57dcac92e8722e1a0d6602e68236d249fa89a5ee4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nP4lE15.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nP4lE15.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NN9Lc73.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NN9Lc73.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2TU3076.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2TU3076.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:852
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 580
        5⤵
        Program crash
        
        PID:4540
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Cn28Le.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Cn28Le.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3920
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:4648
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2520 -ip 2520
1⤵
PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
1.3MB

MD5
ee9658f5bee7bc42d185bfb1f0843249

SHA1
15fba547d10b01ef6e714a63089ffc2e5d167d5a

SHA256
7bf3d20c2c975fd0a14b8bbc9abcb131a6da594ea41658c374f0ee13016112b7

SHA512
df8429622720775c2db16fe9490e20625579497887ff0bbbd0daaceec7b3e1c6c070ea3290ca456ed2b466d83dd63eb114c28f444867459002a77ab07ffafc69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nP4lE15.exe

Filesize
1.0MB

MD5
a210d1e465dfac413191f41b3cdb821d

SHA1
184c43dcdd487f66a23e043a3c6d0451ce8aaf7a

SHA256
4f4635df1fd4ed30fd536e731a24071c1aac552dae0e7ad6c3be7b821f6e52df

SHA512
80d2a904185501a55e0c97b7615fcfd9c56689c8316b80034ca1994a4805958a6a929cf1745af4c3cd74b90bb8f5cd024b6aa607a614dba2019c746cb20f9dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nP4lE15.exe

Filesize
1.0MB

MD5
a210d1e465dfac413191f41b3cdb821d

SHA1
184c43dcdd487f66a23e043a3c6d0451ce8aaf7a

SHA256
4f4635df1fd4ed30fd536e731a24071c1aac552dae0e7ad6c3be7b821f6e52df

SHA512
80d2a904185501a55e0c97b7615fcfd9c56689c8316b80034ca1994a4805958a6a929cf1745af4c3cd74b90bb8f5cd024b6aa607a614dba2019c746cb20f9dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NN9Lc73.exe

Filesize
946KB

MD5
5985ff0b3c1df0bb7c81424c6ac34d21

SHA1
438a952bbf271eb374826c19895636640bdd06d8

SHA256
c63d45819691583d1f3f69e288c5b76777c0132f2a77664e60ce2af06a441f8c

SHA512
894a77255b6b90acf1476948b0f0f38e5fc2b502b21ef696fa9853fb0f20815fdb68f2766c456c4077e8b60113eca9ea3480f5b4fcad34de1db86a4d6df0a307

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NN9Lc73.exe

Filesize
946KB

MD5
5985ff0b3c1df0bb7c81424c6ac34d21

SHA1
438a952bbf271eb374826c19895636640bdd06d8

SHA256
c63d45819691583d1f3f69e288c5b76777c0132f2a77664e60ce2af06a441f8c

SHA512
894a77255b6b90acf1476948b0f0f38e5fc2b502b21ef696fa9853fb0f20815fdb68f2766c456c4077e8b60113eca9ea3480f5b4fcad34de1db86a4d6df0a307

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2TU3076.exe

Filesize
1.1MB

MD5
ef21d7267d8682e80a9bd04cbf16e8e3

SHA1
531b8a6be937d040c7b781d0e69d05cab1cb5cd0

SHA256
1beed8b1ddfc2470582c8241f93e101bf7dee910c17ee309ba9591d3e6ea7785

SHA512
cdd258522863ea5a8874d508447d4befc3d53e7916b2c6914ea6b0be74d1f79c58b5c33b73cce8faae5816001d6897bd80ff6ddfc410859f17d61359e00cd21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2TU3076.exe

Filesize
1.1MB

MD5
ef21d7267d8682e80a9bd04cbf16e8e3

SHA1
531b8a6be937d040c7b781d0e69d05cab1cb5cd0

SHA256
1beed8b1ddfc2470582c8241f93e101bf7dee910c17ee309ba9591d3e6ea7785

SHA512
cdd258522863ea5a8874d508447d4befc3d53e7916b2c6914ea6b0be74d1f79c58b5c33b73cce8faae5816001d6897bd80ff6ddfc410859f17d61359e00cd21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Cn28Le.exe

Filesize
1.3MB

MD5
ee9658f5bee7bc42d185bfb1f0843249

SHA1
15fba547d10b01ef6e714a63089ffc2e5d167d5a

SHA256
7bf3d20c2c975fd0a14b8bbc9abcb131a6da594ea41658c374f0ee13016112b7

SHA512
df8429622720775c2db16fe9490e20625579497887ff0bbbd0daaceec7b3e1c6c070ea3290ca456ed2b466d83dd63eb114c28f444867459002a77ab07ffafc69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Cn28Le.exe

Filesize
1.3MB

MD5
ee9658f5bee7bc42d185bfb1f0843249

SHA1
15fba547d10b01ef6e714a63089ffc2e5d167d5a

SHA256
7bf3d20c2c975fd0a14b8bbc9abcb131a6da594ea41658c374f0ee13016112b7

SHA512
df8429622720775c2db16fe9490e20625579497887ff0bbbd0daaceec7b3e1c6c070ea3290ca456ed2b466d83dd63eb114c28f444867459002a77ab07ffafc69

Download Submit
memory/852-25-0x00000000074B0000-0x00000000074C0000-memory.dmp

Filesize
64KB

Download
memory/852-24-0x0000000007240000-0x00000000072D2000-memory.dmp

Filesize
584KB

Download
memory/852-26-0x0000000007470000-0x000000000747A000-memory.dmp

Filesize
40KB

Download
memory/852-23-0x0000000007750000-0x0000000007CF4000-memory.dmp

Filesize
5.6MB

Download
memory/852-22-0x0000000074180000-0x0000000074930000-memory.dmp

Filesize
7.7MB

Download
memory/852-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/852-36-0x0000000008320000-0x0000000008938000-memory.dmp

Filesize
6.1MB

Download
memory/852-37-0x0000000007E10000-0x0000000007F1A000-memory.dmp

Filesize
1.0MB

Download
memory/852-39-0x0000000007640000-0x0000000007652000-memory.dmp

Filesize
72KB

Download
memory/852-40-0x00000000076B0000-0x00000000076EC000-memory.dmp

Filesize
240KB

Download
memory/852-41-0x00000000076F0000-0x000000000773C000-memory.dmp

Filesize
304KB

Download
memory/852-42-0x0000000074180000-0x0000000074930000-memory.dmp

Filesize
7.7MB

Download
memory/852-43-0x00000000074B0000-0x00000000074C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads