privateloader | 998d11b1a98132f03929e757580de41b3543bec99d09d5e1239dbbc237a0a2da

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
22/11/2023, 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

998d11b1a98132f03929e757580de41b3543bec99d09d5e1239dbbc237a0a2da.exe
Size

1.4MB
MD5

ba9bf7af0c009f395801205af7596df9
SHA1

444bf2e08210cc84b015841797b34d85a732e618
SHA256

998d11b1a98132f03929e757580de41b3543bec99d09d5e1239dbbc237a0a2da
SHA512

6901fcfd2a8a6a54de41ea43202a08e68e03ed4901b3af8b367b18a07711dd20e47191be153d4cec26cb30bca3508304c5e65b31e69f4b6ac3fc6e1ea103145a
SSDEEP

24576:pyy5EflOGXXRlhvuVgGfkIie5pMVemEqfr3+ZzKM6mpLcD2Lx6MZwkuWbGe:cy5UOGHEqGfkIie5pnmjfaZOM6g6M

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2648-21-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3pN62CG.exe

Executes dropped EXE 4 IoCs

pid	Process
4560	rN7CJ41.exe
1940	sp9iT22.exe
4908	2cg3717.exe
3680	3pN62CG.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3pN62CG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	998d11b1a98132f03929e757580de41b3543bec99d09d5e1239dbbc237a0a2da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	rN7CJ41.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	sp9iT22.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4908 set thread context of 2648	4908	2cg3717.exe	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2816	schtasks.exe
3592	schtasks.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 4560	1396	998d11b1a98132f03929e757580de41b3543bec99d09d5e1239dbbc237a0a2da.exe	87
PID 1396 wrote to memory of 4560	1396	998d11b1a98132f03929e757580de41b3543bec99d09d5e1239dbbc237a0a2da.exe	87
PID 1396 wrote to memory of 4560	1396	998d11b1a98132f03929e757580de41b3543bec99d09d5e1239dbbc237a0a2da.exe	87
PID 4560 wrote to memory of 1940	4560	rN7CJ41.exe	89
PID 4560 wrote to memory of 1940	4560	rN7CJ41.exe	89
PID 4560 wrote to memory of 1940	4560	rN7CJ41.exe	89
PID 1940 wrote to memory of 4908	1940	sp9iT22.exe	90
PID 1940 wrote to memory of 4908	1940	sp9iT22.exe	90
PID 1940 wrote to memory of 4908	1940	sp9iT22.exe	90
PID 4908 wrote to memory of 2544	4908	2cg3717.exe	102
PID 4908 wrote to memory of 2544	4908	2cg3717.exe	102
PID 4908 wrote to memory of 2544	4908	2cg3717.exe	102
PID 4908 wrote to memory of 1640	4908	2cg3717.exe	103
PID 4908 wrote to memory of 1640	4908	2cg3717.exe	103
PID 4908 wrote to memory of 1640	4908	2cg3717.exe	103
PID 4908 wrote to memory of 2540	4908	2cg3717.exe	104
PID 4908 wrote to memory of 2540	4908	2cg3717.exe	104
PID 4908 wrote to memory of 2540	4908	2cg3717.exe	104
PID 4908 wrote to memory of 2648	4908	2cg3717.exe	105
PID 4908 wrote to memory of 2648	4908	2cg3717.exe	105
PID 4908 wrote to memory of 2648	4908	2cg3717.exe	105
PID 4908 wrote to memory of 2648	4908	2cg3717.exe	105
PID 4908 wrote to memory of 2648	4908	2cg3717.exe	105
PID 4908 wrote to memory of 2648	4908	2cg3717.exe	105
PID 4908 wrote to memory of 2648	4908	2cg3717.exe	105
PID 4908 wrote to memory of 2648	4908	2cg3717.exe	105
PID 1940 wrote to memory of 3680	1940	sp9iT22.exe	106
PID 1940 wrote to memory of 3680	1940	sp9iT22.exe	106
PID 1940 wrote to memory of 3680	1940	sp9iT22.exe	106
PID 3680 wrote to memory of 2816	3680	3pN62CG.exe	107
PID 3680 wrote to memory of 2816	3680	3pN62CG.exe	107
PID 3680 wrote to memory of 2816	3680	3pN62CG.exe	107
PID 3680 wrote to memory of 3592	3680	3pN62CG.exe	109
PID 3680 wrote to memory of 3592	3680	3pN62CG.exe	109
PID 3680 wrote to memory of 3592	3680	3pN62CG.exe	109

C:\Users\Admin\AppData\Local\Temp\998d11b1a98132f03929e757580de41b3543bec99d09d5e1239dbbc237a0a2da.exe
"C:\Users\Admin\AppData\Local\Temp\998d11b1a98132f03929e757580de41b3543bec99d09d5e1239dbbc237a0a2da.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rN7CJ41.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rN7CJ41.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sp9iT22.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sp9iT22.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2cg3717.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2cg3717.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4908
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:2544
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1640
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:2540
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3pN62CG.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3pN62CG.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3680
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:2816
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
1.3MB

MD5
1125ca41ef9c6892fe57190c44101803

SHA1
dbddac0538bd7161eb676db13c10f14869a5ffab

SHA256
e90fc9fb91758c648abb327e9924f514bbb52b7c31344ef18d38e826a54576e3

SHA512
63ee46760b68d6d0e559d86dfcef8017dc61b8805d768199ef2d7bd4b32274638e44857419838b8eb3505a1f5c49a63258f2756bcef84c67c28fb3c2639a20b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rN7CJ41.exe

Filesize
1.2MB

MD5
48428fcd9e8087b7d791384dd3c69915

SHA1
774c503bc09711275172e098147f9952fc905fb3

SHA256
d3d5027ba3d90610d7e25d17e1339c6a1736aaa0f21624319af436ce568b7ef2

SHA512
7bcbc7d7cf58e85c65a564ce83965dcc7c64b6106c23e2a028a86d6245d469dceede7a05b275576c3862b518fdee56eb56e45f0f502a4d35969eeec5d1e418c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rN7CJ41.exe

Filesize
1.2MB

MD5
48428fcd9e8087b7d791384dd3c69915

SHA1
774c503bc09711275172e098147f9952fc905fb3

SHA256
d3d5027ba3d90610d7e25d17e1339c6a1736aaa0f21624319af436ce568b7ef2

SHA512
7bcbc7d7cf58e85c65a564ce83965dcc7c64b6106c23e2a028a86d6245d469dceede7a05b275576c3862b518fdee56eb56e45f0f502a4d35969eeec5d1e418c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sp9iT22.exe

Filesize
1.1MB

MD5
c30e7f5d11794f38a5768f08a4f4532e

SHA1
64a7dc253cacb6857ae9a87378d8172efbe37bf0

SHA256
ae78af63b3ad94120639c97c28f724d0a76737b0033357190422c6a58d7acd7c

SHA512
3f56cc32e14026f5f823fed83c3fbd9ecc1cf88a74c18da84a53c0e08ef2850e7211643e3bf58d4ffd2adaa46273f75c97063c73cd0462e11fb2576cb70e2162

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sp9iT22.exe

Filesize
1.1MB

MD5
c30e7f5d11794f38a5768f08a4f4532e

SHA1
64a7dc253cacb6857ae9a87378d8172efbe37bf0

SHA256
ae78af63b3ad94120639c97c28f724d0a76737b0033357190422c6a58d7acd7c

SHA512
3f56cc32e14026f5f823fed83c3fbd9ecc1cf88a74c18da84a53c0e08ef2850e7211643e3bf58d4ffd2adaa46273f75c97063c73cd0462e11fb2576cb70e2162

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2cg3717.exe

Filesize
1.9MB

MD5
8f06bc38d1bba7f0b4b88ebf512fe6cd

SHA1
f70699d0075e136ae3d611ec230a5bc4d876d3dd

SHA256
86457fcbcad999b2e3fc07e1d4b4f6ae2978acc1b47a062f76b86dc353ea02bc

SHA512
0a56b571774bd649a1aa64e01f8b73fb8d4d64f09d05375cc4e25a3150da784fe2f9f31daec62d62f5e85d909e0f67b707b3cd2de632616462dcec9f8d174c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2cg3717.exe

Filesize
1.9MB

MD5
8f06bc38d1bba7f0b4b88ebf512fe6cd

SHA1
f70699d0075e136ae3d611ec230a5bc4d876d3dd

SHA256
86457fcbcad999b2e3fc07e1d4b4f6ae2978acc1b47a062f76b86dc353ea02bc

SHA512
0a56b571774bd649a1aa64e01f8b73fb8d4d64f09d05375cc4e25a3150da784fe2f9f31daec62d62f5e85d909e0f67b707b3cd2de632616462dcec9f8d174c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3pN62CG.exe

Filesize
1.3MB

MD5
1125ca41ef9c6892fe57190c44101803

SHA1
dbddac0538bd7161eb676db13c10f14869a5ffab

SHA256
e90fc9fb91758c648abb327e9924f514bbb52b7c31344ef18d38e826a54576e3

SHA512
63ee46760b68d6d0e559d86dfcef8017dc61b8805d768199ef2d7bd4b32274638e44857419838b8eb3505a1f5c49a63258f2756bcef84c67c28fb3c2639a20b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3pN62CG.exe

Filesize
1.3MB

MD5
1125ca41ef9c6892fe57190c44101803

SHA1
dbddac0538bd7161eb676db13c10f14869a5ffab

SHA256
e90fc9fb91758c648abb327e9924f514bbb52b7c31344ef18d38e826a54576e3

SHA512
63ee46760b68d6d0e559d86dfcef8017dc61b8805d768199ef2d7bd4b32274638e44857419838b8eb3505a1f5c49a63258f2756bcef84c67c28fb3c2639a20b2

Download Submit
memory/2648-27-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/2648-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2648-28-0x0000000008190000-0x0000000008734000-memory.dmp

Filesize
5.6MB

Download
memory/2648-31-0x0000000007CC0000-0x0000000007D52000-memory.dmp

Filesize
584KB

Download
memory/2648-34-0x0000000007C80000-0x0000000007C90000-memory.dmp

Filesize
64KB

Download
memory/2648-35-0x0000000007E80000-0x0000000007E8A000-memory.dmp

Filesize
40KB

Download
memory/2648-37-0x0000000008D60000-0x0000000009378000-memory.dmp

Filesize
6.1MB

Download
memory/2648-38-0x0000000008040000-0x000000000814A000-memory.dmp

Filesize
1.0MB

Download
memory/2648-39-0x0000000007F60000-0x0000000007F72000-memory.dmp

Filesize
72KB

Download
memory/2648-40-0x0000000007FC0000-0x0000000007FFC000-memory.dmp

Filesize
240KB

Download
memory/2648-41-0x0000000008740000-0x000000000878C000-memory.dmp

Filesize
304KB

Download
memory/2648-42-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/2648-43-0x0000000007C80000-0x0000000007C90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads