privateloader | 9c670dbe614fbf0dbc4572636b7fc66e481a1d3424db413886e81fab2097f69a

Analysis

max time kernel
146s
max time network
154s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
22-11-2023 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c670dbe614fbf0dbc4572636b7fc66e481a1d3424db413886e81fab2097f69a.exe
Size

1.4MB
MD5

2c47b3360d7958204132df411ceb1a13
SHA1

af41aa4fc7b87f5fc85f4dcbc7e4f259adcfd00b
SHA256

9c670dbe614fbf0dbc4572636b7fc66e481a1d3424db413886e81fab2097f69a
SHA512

450eeb2c7d43f87640c056c55f8d55c6d7f33f24ff9dacc73749eec485528397e92999caa2f6879be147b5498c4d166a0516e230fbefb970b5c6c742c25bb187
SSDEEP

24576:syTxeznFwlIAWB39fFcmB7lzXO1rYbVYCOSz8X1r67A2MhjidPaJ:b1eraIAM9NcURzXO1ruDhG1GszUdC

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/5032-21-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3bx80Eb.exe

Executes dropped EXE 4 IoCs

pid	Process
2240	hh5MB22.exe
4112	hy6Eh16.exe
4576	2Fk1975.exe
660	3bx80Eb.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9c670dbe614fbf0dbc4572636b7fc66e481a1d3424db413886e81fab2097f69a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	hh5MB22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	hy6Eh16.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3bx80Eb.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4576 set thread context of 5032	4576	2Fk1975.exe	75

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1084	schtasks.exe
2228	schtasks.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3872 wrote to memory of 2240	3872	9c670dbe614fbf0dbc4572636b7fc66e481a1d3424db413886e81fab2097f69a.exe	71
PID 3872 wrote to memory of 2240	3872	9c670dbe614fbf0dbc4572636b7fc66e481a1d3424db413886e81fab2097f69a.exe	71
PID 3872 wrote to memory of 2240	3872	9c670dbe614fbf0dbc4572636b7fc66e481a1d3424db413886e81fab2097f69a.exe	71
PID 2240 wrote to memory of 4112	2240	hh5MB22.exe	72
PID 2240 wrote to memory of 4112	2240	hh5MB22.exe	72
PID 2240 wrote to memory of 4112	2240	hh5MB22.exe	72
PID 4112 wrote to memory of 4576	4112	hy6Eh16.exe	73
PID 4112 wrote to memory of 4576	4112	hy6Eh16.exe	73
PID 4112 wrote to memory of 4576	4112	hy6Eh16.exe	73
PID 4576 wrote to memory of 5032	4576	2Fk1975.exe	75
PID 4576 wrote to memory of 5032	4576	2Fk1975.exe	75
PID 4576 wrote to memory of 5032	4576	2Fk1975.exe	75
PID 4576 wrote to memory of 5032	4576	2Fk1975.exe	75
PID 4576 wrote to memory of 5032	4576	2Fk1975.exe	75
PID 4576 wrote to memory of 5032	4576	2Fk1975.exe	75
PID 4576 wrote to memory of 5032	4576	2Fk1975.exe	75
PID 4576 wrote to memory of 5032	4576	2Fk1975.exe	75
PID 4112 wrote to memory of 660	4112	hy6Eh16.exe	76
PID 4112 wrote to memory of 660	4112	hy6Eh16.exe	76
PID 4112 wrote to memory of 660	4112	hy6Eh16.exe	76
PID 660 wrote to memory of 1084	660	3bx80Eb.exe	77
PID 660 wrote to memory of 1084	660	3bx80Eb.exe	77
PID 660 wrote to memory of 1084	660	3bx80Eb.exe	77
PID 660 wrote to memory of 2228	660	3bx80Eb.exe	79
PID 660 wrote to memory of 2228	660	3bx80Eb.exe	79
PID 660 wrote to memory of 2228	660	3bx80Eb.exe	79

C:\Users\Admin\AppData\Local\Temp\9c670dbe614fbf0dbc4572636b7fc66e481a1d3424db413886e81fab2097f69a.exe
"C:\Users\Admin\AppData\Local\Temp\9c670dbe614fbf0dbc4572636b7fc66e481a1d3424db413886e81fab2097f69a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3872
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hh5MB22.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hh5MB22.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hy6Eh16.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hy6Eh16.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Fk1975.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Fk1975.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4576
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:5032
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3bx80Eb.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3bx80Eb.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:660
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:1084
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
1.3MB

MD5
66afa84943c39a414af598cedeaa2fe6

SHA1
a59403c6dd47efe9e6fce0acb17a2a4765720f3c

SHA256
b0f017c679a393518e605091ed049396a804fd35007b0b2384211dfd3b3e66e5

SHA512
452dafd2571d506dad0996985e0c24a6bb4bf4efe96978c80007fb852999de2081789f8184e728f8eaf6f0e358789fee16eeeb4acb5a90c84accb0b32cef389e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hh5MB22.exe

Filesize
1.2MB

MD5
756204012e70333c786b7f6d86d297eb

SHA1
70f598469492578240029ea13183129e8c544ced

SHA256
2dc3a3be6f4a4408a40508c3a311cae035c272f501195d3c9d4dde92b623663d

SHA512
7953180f4422dced4339e47d0322f2a7753098fe10b5d138baab8eea438ee27f81eccec0a7aff6c6b91b0fc6673baac8845b8c4f7399c38a425faa58cd0dac5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hh5MB22.exe

Filesize
1.2MB

MD5
756204012e70333c786b7f6d86d297eb

SHA1
70f598469492578240029ea13183129e8c544ced

SHA256
2dc3a3be6f4a4408a40508c3a311cae035c272f501195d3c9d4dde92b623663d

SHA512
7953180f4422dced4339e47d0322f2a7753098fe10b5d138baab8eea438ee27f81eccec0a7aff6c6b91b0fc6673baac8845b8c4f7399c38a425faa58cd0dac5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hy6Eh16.exe

Filesize
1.1MB

MD5
8d9f54d0ab2824d2e28cbd780e5ef219

SHA1
6eae6d5ff95f7047c261f5daa293235505a30b30

SHA256
5bd1873d2d0ef5988185f9168cbb8a3c57a7a5ccfd2c91a22a97fb4764099e73

SHA512
2c1c4c41ac9bb692e6ea10431387b99ce6735ab4c9f700372230b66d677f93647e36d6032e521b1b51287672a989b64e952154f1e23391c00e09e63914515c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hy6Eh16.exe

Filesize
1.1MB

MD5
8d9f54d0ab2824d2e28cbd780e5ef219

SHA1
6eae6d5ff95f7047c261f5daa293235505a30b30

SHA256
5bd1873d2d0ef5988185f9168cbb8a3c57a7a5ccfd2c91a22a97fb4764099e73

SHA512
2c1c4c41ac9bb692e6ea10431387b99ce6735ab4c9f700372230b66d677f93647e36d6032e521b1b51287672a989b64e952154f1e23391c00e09e63914515c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Fk1975.exe

Filesize
1.9MB

MD5
3aea83cf875425205423271620f5e83f

SHA1
e46b7a8aa171e93fa71f9ffa355c27576f02ee76

SHA256
b8a3e9eb3ad4eb8ba17e6014f919ec6568951be76575d6f1448cfa9f6f977cd6

SHA512
e35713657e5773ff1e8e851c027e2528476c5eaf601c6e38df475e7b7265ef87824764e17168a88b95cbc65dac830c84c12f640f7769fa19207c3cb106108536

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Fk1975.exe

Filesize
1.9MB

MD5
3aea83cf875425205423271620f5e83f

SHA1
e46b7a8aa171e93fa71f9ffa355c27576f02ee76

SHA256
b8a3e9eb3ad4eb8ba17e6014f919ec6568951be76575d6f1448cfa9f6f977cd6

SHA512
e35713657e5773ff1e8e851c027e2528476c5eaf601c6e38df475e7b7265ef87824764e17168a88b95cbc65dac830c84c12f640f7769fa19207c3cb106108536

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3bx80Eb.exe

Filesize
1.3MB

MD5
66afa84943c39a414af598cedeaa2fe6

SHA1
a59403c6dd47efe9e6fce0acb17a2a4765720f3c

SHA256
b0f017c679a393518e605091ed049396a804fd35007b0b2384211dfd3b3e66e5

SHA512
452dafd2571d506dad0996985e0c24a6bb4bf4efe96978c80007fb852999de2081789f8184e728f8eaf6f0e358789fee16eeeb4acb5a90c84accb0b32cef389e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3bx80Eb.exe

Filesize
1.3MB

MD5
66afa84943c39a414af598cedeaa2fe6

SHA1
a59403c6dd47efe9e6fce0acb17a2a4765720f3c

SHA256
b0f017c679a393518e605091ed049396a804fd35007b0b2384211dfd3b3e66e5

SHA512
452dafd2571d506dad0996985e0c24a6bb4bf4efe96978c80007fb852999de2081789f8184e728f8eaf6f0e358789fee16eeeb4acb5a90c84accb0b32cef389e

Download Submit
memory/5032-34-0x00000000735D0000-0x0000000073CBE000-memory.dmp

Filesize
6.9MB

Download
memory/5032-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5032-35-0x000000000BC70000-0x000000000C16E000-memory.dmp

Filesize
5.0MB

Download
memory/5032-36-0x000000000B850000-0x000000000B8E2000-memory.dmp

Filesize
584KB

Download
memory/5032-38-0x000000000B9D0000-0x000000000B9DA000-memory.dmp

Filesize
40KB

Download
memory/5032-39-0x000000000C780000-0x000000000CD86000-memory.dmp

Filesize
6.0MB

Download
memory/5032-40-0x000000000C280000-0x000000000C38A000-memory.dmp

Filesize
1.0MB

Download
memory/5032-41-0x000000000BC00000-0x000000000BC12000-memory.dmp

Filesize
72KB

Download
memory/5032-42-0x000000000C170000-0x000000000C1AE000-memory.dmp

Filesize
248KB

Download
memory/5032-43-0x000000000C1B0000-0x000000000C1FB000-memory.dmp

Filesize
300KB

Download
memory/5032-54-0x00000000735D0000-0x0000000073CBE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads