privateloader | f58ca952e61a91f7e3a727069aa54eed5cb81eeedd260de394990d5d9e1ebc0c

Analysis

max time kernel
146s
max time network
153s
platform
windows10-1703_x64
resource
win10-20231025-en
resource tags

arch:x64arch:x86image:win10-20231025-enlocale:en-usos:windows10-1703-x64system
submitted
22/11/2023, 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f58ca952e61a91f7e3a727069aa54eed5cb81eeedd260de394990d5d9e1ebc0c.exe
Size

2.7MB
MD5

0e9cf505555628b007eb877954c73442
SHA1

a4212455a57c3963a155d1cddf98f7e0655a9c25
SHA256

f58ca952e61a91f7e3a727069aa54eed5cb81eeedd260de394990d5d9e1ebc0c
SHA512

47c79ed56d0fdc88160c6f32f5a08e4b70f1e6acffcb3f80227178e7649975acb6e6382f85adc26dc1576e63f859452d8b496f6c93029cb932b97739a9af60a4
SSDEEP

49152:MHviI/Wdy6mrV+zgLsxmj5Mz/ZZ0L48fBeExueK+6Zgi1lhS60iwF3CbgF/v/+qL:+qWWFzgwmj5g/ZZE4GBeEnKDZfGH3CbM

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2920-28-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3OK22hC.exe

Executes dropped EXE 5 IoCs

pid	Process
1088	ij7ck89.exe
2956	mQ6HA40.exe
3620	hF5Pe27.exe
4880	2Ua2943.exe
3756	3OK22hC.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f58ca952e61a91f7e3a727069aa54eed5cb81eeedd260de394990d5d9e1ebc0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ij7ck89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	mQ6HA40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	hF5Pe27.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3OK22hC.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4880 set thread context of 2920	4880	2Ua2943.exe	75

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5036	schtasks.exe
2292	schtasks.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 1088	2776	f58ca952e61a91f7e3a727069aa54eed5cb81eeedd260de394990d5d9e1ebc0c.exe	70
PID 2776 wrote to memory of 1088	2776	f58ca952e61a91f7e3a727069aa54eed5cb81eeedd260de394990d5d9e1ebc0c.exe	70
PID 2776 wrote to memory of 1088	2776	f58ca952e61a91f7e3a727069aa54eed5cb81eeedd260de394990d5d9e1ebc0c.exe	70
PID 1088 wrote to memory of 2956	1088	ij7ck89.exe	71
PID 1088 wrote to memory of 2956	1088	ij7ck89.exe	71
PID 1088 wrote to memory of 2956	1088	ij7ck89.exe	71
PID 2956 wrote to memory of 3620	2956	mQ6HA40.exe	72
PID 2956 wrote to memory of 3620	2956	mQ6HA40.exe	72
PID 2956 wrote to memory of 3620	2956	mQ6HA40.exe	72
PID 3620 wrote to memory of 4880	3620	hF5Pe27.exe	73
PID 3620 wrote to memory of 4880	3620	hF5Pe27.exe	73
PID 3620 wrote to memory of 4880	3620	hF5Pe27.exe	73
PID 4880 wrote to memory of 2920	4880	2Ua2943.exe	75
PID 4880 wrote to memory of 2920	4880	2Ua2943.exe	75
PID 4880 wrote to memory of 2920	4880	2Ua2943.exe	75
PID 4880 wrote to memory of 2920	4880	2Ua2943.exe	75
PID 4880 wrote to memory of 2920	4880	2Ua2943.exe	75
PID 4880 wrote to memory of 2920	4880	2Ua2943.exe	75
PID 4880 wrote to memory of 2920	4880	2Ua2943.exe	75
PID 4880 wrote to memory of 2920	4880	2Ua2943.exe	75
PID 3620 wrote to memory of 3756	3620	hF5Pe27.exe	76
PID 3620 wrote to memory of 3756	3620	hF5Pe27.exe	76
PID 3620 wrote to memory of 3756	3620	hF5Pe27.exe	76
PID 3756 wrote to memory of 2292	3756	3OK22hC.exe	77
PID 3756 wrote to memory of 2292	3756	3OK22hC.exe	77
PID 3756 wrote to memory of 2292	3756	3OK22hC.exe	77
PID 3756 wrote to memory of 5036	3756	3OK22hC.exe	79
PID 3756 wrote to memory of 5036	3756	3OK22hC.exe	79
PID 3756 wrote to memory of 5036	3756	3OK22hC.exe	79

C:\Users\Admin\AppData\Local\Temp\f58ca952e61a91f7e3a727069aa54eed5cb81eeedd260de394990d5d9e1ebc0c.exe
"C:\Users\Admin\AppData\Local\Temp\f58ca952e61a91f7e3a727069aa54eed5cb81eeedd260de394990d5d9e1ebc0c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ij7ck89.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ij7ck89.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mQ6HA40.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mQ6HA40.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hF5Pe27.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hF5Pe27.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3620
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ua2943.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ua2943.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4880
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2920
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK22hC.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK22hC.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3756
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:2292
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
1.3MB

MD5
da048bec8d094e0245bccdd9cfb53c88

SHA1
daea0d0f60966aaafd11b6316814bfd8a4680602

SHA256
8750ca9a7f967ff992ee12ea3b4ee111776ede58904889a662d02aab5d4ebb2a

SHA512
d973cc69ef8011e61b8705bc41ff3db212978e83aa167d7077e8f8b5048cf5dbab0f361ffa999bdb14af21585c6b46acf33dcb6b0cba67c081dc76f585654d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ij7ck89.exe

Filesize
2.2MB

MD5
bc5f14558b0903ac3b349d1266da1234

SHA1
ba0493c02c526957b7bfcb58540a02e243a47c69

SHA256
5a5d932ae5b7291f4c79e2c6ba5e70ab74acd958c2a7d9c54593824e2c666297

SHA512
9f537fadaec7e4e509c2754a6ef195dd7d62d2930b419768bf7db5f2fd5277382466898df28d27f573062f1d945d2aa2cf928481c8731e2c83f7febe90fd3cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ij7ck89.exe

Filesize
2.2MB

MD5
bc5f14558b0903ac3b349d1266da1234

SHA1
ba0493c02c526957b7bfcb58540a02e243a47c69

SHA256
5a5d932ae5b7291f4c79e2c6ba5e70ab74acd958c2a7d9c54593824e2c666297

SHA512
9f537fadaec7e4e509c2754a6ef195dd7d62d2930b419768bf7db5f2fd5277382466898df28d27f573062f1d945d2aa2cf928481c8731e2c83f7febe90fd3cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mQ6HA40.exe

Filesize
1.2MB

MD5
c224b5277d51133daac9e9476c4be2a2

SHA1
a2442b2f2d010271efc0687a23dc2af203064402

SHA256
cebe9188a4d8be8d4e9aa780302300e1210c2b5acc2ffce11127f89ce3ef436d

SHA512
842bc394ea6693ce93a493552e864835ff30f0e2266cd06021a9590987b0f5e1144f9a5e3955541f677c041ffb2825092888d935e33bd160e31b4f64088630c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mQ6HA40.exe

Filesize
1.2MB

MD5
c224b5277d51133daac9e9476c4be2a2

SHA1
a2442b2f2d010271efc0687a23dc2af203064402

SHA256
cebe9188a4d8be8d4e9aa780302300e1210c2b5acc2ffce11127f89ce3ef436d

SHA512
842bc394ea6693ce93a493552e864835ff30f0e2266cd06021a9590987b0f5e1144f9a5e3955541f677c041ffb2825092888d935e33bd160e31b4f64088630c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hF5Pe27.exe

Filesize
1.1MB

MD5
13f7ad9dc899b0c491a25cf91aa62e3d

SHA1
2c5c91b6ba39572e233d93cce57fe6bc30677bdf

SHA256
1d0bab07357a3ccf4fa1148c9a28a5abb33eecb8611e78bf6451a4981b6ec9ba

SHA512
8f58702c63ce99dee88559f6e6123681c64505d573f0988bcb2d80657bd2e6544dc5cf002b4f4204912c4eb3460dbebc3546af6dcce0e42be1fdd8cd7309b862

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hF5Pe27.exe

Filesize
1.1MB

MD5
13f7ad9dc899b0c491a25cf91aa62e3d

SHA1
2c5c91b6ba39572e233d93cce57fe6bc30677bdf

SHA256
1d0bab07357a3ccf4fa1148c9a28a5abb33eecb8611e78bf6451a4981b6ec9ba

SHA512
8f58702c63ce99dee88559f6e6123681c64505d573f0988bcb2d80657bd2e6544dc5cf002b4f4204912c4eb3460dbebc3546af6dcce0e42be1fdd8cd7309b862

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ua2943.exe

Filesize
1.9MB

MD5
6dd10882eb6efed454bbc131ecb05e87

SHA1
1c23841c6f0b2c39dc39b2f0670aa4d674018a21

SHA256
881b897defc1b49084d5c1029d3755b0457fe952a91c3958a60d341860c6c50c

SHA512
e8ae7c30801688c796322fe6ebcfd6270a99a79ed0c7f7fb3851b4d9c1395389c13496fc521b5228be122b4ced1741a2b793d064d79dfda674726873ea8ab7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ua2943.exe

Filesize
1.9MB

MD5
6dd10882eb6efed454bbc131ecb05e87

SHA1
1c23841c6f0b2c39dc39b2f0670aa4d674018a21

SHA256
881b897defc1b49084d5c1029d3755b0457fe952a91c3958a60d341860c6c50c

SHA512
e8ae7c30801688c796322fe6ebcfd6270a99a79ed0c7f7fb3851b4d9c1395389c13496fc521b5228be122b4ced1741a2b793d064d79dfda674726873ea8ab7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK22hC.exe

Filesize
1.3MB

MD5
da048bec8d094e0245bccdd9cfb53c88

SHA1
daea0d0f60966aaafd11b6316814bfd8a4680602

SHA256
8750ca9a7f967ff992ee12ea3b4ee111776ede58904889a662d02aab5d4ebb2a

SHA512
d973cc69ef8011e61b8705bc41ff3db212978e83aa167d7077e8f8b5048cf5dbab0f361ffa999bdb14af21585c6b46acf33dcb6b0cba67c081dc76f585654d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK22hC.exe

Filesize
1.3MB

MD5
da048bec8d094e0245bccdd9cfb53c88

SHA1
daea0d0f60966aaafd11b6316814bfd8a4680602

SHA256
8750ca9a7f967ff992ee12ea3b4ee111776ede58904889a662d02aab5d4ebb2a

SHA512
d973cc69ef8011e61b8705bc41ff3db212978e83aa167d7077e8f8b5048cf5dbab0f361ffa999bdb14af21585c6b46acf33dcb6b0cba67c081dc76f585654d2d

Download Submit
memory/2920-28-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2920-41-0x0000000073020000-0x000000007370E000-memory.dmp

Filesize
6.9MB

Download
memory/2920-42-0x000000000B6C0000-0x000000000BBBE000-memory.dmp

Filesize
5.0MB

Download
memory/2920-43-0x000000000B260000-0x000000000B2F2000-memory.dmp

Filesize
584KB

Download
memory/2920-45-0x000000000B3E0000-0x000000000B3EA000-memory.dmp

Filesize
40KB

Download
memory/2920-46-0x000000000C1D0000-0x000000000C7D6000-memory.dmp

Filesize
6.0MB

Download
memory/2920-47-0x000000000BBC0000-0x000000000BCCA000-memory.dmp

Filesize
1.0MB

Download
memory/2920-48-0x000000000B4E0000-0x000000000B4F2000-memory.dmp

Filesize
72KB

Download
memory/2920-49-0x000000000B500000-0x000000000B53E000-memory.dmp

Filesize
248KB

Download
memory/2920-50-0x000000000B540000-0x000000000B58B000-memory.dmp

Filesize
300KB

Download
memory/2920-61-0x0000000073020000-0x000000007370E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads