privateloader | ed9c56af756bffebc97edfe6ae977c42e77f5bdaeededc4a9b46186578ecdc34

General

Target

0f66c11b84b409c0b2ea602dc96585f2.exe
Size

953KB
MD5

0f66c11b84b409c0b2ea602dc96585f2
SHA1

d96d7df17a0738060d4ddb10d50d60de5db79e02
SHA256

ed9c56af756bffebc97edfe6ae977c42e77f5bdaeededc4a9b46186578ecdc34
SHA512

aea094b27902a98c26ddef881356ae5498e83036eb05fa169b04efdb3d762f16b220523ca71994ecd5fbfd1d020f96b934f9027ae227e8c725ebc1f50d3b93b3
SSDEEP

24576:AyGNQR5BuiZHHXPWFVS252rjBGS8Y5v69Nw2:HUm0iNXPCV6ISy9Nw

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

C2

194.49.94.152:19053

Extracted

Family

risepro

C2

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2916-14-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3Bk45tO.exe

Executes dropped EXE 3 IoCs

pid	Process
4628	CF9Ju67.exe
568	2TE3712.exe
4616	3Bk45tO.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0f66c11b84b409c0b2ea602dc96585f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	CF9Ju67.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3Bk45tO.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 568 set thread context of 2916	568	2TE3712.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3280	schtasks.exe
1804	schtasks.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 4628	4772	0f66c11b84b409c0b2ea602dc96585f2.exe	86
PID 4772 wrote to memory of 4628	4772	0f66c11b84b409c0b2ea602dc96585f2.exe	86
PID 4772 wrote to memory of 4628	4772	0f66c11b84b409c0b2ea602dc96585f2.exe	86
PID 4628 wrote to memory of 568	4628	CF9Ju67.exe	87
PID 4628 wrote to memory of 568	4628	CF9Ju67.exe	87
PID 4628 wrote to memory of 568	4628	CF9Ju67.exe	87
PID 568 wrote to memory of 2916	568	2TE3712.exe	96
PID 568 wrote to memory of 2916	568	2TE3712.exe	96
PID 568 wrote to memory of 2916	568	2TE3712.exe	96
PID 568 wrote to memory of 2916	568	2TE3712.exe	96
PID 568 wrote to memory of 2916	568	2TE3712.exe	96
PID 568 wrote to memory of 2916	568	2TE3712.exe	96
PID 568 wrote to memory of 2916	568	2TE3712.exe	96
PID 568 wrote to memory of 2916	568	2TE3712.exe	96
PID 4628 wrote to memory of 4616	4628	CF9Ju67.exe	97
PID 4628 wrote to memory of 4616	4628	CF9Ju67.exe	97
PID 4628 wrote to memory of 4616	4628	CF9Ju67.exe	97
PID 4616 wrote to memory of 3280	4616	3Bk45tO.exe	98
PID 4616 wrote to memory of 3280	4616	3Bk45tO.exe	98
PID 4616 wrote to memory of 3280	4616	3Bk45tO.exe	98
PID 4616 wrote to memory of 1804	4616	3Bk45tO.exe	100
PID 4616 wrote to memory of 1804	4616	3Bk45tO.exe	100
PID 4616 wrote to memory of 1804	4616	3Bk45tO.exe	100

C:\Users\Admin\AppData\Local\Temp\0f66c11b84b409c0b2ea602dc96585f2.exe
"C:\Users\Admin\AppData\Local\Temp\0f66c11b84b409c0b2ea602dc96585f2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CF9Ju67.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CF9Ju67.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2TE3712.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2TE3712.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2916
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Bk45tO.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Bk45tO.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4616
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:3280
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
1.3MB

MD5
e6aa4349047c7abeeef5fe6a9dd0d88d

SHA1
bd05bb3d1947cc3b909b1b48a713ad8333b4764d

SHA256
11018526efaa20a73783d7648c7946a968e77a6e6decf842e30322fc3ab11623

SHA512
7a437a2f36e6b6619b4c960e65f8527b1215eb9842be6751b9551613f25b5c38741e6398ab81e6a1f1f4086b9ba29f24b7703138c9af1ce0a59a181ef6ae3fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CF9Ju67.exe

Filesize
829KB

MD5
c3c6f6f1958bca73f218b16d964c8492

SHA1
467b09456b27a18b7ad7b3238c78ad025e6ef07c

SHA256
8231a2abab9865f5c8e732a64d9d759ec9e9b9cc2f71a32880d56960336bd73c

SHA512
f620eacd63e0763b9fba3b6bd80964827c25e6ee5f514f97c462ecff808436abe8565e85d55dd27ff53840416b64049de5884e30fc5c844e3890d5d649c5943f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CF9Ju67.exe

Filesize
829KB

MD5
c3c6f6f1958bca73f218b16d964c8492

SHA1
467b09456b27a18b7ad7b3238c78ad025e6ef07c

SHA256
8231a2abab9865f5c8e732a64d9d759ec9e9b9cc2f71a32880d56960336bd73c

SHA512
f620eacd63e0763b9fba3b6bd80964827c25e6ee5f514f97c462ecff808436abe8565e85d55dd27ff53840416b64049de5884e30fc5c844e3890d5d649c5943f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2TE3712.exe

Filesize
493KB

MD5
3159713da68953cb5b407a88c00e538f

SHA1
39d45fcfca8f078725f19abc0a0b899aaa09022d

SHA256
bee797adf7a00f704b52816332020ce0a7505075fdce2143d3cbfd46841fbaf3

SHA512
6af75337bc8beef739f03ee5df74b2318140a9fe3282cc5f453a5ded2e46b1f8e12f5fae294c55c8750df10f74e25385ddfb218e87042a687c0c6324a7507e57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2TE3712.exe

Filesize
493KB

MD5
3159713da68953cb5b407a88c00e538f

SHA1
39d45fcfca8f078725f19abc0a0b899aaa09022d

SHA256
bee797adf7a00f704b52816332020ce0a7505075fdce2143d3cbfd46841fbaf3

SHA512
6af75337bc8beef739f03ee5df74b2318140a9fe3282cc5f453a5ded2e46b1f8e12f5fae294c55c8750df10f74e25385ddfb218e87042a687c0c6324a7507e57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Bk45tO.exe

Filesize
1.3MB

MD5
e6aa4349047c7abeeef5fe6a9dd0d88d

SHA1
bd05bb3d1947cc3b909b1b48a713ad8333b4764d

SHA256
11018526efaa20a73783d7648c7946a968e77a6e6decf842e30322fc3ab11623

SHA512
7a437a2f36e6b6619b4c960e65f8527b1215eb9842be6751b9551613f25b5c38741e6398ab81e6a1f1f4086b9ba29f24b7703138c9af1ce0a59a181ef6ae3fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Bk45tO.exe

Filesize
1.3MB

MD5
e6aa4349047c7abeeef5fe6a9dd0d88d

SHA1
bd05bb3d1947cc3b909b1b48a713ad8333b4764d

SHA256
11018526efaa20a73783d7648c7946a968e77a6e6decf842e30322fc3ab11623

SHA512
7a437a2f36e6b6619b4c960e65f8527b1215eb9842be6751b9551613f25b5c38741e6398ab81e6a1f1f4086b9ba29f24b7703138c9af1ce0a59a181ef6ae3fef

Download Submit
memory/2916-25-0x0000000006DC0000-0x0000000006E52000-memory.dmp

Filesize
584KB

Download
memory/2916-20-0x00000000740D0000-0x0000000074880000-memory.dmp

Filesize
7.7MB

Download
memory/2916-21-0x0000000007290000-0x0000000007834000-memory.dmp

Filesize
5.6MB

Download
memory/2916-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2916-27-0x0000000006F80000-0x0000000006F90000-memory.dmp

Filesize
64KB

Download
memory/2916-28-0x0000000006ED0000-0x0000000006EDA000-memory.dmp

Filesize
40KB

Download
memory/2916-30-0x0000000007E60000-0x0000000008478000-memory.dmp

Filesize
6.1MB

Download
memory/2916-31-0x0000000007840000-0x000000000794A000-memory.dmp

Filesize
1.0MB

Download
memory/2916-32-0x00000000070A0000-0x00000000070B2000-memory.dmp

Filesize
72KB

Download
memory/2916-33-0x0000000007100000-0x000000000713C000-memory.dmp

Filesize
240KB

Download
memory/2916-34-0x0000000007140000-0x000000000718C000-memory.dmp

Filesize
304KB

Download
memory/2916-35-0x00000000740D0000-0x0000000074880000-memory.dmp

Filesize
7.7MB

Download
memory/2916-36-0x0000000006F80000-0x0000000006F90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads