privateloader | 5658f2d0a6782fa0c9ec353a37d0252e308e373d28c8570f9765fc79d3a6bb2f | Triage

Submit
Reports

Overview

overview

Static

static

3

37303cf95e...94.exe

windows10-2004-x64

Sharing

General

Target

37303cf95e57208d991e49c540cba294.exe
Size

1.7MB
Sample

231129-r5ab7shb31
MD5

37303cf95e57208d991e49c540cba294
SHA1

f0d6b9aef910fdc67a61f66de44bb6c25b4a6d56
SHA256

5658f2d0a6782fa0c9ec353a37d0252e308e373d28c8570f9765fc79d3a6bb2f
SHA512

15066c14efb4e511cf1d9ecb6bd5c415e32ae64241a56a4eb2ad5041d1adb090314ca564300ac94c4383978ebe3a67ad87039c72d9846edbf7e7951acd4fff2f
SSDEEP

49152:jW4FsXXrnUG2+Fr5EdYoRhLtjk7DXgegdmolVzWWHl:i4F+g3+7oJ47DQR1

Score

10^/10

privateloader redline risepro smokeloader zgrat @ytlogsbot horda livetraffic backdoor evasion infostealer loader persistence rat stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

37303cf95e57208d991e49c540cba294.exe

Resource

win10v2004-20231127-en

privateloader redline risepro smokeloader zgrat @ytlogsbot horda livetraffic backdoor evasion infostealer loader persistence rat stealer trojan

windows10-2004-x64

28 signatures

150 seconds

Malware Config

Extracted

Family

risepro

C2

194.49.94.152

Extracted

Family

redline

Botnet

horda

C2

194.49.94.152:19053

Extracted

Family

smokeloader

Version

2022

C2

http://194.49.94.210/fks/index.php

rc4.i32

rc4.i32

Extracted

Family

redline

Botnet

@ytlogsbot

C2

194.169.175.235:42691

Extracted

Family

redline

Botnet

LiveTraffic

C2

195.10.205.16:2245

Targets

- Target
  
  37303cf95e57208d991e49c540cba294.exe
- Size
  
  1.7MB
- MD5
  
  37303cf95e57208d991e49c540cba294
- SHA1
  
  f0d6b9aef910fdc67a61f66de44bb6c25b4a6d56
- SHA256
  
  5658f2d0a6782fa0c9ec353a37d0252e308e373d28c8570f9765fc79d3a6bb2f
- SHA512
  
  15066c14efb4e511cf1d9ecb6bd5c415e32ae64241a56a4eb2ad5041d1adb090314ca564300ac94c4383978ebe3a67ad87039c72d9846edbf7e7951acd4fff2f
- SSDEEP
  
  49152:jW4FsXXrnUG2+Fr5EdYoRhLtjk7DXgegdmolVzWWHl:i4F+g3+7oJ47DQR1
Score

10^/10

privateloader redline risepro smokeloader zgrat @ytlogsbot horda livetraffic backdoor evasion infostealer loader persistence rat stealer trojan
- Detect ZGRat V1
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

Resource Development

Reconnaissance

Tasks

static1

behavioral1

privateloaderredlineriseprosmokeloaderzgrat@ytlogsbothordalivetrafficbackdoorevasioninfostealerloaderpersistenceratstealertrojan

© 2018-2024

Terms | Privacy