privateloader

General

Target

42971155e95ad8ace7b6fc53d70fb952.exe
Size

2.3MB
Sample

231129-rrt5fsha2z
MD5

42971155e95ad8ace7b6fc53d70fb952
SHA1

ce4b54b604f7bbae2524bf53fef92c2f60f82656
SHA256

e11d599fd72ad8e339c517202d97986b1c07af6444e1b4a0c7d89b7bbda937a1
SHA512

8924d5a1fbbb364eaa39817250257ae71ad827d9995d49085e35140ab2346b8098db0e77163cc50a4946128351b32dd202881f55cb552985bc1c56f5082644cd
SSDEEP

49152:icjGiCymFeMBTyRF2dEKsLkGrRsIKoeu8iKEZU+ToWdHK+jUdIGKuYzKZ:fjGi4EYVdyzuowSZjTo+HrLt

Malware Config

Extracted

Family

risepro

C2

194.49.94.152

Extracted

Family

redline

Botnet

horda

C2

194.49.94.152:19053

Extracted

Family

smokeloader

Version

2022

C2

http://194.49.94.210/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

@ytlogsbot

C2

194.169.175.235:42691

Extracted

Family

redline

Botnet

LiveTraffic

C2

195.10.205.16:2245

Extracted

Family

smokeloader

Botnet

up3

Targets

- Target
  
  42971155e95ad8ace7b6fc53d70fb952.exe
- Size
  
  2.3MB
- MD5
  
  42971155e95ad8ace7b6fc53d70fb952
- SHA1
  
  ce4b54b604f7bbae2524bf53fef92c2f60f82656
- SHA256
  
  e11d599fd72ad8e339c517202d97986b1c07af6444e1b4a0c7d89b7bbda937a1
- SHA512
  
  8924d5a1fbbb364eaa39817250257ae71ad827d9995d49085e35140ab2346b8098db0e77163cc50a4946128351b32dd202881f55cb552985bc1c56f5082644cd
- SSDEEP
  
  49152:icjGiCymFeMBTyRF2dEKsLkGrRsIKoeu8iKEZU+ToWdHK+jUdIGKuYzKZ:fjGi4EYVdyzuowSZjTo+HrLt
Score

10^/10

privateloader redline risepro smokeloader zgrat @ytlogsbot horda livetraffic up3 backdoor paypal discovery evasion infostealer loader persistence phishing rat spyware stealer trojan
- Detect ZGRat V1
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Detected potential entity reuse from brand paypal.
  phishing paypal
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1