privateloader

General

Target

51121794f13e6a676fee56a6cb7d289286377962288dbe0a6f366f03173fd546
Size

1.7MB
Sample

231129-sdde8ahc3t
MD5

725e7553e971593c87fa1ca820258a1b
SHA1

d2e5b957a1801a015d2b7d3049003f0bcc931241
SHA256

51121794f13e6a676fee56a6cb7d289286377962288dbe0a6f366f03173fd546
SHA512

52b00a4f998d332b407a8bfebdf5a6e9eff098f3fcdbc981e9a9aa2552851f6e561013c84bf581de239a8b3d6097f67133510c8f03e087596ab0799c3a507573
SSDEEP

49152:ahHeKAu3wSWikXcE+QC+sd4rX+zl+x5KALtnQimIv9g:vWwpiknRWlZwV

Score

10^/10

Malware Config

Extracted

Family

risepro

C2

194.49.94.152

Extracted

Family

redline

Botnet

horda

C2

194.49.94.152:19053

Extracted

Family

smokeloader

Version

2022

C2

http://194.49.94.210/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

@ytlogsbot

C2

194.169.175.235:42691

Extracted

Family

redline

Botnet

LiveTraffic

C2

195.10.205.16:2245

Targets

- Target
  
  51121794f13e6a676fee56a6cb7d289286377962288dbe0a6f366f03173fd546
- Size
  
  1.7MB
- MD5
  
  725e7553e971593c87fa1ca820258a1b
- SHA1
  
  d2e5b957a1801a015d2b7d3049003f0bcc931241
- SHA256
  
  51121794f13e6a676fee56a6cb7d289286377962288dbe0a6f366f03173fd546
- SHA512
  
  52b00a4f998d332b407a8bfebdf5a6e9eff098f3fcdbc981e9a9aa2552851f6e561013c84bf581de239a8b3d6097f67133510c8f03e087596ab0799c3a507573
- SSDEEP
  
  49152:ahHeKAu3wSWikXcE+QC+sd4rX+zl+x5KALtnQimIv9g:vWwpiknRWlZwV
Score

10^/10

privateloader redline risepro smokeloader zgrat @ytlogsbot horda livetraffic backdoor infostealer loader persistence rat stealer trojan
- Detect ZGRat V1
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1