privateloader | b5bd95eac65062b2a83cd1ce7ebabcddd34a131e01dc48f27ee75e8256d7a86b

General

Target

b5bd95eac65062b2a83cd1ce7ebabcddd34a131e01dc48f27ee75e8256d7a86bexe.exe
Size

1.1MB
MD5

12506feb2e48b0014b8cc83d2e4c6c5d
SHA1

344d18855274a530aeb83a8f738c44b48cb49287
SHA256

b5bd95eac65062b2a83cd1ce7ebabcddd34a131e01dc48f27ee75e8256d7a86b
SHA512

aeb26cc20df17e5a616edb207d7f7ac440365c92114bf8552c4c853b089e87f53899cb7e18efb440a10ed8d9dc272cbeea4bf0c25cfbdbd1ff2c4ae43b2392ac
SSDEEP

24576:kyUSjJi2DSBNRzfYTJaNqbsvJLXyhXGZnLwO:zhJhENaVuqwvJehWZnLw

Score

10^/10

privateloader risepro loader persistence stealer

Malware Config

Extracted

Family

risepro

C2

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

1dS08HT5.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 1dS08HT5.exe
Executes dropped EXE 2 IoCs

Processes:

zS3mh13.exe1dS08HT5.exe

pid process

4160 zS3mh13.exe
5068 1dS08HT5.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1dS08HT5.exe

pid	process
4160	zS3mh13.exe
5068	1dS08HT5.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b5bd95eac65062b2a83cd1ce7ebabcddd34a131e01dc48f27ee75e8256d7a86bexe.exezS3mh13.exe1dS08HT5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b5bd95eac65062b2a83cd1ce7ebabcddd34a131e01dc48f27ee75e8256d7a86bexe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zS3mh13.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1dS08HT5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2484 schtasks.exe
2880 schtasks.exe

pid	process
2484	schtasks.exe
2880	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b5bd95eac65062b2a83cd1ce7ebabcddd34a131e01dc48f27ee75e8256d7a86bexe.exezS3mh13.exe1dS08HT5.exe

description	pid	process	target process
PID 5052 wrote to memory of 4160	5052	b5bd95eac65062b2a83cd1ce7ebabcddd34a131e01dc48f27ee75e8256d7a86bexe.exe	zS3mh13.exe
PID 5052 wrote to memory of 4160	5052	b5bd95eac65062b2a83cd1ce7ebabcddd34a131e01dc48f27ee75e8256d7a86bexe.exe	zS3mh13.exe
PID 5052 wrote to memory of 4160	5052	b5bd95eac65062b2a83cd1ce7ebabcddd34a131e01dc48f27ee75e8256d7a86bexe.exe	zS3mh13.exe
PID 4160 wrote to memory of 5068	4160	zS3mh13.exe	1dS08HT5.exe
PID 4160 wrote to memory of 5068	4160	zS3mh13.exe	1dS08HT5.exe
PID 4160 wrote to memory of 5068	4160	zS3mh13.exe	1dS08HT5.exe
PID 5068 wrote to memory of 2484	5068	1dS08HT5.exe	schtasks.exe
PID 5068 wrote to memory of 2484	5068	1dS08HT5.exe	schtasks.exe
PID 5068 wrote to memory of 2484	5068	1dS08HT5.exe	schtasks.exe
PID 5068 wrote to memory of 2880	5068	1dS08HT5.exe	schtasks.exe
PID 5068 wrote to memory of 2880	5068	1dS08HT5.exe	schtasks.exe
PID 5068 wrote to memory of 2880	5068	1dS08HT5.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b5bd95eac65062b2a83cd1ce7ebabcddd34a131e01dc48f27ee75e8256d7a86bexe.exe
"C:\Users\Admin\AppData\Local\Temp\b5bd95eac65062b2a83cd1ce7ebabcddd34a131e01dc48f27ee75e8256d7a86bexe.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5052

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zS3mh13.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zS3mh13.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4160

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1dS08HT5.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1dS08HT5.exe
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:2484

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:2880

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe
Filesize
1.5MB

MD5
160385423bd570c6fa08a85120cc54cf

SHA1
b7f74d0e820115ba316cb2d8a47cbf1e236d96c8

SHA256
80b247b52a7e5c83564d96f10e47287f48f196e3fa8b8c7f093a87773f93033b

SHA512
d27b8987110c19e21f18b612a21006c39a1d65f264a43569f712a77a7db51515657398468aa5425dea92e1736578345393b2ebe48e6268fe24e55e92af414969

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zS3mh13.exe
Filesize
1007KB

MD5
c15b0edc8ba9c1304d8f8e970a008266

SHA1
40991359e7e36f658810f28e9807429a4de37f83

SHA256
63192f9a5a13de1f3a2e6e24432f8965d75ff2771fe331a36f19f2ab9eddc635

SHA512
b520ee33c72b0b5e912b68b4f2de079c6a32372d171df5a616856d670c900d22fa3eae664f7d52fb07430e031a5683966ac2506a7d172bc2e591a3584fb585d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zS3mh13.exe
Filesize
1007KB

MD5
c15b0edc8ba9c1304d8f8e970a008266

SHA1
40991359e7e36f658810f28e9807429a4de37f83

SHA256
63192f9a5a13de1f3a2e6e24432f8965d75ff2771fe331a36f19f2ab9eddc635

SHA512
b520ee33c72b0b5e912b68b4f2de079c6a32372d171df5a616856d670c900d22fa3eae664f7d52fb07430e031a5683966ac2506a7d172bc2e591a3584fb585d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1dS08HT5.exe
Filesize
1.5MB

MD5
160385423bd570c6fa08a85120cc54cf

SHA1
b7f74d0e820115ba316cb2d8a47cbf1e236d96c8

SHA256
80b247b52a7e5c83564d96f10e47287f48f196e3fa8b8c7f093a87773f93033b

SHA512
d27b8987110c19e21f18b612a21006c39a1d65f264a43569f712a77a7db51515657398468aa5425dea92e1736578345393b2ebe48e6268fe24e55e92af414969

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1dS08HT5.exe
Filesize
1.5MB

MD5
160385423bd570c6fa08a85120cc54cf

SHA1
b7f74d0e820115ba316cb2d8a47cbf1e236d96c8

SHA256
80b247b52a7e5c83564d96f10e47287f48f196e3fa8b8c7f093a87773f93033b

SHA512
d27b8987110c19e21f18b612a21006c39a1d65f264a43569f712a77a7db51515657398468aa5425dea92e1736578345393b2ebe48e6268fe24e55e92af414969

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads