privateloader | 48ce4b5f623a90f381aa1880ccf97df5f38f0bcac9fd7b97c332620f25b4b614 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

48ce4b5f623a90f381aa1880ccf97df5f38f0bcac9fd7b97c332620f25b4b614
Size

1.6MB
Sample

231211-vsz9msedh3
MD5

7956de518919d34656560ac8c9892456
SHA1

f62ce2e82ba78404036da125cc2c925a3968e862
SHA256

48ce4b5f623a90f381aa1880ccf97df5f38f0bcac9fd7b97c332620f25b4b614
SHA512

d65964aa53282a7aecac6ca56cd49f9bea06264e5ee393c2da5d71525dcb16df9f012b41e4b60dba2c76c443ba5c6a23ad637c100c9af4b5ad50e0933fa2b1fe
SSDEEP

49152:qWg8wUmZOzqiavjDUJO/WH89ctcO0ljbbQnIQGotBKqy8TJCHEGU42sn6:ZiUmZOzqiavjDUM/WH89y8bboGO

Score

10^/10

privateloader risepro collection discovery persistence spyware stealer

Malware Config

Extracted

Family

risepro

C2

193.233.132.51

Targets

- Target
  
  48ce4b5f623a90f381aa1880ccf97df5f38f0bcac9fd7b97c332620f25b4b614
- Size
  
  1.6MB
- MD5
  
  7956de518919d34656560ac8c9892456
- SHA1
  
  f62ce2e82ba78404036da125cc2c925a3968e862
- SHA256
  
  48ce4b5f623a90f381aa1880ccf97df5f38f0bcac9fd7b97c332620f25b4b614
- SHA512
  
  d65964aa53282a7aecac6ca56cd49f9bea06264e5ee393c2da5d71525dcb16df9f012b41e4b60dba2c76c443ba5c6a23ad637c100c9af4b5ad50e0933fa2b1fe
- SSDEEP
  
  49152:qWg8wUmZOzqiavjDUJO/WH89ctcO0ljbbQnIQGotBKqy8TJCHEGU42sn6:ZiUmZOzqiavjDUM/WH89y8bboGO
Score

7^/10

collection discovery persistence spyware stealer
- Drops startup file
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

privateloaderrisepro

behavioral1

collectiondiscoverypersistencespywarestealer