privateloader | e921f998097e449ca60bf6f0a673a463041e24c72b529db9155434281abf2155 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

e921f998097e449ca60bf6f0a673a463041e24c72b529db9155434281abf2155
Size

1.5MB
Sample

231212-pv4f7aeee4
MD5

502613cad84d8b537f1b8295200c5d19
SHA1

94add7c1e8563f40741b5cdd035f8b769d301461
SHA256

e921f998097e449ca60bf6f0a673a463041e24c72b529db9155434281abf2155
SHA512

9dc730f12f9a5457518c45e4c95a63b678afc2bade5ae6e42e828f9e066c63db1997c8eb86fe93028ac9f222087cbfc946c3cb17c22125c01d241a9db244d550
SSDEEP

24576:JyzsdTUSkuO7hnV3qXc97T9UQBPSWGp0hXekgDoNSFX4ahjzYFIybFiWJCVk:8zaUSROdnVppxUQB6WGyVSDoY4e0FIOK

Score

10^/10

privateloader risepro smokeloader backdoor loader persistence stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://81.19.131.34/fks/index.php

rc4.i32

rc4.i32

Extracted

Family

risepro

C2

193.233.132.51

Targets

- Target
  
  e921f998097e449ca60bf6f0a673a463041e24c72b529db9155434281abf2155
- Size
  
  1.5MB
- MD5
  
  502613cad84d8b537f1b8295200c5d19
- SHA1
  
  94add7c1e8563f40741b5cdd035f8b769d301461
- SHA256
  
  e921f998097e449ca60bf6f0a673a463041e24c72b529db9155434281abf2155
- SHA512
  
  9dc730f12f9a5457518c45e4c95a63b678afc2bade5ae6e42e828f9e066c63db1997c8eb86fe93028ac9f222087cbfc946c3cb17c22125c01d241a9db244d550
- SSDEEP
  
  24576:JyzsdTUSkuO7hnV3qXc97T9UQBPSWGp0hXekgDoNSFX4ahjzYFIybFiWJCVk:8zaUSROdnVppxUQB6WGyVSDoY4e0FIOK
Score

10^/10

privateloader risepro smokeloader backdoor loader persistence stealer trojan
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

privateloaderriseprosmokeloaderbackdoorloaderpersistencestealertrojan