Malware Analysis Report

2025-08-05 12:23

Sample ID 231213-3nm3hsbfd7
Target e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e
SHA256 e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e
Tags
privateloader risepro collection discovery persistence spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e

Threat Level: Known bad

The file e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e was found to be: Known bad.

Malicious Activity Summary

privateloader risepro collection discovery persistence spyware stealer

Privateloader family

Risepro family

Drops startup file

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Checks installed software on the system

Looks up external IP address via web service

Adds Run key to start application

Accesses Microsoft Outlook profiles

Drops file in System32 directory

Unsigned PE

Program crash

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-13 23:39

Signatures

Privateloader family

privateloader

Risepro family

risepro

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-13 23:39

Reported

2023-12-13 23:42

Platform

win10-20231129-en

Max time kernel

120s

Max time network

106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe

"C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1796

Network

Country Destination Domain Proto
US 193.233.132.51:50500 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 51.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 96.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 175.21.199.152.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe

MD5 0f80fb0884759cc8bf8e74b9bc7c9d75
SHA1 1544e4d4912523fc7a19f16f5ecaab701007d742
SHA256 e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e
SHA512 4675dd854898d876136701b8364200e58a70ff61c32461a653ae9a46205162433d6745ae86ddfdf4d3a6932c04de479ccf7fbd3216bad3de82b8ae85397f0176

C:\Users\Admin\AppData\Local\Temp\posterBox_QrKbJQLQz6VG\QdX9ITDLyCRBWeb Data

MD5 4491efe9c997c2bb294866dab785b4a3
SHA1 655c178e979acf42eed324d2883b04ef9ba441c3
SHA256 197fb907775f182f8a8f6e00e5b514477a096988d10475a63385647c32b361e7
SHA512 57c135d0932dd1e11367d34af7808fd524c87507c263e3190105cbc69a4ac1ab730ed31631c860fbde125b99bd5995af797707fbc7063ceb5b1a1a708916d142

C:\Users\Admin\AppData\Local\Temp\grandUIA_QrKbJQLQz6VG\information.txt

MD5 b3ec0b0f067d88b2193d1f4f5ae1457c
SHA1 4464a4346abcdb5cbafa7ad5aa70b6011151f5d7
SHA256 530b1e5aa588f29288cd750775356bd568c9eb98ea04bee0d27ba64225fdb540
SHA512 c429bbd0c4ae8cb354cb917382e336500568ea8997414bf55d4e9230d2278a27eb0178f6afa6e154d4a68cd7dc3cf7aa8dd7caee810548c60e0cf4dd1eab99a9