privateloader | 5e226d8262fc6a306a8623ff2317e80de04307b5a5893f24200377dfacb41830

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

131b78a330f033599e72f43b4c44a4ce16181a4de774a7e0ebc96fe998dea67b.exe
Size

1.1MB
MD5

5647ef3ba33c2200403333d17e434856
SHA1

f695d37246239fd692e7fb044ca2a02ffaa104d9
SHA256

131b78a330f033599e72f43b4c44a4ce16181a4de774a7e0ebc96fe998dea67b
SHA512

d85b3bf66e482e08901d56f28472bd1f75fbcd4b70b27fa0582c234d71f186518fdb57b7a9bff7ae660c8d52f6eb763a696d96a384c9562a706390c5b6c55bda
SSDEEP

24576:3yIXRcd8lQUqMEcXP8iO7Eff2+uySHr/cZb8/T3TB5:CIhcdSQt0fc+2LUZb43t

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/1148-7-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Executes dropped EXE 2 IoCs

Processes:

11Sf4953.exe12MH182.exe

pid process

3056 11Sf4953.exe
1540 12MH182.exe

pid	process
3056	11Sf4953.exe
1540	12MH182.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

131b78a330f033599e72f43b4c44a4ce16181a4de774a7e0ebc96fe998dea67b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	131b78a330f033599e72f43b4c44a4ce16181a4de774a7e0ebc96fe998dea67b.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

11Sf4953.exe12MH182.exe

description	pid	process	target process
PID 3056 set thread context of 1148	3056	11Sf4953.exe	AppLaunch.exe
PID 1540 set thread context of 4048	1540	12MH182.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

131b78a330f033599e72f43b4c44a4ce16181a4de774a7e0ebc96fe998dea67b.exe11Sf4953.exe12MH182.exe

description	pid	process	target process
PID 2540 wrote to memory of 3056	2540	131b78a330f033599e72f43b4c44a4ce16181a4de774a7e0ebc96fe998dea67b.exe	11Sf4953.exe
PID 2540 wrote to memory of 3056	2540	131b78a330f033599e72f43b4c44a4ce16181a4de774a7e0ebc96fe998dea67b.exe	11Sf4953.exe
PID 2540 wrote to memory of 3056	2540	131b78a330f033599e72f43b4c44a4ce16181a4de774a7e0ebc96fe998dea67b.exe	11Sf4953.exe
PID 3056 wrote to memory of 3576	3056	11Sf4953.exe	AppLaunch.exe
PID 3056 wrote to memory of 3576	3056	11Sf4953.exe	AppLaunch.exe
PID 3056 wrote to memory of 3576	3056	11Sf4953.exe	AppLaunch.exe
PID 3056 wrote to memory of 3416	3056	11Sf4953.exe	AppLaunch.exe
PID 3056 wrote to memory of 3416	3056	11Sf4953.exe	AppLaunch.exe
PID 3056 wrote to memory of 3416	3056	11Sf4953.exe	AppLaunch.exe
PID 3056 wrote to memory of 3804	3056	11Sf4953.exe	AppLaunch.exe
PID 3056 wrote to memory of 3804	3056	11Sf4953.exe	AppLaunch.exe
PID 3056 wrote to memory of 3804	3056	11Sf4953.exe	AppLaunch.exe
PID 3056 wrote to memory of 1148	3056	11Sf4953.exe	AppLaunch.exe
PID 3056 wrote to memory of 1148	3056	11Sf4953.exe	AppLaunch.exe
PID 3056 wrote to memory of 1148	3056	11Sf4953.exe	AppLaunch.exe
PID 3056 wrote to memory of 1148	3056	11Sf4953.exe	AppLaunch.exe
PID 3056 wrote to memory of 1148	3056	11Sf4953.exe	AppLaunch.exe
PID 3056 wrote to memory of 1148	3056	11Sf4953.exe	AppLaunch.exe
PID 3056 wrote to memory of 1148	3056	11Sf4953.exe	AppLaunch.exe
PID 3056 wrote to memory of 1148	3056	11Sf4953.exe	AppLaunch.exe
PID 2540 wrote to memory of 1540	2540	131b78a330f033599e72f43b4c44a4ce16181a4de774a7e0ebc96fe998dea67b.exe	12MH182.exe
PID 2540 wrote to memory of 1540	2540	131b78a330f033599e72f43b4c44a4ce16181a4de774a7e0ebc96fe998dea67b.exe	12MH182.exe
PID 2540 wrote to memory of 1540	2540	131b78a330f033599e72f43b4c44a4ce16181a4de774a7e0ebc96fe998dea67b.exe	12MH182.exe
PID 1540 wrote to memory of 2264	1540	12MH182.exe	AppLaunch.exe
PID 1540 wrote to memory of 2264	1540	12MH182.exe	AppLaunch.exe
PID 1540 wrote to memory of 2264	1540	12MH182.exe	AppLaunch.exe
PID 1540 wrote to memory of 4048	1540	12MH182.exe	AppLaunch.exe
PID 1540 wrote to memory of 4048	1540	12MH182.exe	AppLaunch.exe
PID 1540 wrote to memory of 4048	1540	12MH182.exe	AppLaunch.exe
PID 1540 wrote to memory of 4048	1540	12MH182.exe	AppLaunch.exe
PID 1540 wrote to memory of 4048	1540	12MH182.exe	AppLaunch.exe
PID 1540 wrote to memory of 4048	1540	12MH182.exe	AppLaunch.exe
PID 1540 wrote to memory of 4048	1540	12MH182.exe	AppLaunch.exe
PID 1540 wrote to memory of 4048	1540	12MH182.exe	AppLaunch.exe
PID 1540 wrote to memory of 4048	1540	12MH182.exe	AppLaunch.exe
PID 1540 wrote to memory of 4048	1540	12MH182.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\131b78a330f033599e72f43b4c44a4ce16181a4de774a7e0ebc96fe998dea67b.exe
"C:\Users\Admin\AppData\Local\Temp\131b78a330f033599e72f43b4c44a4ce16181a4de774a7e0ebc96fe998dea67b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11Sf4953.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11Sf4953.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3576
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3416
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3804
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:1148
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12MH182.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12MH182.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2264
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11Sf4953.exe

Filesize
1.1MB

MD5
433b698a0de5f930396a03aabcd1c579

SHA1
0bdb2760dfcb59d56a7d454ae7dcc6a105ceb44f

SHA256
10f45b705042806a911a7a85b35d545c799f046ea5ac30a9ccdad21ad716f565

SHA512
72e3570913c030afcc17f69f1fb3aa52f3d5096d75ec4c6247b9e6327ed88ccb41d36d5368e332bb76344132b75b972e27d16704e762aef5791eb12dbc5f3090

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12MH182.exe

Filesize
2.4MB

MD5
c14e02e8606a65a744079f10e1e55c7c

SHA1
a691e05d3d388a4e68215b9ef548ff6b1cc36f6d

SHA256
f91b408c7d33b9aab761098e08d070e01b3e1d03f304b78c784495818db23eb6

SHA512
26efe43269ce9242633441377e1d47122083da42557c23c007720b8defeadadca4d8074252bbf1826502aff0239a6e713240b8180473fdbe8739d14ce5f45ad7

Download Submit
memory/1148-16-0x0000000008F20000-0x0000000009538000-memory.dmp

Filesize
6.1MB

Download
memory/1148-19-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/1148-12-0x0000000008350000-0x00000000088F4000-memory.dmp

Filesize
5.6MB

Download
memory/1148-13-0x0000000007E40000-0x0000000007ED2000-memory.dmp

Filesize
584KB

Download
memory/1148-15-0x00000000053D0000-0x00000000053DA000-memory.dmp

Filesize
40KB

Download
memory/1148-14-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/1148-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1148-17-0x0000000008900000-0x0000000008A0A000-memory.dmp

Filesize
1.0MB

Download
memory/1148-18-0x0000000008010000-0x0000000008022000-memory.dmp

Filesize
72KB

Download
memory/1148-10-0x000000007463E000-0x000000007463F000-memory.dmp

Filesize
4KB

Download
memory/1148-20-0x0000000008040000-0x000000000808C000-memory.dmp

Filesize
304KB

Download
memory/1148-27-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/1148-26-0x000000007463E000-0x000000007463F000-memory.dmp

Filesize
4KB

Download
memory/4048-25-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/4048-24-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/4048-23-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/4048-21-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download