privateloader | 21675cef02c5d516a93f59d70c16d083ffa8be9792fa8f40e53212708d321c6d

Analysis

max time kernel
137s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616.exe
Size

1.1MB
MD5

75d611b9fdd12ae96644de5080557ebd
SHA1

dada87e4a3a6c66fdf05bf523ec00f78e9aaa389
SHA256

23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616
SHA512

df51455190cf4b9406cc3181277aff2342cbcfc9946e2ccba145de5adcd908db4af944e1d3182cdfc154f50f6c5bd34d6010359168090d5cbb941ff09f1edb00
SSDEEP

12288:gMrTy90Wp2ABf9NNsOYroRyNVdB31qvOJfAPgLslvr7BCuxxJMU0vLmuxLeMNmrn:jy1pRxsOYUqBQgLOVCYB0inrqjfwq7G

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral4/memory/1968-7-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Executes dropped EXE 2 IoCs

Processes:

11nv7377.exe12Cb362.exe

pid process

1568 11nv7377.exe
4956 12Cb362.exe

pid	process
1568	11nv7377.exe
4956	12Cb362.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

11nv7377.exe12Cb362.exe

description	pid	process	target process
PID 1568 set thread context of 1968	1568	11nv7377.exe	AppLaunch.exe
PID 4956 set thread context of 4812	4956	12Cb362.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616.exe11nv7377.exe12Cb362.exe

description	pid	process	target process
PID 3908 wrote to memory of 1568	3908	23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616.exe	11nv7377.exe
PID 3908 wrote to memory of 1568	3908	23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616.exe	11nv7377.exe
PID 3908 wrote to memory of 1568	3908	23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616.exe	11nv7377.exe
PID 1568 wrote to memory of 1968	1568	11nv7377.exe	AppLaunch.exe
PID 1568 wrote to memory of 1968	1568	11nv7377.exe	AppLaunch.exe
PID 1568 wrote to memory of 1968	1568	11nv7377.exe	AppLaunch.exe
PID 1568 wrote to memory of 1968	1568	11nv7377.exe	AppLaunch.exe
PID 1568 wrote to memory of 1968	1568	11nv7377.exe	AppLaunch.exe
PID 1568 wrote to memory of 1968	1568	11nv7377.exe	AppLaunch.exe
PID 1568 wrote to memory of 1968	1568	11nv7377.exe	AppLaunch.exe
PID 1568 wrote to memory of 1968	1568	11nv7377.exe	AppLaunch.exe
PID 3908 wrote to memory of 4956	3908	23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616.exe	12Cb362.exe
PID 3908 wrote to memory of 4956	3908	23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616.exe	12Cb362.exe
PID 3908 wrote to memory of 4956	3908	23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616.exe	12Cb362.exe
PID 4956 wrote to memory of 4812	4956	12Cb362.exe	AppLaunch.exe
PID 4956 wrote to memory of 4812	4956	12Cb362.exe	AppLaunch.exe
PID 4956 wrote to memory of 4812	4956	12Cb362.exe	AppLaunch.exe
PID 4956 wrote to memory of 4812	4956	12Cb362.exe	AppLaunch.exe
PID 4956 wrote to memory of 4812	4956	12Cb362.exe	AppLaunch.exe
PID 4956 wrote to memory of 4812	4956	12Cb362.exe	AppLaunch.exe
PID 4956 wrote to memory of 4812	4956	12Cb362.exe	AppLaunch.exe
PID 4956 wrote to memory of 4812	4956	12Cb362.exe	AppLaunch.exe
PID 4956 wrote to memory of 4812	4956	12Cb362.exe	AppLaunch.exe
PID 4956 wrote to memory of 4812	4956	12Cb362.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616.exe
"C:\Users\Admin\AppData\Local\Temp\23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3908

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11nv7377.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11nv7377.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12Cb362.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12Cb362.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3148,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:8
1⤵
PID:4240

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11nv7377.exe
Filesize
1.1MB

MD5
7f6fdf9a57f86e5d97e09819c54f6ba5

SHA1
6630157c09222becffd31b2d4dce1cf85ac9ad27

SHA256
e05a919c536c57fa2df8322bb933dbee8be944948037f2c1ad0c33a578360db5

SHA512
8b7dff8afeb200b0f2750a1a1846049ad6adbffd31881f9c1971218b53c8136d9eddaaca7d779a22ca3b130880146b3122499c40e330aa53eb0ecc8572a393a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12Cb362.exe
Filesize
2.4MB

MD5
65414c15777b4924b10e5bbbb39bdb5c

SHA1
f7a09d9281e6437d5fde7035a18a65725ca3c7d9

SHA256
173587e99ac1b5878321cfbf73bb9db6122f4db0fb9e03ae488269abdba4b8f1

SHA512
f0f205c08c68b35a899b205dac03a759e98769340ea96ac8263148125b824f5d778a1d2473a80e23a1ca6f451b1accee6c77fbe28efef25d3bf28a5e93a20e7d

Download Submit
memory/1968-22-0x0000000007790000-0x000000000789A000-memory.dmp

Filesize
1.0MB

Download
memory/1968-24-0x0000000007510000-0x000000000754C000-memory.dmp

Filesize
240KB

Download
memory/1968-12-0x00000000079C0000-0x0000000007F64000-memory.dmp

Filesize
5.6MB

Download
memory/1968-13-0x0000000007410000-0x00000000074A2000-memory.dmp

Filesize
584KB

Download
memory/1968-14-0x00000000748E0000-0x0000000075090000-memory.dmp

Filesize
7.7MB

Download
memory/1968-15-0x0000000004A30000-0x0000000004A3A000-memory.dmp

Filesize
40KB

Download
memory/1968-27-0x00000000748E0000-0x0000000075090000-memory.dmp

Filesize
7.7MB

Download
memory/1968-17-0x0000000008590000-0x0000000008BA8000-memory.dmp

Filesize
6.1MB

Download
memory/1968-26-0x00000000748EE000-0x00000000748EF000-memory.dmp

Filesize
4KB

Download
memory/1968-25-0x0000000007680000-0x00000000076CC000-memory.dmp

Filesize
304KB

Download
memory/1968-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1968-10-0x00000000748EE000-0x00000000748EF000-memory.dmp

Filesize
4KB

Download
memory/1968-23-0x00000000074B0000-0x00000000074C2000-memory.dmp

Filesize
72KB

Download
memory/4812-21-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/4812-20-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/4812-19-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/4812-16-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download