privateloader | 9f4cee8892544b3b9090f5a7288e0a353e34bada2f75253f19bfebaefa1f0f53

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19.exe
Size

1.1MB
MD5

b0be87fbefa8fb816eda48b5873f30e6
SHA1

580f46fb499394653f1c7a29a1bc0baccad32c0a
SHA256

14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19
SHA512

b7292045ce5adf9297dc9a4e68f9f749cab705e8dfb229fb4a8159d675d627ddd741733f6d06ca36b9987c3f8ea9f4d3fc61a9135dd18d3c7af176be124769f8
SSDEEP

24576:Jy29JdP9SYg8rvouFInG4qc3+BbLMtuQ/dIkFSE9s31hV:825FSYggoIInGu42uqdIke31h

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2568-7-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Executes dropped EXE 2 IoCs

Processes:

11EO0041.exe12Zu663.exe

pid process

4028 11EO0041.exe
4868 12Zu663.exe

pid	process
4028	11EO0041.exe
4868	12Zu663.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

11EO0041.exe12Zu663.exe

description	pid	process	target process
PID 4028 set thread context of 2568	4028	11EO0041.exe	AppLaunch.exe
PID 4868 set thread context of 1708	4868	12Zu663.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19.exe11EO0041.exe12Zu663.exe

description	pid	process	target process
PID 3776 wrote to memory of 4028	3776	14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19.exe	11EO0041.exe
PID 3776 wrote to memory of 4028	3776	14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19.exe	11EO0041.exe
PID 3776 wrote to memory of 4028	3776	14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19.exe	11EO0041.exe
PID 4028 wrote to memory of 2568	4028	11EO0041.exe	AppLaunch.exe
PID 4028 wrote to memory of 2568	4028	11EO0041.exe	AppLaunch.exe
PID 4028 wrote to memory of 2568	4028	11EO0041.exe	AppLaunch.exe
PID 4028 wrote to memory of 2568	4028	11EO0041.exe	AppLaunch.exe
PID 4028 wrote to memory of 2568	4028	11EO0041.exe	AppLaunch.exe
PID 4028 wrote to memory of 2568	4028	11EO0041.exe	AppLaunch.exe
PID 4028 wrote to memory of 2568	4028	11EO0041.exe	AppLaunch.exe
PID 4028 wrote to memory of 2568	4028	11EO0041.exe	AppLaunch.exe
PID 3776 wrote to memory of 4868	3776	14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19.exe	12Zu663.exe
PID 3776 wrote to memory of 4868	3776	14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19.exe	12Zu663.exe
PID 3776 wrote to memory of 4868	3776	14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19.exe	12Zu663.exe
PID 4868 wrote to memory of 1708	4868	12Zu663.exe	AppLaunch.exe
PID 4868 wrote to memory of 1708	4868	12Zu663.exe	AppLaunch.exe
PID 4868 wrote to memory of 1708	4868	12Zu663.exe	AppLaunch.exe
PID 4868 wrote to memory of 1708	4868	12Zu663.exe	AppLaunch.exe
PID 4868 wrote to memory of 1708	4868	12Zu663.exe	AppLaunch.exe
PID 4868 wrote to memory of 1708	4868	12Zu663.exe	AppLaunch.exe
PID 4868 wrote to memory of 1708	4868	12Zu663.exe	AppLaunch.exe
PID 4868 wrote to memory of 1708	4868	12Zu663.exe	AppLaunch.exe
PID 4868 wrote to memory of 1708	4868	12Zu663.exe	AppLaunch.exe
PID 4868 wrote to memory of 1708	4868	12Zu663.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19.exe
"C:\Users\Admin\AppData\Local\Temp\14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3776

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11EO0041.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11EO0041.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:2568

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12Zu663.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12Zu663.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:1708

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11EO0041.exe
Filesize
1.1MB

MD5
7ce2856f7d27efaf76b33765a7859ad3

SHA1
292a9ac5216f71a8c9858169c46a1797b27e530d

SHA256
4dd502f1c6b2373660a1a9c0ed7114649ef9abb26d2812003c62a6dd98e4a205

SHA512
571221efa90160376e6cd6f6e7dca3a23bd194876cd952f387c7b663750ed6a9f4f017664ac0393dc80852261779f1f1b28ef0cb513e091b093c47caf7cb4de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12Zu663.exe
Filesize
2.4MB

MD5
cc91fef9c297d0fe5eb417c1afabc474

SHA1
6941d8209cadf07100606b65ca7b66eb8f47cd1f

SHA256
92bdf0c031747ef12099e9d371b82bf5370598ad47840af9f79e5f57627a589f

SHA512
a3248d0acb4488d3ee023dd2a1b9b53b6ef3cc1b2218a75a74d7c9231b34b045d773060251e018db23ef1f5b3244f78136aa2f2e9f10372fcea2ef9fac118c08

Download Submit
memory/1708-22-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1708-25-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1708-24-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1708-21-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2568-16-0x0000000008D40000-0x0000000009358000-memory.dmp

Filesize
6.1MB

Download
memory/2568-15-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/2568-14-0x00000000030E0000-0x00000000030EA000-memory.dmp

Filesize
40KB

Download
memory/2568-17-0x0000000007F30000-0x000000000803A000-memory.dmp

Filesize
1.0MB

Download
memory/2568-18-0x0000000007DA0000-0x0000000007DB2000-memory.dmp

Filesize
72KB

Download
memory/2568-19-0x0000000007E20000-0x0000000007E5C000-memory.dmp

Filesize
240KB

Download
memory/2568-20-0x0000000007E60000-0x0000000007EAC000-memory.dmp

Filesize
304KB

Download
memory/2568-13-0x0000000007BC0000-0x0000000007C52000-memory.dmp

Filesize
584KB

Download
memory/2568-12-0x0000000008170000-0x0000000008714000-memory.dmp

Filesize
5.6MB

Download
memory/2568-10-0x000000007497E000-0x000000007497F000-memory.dmp

Filesize
4KB

Download
memory/2568-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2568-26-0x000000007497E000-0x000000007497F000-memory.dmp

Filesize
4KB

Download
memory/2568-27-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download