privateloader | 9b80269950e0f1b633a8f97657fa8c4843d63cc1062890797edcbbcf58625520

Analysis

max time kernel
139s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e017c199a693aee53fef17402d6258dee359f1092c5845f73d404e2646590b9b.exe
Size

1.1MB
MD5

a5806b1c53acceed775b77445ac26b79
SHA1

3de6b77bdceee962ce162b643ae2e19bec370c6e
SHA256

e017c199a693aee53fef17402d6258dee359f1092c5845f73d404e2646590b9b
SHA512

302b2911f4cd2d9b6b5e9a0074dfa3d073575a2cc30432a92eac8d7183af760b69546dacad1f0902649bda95b115e3a94eae4b6314399c086abeeef5bd3d03c3
SSDEEP

24576:GyTJ69GsovlWgZtLq/2NMA15Z09uses5g3+YB1s95AW9n:VTJ6ovldtO/2sZYB1s91

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral18/memory/116-7-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Executes dropped EXE 2 IoCs

pid	Process
2584	11bL6324.exe
916	12YJ529.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e017c199a693aee53fef17402d6258dee359f1092c5845f73d404e2646590b9b.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2584 set thread context of 116	2584	11bL6324.exe	85
PID 916 set thread context of 4944	916	12YJ529.exe	92

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2584	2756	e017c199a693aee53fef17402d6258dee359f1092c5845f73d404e2646590b9b.exe	83
PID 2756 wrote to memory of 2584	2756	e017c199a693aee53fef17402d6258dee359f1092c5845f73d404e2646590b9b.exe	83
PID 2756 wrote to memory of 2584	2756	e017c199a693aee53fef17402d6258dee359f1092c5845f73d404e2646590b9b.exe	83
PID 2584 wrote to memory of 116	2584	11bL6324.exe	85
PID 2584 wrote to memory of 116	2584	11bL6324.exe	85
PID 2584 wrote to memory of 116	2584	11bL6324.exe	85
PID 2584 wrote to memory of 116	2584	11bL6324.exe	85
PID 2584 wrote to memory of 116	2584	11bL6324.exe	85
PID 2584 wrote to memory of 116	2584	11bL6324.exe	85
PID 2584 wrote to memory of 116	2584	11bL6324.exe	85
PID 2584 wrote to memory of 116	2584	11bL6324.exe	85
PID 2756 wrote to memory of 916	2756	e017c199a693aee53fef17402d6258dee359f1092c5845f73d404e2646590b9b.exe	88
PID 2756 wrote to memory of 916	2756	e017c199a693aee53fef17402d6258dee359f1092c5845f73d404e2646590b9b.exe	88
PID 2756 wrote to memory of 916	2756	e017c199a693aee53fef17402d6258dee359f1092c5845f73d404e2646590b9b.exe	88
PID 916 wrote to memory of 5056	916	12YJ529.exe	90
PID 916 wrote to memory of 5056	916	12YJ529.exe	90
PID 916 wrote to memory of 5056	916	12YJ529.exe	90
PID 916 wrote to memory of 4944	916	12YJ529.exe	92
PID 916 wrote to memory of 4944	916	12YJ529.exe	92
PID 916 wrote to memory of 4944	916	12YJ529.exe	92
PID 916 wrote to memory of 4944	916	12YJ529.exe	92
PID 916 wrote to memory of 4944	916	12YJ529.exe	92
PID 916 wrote to memory of 4944	916	12YJ529.exe	92
PID 916 wrote to memory of 4944	916	12YJ529.exe	92
PID 916 wrote to memory of 4944	916	12YJ529.exe	92
PID 916 wrote to memory of 4944	916	12YJ529.exe	92
PID 916 wrote to memory of 4944	916	12YJ529.exe	92

C:\Users\Admin\AppData\Local\Temp\e017c199a693aee53fef17402d6258dee359f1092c5845f73d404e2646590b9b.exe
"C:\Users\Admin\AppData\Local\Temp\e017c199a693aee53fef17402d6258dee359f1092c5845f73d404e2646590b9b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11bL6324.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11bL6324.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12YJ529.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12YJ529.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:5056
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11bL6324.exe

Filesize
1.1MB

MD5
60fc7a4fe30c3fafba64b1d321ef80b2

SHA1
1ddfa83daa9b85ac1fb5a0f256e0048dc8ac4651

SHA256
a9a106ed84a116d1145a0dcb6d7e294ff43928a07d32ce5bf37951cf24f9263f

SHA512
670d7b8d22d482bb85f293d664c3c235787a6e5535e2d00513af5556fc0d05f2c0505931d924992494923df373daa360aa88b440d2c9d33a6de6c5cfa8cbb7f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12YJ529.exe

Filesize
2.4MB

MD5
5005c1a394bb0cf7a591bd88f2287b7b

SHA1
f65659381bee77f253fb651f1464fec925c93209

SHA256
a488e7687b546f563e4f7ca23649a21e26ed61f037e463d78aaa569726d6a220

SHA512
a1661cfbb1bbb7e9fa70f381b5f7eb1fe2ba40f0948e4ca993678c483a8aa24b4215886e5d6f207e31eb3bc7f62ab4faec4199f0d3c760dcb59ab5a7c36f9b8a

Download Submit
memory/116-16-0x0000000008A30000-0x0000000009048000-memory.dmp

Filesize
6.1MB

Download
memory/116-19-0x0000000007C00000-0x0000000007C3C000-memory.dmp

Filesize
240KB

Download
memory/116-12-0x0000000007E60000-0x0000000008404000-memory.dmp

Filesize
5.6MB

Download
memory/116-13-0x0000000007950000-0x00000000079E2000-memory.dmp

Filesize
584KB

Download
memory/116-14-0x0000000074250000-0x0000000074A00000-memory.dmp

Filesize
7.7MB

Download
memory/116-15-0x0000000004F10000-0x0000000004F1A000-memory.dmp

Filesize
40KB

Download
memory/116-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/116-17-0x0000000007CD0000-0x0000000007DDA000-memory.dmp

Filesize
1.0MB

Download
memory/116-18-0x0000000007A80000-0x0000000007A92000-memory.dmp

Filesize
72KB

Download
memory/116-10-0x000000007425E000-0x000000007425F000-memory.dmp

Filesize
4KB

Download
memory/116-20-0x0000000007C40000-0x0000000007C8C000-memory.dmp

Filesize
304KB

Download
memory/116-27-0x0000000074250000-0x0000000074A00000-memory.dmp

Filesize
7.7MB

Download
memory/116-26-0x000000007425E000-0x000000007425F000-memory.dmp

Filesize
4KB

Download
memory/4944-25-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/4944-24-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/4944-22-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/4944-21-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads