Analysis

  • max time kernel
    133s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 09:54

General

  • Target

    14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19.exe

  • Size

    1.1MB

  • MD5

    b0be87fbefa8fb816eda48b5873f30e6

  • SHA1

    580f46fb499394653f1c7a29a1bc0baccad32c0a

  • SHA256

    14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19

  • SHA512

    b7292045ce5adf9297dc9a4e68f9f749cab705e8dfb229fb4a8159d675d627ddd741733f6d06ca36b9987c3f8ea9f4d3fc61a9135dd18d3c7af176be124769f8

  • SSDEEP

    24576:Jy29JdP9SYg8rvouFInG4qc3+BbLMtuQ/dIkFSE9s31hV:825FSYggoIInGu42uqdIke31h

Malware Config

Extracted

Family

redline

Botnet

horda

C2

194.49.94.152:19053

Extracted

Family

risepro

C2

194.49.94.152

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19.exe
    "C:\Users\Admin\AppData\Local\Temp\14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1436
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11EO0041.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11EO0041.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4232
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        PID:1108
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        PID:3672
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12Zu663.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12Zu663.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3092
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        PID:440
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        PID:3100
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        PID:2360

            Network

            • flag-us
              DNS
              8.8.8.8.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              8.8.8.8.in-addr.arpa
              IN PTR
              Response
              8.8.8.8.in-addr.arpa
              IN PTR
              dns.google
            • flag-us
              DNS
              228.249.119.40.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              228.249.119.40.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              172.210.232.199.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              172.210.232.199.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              68.159.190.20.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              68.159.190.20.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              95.221.229.192.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              95.221.229.192.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              104.219.191.52.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              104.219.191.52.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              50.23.12.20.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              50.23.12.20.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              15.164.165.52.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              15.164.165.52.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              203.107.17.2.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              203.107.17.2.in-addr.arpa
              IN PTR
              Response
              203.107.17.2.in-addr.arpa
              IN PTR
              a2-17-107-203.deploy.static.akamaitechnologies.com
            • flag-us
              DNS
              48.229.111.52.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              48.229.111.52.in-addr.arpa
              IN PTR
              Response
            • 194.49.94.152:19053
              AppLaunch.exe
              260 B
              5
            • 194.49.94.152:50500
              AppLaunch.exe
              260 B
              5
            • 194.49.94.152:50500
              AppLaunch.exe
              260 B
              5
            • 194.49.94.152:19053
              AppLaunch.exe
              260 B
              5
            • 194.49.94.152:50500
              AppLaunch.exe
              260 B
              5
            • 194.49.94.152:19053
              AppLaunch.exe
              260 B
              5
            • 194.49.94.152:50500
              AppLaunch.exe
              260 B
              5
            • 194.49.94.152:19053
              AppLaunch.exe
              260 B
              5
            • 194.49.94.152:50500
              AppLaunch.exe
              260 B
              5
            • 194.49.94.152:19053
              AppLaunch.exe
              260 B
              5
            • 194.49.94.152:50500
              AppLaunch.exe
              260 B
              5
            • 194.49.94.152:50500
              AppLaunch.exe
              260 B
              5
            • 194.49.94.152:19053
              AppLaunch.exe
              260 B
              5
            • 8.8.8.8:53
              8.8.8.8.in-addr.arpa
              dns
              66 B
              90 B
              1
              1

              DNS Request

              8.8.8.8.in-addr.arpa

            • 8.8.8.8:53
              228.249.119.40.in-addr.arpa
              dns
              73 B
              159 B
              1
              1

              DNS Request

              228.249.119.40.in-addr.arpa

            • 8.8.8.8:53
              172.210.232.199.in-addr.arpa
              dns
              74 B
              128 B
              1
              1

              DNS Request

              172.210.232.199.in-addr.arpa

            • 8.8.8.8:53
              68.159.190.20.in-addr.arpa
              dns
              72 B
              158 B
              1
              1

              DNS Request

              68.159.190.20.in-addr.arpa

            • 8.8.8.8:53
              95.221.229.192.in-addr.arpa
              dns
              73 B
              144 B
              1
              1

              DNS Request

              95.221.229.192.in-addr.arpa

            • 8.8.8.8:53
              104.219.191.52.in-addr.arpa
              dns
              73 B
              147 B
              1
              1

              DNS Request

              104.219.191.52.in-addr.arpa

            • 8.8.8.8:53
              50.23.12.20.in-addr.arpa
              dns
              70 B
              156 B
              1
              1

              DNS Request

              50.23.12.20.in-addr.arpa

            • 8.8.8.8:53
              15.164.165.52.in-addr.arpa
              dns
              72 B
              146 B
              1
              1

              DNS Request

              15.164.165.52.in-addr.arpa

            • 8.8.8.8:53
              203.107.17.2.in-addr.arpa
              dns
              71 B
              135 B
              1
              1

              DNS Request

              203.107.17.2.in-addr.arpa

            • 8.8.8.8:53
              48.229.111.52.in-addr.arpa
              dns
              72 B
              158 B
              1
              1

              DNS Request

              48.229.111.52.in-addr.arpa

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11EO0041.exe

              Filesize

              1.1MB

              MD5

              7ce2856f7d27efaf76b33765a7859ad3

              SHA1

              292a9ac5216f71a8c9858169c46a1797b27e530d

              SHA256

              4dd502f1c6b2373660a1a9c0ed7114649ef9abb26d2812003c62a6dd98e4a205

              SHA512

              571221efa90160376e6cd6f6e7dca3a23bd194876cd952f387c7b663750ed6a9f4f017664ac0393dc80852261779f1f1b28ef0cb513e091b093c47caf7cb4de2

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12Zu663.exe

              Filesize

              2.4MB

              MD5

              cc91fef9c297d0fe5eb417c1afabc474

              SHA1

              6941d8209cadf07100606b65ca7b66eb8f47cd1f

              SHA256

              92bdf0c031747ef12099e9d371b82bf5370598ad47840af9f79e5f57627a589f

              SHA512

              a3248d0acb4488d3ee023dd2a1b9b53b6ef3cc1b2218a75a74d7c9231b34b045d773060251e018db23ef1f5b3244f78136aa2f2e9f10372fcea2ef9fac118c08

            • memory/2360-23-0x0000000000400000-0x0000000000547000-memory.dmp

              Filesize

              1.3MB

            • memory/2360-25-0x0000000000400000-0x0000000000547000-memory.dmp

              Filesize

              1.3MB

            • memory/2360-24-0x0000000000400000-0x0000000000547000-memory.dmp

              Filesize

              1.3MB

            • memory/2360-21-0x0000000000400000-0x0000000000547000-memory.dmp

              Filesize

              1.3MB

            • memory/3672-16-0x0000000008A80000-0x0000000009098000-memory.dmp

              Filesize

              6.1MB

            • memory/3672-15-0x0000000004F30000-0x0000000004F3A000-memory.dmp

              Filesize

              40KB

            • memory/3672-14-0x00000000745E0000-0x0000000074D90000-memory.dmp

              Filesize

              7.7MB

            • memory/3672-17-0x0000000007D20000-0x0000000007E2A000-memory.dmp

              Filesize

              1.0MB

            • memory/3672-18-0x0000000007B30000-0x0000000007B42000-memory.dmp

              Filesize

              72KB

            • memory/3672-19-0x0000000007BB0000-0x0000000007BEC000-memory.dmp

              Filesize

              240KB

            • memory/3672-20-0x0000000007C10000-0x0000000007C5C000-memory.dmp

              Filesize

              304KB

            • memory/3672-13-0x00000000079A0000-0x0000000007A32000-memory.dmp

              Filesize

              584KB

            • memory/3672-12-0x0000000007EB0000-0x0000000008454000-memory.dmp

              Filesize

              5.6MB

            • memory/3672-10-0x00000000745EE000-0x00000000745EF000-memory.dmp

              Filesize

              4KB

            • memory/3672-7-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/3672-26-0x00000000745EE000-0x00000000745EF000-memory.dmp

              Filesize

              4KB

            • memory/3672-27-0x00000000745E0000-0x0000000074D90000-memory.dmp

              Filesize

              7.7MB
