privateloader | e19e97a334ecb39058fd976080222a46cc2159e34c85df371a9eaf0088ee80eb

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

812ce70322ec6814a763ebe1e04731ab416e10201580d509b133509ad1ebcb27.exe
Size

829KB
MD5

f9d1f262e72cc1b9b7e814dbdcc929cb
SHA1

214d0685f60ef65b733722f3677ba255059f16d1
SHA256

812ce70322ec6814a763ebe1e04731ab416e10201580d509b133509ad1ebcb27
SHA512

7f2be6d8d4bf3d7f848c8b06c239428c8dfe3160686a66ff1ede13f9c834cbcf1c84db2d1dd02a12bea4586247ddfe605fcc956022ea12f3bf11e55ea7b3240d
SSDEEP

12288:8MrGy90Mc6HGhgK/eguSNyEGXOTw4bFvzyyEXy5pkboFeVT00Fh6cWNrKIva:ayV3mhgOJwx+1bohX0YoOT00D6xNr0

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral14/memory/3584-7-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

3mG17hj.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 3mG17hj.exe
Executes dropped EXE 2 IoCs

Processes:

2AK9303.exe3mG17hj.exe

pid process

4008 2AK9303.exe
4752 3mG17hj.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3mG17hj.exe

pid	process
4008	2AK9303.exe
4752	3mG17hj.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

812ce70322ec6814a763ebe1e04731ab416e10201580d509b133509ad1ebcb27.exe3mG17hj.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	812ce70322ec6814a763ebe1e04731ab416e10201580d509b133509ad1ebcb27.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3mG17hj.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2AK9303.exe

description pid process target process

PID 4008 set thread context of 3584 4008 2AK9303.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3616 schtasks.exe
3608 schtasks.exe

description	pid	process	target process
PID 4008 set thread context of 3584	4008	2AK9303.exe	AppLaunch.exe

pid	process
3616	schtasks.exe
3608	schtasks.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

812ce70322ec6814a763ebe1e04731ab416e10201580d509b133509ad1ebcb27.exe2AK9303.exe3mG17hj.exe

description	pid	process	target process
PID 4780 wrote to memory of 4008	4780	812ce70322ec6814a763ebe1e04731ab416e10201580d509b133509ad1ebcb27.exe	2AK9303.exe
PID 4780 wrote to memory of 4008	4780	812ce70322ec6814a763ebe1e04731ab416e10201580d509b133509ad1ebcb27.exe	2AK9303.exe
PID 4780 wrote to memory of 4008	4780	812ce70322ec6814a763ebe1e04731ab416e10201580d509b133509ad1ebcb27.exe	2AK9303.exe
PID 4008 wrote to memory of 3584	4008	2AK9303.exe	AppLaunch.exe
PID 4008 wrote to memory of 3584	4008	2AK9303.exe	AppLaunch.exe
PID 4008 wrote to memory of 3584	4008	2AK9303.exe	AppLaunch.exe
PID 4008 wrote to memory of 3584	4008	2AK9303.exe	AppLaunch.exe
PID 4008 wrote to memory of 3584	4008	2AK9303.exe	AppLaunch.exe
PID 4008 wrote to memory of 3584	4008	2AK9303.exe	AppLaunch.exe
PID 4008 wrote to memory of 3584	4008	2AK9303.exe	AppLaunch.exe
PID 4008 wrote to memory of 3584	4008	2AK9303.exe	AppLaunch.exe
PID 4780 wrote to memory of 4752	4780	812ce70322ec6814a763ebe1e04731ab416e10201580d509b133509ad1ebcb27.exe	3mG17hj.exe
PID 4780 wrote to memory of 4752	4780	812ce70322ec6814a763ebe1e04731ab416e10201580d509b133509ad1ebcb27.exe	3mG17hj.exe
PID 4780 wrote to memory of 4752	4780	812ce70322ec6814a763ebe1e04731ab416e10201580d509b133509ad1ebcb27.exe	3mG17hj.exe
PID 4752 wrote to memory of 3616	4752	3mG17hj.exe	schtasks.exe
PID 4752 wrote to memory of 3616	4752	3mG17hj.exe	schtasks.exe
PID 4752 wrote to memory of 3616	4752	3mG17hj.exe	schtasks.exe
PID 4752 wrote to memory of 3608	4752	3mG17hj.exe	schtasks.exe
PID 4752 wrote to memory of 3608	4752	3mG17hj.exe	schtasks.exe
PID 4752 wrote to memory of 3608	4752	3mG17hj.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\812ce70322ec6814a763ebe1e04731ab416e10201580d509b133509ad1ebcb27.exe
"C:\Users\Admin\AppData\Local\Temp\812ce70322ec6814a763ebe1e04731ab416e10201580d509b133509ad1ebcb27.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2AK9303.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2AK9303.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3584
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3mG17hj.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3mG17hj.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3616
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2AK9303.exe

Filesize
493KB

MD5
51598e6613e1cfc658a8a27795952fe9

SHA1
9dfd0765c993b8935e060097992cdeb5ba33547e

SHA256
19e8fa30d553a5cb3f2109cbb4e08ade0cbe3886cd81fe6e6da54c61ed62ad19

SHA512
37baf085c3d0998642bc3db35e0e6777a060027e0263bd1c7818ca8bb8010580613bc30da11abef37768f6dd795b1f56729e5a0db98d0862c2bc78375f31be53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3mG17hj.exe

Filesize
1.3MB

MD5
84b375c6da427609a5b81d9fd32e213c

SHA1
aac9d06dbdf29b1fb219af496b4b2a9893b60f56

SHA256
1b6404664754b788c705dfb15c0319a3be3a7acdaf0e8318ebbe0735b1c74a32

SHA512
65fbb3314943e16f743e266438d16deba8c821e879d6baf0609646796f7e6ba834f53571c274d2e9e85df74db9904f81858679c9c3d564a556230e84a3e9951d

Download Submit
memory/3584-21-0x0000000003100000-0x000000000310A000-memory.dmp

Filesize
40KB

Download
memory/3584-11-0x00000000749BE000-0x00000000749BF000-memory.dmp

Filesize
4KB

Download
memory/3584-18-0x0000000008110000-0x00000000086B4000-memory.dmp

Filesize
5.6MB

Download
memory/3584-19-0x0000000007C00000-0x0000000007C92000-memory.dmp

Filesize
584KB

Download
memory/3584-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3584-22-0x0000000008CE0000-0x00000000092F8000-memory.dmp

Filesize
6.1MB

Download
memory/3584-23-0x0000000007F20000-0x000000000802A000-memory.dmp

Filesize
1.0MB

Download
memory/3584-24-0x0000000007DB0000-0x0000000007DC2000-memory.dmp

Filesize
72KB

Download
memory/3584-25-0x0000000007E50000-0x0000000007E8C000-memory.dmp

Filesize
240KB

Download
memory/3584-26-0x0000000007E90000-0x0000000007EDC000-memory.dmp

Filesize
304KB

Download
memory/3584-27-0x00000000749BE000-0x00000000749BF000-memory.dmp

Filesize
4KB

Download