privateloader | e19e97a334ecb39058fd976080222a46cc2159e34c85df371a9eaf0088ee80eb

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ff2fb6bb8d4c7395ec24382b3b06db1e89b1ac0e5ceaebaba03805cbaa21532.exe
Size

811KB
MD5

95bdeb1476bbb614f7818a9e76912f8e
SHA1

6b95e427cfc909ac45ed15f502ef049f45de7eab
SHA256

9ff2fb6bb8d4c7395ec24382b3b06db1e89b1ac0e5ceaebaba03805cbaa21532
SHA512

310cab4dce865db053ec15dad15633b156829344e4e3732dd38ec22becabf36595d5844617a5784d2bec0f47fa6feb2eb74a9d579026ebf3e0196fe8054fbabc
SSDEEP

24576:/ycDe2gqMKKCblNlTUTjmCmSFF/07G9V:KyjgMKQDlT0mCM7G9

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral20/memory/564-7-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

3mY89EF.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 3mY89EF.exe
Executes dropped EXE 2 IoCs

Processes:

2xW0454.exe3mY89EF.exe

pid process

2200 2xW0454.exe
3932 3mY89EF.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3mY89EF.exe

pid	process
2200	2xW0454.exe
3932	3mY89EF.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9ff2fb6bb8d4c7395ec24382b3b06db1e89b1ac0e5ceaebaba03805cbaa21532.exe3mY89EF.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9ff2fb6bb8d4c7395ec24382b3b06db1e89b1ac0e5ceaebaba03805cbaa21532.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3mY89EF.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2xW0454.exe

description pid process target process

PID 2200 set thread context of 564 2200 2xW0454.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4064 2200 WerFault.exe 2xW0454.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4988 schtasks.exe
2392 schtasks.exe

description	pid	process	target process
PID 2200 set thread context of 564	2200	2xW0454.exe	AppLaunch.exe

pid	pid_target	process	target process
4064	2200	WerFault.exe	2xW0454.exe

pid	process
4988	schtasks.exe
2392	schtasks.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

9ff2fb6bb8d4c7395ec24382b3b06db1e89b1ac0e5ceaebaba03805cbaa21532.exe2xW0454.exe3mY89EF.exe

description	pid	process	target process
PID 1608 wrote to memory of 2200	1608	9ff2fb6bb8d4c7395ec24382b3b06db1e89b1ac0e5ceaebaba03805cbaa21532.exe	2xW0454.exe
PID 1608 wrote to memory of 2200	1608	9ff2fb6bb8d4c7395ec24382b3b06db1e89b1ac0e5ceaebaba03805cbaa21532.exe	2xW0454.exe
PID 1608 wrote to memory of 2200	1608	9ff2fb6bb8d4c7395ec24382b3b06db1e89b1ac0e5ceaebaba03805cbaa21532.exe	2xW0454.exe
PID 2200 wrote to memory of 564	2200	2xW0454.exe	AppLaunch.exe
PID 2200 wrote to memory of 564	2200	2xW0454.exe	AppLaunch.exe
PID 2200 wrote to memory of 564	2200	2xW0454.exe	AppLaunch.exe
PID 2200 wrote to memory of 564	2200	2xW0454.exe	AppLaunch.exe
PID 2200 wrote to memory of 564	2200	2xW0454.exe	AppLaunch.exe
PID 2200 wrote to memory of 564	2200	2xW0454.exe	AppLaunch.exe
PID 2200 wrote to memory of 564	2200	2xW0454.exe	AppLaunch.exe
PID 2200 wrote to memory of 564	2200	2xW0454.exe	AppLaunch.exe
PID 1608 wrote to memory of 3932	1608	9ff2fb6bb8d4c7395ec24382b3b06db1e89b1ac0e5ceaebaba03805cbaa21532.exe	3mY89EF.exe
PID 1608 wrote to memory of 3932	1608	9ff2fb6bb8d4c7395ec24382b3b06db1e89b1ac0e5ceaebaba03805cbaa21532.exe	3mY89EF.exe
PID 1608 wrote to memory of 3932	1608	9ff2fb6bb8d4c7395ec24382b3b06db1e89b1ac0e5ceaebaba03805cbaa21532.exe	3mY89EF.exe
PID 3932 wrote to memory of 4988	3932	3mY89EF.exe	schtasks.exe
PID 3932 wrote to memory of 4988	3932	3mY89EF.exe	schtasks.exe
PID 3932 wrote to memory of 4988	3932	3mY89EF.exe	schtasks.exe
PID 3932 wrote to memory of 2392	3932	3mY89EF.exe	schtasks.exe
PID 3932 wrote to memory of 2392	3932	3mY89EF.exe	schtasks.exe
PID 3932 wrote to memory of 2392	3932	3mY89EF.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\9ff2fb6bb8d4c7395ec24382b3b06db1e89b1ac0e5ceaebaba03805cbaa21532.exe
"C:\Users\Admin\AppData\Local\Temp\9ff2fb6bb8d4c7395ec24382b3b06db1e89b1ac0e5ceaebaba03805cbaa21532.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2xW0454.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2xW0454.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 608
    3⤵
    - Program crash
    PID:4064
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3mY89EF.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3mY89EF.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4988
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2200 -ip 2200
1⤵
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2xW0454.exe

Filesize
432KB

MD5
09b8aa73a76b89b95ab4d9e42e052646

SHA1
1ea6108abc6143505f113d01d510f186fc5bc973

SHA256
2c4a4ad48fd685eeed371034a71773f8ec7ec52ea388d31131e6f092ed4e3053

SHA512
2787e28d3263f906d818e2d98049f99635a3a7f834ab9c547124b47bf40f905b1cf02cf77a5b17574d2c7a1f022070c9c945c94b45b4049e617d0c369a04cbbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3mY89EF.exe

Filesize
1.3MB

MD5
578f0fe76b81bba795a030e859f736cf

SHA1
d5a8037c0e5425636eb011b350457979df2e6870

SHA256
9fb212e25b634906d437321904002d818e89ff161e5e225930c1496a419bfecf

SHA512
2cbc5deec6e654503f41c5e100b454d75caede20351e260dde4b6d3f850bdbcff35804dedbf53da1f438de21099b3728afa1b7d3f0bb918709ec0416386a3612

Download Submit
memory/564-12-0x0000000073FE0000-0x0000000074790000-memory.dmp

Filesize
7.7MB

Download
memory/564-9-0x0000000007CF0000-0x0000000008294000-memory.dmp

Filesize
5.6MB

Download
memory/564-10-0x0000000007820000-0x00000000078B2000-memory.dmp

Filesize
584KB

Download
memory/564-11-0x0000000002C70000-0x0000000002C7A000-memory.dmp

Filesize
40KB

Download
memory/564-8-0x0000000073FEE000-0x0000000073FEF000-memory.dmp

Filesize
4KB

Download
memory/564-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/564-21-0x00000000088C0000-0x0000000008ED8000-memory.dmp

Filesize
6.1MB

Download
memory/564-23-0x0000000007BD0000-0x0000000007CDA000-memory.dmp

Filesize
1.0MB

Download
memory/564-24-0x0000000007930000-0x0000000007942000-memory.dmp

Filesize
72KB

Download
memory/564-25-0x0000000007B00000-0x0000000007B3C000-memory.dmp

Filesize
240KB

Download
memory/564-26-0x0000000007B40000-0x0000000007B8C000-memory.dmp

Filesize
304KB

Download
memory/564-28-0x0000000073FEE000-0x0000000073FEF000-memory.dmp

Filesize
4KB

Download
memory/564-29-0x0000000073FE0000-0x0000000074790000-memory.dmp

Filesize
7.7MB

Download