privateloader | bd5cb5ed04f67f5a6f2f5411e9ad5c457c0c3e3bf3a38e4996624bdfba01d98d

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de4076a0397d9f3a10c9a7ec7c19d95dd219e5330592bc236b71f5cea26f87c9.exe
Size

828KB
MD5

0296a9b7156cc99de76a868f0a85ddbd
SHA1

7ed4d6af60fea7e55d8d6d3fd08c81758c5a3f3f
SHA256

de4076a0397d9f3a10c9a7ec7c19d95dd219e5330592bc236b71f5cea26f87c9
SHA512

e8f22048e50bf5835511a83a41b5b382d22146d14770bd24c2174243952dd7181874fab2a923705a1743ba85d727e48f966ad441e592a67bb8c930b2fea9f4e2
SSDEEP

24576:7yJ8pn4Gr7TAzDeDZqUh3oeh3sA07/1c/OrN1vTLmFCav:uuRB/keDZNh8AT/OrnvTiwa

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral20/memory/3644-7-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3MS35Cf.exe

Executes dropped EXE 2 IoCs

pid	Process
2492	2nS6752.exe
1752	3MS35Cf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	de4076a0397d9f3a10c9a7ec7c19d95dd219e5330592bc236b71f5cea26f87c9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3MS35Cf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2492 set thread context of 3644	2492	2nS6752.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5092	schtasks.exe
5000	schtasks.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2492	2944	de4076a0397d9f3a10c9a7ec7c19d95dd219e5330592bc236b71f5cea26f87c9.exe	82
PID 2944 wrote to memory of 2492	2944	de4076a0397d9f3a10c9a7ec7c19d95dd219e5330592bc236b71f5cea26f87c9.exe	82
PID 2944 wrote to memory of 2492	2944	de4076a0397d9f3a10c9a7ec7c19d95dd219e5330592bc236b71f5cea26f87c9.exe	82
PID 2492 wrote to memory of 4980	2492	2nS6752.exe	101
PID 2492 wrote to memory of 4980	2492	2nS6752.exe	101
PID 2492 wrote to memory of 4980	2492	2nS6752.exe	101
PID 2492 wrote to memory of 3644	2492	2nS6752.exe	102
PID 2492 wrote to memory of 3644	2492	2nS6752.exe	102
PID 2492 wrote to memory of 3644	2492	2nS6752.exe	102
PID 2492 wrote to memory of 3644	2492	2nS6752.exe	102
PID 2492 wrote to memory of 3644	2492	2nS6752.exe	102
PID 2492 wrote to memory of 3644	2492	2nS6752.exe	102
PID 2492 wrote to memory of 3644	2492	2nS6752.exe	102
PID 2492 wrote to memory of 3644	2492	2nS6752.exe	102
PID 2944 wrote to memory of 1752	2944	de4076a0397d9f3a10c9a7ec7c19d95dd219e5330592bc236b71f5cea26f87c9.exe	103
PID 2944 wrote to memory of 1752	2944	de4076a0397d9f3a10c9a7ec7c19d95dd219e5330592bc236b71f5cea26f87c9.exe	103
PID 2944 wrote to memory of 1752	2944	de4076a0397d9f3a10c9a7ec7c19d95dd219e5330592bc236b71f5cea26f87c9.exe	103
PID 1752 wrote to memory of 5092	1752	3MS35Cf.exe	104
PID 1752 wrote to memory of 5092	1752	3MS35Cf.exe	104
PID 1752 wrote to memory of 5092	1752	3MS35Cf.exe	104
PID 1752 wrote to memory of 5000	1752	3MS35Cf.exe	106
PID 1752 wrote to memory of 5000	1752	3MS35Cf.exe	106
PID 1752 wrote to memory of 5000	1752	3MS35Cf.exe	106

C:\Users\Admin\AppData\Local\Temp\de4076a0397d9f3a10c9a7ec7c19d95dd219e5330592bc236b71f5cea26f87c9.exe
"C:\Users\Admin\AppData\Local\Temp\de4076a0397d9f3a10c9a7ec7c19d95dd219e5330592bc236b71f5cea26f87c9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2nS6752.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2nS6752.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4980
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3644
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3MS35Cf.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3MS35Cf.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5092
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2nS6752.exe

Filesize
493KB

MD5
509e4f64add755d991566fe57a5cabd5

SHA1
da3b4951d554cec0007a5d78329f41b6151c25a1

SHA256
6e5fb04b9094b9d729c27b3bba52ece70e111f0686e4ee8f2244fc69b4ff4bc2

SHA512
bec980703a26178f4eb36043e093c47a9c91b27512e48e9fabb3a667a410f23461cf070f49ce098ac51e5dde02af4338713450c6662420b30cbac6cb20438f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3MS35Cf.exe

Filesize
1.3MB

MD5
ed792fb5abc1b989a6fa4c039749c205

SHA1
eb03ccae65c0905ae8c573c57cb49b2d95184d71

SHA256
d856a471a849f56787d38010fc74708c0d674067605023f95e8eac762e7f02f0

SHA512
a28021c932b1e93321682f01140fef905e14bb4818ba4c9a05a29942f1d970a80192cb4e08e6b3d0280f530431ce34962fcdc0f49ab61cf00a2f888ccaa1d36a

Download Submit
memory/3644-21-0x0000000004FD0000-0x0000000004FDA000-memory.dmp

Filesize
40KB

Download
memory/3644-11-0x0000000074AAE000-0x0000000074AAF000-memory.dmp

Filesize
4KB

Download
memory/3644-18-0x0000000007F20000-0x00000000084C4000-memory.dmp

Filesize
5.6MB

Download
memory/3644-19-0x0000000007A10000-0x0000000007AA2000-memory.dmp

Filesize
584KB

Download
memory/3644-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3644-22-0x0000000008AF0000-0x0000000009108000-memory.dmp

Filesize
6.1MB

Download
memory/3644-23-0x0000000007DC0000-0x0000000007ECA000-memory.dmp

Filesize
1.0MB

Download
memory/3644-24-0x0000000007BA0000-0x0000000007BB2000-memory.dmp

Filesize
72KB

Download
memory/3644-25-0x0000000007C00000-0x0000000007C3C000-memory.dmp

Filesize
240KB

Download
memory/3644-26-0x0000000007C40000-0x0000000007C8C000-memory.dmp

Filesize
304KB

Download
memory/3644-27-0x0000000074AAE000-0x0000000074AAF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads