privateloader | eafc2bfbeaeddb89f86da75f29f14435b745b919f0b99dd1d0d30b9d33efb415

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

046f35763e317ea5c0e4e5bc1725bc6e4fbd85ebf7a2820a18b9033c87584f68.exe
Size

1.1MB
MD5

f9ea3474dbb9042c2d93391723e11290
SHA1

089f3964fbea1af9ca2cc7e6fbc3f650c492d026
SHA256

046f35763e317ea5c0e4e5bc1725bc6e4fbd85ebf7a2820a18b9033c87584f68
SHA512

9732f9bf8b8b4f1900c0b3b87e3253dc45ca79f1cb14e301c06c2fab42e74c31761b8b0650d431190f4110de7c44f6690ccc5c148848ab4e334908c0050cbfaa
SSDEEP

24576:tyuCIG0kTDLHjOo/4CJY9rtBg5/ZbLKGF0tUEqTXinYxJM6/K1by18oRt:IEYDLDO4Y9RBg1ZbLluqTXinuCF2

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1108-21-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

3Zn63lL.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 3Zn63lL.exe
Executes dropped EXE 4 IoCs

Processes:

TX5la26.exeue2vq20.exe2rJ5149.exe3Zn63lL.exe

pid process

5036 TX5la26.exe
3164 ue2vq20.exe
4852 2rJ5149.exe
5056 3Zn63lL.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3Zn63lL.exe

pid	process
5036	TX5la26.exe
3164	ue2vq20.exe
4852	2rJ5149.exe
5056	3Zn63lL.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

046f35763e317ea5c0e4e5bc1725bc6e4fbd85ebf7a2820a18b9033c87584f68.exeTX5la26.exeue2vq20.exe3Zn63lL.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	046f35763e317ea5c0e4e5bc1725bc6e4fbd85ebf7a2820a18b9033c87584f68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	TX5la26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ue2vq20.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3Zn63lL.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2rJ5149.exe

description pid process target process

PID 4852 set thread context of 1108 4852 2rJ5149.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4092 schtasks.exe
1132 schtasks.exe

description	pid	process	target process
PID 4852 set thread context of 1108	4852	2rJ5149.exe	AppLaunch.exe

pid	process
4092	schtasks.exe
1132	schtasks.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

046f35763e317ea5c0e4e5bc1725bc6e4fbd85ebf7a2820a18b9033c87584f68.exeTX5la26.exeue2vq20.exe2rJ5149.exe3Zn63lL.exe

description	pid	process	target process
PID 3212 wrote to memory of 5036	3212	046f35763e317ea5c0e4e5bc1725bc6e4fbd85ebf7a2820a18b9033c87584f68.exe	TX5la26.exe
PID 3212 wrote to memory of 5036	3212	046f35763e317ea5c0e4e5bc1725bc6e4fbd85ebf7a2820a18b9033c87584f68.exe	TX5la26.exe
PID 3212 wrote to memory of 5036	3212	046f35763e317ea5c0e4e5bc1725bc6e4fbd85ebf7a2820a18b9033c87584f68.exe	TX5la26.exe
PID 5036 wrote to memory of 3164	5036	TX5la26.exe	ue2vq20.exe
PID 5036 wrote to memory of 3164	5036	TX5la26.exe	ue2vq20.exe
PID 5036 wrote to memory of 3164	5036	TX5la26.exe	ue2vq20.exe
PID 3164 wrote to memory of 4852	3164	ue2vq20.exe	2rJ5149.exe
PID 3164 wrote to memory of 4852	3164	ue2vq20.exe	2rJ5149.exe
PID 3164 wrote to memory of 4852	3164	ue2vq20.exe	2rJ5149.exe
PID 4852 wrote to memory of 1856	4852	2rJ5149.exe	AppLaunch.exe
PID 4852 wrote to memory of 1856	4852	2rJ5149.exe	AppLaunch.exe
PID 4852 wrote to memory of 1856	4852	2rJ5149.exe	AppLaunch.exe
PID 4852 wrote to memory of 5064	4852	2rJ5149.exe	AppLaunch.exe
PID 4852 wrote to memory of 5064	4852	2rJ5149.exe	AppLaunch.exe
PID 4852 wrote to memory of 5064	4852	2rJ5149.exe	AppLaunch.exe
PID 4852 wrote to memory of 1108	4852	2rJ5149.exe	AppLaunch.exe
PID 4852 wrote to memory of 1108	4852	2rJ5149.exe	AppLaunch.exe
PID 4852 wrote to memory of 1108	4852	2rJ5149.exe	AppLaunch.exe
PID 4852 wrote to memory of 1108	4852	2rJ5149.exe	AppLaunch.exe
PID 4852 wrote to memory of 1108	4852	2rJ5149.exe	AppLaunch.exe
PID 4852 wrote to memory of 1108	4852	2rJ5149.exe	AppLaunch.exe
PID 4852 wrote to memory of 1108	4852	2rJ5149.exe	AppLaunch.exe
PID 4852 wrote to memory of 1108	4852	2rJ5149.exe	AppLaunch.exe
PID 3164 wrote to memory of 5056	3164	ue2vq20.exe	3Zn63lL.exe
PID 3164 wrote to memory of 5056	3164	ue2vq20.exe	3Zn63lL.exe
PID 3164 wrote to memory of 5056	3164	ue2vq20.exe	3Zn63lL.exe
PID 5056 wrote to memory of 4092	5056	3Zn63lL.exe	schtasks.exe
PID 5056 wrote to memory of 4092	5056	3Zn63lL.exe	schtasks.exe
PID 5056 wrote to memory of 4092	5056	3Zn63lL.exe	schtasks.exe
PID 5056 wrote to memory of 1132	5056	3Zn63lL.exe	schtasks.exe
PID 5056 wrote to memory of 1132	5056	3Zn63lL.exe	schtasks.exe
PID 5056 wrote to memory of 1132	5056	3Zn63lL.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\046f35763e317ea5c0e4e5bc1725bc6e4fbd85ebf7a2820a18b9033c87584f68.exe
"C:\Users\Admin\AppData\Local\Temp\046f35763e317ea5c0e4e5bc1725bc6e4fbd85ebf7a2820a18b9033c87584f68.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3212

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TX5la26.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TX5la26.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5036

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ue2vq20.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ue2vq20.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3164

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2rJ5149.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2rJ5149.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:1856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:5064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Zn63lL.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Zn63lL.exe
4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
5⤵
- Creates scheduled task(s)
PID:4092

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
5⤵
- Creates scheduled task(s)
PID:1132

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TX5la26.exe
Filesize
952KB

MD5
33af80a3e1c3413bd0d34ff72c80d18d

SHA1
d06630e0e69f9388e5eb570ed16c2d7001b6485b

SHA256
88d1192de35aede8ce26d9ef820d6f683e99e46e267b45bcf8b5c3426c67b252

SHA512
4581413cca8569f620771c7a8615e20766d2e70b379ed4a0ef2483c7de14d7609309240abea941c9699053857406dcffc17167499ec99939d0dee7b823353984

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ue2vq20.exe
Filesize
828KB

MD5
cea3e82efec513414343d5b9a361bb4f

SHA1
3619e7ae90bdb2bff94505fbb7bf932a0fa8f593

SHA256
59a79e3b23f7a4ca2d26b02774b7caa31e4e11dcd986aa730a410a63952da2ae

SHA512
eccb99c2f19a6e4dc4693c274ff6c7108e15d3b863a0589078895414b254ba59721fe926a0b8320d0752fb073afc3944a61d0c59e7540ea6ab9c6a05a15c4341

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2rJ5149.exe
Filesize
493KB

MD5
e73f9dd90baefe8557834de0dabcfed9

SHA1
26096038f8720544035e7c31e80fa63bc1cfc050

SHA256
d66ba28b6d94e000fe91b4a034c0419af0c0685ab9f5f81564537c0298505886

SHA512
ef682157920cebd3ad2828faa37625b7296c9b131567a76b0d8dbd2b4e93f2727c8f26139013fc7b5a4718d6420aea4ead5cc7edaf6a9409377adf2e7de482ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Zn63lL.exe
Filesize
1.3MB

MD5
1a7eaa0085de6f8d539fc37bcb941e11

SHA1
4a116723a40c10bd6e23a799e99747cf12c51a74

SHA256
727a84ba5e42b7da59f87fde25d640839b75f36f863473931c9d66db5384dc2b

SHA512
5693ad5220f6b84c828a9acf2c247309100c04ac7ecc08b0f9931884891b6c82f2df855cd6f4262041b1e983213853a6996a8e99fbcc2faf5d028823c0dd05e9

Download Submit
memory/1108-32-0x0000000007DA0000-0x0000000007E32000-memory.dmp

Filesize
584KB

Download
memory/1108-31-0x00000000082B0000-0x0000000008854000-memory.dmp

Filesize
5.6MB

Download
memory/1108-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1108-34-0x0000000005340000-0x000000000534A000-memory.dmp

Filesize
40KB

Download
memory/1108-35-0x0000000008E80000-0x0000000009498000-memory.dmp

Filesize
6.1MB

Download
memory/1108-36-0x00000000080A0000-0x00000000081AA000-memory.dmp

Filesize
1.0MB

Download
memory/1108-37-0x0000000007FB0000-0x0000000007FC2000-memory.dmp

Filesize
72KB

Download
memory/1108-38-0x0000000008010000-0x000000000804C000-memory.dmp

Filesize
240KB

Download
memory/1108-39-0x0000000008050000-0x000000000809C000-memory.dmp

Filesize
304KB

Download