privateloader | be3323c3b2bd6ba736703199d528de6bf1396e8a7c6b9b58e4ca31fda43b00e0

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46e0ffa2e7aeb3575c3fe8308892dec47716f852e6427bc2c8e904e9cad2c659.exe
Size

829KB
MD5

da086bd413b2fb3f8311147d782bccc4
SHA1

c78490af8811ecb11627b5ab10e1d6466ccdd45b
SHA256

46e0ffa2e7aeb3575c3fe8308892dec47716f852e6427bc2c8e904e9cad2c659
SHA512

97c12d0fc6a0e6f2f791f2659aea7397cc390c9e3555bcb8e33927def01bf4ff0f8ddd385fcbf83d7b0f4639e095611ed8a460b42c69cec0d55c07e45eb0fc25
SSDEEP

24576:TycRdHoBf/o6noHZu574bAeS49Lnmzmmy34/uCr9:mI4bn+ZuV4Mel9Lnmzmmy3Qu

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral5/memory/4240-7-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3QR08Iq.exe

Executes dropped EXE 2 IoCs

pid	Process
4420	2yu4652.exe
1792	3QR08Iq.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	46e0ffa2e7aeb3575c3fe8308892dec47716f852e6427bc2c8e904e9cad2c659.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3QR08Iq.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4420 set thread context of 4240	4420	2yu4652.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1556	schtasks.exe
3504	schtasks.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 4420	3352	46e0ffa2e7aeb3575c3fe8308892dec47716f852e6427bc2c8e904e9cad2c659.exe	82
PID 3352 wrote to memory of 4420	3352	46e0ffa2e7aeb3575c3fe8308892dec47716f852e6427bc2c8e904e9cad2c659.exe	82
PID 3352 wrote to memory of 4420	3352	46e0ffa2e7aeb3575c3fe8308892dec47716f852e6427bc2c8e904e9cad2c659.exe	82
PID 4420 wrote to memory of 4240	4420	2yu4652.exe	96
PID 4420 wrote to memory of 4240	4420	2yu4652.exe	96
PID 4420 wrote to memory of 4240	4420	2yu4652.exe	96
PID 4420 wrote to memory of 4240	4420	2yu4652.exe	96
PID 4420 wrote to memory of 4240	4420	2yu4652.exe	96
PID 4420 wrote to memory of 4240	4420	2yu4652.exe	96
PID 4420 wrote to memory of 4240	4420	2yu4652.exe	96
PID 4420 wrote to memory of 4240	4420	2yu4652.exe	96
PID 3352 wrote to memory of 1792	3352	46e0ffa2e7aeb3575c3fe8308892dec47716f852e6427bc2c8e904e9cad2c659.exe	97
PID 3352 wrote to memory of 1792	3352	46e0ffa2e7aeb3575c3fe8308892dec47716f852e6427bc2c8e904e9cad2c659.exe	97
PID 3352 wrote to memory of 1792	3352	46e0ffa2e7aeb3575c3fe8308892dec47716f852e6427bc2c8e904e9cad2c659.exe	97
PID 1792 wrote to memory of 1556	1792	3QR08Iq.exe	98
PID 1792 wrote to memory of 1556	1792	3QR08Iq.exe	98
PID 1792 wrote to memory of 1556	1792	3QR08Iq.exe	98
PID 1792 wrote to memory of 3504	1792	3QR08Iq.exe	100
PID 1792 wrote to memory of 3504	1792	3QR08Iq.exe	100
PID 1792 wrote to memory of 3504	1792	3QR08Iq.exe	100

C:\Users\Admin\AppData\Local\Temp\46e0ffa2e7aeb3575c3fe8308892dec47716f852e6427bc2c8e904e9cad2c659.exe
"C:\Users\Admin\AppData\Local\Temp\46e0ffa2e7aeb3575c3fe8308892dec47716f852e6427bc2c8e904e9cad2c659.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2yu4652.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2yu4652.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4240
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3QR08Iq.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3QR08Iq.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1556
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2yu4652.exe

Filesize
493KB

MD5
b8e2db2423c3a1642c89e1d1f2b8c49b

SHA1
07e96a0e1f3fdce212c7a016a4174c4e3244c753

SHA256
ff5a52045e600ca04f646cbbb29e83fb2428fb5fefec187026f6fa00f254f2a1

SHA512
06c1bbfae7e34067c5cf73ba697eb0f545375a6a270bfd02791abbeb460874472307fefe41b09c3150424e62956926cb0b7ffc85bc229c0b92a74e9c7ef46fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3QR08Iq.exe

Filesize
1.3MB

MD5
4c69e999e85a5267696c37218d2f5bec

SHA1
f2cca65ed4fead0e389ffd043dd3bf1fa8035daf

SHA256
2db20070344407973bde084c4808db7d2c3bae891750756551718a32298e8307

SHA512
51feba3e78d4fe813b624c0840dc056b1cc0328d1f9a88bb799e51514979e3086918b17cacf9f092ee5d51b3b0c9050a3bc15bd01ee2e75f0035068e22e3b982

Download Submit
memory/4240-21-0x0000000004A30000-0x0000000004A3A000-memory.dmp

Filesize
40KB

Download
memory/4240-11-0x000000007476E000-0x000000007476F000-memory.dmp

Filesize
4KB

Download
memory/4240-18-0x0000000007A00000-0x0000000007FA4000-memory.dmp

Filesize
5.6MB

Download
memory/4240-19-0x00000000074F0000-0x0000000007582000-memory.dmp

Filesize
584KB

Download
memory/4240-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4240-22-0x00000000085D0000-0x0000000008BE8000-memory.dmp

Filesize
6.1MB

Download
memory/4240-23-0x00000000078B0000-0x00000000079BA000-memory.dmp

Filesize
1.0MB

Download
memory/4240-24-0x00000000075C0000-0x00000000075D2000-memory.dmp

Filesize
72KB

Download
memory/4240-25-0x0000000007650000-0x000000000768C000-memory.dmp

Filesize
240KB

Download
memory/4240-26-0x00000000075F0000-0x000000000763C000-memory.dmp

Filesize
304KB

Download
memory/4240-27-0x000000007476E000-0x000000007476F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads