privateloader | 02cacf524527064e447c85bef406a6e5125d06b69bd35e10a813bf4a5659b985

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

367729c84050746eb20cd233e6b8d8cfe0625110da6e43f4b4c486aa19d08103.exe
Size

1.0MB
MD5

b8c8a180572fa9f5d2abc29e8f5225de
SHA1

70b0b356bc4a0bf194d6cc8dc2b000ac7e49c1b7
SHA256

367729c84050746eb20cd233e6b8d8cfe0625110da6e43f4b4c486aa19d08103
SHA512

fd90da55beae0cc7727900aff75d39a03d7986db109beb32ef5f0303cca309768e6ecbe2db25a32a6cb64eb7f3ee7209143a60fbde957182b1ddf5b58aba9162
SSDEEP

24576:Kylv3LOmDlvjAHW7XNs5uCq3bMKgMjUlP6wSCzLw+:Rlv3LOejLNsB5KvUlPyx

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral7/memory/2988-14-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

3Jj94vS.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 3Jj94vS.exe
Executes dropped EXE 3 IoCs

Processes:

dw7mh79.exe2Gz9949.exe3Jj94vS.exe

pid process

2760 dw7mh79.exe
4088 2Gz9949.exe
4048 3Jj94vS.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3Jj94vS.exe

pid	process
2760	dw7mh79.exe
4088	2Gz9949.exe
4048	3Jj94vS.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3Jj94vS.exe367729c84050746eb20cd233e6b8d8cfe0625110da6e43f4b4c486aa19d08103.exedw7mh79.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3Jj94vS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	367729c84050746eb20cd233e6b8d8cfe0625110da6e43f4b4c486aa19d08103.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	dw7mh79.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2Gz9949.exe

description pid process target process

PID 4088 set thread context of 2988 4088 2Gz9949.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3048 4088 WerFault.exe 2Gz9949.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3500 schtasks.exe
3904 schtasks.exe

description	pid	process	target process
PID 4088 set thread context of 2988	4088	2Gz9949.exe	AppLaunch.exe

pid	pid_target	process	target process
3048	4088	WerFault.exe	2Gz9949.exe

pid	process
3500	schtasks.exe
3904	schtasks.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

367729c84050746eb20cd233e6b8d8cfe0625110da6e43f4b4c486aa19d08103.exedw7mh79.exe2Gz9949.exe3Jj94vS.exe

description	pid	process	target process
PID 1248 wrote to memory of 2760	1248	367729c84050746eb20cd233e6b8d8cfe0625110da6e43f4b4c486aa19d08103.exe	dw7mh79.exe
PID 1248 wrote to memory of 2760	1248	367729c84050746eb20cd233e6b8d8cfe0625110da6e43f4b4c486aa19d08103.exe	dw7mh79.exe
PID 1248 wrote to memory of 2760	1248	367729c84050746eb20cd233e6b8d8cfe0625110da6e43f4b4c486aa19d08103.exe	dw7mh79.exe
PID 2760 wrote to memory of 4088	2760	dw7mh79.exe	2Gz9949.exe
PID 2760 wrote to memory of 4088	2760	dw7mh79.exe	2Gz9949.exe
PID 2760 wrote to memory of 4088	2760	dw7mh79.exe	2Gz9949.exe
PID 4088 wrote to memory of 2988	4088	2Gz9949.exe	AppLaunch.exe
PID 4088 wrote to memory of 2988	4088	2Gz9949.exe	AppLaunch.exe
PID 4088 wrote to memory of 2988	4088	2Gz9949.exe	AppLaunch.exe
PID 4088 wrote to memory of 2988	4088	2Gz9949.exe	AppLaunch.exe
PID 4088 wrote to memory of 2988	4088	2Gz9949.exe	AppLaunch.exe
PID 4088 wrote to memory of 2988	4088	2Gz9949.exe	AppLaunch.exe
PID 4088 wrote to memory of 2988	4088	2Gz9949.exe	AppLaunch.exe
PID 4088 wrote to memory of 2988	4088	2Gz9949.exe	AppLaunch.exe
PID 2760 wrote to memory of 4048	2760	dw7mh79.exe	3Jj94vS.exe
PID 2760 wrote to memory of 4048	2760	dw7mh79.exe	3Jj94vS.exe
PID 2760 wrote to memory of 4048	2760	dw7mh79.exe	3Jj94vS.exe
PID 4048 wrote to memory of 3500	4048	3Jj94vS.exe	schtasks.exe
PID 4048 wrote to memory of 3500	4048	3Jj94vS.exe	schtasks.exe
PID 4048 wrote to memory of 3500	4048	3Jj94vS.exe	schtasks.exe
PID 4048 wrote to memory of 3904	4048	3Jj94vS.exe	schtasks.exe
PID 4048 wrote to memory of 3904	4048	3Jj94vS.exe	schtasks.exe
PID 4048 wrote to memory of 3904	4048	3Jj94vS.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\367729c84050746eb20cd233e6b8d8cfe0625110da6e43f4b4c486aa19d08103.exe
"C:\Users\Admin\AppData\Local\Temp\367729c84050746eb20cd233e6b8d8cfe0625110da6e43f4b4c486aa19d08103.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dw7mh79.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dw7mh79.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Gz9949.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Gz9949.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 140
4⤵
- Program crash
PID:3048

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Jj94vS.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Jj94vS.exe
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:3500

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4088 -ip 4088
1⤵
PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dw7mh79.exe

Filesize
948KB

MD5
5ffbfb649f5b887a031efcc31826e254

SHA1
f5d9657b152d73d9ce6c583c70ca3d927073522b

SHA256
aa19512f2ad59b5bed358f92c3760fb88934bea7d410d0855cc93b2b92d9bb8d

SHA512
fb3599d72cfca2c9ad39d86dbded461c93d32f31c89e06d1f36b813b03c52c1dce53c84adeb9e28cd341047e29962ab43913806ac8bbe5d1d2e07f0eb81944dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Gz9949.exe

Filesize
1.1MB

MD5
503996518197b0d5f339f01b2077809b

SHA1
4c49cb3aa48109987dd035ba03c1cbcedda1c8cd

SHA256
94a9d8adfeeeafc2cec74d7801765a8fe19a9627d9aab335f2140c4f66b7cc11

SHA512
b3528d0928ec70cd8018f301252dc1daa60144cb2c42695a0e800d8e5205f0b00521132536d57d9a4feedd5d76ee68c22b03273b9cf456b46b212e9ed535ed20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Jj94vS.exe

Filesize
1.3MB

MD5
224c5e3fb94f0bedb563ed316fe20519

SHA1
2f133eb786c582a623f4d8295602427346e34e3e

SHA256
0e406fe86d88d7d0f95febd7e0a0bb67f1a1310270230eaa808da4caf36ad6d7

SHA512
acb0099855e080b98164abdb71d83eb913f5ac6613da8e9ea6a0799dc3994ef4f538c7db3789e86bf8097d9e63cd7d1b9aa4efebc604a45c2cb58cf5b6046c7e

Download Submit
memory/2988-18-0x0000000002790000-0x000000000279A000-memory.dmp

Filesize
40KB

Download
memory/2988-16-0x0000000007840000-0x0000000007DE4000-memory.dmp

Filesize
5.6MB

Download
memory/2988-17-0x0000000007340000-0x00000000073D2000-memory.dmp

Filesize
584KB

Download
memory/2988-15-0x0000000073DAE000-0x0000000073DAF000-memory.dmp

Filesize
4KB

Download
memory/2988-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2988-28-0x0000000008410000-0x0000000008A28000-memory.dmp

Filesize
6.1MB

Download
memory/2988-29-0x00000000076E0000-0x00000000077EA000-memory.dmp

Filesize
1.0MB

Download
memory/2988-30-0x0000000007530000-0x0000000007542000-memory.dmp

Filesize
72KB

Download
memory/2988-31-0x0000000007590000-0x00000000075CC000-memory.dmp

Filesize
240KB

Download
memory/2988-32-0x00000000075D0000-0x000000000761C000-memory.dmp

Filesize
304KB

Download
memory/2988-34-0x0000000073DAE000-0x0000000073DAF000-memory.dmp

Filesize
4KB

Download