privateloader | 35fa914c6357cde578322016bb343396ee5cbe965e37dbbc27e58563c27f3d00

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

446a34b8c4e3ca30c5f6c10a03580a59127ae30d85ec80832cfadf9d862cd1be.exe
Size

1.0MB
MD5

c51058281df6130d5aca94b364a37ff9
SHA1

5e6c0434b0813d9607a6dad81d8b091f90865593
SHA256

446a34b8c4e3ca30c5f6c10a03580a59127ae30d85ec80832cfadf9d862cd1be
SHA512

c49ef6acb8f3f0e371a422b87a126354283983843ee42cb06c9821be55e6bd4b023db0ee33ee4cee393770e913ed24319401df5176cb2cb3e102c53ec6f9ad87
SSDEEP

24576:1yZR0bDq7NVaZfI4VPfiwotOVN0WwGUo8ggaf47wETK:Qcq7b9qP3VL//5w7wET

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5068-14-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

3fp16oI.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 3fp16oI.exe
Executes dropped EXE 3 IoCs

Processes:

fN8TZ42.exe2uz4234.exe3fp16oI.exe

pid process

3244 fN8TZ42.exe
1392 2uz4234.exe
4244 3fp16oI.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3fp16oI.exe

pid	process
3244	fN8TZ42.exe
1392	2uz4234.exe
4244	3fp16oI.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fN8TZ42.exe3fp16oI.exe446a34b8c4e3ca30c5f6c10a03580a59127ae30d85ec80832cfadf9d862cd1be.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	fN8TZ42.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3fp16oI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	446a34b8c4e3ca30c5f6c10a03580a59127ae30d85ec80832cfadf9d862cd1be.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2uz4234.exe

description pid process target process

PID 1392 set thread context of 5068 1392 2uz4234.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1576 1392 WerFault.exe 2uz4234.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4080 schtasks.exe
4500 schtasks.exe

description	pid	process	target process
PID 1392 set thread context of 5068	1392	2uz4234.exe	AppLaunch.exe

pid	pid_target	process	target process
1576	1392	WerFault.exe	2uz4234.exe

pid	process
4080	schtasks.exe
4500	schtasks.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

446a34b8c4e3ca30c5f6c10a03580a59127ae30d85ec80832cfadf9d862cd1be.exefN8TZ42.exe2uz4234.exe3fp16oI.exe

description	pid	process	target process
PID 1388 wrote to memory of 3244	1388	446a34b8c4e3ca30c5f6c10a03580a59127ae30d85ec80832cfadf9d862cd1be.exe	fN8TZ42.exe
PID 1388 wrote to memory of 3244	1388	446a34b8c4e3ca30c5f6c10a03580a59127ae30d85ec80832cfadf9d862cd1be.exe	fN8TZ42.exe
PID 1388 wrote to memory of 3244	1388	446a34b8c4e3ca30c5f6c10a03580a59127ae30d85ec80832cfadf9d862cd1be.exe	fN8TZ42.exe
PID 3244 wrote to memory of 1392	3244	fN8TZ42.exe	2uz4234.exe
PID 3244 wrote to memory of 1392	3244	fN8TZ42.exe	2uz4234.exe
PID 3244 wrote to memory of 1392	3244	fN8TZ42.exe	2uz4234.exe
PID 1392 wrote to memory of 4224	1392	2uz4234.exe	AppLaunch.exe
PID 1392 wrote to memory of 4224	1392	2uz4234.exe	AppLaunch.exe
PID 1392 wrote to memory of 4224	1392	2uz4234.exe	AppLaunch.exe
PID 1392 wrote to memory of 5068	1392	2uz4234.exe	AppLaunch.exe
PID 1392 wrote to memory of 5068	1392	2uz4234.exe	AppLaunch.exe
PID 1392 wrote to memory of 5068	1392	2uz4234.exe	AppLaunch.exe
PID 1392 wrote to memory of 5068	1392	2uz4234.exe	AppLaunch.exe
PID 1392 wrote to memory of 5068	1392	2uz4234.exe	AppLaunch.exe
PID 1392 wrote to memory of 5068	1392	2uz4234.exe	AppLaunch.exe
PID 1392 wrote to memory of 5068	1392	2uz4234.exe	AppLaunch.exe
PID 1392 wrote to memory of 5068	1392	2uz4234.exe	AppLaunch.exe
PID 3244 wrote to memory of 4244	3244	fN8TZ42.exe	3fp16oI.exe
PID 3244 wrote to memory of 4244	3244	fN8TZ42.exe	3fp16oI.exe
PID 3244 wrote to memory of 4244	3244	fN8TZ42.exe	3fp16oI.exe
PID 4244 wrote to memory of 4500	4244	3fp16oI.exe	schtasks.exe
PID 4244 wrote to memory of 4500	4244	3fp16oI.exe	schtasks.exe
PID 4244 wrote to memory of 4500	4244	3fp16oI.exe	schtasks.exe
PID 4244 wrote to memory of 4080	4244	3fp16oI.exe	schtasks.exe
PID 4244 wrote to memory of 4080	4244	3fp16oI.exe	schtasks.exe
PID 4244 wrote to memory of 4080	4244	3fp16oI.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\446a34b8c4e3ca30c5f6c10a03580a59127ae30d85ec80832cfadf9d862cd1be.exe
"C:\Users\Admin\AppData\Local\Temp\446a34b8c4e3ca30c5f6c10a03580a59127ae30d85ec80832cfadf9d862cd1be.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1388

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fN8TZ42.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fN8TZ42.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3244

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2uz4234.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2uz4234.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:4224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 152
4⤵
- Program crash
PID:1576

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3fp16oI.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3fp16oI.exe
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:4500

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1392 -ip 1392
1⤵
PID:2544

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fN8TZ42.exe
Filesize
945KB

MD5
ef9bd93043ce3bfbcca8163727ff0464

SHA1
ba9eadddd82fcc2c8aef784c1f10bfb31c588b08

SHA256
11c6baafddb56e4cb5da02215a0b9b4b35298d7d6aea0265516f9b5d024e94f3

SHA512
0bd57db17ee170a674487403302c883b7e82be0b72fa63df8d892eff1be746efc29f3ee7b05e11107053ae3ead98fd43805911cfd6890f0d979440844da9f3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2uz4234.exe
Filesize
1.1MB

MD5
23374572d1f265004bc00e752af88829

SHA1
07de950d87e5057cc6646983bfe9c0c456fcdca4

SHA256
07b525d29776766f392dee13b5cda0f54218e3cc8062949b78147377f0b17826

SHA512
e9b29aaaf1304a49dc77ca6e1929faf455ffa6c2cdde4c51446fb497ce1637c5493fbf5e4f0b37c8a9683031021022287fd5da312e4820605c0780e76f1da576

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3fp16oI.exe
Filesize
1.3MB

MD5
f3e286aa2a0dc5b8db2f38cd14713a0c

SHA1
d208409edba2e2ae313ece237a99b6d82d2630ca

SHA256
65aadb41c6e52a835408630d6d0408a505c6c32219eb6b7b594aff9563431135

SHA512
4c4b015d61291eb6ced46fef38a8f5c1e65ab35d805d70f34a0b0e4ff614069775db2d8338c1730e9cae66a9f9c3fc8f8932dc9220757e178084935cd571f6f7

Download Submit
memory/5068-18-0x0000000002E10000-0x0000000002E1A000-memory.dmp

Filesize
40KB

Download
memory/5068-16-0x0000000007D40000-0x00000000082E4000-memory.dmp

Filesize
5.6MB

Download
memory/5068-17-0x0000000007870000-0x0000000007902000-memory.dmp

Filesize
584KB

Download
memory/5068-15-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download
memory/5068-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5068-24-0x0000000008910000-0x0000000008F28000-memory.dmp

Filesize
6.1MB

Download
memory/5068-29-0x0000000007C00000-0x0000000007D0A000-memory.dmp

Filesize
1.0MB

Download
memory/5068-30-0x0000000007A40000-0x0000000007A52000-memory.dmp

Filesize
72KB

Download
memory/5068-31-0x0000000007AA0000-0x0000000007ADC000-memory.dmp

Filesize
240KB

Download
memory/5068-32-0x0000000007AE0000-0x0000000007B2C000-memory.dmp

Filesize
304KB

Download
memory/5068-34-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download