privateloader | 9874024432d4a4dc4017d0ebf9773eaea78b9aea747dfbe995938af4b572eb38

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04a0e650872d7846563cdcc0dd200fe4ab443abf6a07ee52486d24d18d6aba2d.exe
Size

1.1MB
MD5

220a3457bac0b7e002558e635cc38c53
SHA1

c7de62cda431e4166e2a4f77b0522f5195caf86c
SHA256

04a0e650872d7846563cdcc0dd200fe4ab443abf6a07ee52486d24d18d6aba2d
SHA512

f627940e941ce4b632dcea6a7ffa85cc5727e0937550f1c8543438e9ceedd529a9d0dbf9501a311b1db9ed60880a298c8cdffdde14b1705488220b97bbe714fb
SSDEEP

24576:cyiWn8NR7Ih++UoI4yYGhmAkkW+rc29OeK+:LiWnyReuYGhmr+f9TK

Score

10^/10

privateloader redline risepro smokeloader horda backdoor infostealer loader persistence stealer trojan

Malware Config

Extracted

Family

risepro

194.49.94.152

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2100-34-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	AppLaunch.exe

Executes dropped EXE 4 IoCs

pid	Process
3192	Ax7hw73.exe
2864	1GU36Hg3.exe
2056	2Lw6913.exe
5116	3RY29ZY.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	04a0e650872d7846563cdcc0dd200fe4ab443abf6a07ee52486d24d18d6aba2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ax7hw73.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	AppLaunch.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	AppLaunch.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	AppLaunch.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	AppLaunch.exe
File opened for modification	C:\Windows\System32\GroupPolicy	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2864 set thread context of 5052	2864	1GU36Hg3.exe	86
PID 2056 set thread context of 2100	2056	2Lw6913.exe	95

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3RY29ZY.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3RY29ZY.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3RY29ZY.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3540	schtasks.exe
3464	schtasks.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 3192	3824	04a0e650872d7846563cdcc0dd200fe4ab443abf6a07ee52486d24d18d6aba2d.exe	83
PID 3824 wrote to memory of 3192	3824	04a0e650872d7846563cdcc0dd200fe4ab443abf6a07ee52486d24d18d6aba2d.exe	83
PID 3824 wrote to memory of 3192	3824	04a0e650872d7846563cdcc0dd200fe4ab443abf6a07ee52486d24d18d6aba2d.exe	83
PID 3192 wrote to memory of 2864	3192	Ax7hw73.exe	84
PID 3192 wrote to memory of 2864	3192	Ax7hw73.exe	84
PID 3192 wrote to memory of 2864	3192	Ax7hw73.exe	84
PID 2864 wrote to memory of 5052	2864	1GU36Hg3.exe	86
PID 2864 wrote to memory of 5052	2864	1GU36Hg3.exe	86
PID 2864 wrote to memory of 5052	2864	1GU36Hg3.exe	86
PID 2864 wrote to memory of 5052	2864	1GU36Hg3.exe	86
PID 2864 wrote to memory of 5052	2864	1GU36Hg3.exe	86
PID 2864 wrote to memory of 5052	2864	1GU36Hg3.exe	86
PID 2864 wrote to memory of 5052	2864	1GU36Hg3.exe	86
PID 2864 wrote to memory of 5052	2864	1GU36Hg3.exe	86
PID 2864 wrote to memory of 5052	2864	1GU36Hg3.exe	86
PID 2864 wrote to memory of 5052	2864	1GU36Hg3.exe	86
PID 3192 wrote to memory of 2056	3192	Ax7hw73.exe	87
PID 3192 wrote to memory of 2056	3192	Ax7hw73.exe	87
PID 3192 wrote to memory of 2056	3192	Ax7hw73.exe	87
PID 5052 wrote to memory of 3464	5052	AppLaunch.exe	89
PID 5052 wrote to memory of 3464	5052	AppLaunch.exe	89
PID 5052 wrote to memory of 3464	5052	AppLaunch.exe	89
PID 2056 wrote to memory of 4544	2056	2Lw6913.exe	90
PID 2056 wrote to memory of 4544	2056	2Lw6913.exe	90
PID 2056 wrote to memory of 4544	2056	2Lw6913.exe	90
PID 2056 wrote to memory of 1752	2056	2Lw6913.exe	93
PID 2056 wrote to memory of 1752	2056	2Lw6913.exe	93
PID 2056 wrote to memory of 1752	2056	2Lw6913.exe	93
PID 2056 wrote to memory of 2100	2056	2Lw6913.exe	95
PID 2056 wrote to memory of 2100	2056	2Lw6913.exe	95
PID 2056 wrote to memory of 2100	2056	2Lw6913.exe	95
PID 2056 wrote to memory of 2100	2056	2Lw6913.exe	95
PID 2056 wrote to memory of 2100	2056	2Lw6913.exe	95
PID 2056 wrote to memory of 2100	2056	2Lw6913.exe	95
PID 2056 wrote to memory of 2100	2056	2Lw6913.exe	95
PID 2056 wrote to memory of 2100	2056	2Lw6913.exe	95
PID 3824 wrote to memory of 5116	3824	04a0e650872d7846563cdcc0dd200fe4ab443abf6a07ee52486d24d18d6aba2d.exe	96
PID 3824 wrote to memory of 5116	3824	04a0e650872d7846563cdcc0dd200fe4ab443abf6a07ee52486d24d18d6aba2d.exe	96
PID 3824 wrote to memory of 5116	3824	04a0e650872d7846563cdcc0dd200fe4ab443abf6a07ee52486d24d18d6aba2d.exe	96
PID 5052 wrote to memory of 3540	5052	AppLaunch.exe	97
PID 5052 wrote to memory of 3540	5052	AppLaunch.exe	97
PID 5052 wrote to memory of 3540	5052	AppLaunch.exe	97

C:\Users\Admin\AppData\Local\Temp\04a0e650872d7846563cdcc0dd200fe4ab443abf6a07ee52486d24d18d6aba2d.exe
"C:\Users\Admin\AppData\Local\Temp\04a0e650872d7846563cdcc0dd200fe4ab443abf6a07ee52486d24d18d6aba2d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ax7hw73.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ax7hw73.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1GU36Hg3.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1GU36Hg3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Drops startup file
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:5052
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:3464
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:3540
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Lw6913.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Lw6913.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4544
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1752
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2100
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3RY29ZY.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3RY29ZY.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:5116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe

Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3RY29ZY.exe

Filesize
38KB

MD5
6de74d790957732ad4286b37c916ecc8

SHA1
7513d0d61c3cf465438f0da835587619b764e7ad

SHA256
bf7e28a91285d2d8780a1e9500b169990567eed902869a54272ed8929b9230b9

SHA512
5ff127849a3ded3a18da2180adeb1d4ac3cbac3b601aa770fc5b3f5de3faa1d647347bbc554310c7e27fe8302185b1dbbbbd66eefa381174e5f75b0373922990

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ax7hw73.exe

Filesize
966KB

MD5
197dc6ea355ffa77ad6f35918358167e

SHA1
e043a2e94c3f44352cce0c3c81804c2403656673

SHA256
4cf63499559d37753345b8f185b58a946b50bcd57378e617044f01ca32562102

SHA512
13097546c4a36b9d37983927006537dda3a6250201fd71f1e27a88c61fe4707316341c2f144f4fcef844a7aead2199078900aa542632865987842a093a00f856

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1GU36Hg3.exe

Filesize
1.6MB

MD5
9fdec9669237bf48150127ac4b38d665

SHA1
42ac8a807ae7f427fbcf888fba34e153da9e8939

SHA256
22fd7fda451c56372d0c27e29a89777791e618541d34350d65780504c91addc4

SHA512
2041823d562e1c5ab79b2919f17a7170d8972ade936ff919c57429072120f87e6feff1f0ef9031d04f0b0601edcd0065616be1e71481be47a708915f43fbfa50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Lw6913.exe

Filesize
401KB

MD5
26a76bfd58645c9ba017a3eede906221

SHA1
0f8ff57f441d1341e46c6d1ce9f542ff17654ffd

SHA256
a0bb30459799df7b8091572eb5b33a63580af63b8e01318425e722da0f52ec96

SHA512
5e49155061313a3e3a32f7d98ac222045e0d8a262a504d99b25230a9c28c4a2f6cf2da812d6fe24136b187d7967c6ba9dc7ce53322620221bc918fe513474626

Download Submit
memory/2100-47-0x0000000007BB0000-0x0000000007BC2000-memory.dmp

Filesize
72KB

Download
memory/2100-43-0x0000000007A90000-0x0000000007B22000-memory.dmp

Filesize
584KB

Download
memory/2100-48-0x0000000007D60000-0x0000000007D9C000-memory.dmp

Filesize
240KB

Download
memory/2100-34-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2100-49-0x0000000007DA0000-0x0000000007DEC000-memory.dmp

Filesize
304KB

Download
memory/2100-46-0x0000000007E30000-0x0000000007F3A000-memory.dmp

Filesize
1.0MB

Download
memory/2100-45-0x0000000008B70000-0x0000000009188000-memory.dmp

Filesize
6.1MB

Download
memory/2100-40-0x0000000007FA0000-0x0000000008544000-memory.dmp

Filesize
5.6MB

Download
memory/2100-44-0x0000000005000000-0x000000000500A000-memory.dmp

Filesize
40KB

Download
memory/5052-16-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/5052-42-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/5052-18-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/5052-15-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/5052-14-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/5116-39-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5116-38-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads