privateloader | 9874024432d4a4dc4017d0ebf9773eaea78b9aea747dfbe995938af4b572eb38

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93bee57b7167fba61070c22f0c719ebb27499c5ff106633260f340e4917cf741.exe
Size

1.1MB
MD5

58fbe2631b6d26d8eb1373d1b0f26a38
SHA1

aa924759ffbcd271588b7377a27cea3fe79f66f3
SHA256

93bee57b7167fba61070c22f0c719ebb27499c5ff106633260f340e4917cf741
SHA512

a0d72c2adae3f592268316d1ef117dd3f3d17ddfa616f2fb1a313a8c71683adc9ad7cf92f4b3ab0a370f0d9a15730a190443506220b23bc13877d901761fe373
SSDEEP

24576:myMppGdEcszyiSpAlNAj7m21oy0+F4+Z3P6d:1hdQGiSC8j79oy/P

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral15/memory/3964-21-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

3kY76da.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 3kY76da.exe
Executes dropped EXE 4 IoCs

Processes:

HY2Tw95.exePS4LJ88.exe2Qn2920.exe3kY76da.exe

pid process

1392 HY2Tw95.exe
3200 PS4LJ88.exe
1656 2Qn2920.exe
3628 3kY76da.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3kY76da.exe

pid	process
1392	HY2Tw95.exe
3200	PS4LJ88.exe
1656	2Qn2920.exe
3628	3kY76da.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

93bee57b7167fba61070c22f0c719ebb27499c5ff106633260f340e4917cf741.exeHY2Tw95.exePS4LJ88.exe3kY76da.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	93bee57b7167fba61070c22f0c719ebb27499c5ff106633260f340e4917cf741.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	HY2Tw95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	PS4LJ88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3kY76da.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2Qn2920.exe

description pid process target process

PID 1656 set thread context of 3964 1656 2Qn2920.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3020 1656 WerFault.exe 2Qn2920.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4848 schtasks.exe
2528 schtasks.exe

description	pid	process	target process
PID 1656 set thread context of 3964	1656	2Qn2920.exe	AppLaunch.exe

pid	pid_target	process	target process
3020	1656	WerFault.exe	2Qn2920.exe

pid	process
4848	schtasks.exe
2528	schtasks.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

93bee57b7167fba61070c22f0c719ebb27499c5ff106633260f340e4917cf741.exeHY2Tw95.exePS4LJ88.exe2Qn2920.exe3kY76da.exe

description	pid	process	target process
PID 3788 wrote to memory of 1392	3788	93bee57b7167fba61070c22f0c719ebb27499c5ff106633260f340e4917cf741.exe	HY2Tw95.exe
PID 3788 wrote to memory of 1392	3788	93bee57b7167fba61070c22f0c719ebb27499c5ff106633260f340e4917cf741.exe	HY2Tw95.exe
PID 3788 wrote to memory of 1392	3788	93bee57b7167fba61070c22f0c719ebb27499c5ff106633260f340e4917cf741.exe	HY2Tw95.exe
PID 1392 wrote to memory of 3200	1392	HY2Tw95.exe	PS4LJ88.exe
PID 1392 wrote to memory of 3200	1392	HY2Tw95.exe	PS4LJ88.exe
PID 1392 wrote to memory of 3200	1392	HY2Tw95.exe	PS4LJ88.exe
PID 3200 wrote to memory of 1656	3200	PS4LJ88.exe	2Qn2920.exe
PID 3200 wrote to memory of 1656	3200	PS4LJ88.exe	2Qn2920.exe
PID 3200 wrote to memory of 1656	3200	PS4LJ88.exe	2Qn2920.exe
PID 1656 wrote to memory of 3964	1656	2Qn2920.exe	AppLaunch.exe
PID 1656 wrote to memory of 3964	1656	2Qn2920.exe	AppLaunch.exe
PID 1656 wrote to memory of 3964	1656	2Qn2920.exe	AppLaunch.exe
PID 1656 wrote to memory of 3964	1656	2Qn2920.exe	AppLaunch.exe
PID 1656 wrote to memory of 3964	1656	2Qn2920.exe	AppLaunch.exe
PID 1656 wrote to memory of 3964	1656	2Qn2920.exe	AppLaunch.exe
PID 1656 wrote to memory of 3964	1656	2Qn2920.exe	AppLaunch.exe
PID 1656 wrote to memory of 3964	1656	2Qn2920.exe	AppLaunch.exe
PID 3200 wrote to memory of 3628	3200	PS4LJ88.exe	3kY76da.exe
PID 3200 wrote to memory of 3628	3200	PS4LJ88.exe	3kY76da.exe
PID 3200 wrote to memory of 3628	3200	PS4LJ88.exe	3kY76da.exe
PID 3628 wrote to memory of 4848	3628	3kY76da.exe	schtasks.exe
PID 3628 wrote to memory of 4848	3628	3kY76da.exe	schtasks.exe
PID 3628 wrote to memory of 4848	3628	3kY76da.exe	schtasks.exe
PID 3628 wrote to memory of 2528	3628	3kY76da.exe	schtasks.exe
PID 3628 wrote to memory of 2528	3628	3kY76da.exe	schtasks.exe
PID 3628 wrote to memory of 2528	3628	3kY76da.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\93bee57b7167fba61070c22f0c719ebb27499c5ff106633260f340e4917cf741.exe
"C:\Users\Admin\AppData\Local\Temp\93bee57b7167fba61070c22f0c719ebb27499c5ff106633260f340e4917cf741.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HY2Tw95.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HY2Tw95.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PS4LJ88.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PS4LJ88.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Qn2920.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Qn2920.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:3964
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 152
        5⤵
        Program crash
        
        PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3kY76da.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3kY76da.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3628
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:4848
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1656 -ip 1656
1⤵
PID:4144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HY2Tw95.exe

Filesize
935KB

MD5
715af9e0fa391a3d89c64a8c17441ca7

SHA1
fa139edca516b272b219dd23ff501ad075a29350

SHA256
fd64949d9133bba652eb8e11de0b5f198d4a7b6c9951de795e989e18d3c017a4

SHA512
1a7847882fb7bb6ce1db4366615fb1640f6831febfd1e8afded03ee84b7de84b6baafe5ab46db44050aa8907dacb7bebc7a58d2dbbf65f375f8708577c1e7eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PS4LJ88.exe

Filesize
810KB

MD5
b24d7df0e0bfa791f3a99e4528e9467b

SHA1
9bae7881e957679c6a9c17852178194007a75ce0

SHA256
a1b17fae66eb378bd1944cc86d1bcf13e33d2c15b691e2ea16b5c912abdcd96a

SHA512
78923c94012bde1f301cd35ff9d0e95c71a63c72b1a3eb0b0b39497d7b1d6782836fe9253535211c211028ec549c9115cc8cec9a39370be1a639a3a45711f10a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Qn2920.exe

Filesize
432KB

MD5
d4de764755bafc9310eb13c86a3d40ec

SHA1
70123c5f93e6a533719e8478e266eff88dd0eb38

SHA256
680bf8b502fb1d3ede6ee0870483e78f91a3809900b338cb870a8ea1cfc32584

SHA512
193eaf85f79a0758098ecbc7af861ebd35619b4004febebce23c7dd0563b0a43f51e3da7336f6c485dc3289648d05c9022bb3573c73d86522f720f5aa993c953

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3kY76da.exe

Filesize
1.3MB

MD5
f87f58e9f64b7cee2d55c18059f49eef

SHA1
b6fd66c89608f2a357cc026040e721c2ef6bfa5d

SHA256
7dcb0469d44b2e01bffdd0da57ad2cba3dcd144d7317cfd38c5b0d14ee39d059

SHA512
b208251d5424c5bac8d92b62de539ce3a9ff90b624372402d36b85c10f92a4a0e5c4e8291f5bdb3c363350b1ce362f1d97493d9de63968ce5dd2c45e61d2288b

Download Submit
memory/3964-24-0x0000000004C10000-0x0000000004C1A000-memory.dmp

Filesize
40KB

Download
memory/3964-23-0x00000000076A0000-0x0000000007732000-memory.dmp

Filesize
584KB

Download
memory/3964-22-0x0000000007BB0000-0x0000000008154000-memory.dmp

Filesize
5.6MB

Download
memory/3964-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3964-30-0x0000000008780000-0x0000000008D98000-memory.dmp

Filesize
6.1MB

Download
memory/3964-31-0x0000000008160000-0x000000000826A000-memory.dmp

Filesize
1.0MB

Download
memory/3964-32-0x00000000077D0000-0x00000000077E2000-memory.dmp

Filesize
72KB

Download
memory/3964-33-0x0000000007940000-0x000000000797C000-memory.dmp

Filesize
240KB

Download
memory/3964-38-0x00000000079C0000-0x0000000007A0C000-memory.dmp

Filesize
304KB

Download