privateloader | 9874024432d4a4dc4017d0ebf9773eaea78b9aea747dfbe995938af4b572eb38

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15bb5ac797303fa462001ce5fd88a7bfc4702cd65f0a1768f9b994f6495a49dd.exe
Size

1.1MB
MD5

5452b94dde083093d8e942c9a2807354
SHA1

423f9d52c1a7a369cc48400d83ffd558b99d918d
SHA256

15bb5ac797303fa462001ce5fd88a7bfc4702cd65f0a1768f9b994f6495a49dd
SHA512

951a9d584fd98e161849b78145cb4e2ca6130c7a98b89c06e54b067bebc79d65bdf80311e5b42af67a679fd66727370d189f3b496b1df9e1e3feaf7b1f8ba19c
SSDEEP

24576:SybMeEolioKBv2E6m/ci9MaEbID2Qhk+S3R0:5bIolbKZD6JdtbI6G/S3

Score

10^/10

privateloader redline risepro smokeloader horda backdoor infostealer loader persistence stealer trojan

Malware Config

Extracted

Family

risepro

194.49.94.152

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral4/memory/2268-34-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Drops startup file 1 IoCs

Processes:

AppLaunch.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk AppLaunch.exe
Executes dropped EXE 4 IoCs

Processes:

eC4IU88.exe1pl18rs2.exe2tC5993.exe3Cs62IB.exe

pid process

4448 eC4IU88.exe
2288 1pl18rs2.exe
2420 2tC5993.exe
3236 3Cs62IB.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	AppLaunch.exe

pid	process
4448	eC4IU88.exe
2288	1pl18rs2.exe
2420	2tC5993.exe
3236	3Cs62IB.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

15bb5ac797303fa462001ce5fd88a7bfc4702cd65f0a1768f9b994f6495a49dd.exeeC4IU88.exeAppLaunch.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	15bb5ac797303fa462001ce5fd88a7bfc4702cd65f0a1768f9b994f6495a49dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	eC4IU88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	AppLaunch.exe

Drops file in System32 directory 4 IoCs

Processes:

AppLaunch.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	AppLaunch.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	AppLaunch.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	AppLaunch.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1pl18rs2.exe2tC5993.exe

description	pid	process	target process
PID 2288 set thread context of 1964	2288	1pl18rs2.exe	AppLaunch.exe
PID 2420 set thread context of 2268	2420	2tC5993.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3Cs62IB.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Cs62IB.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Cs62IB.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Cs62IB.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

436 schtasks.exe
2872 schtasks.exe

pid	process
436	schtasks.exe
2872	schtasks.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

15bb5ac797303fa462001ce5fd88a7bfc4702cd65f0a1768f9b994f6495a49dd.exeeC4IU88.exe1pl18rs2.exeAppLaunch.exe2tC5993.exe

description	pid	process	target process
PID 1776 wrote to memory of 4448	1776	15bb5ac797303fa462001ce5fd88a7bfc4702cd65f0a1768f9b994f6495a49dd.exe	eC4IU88.exe
PID 1776 wrote to memory of 4448	1776	15bb5ac797303fa462001ce5fd88a7bfc4702cd65f0a1768f9b994f6495a49dd.exe	eC4IU88.exe
PID 1776 wrote to memory of 4448	1776	15bb5ac797303fa462001ce5fd88a7bfc4702cd65f0a1768f9b994f6495a49dd.exe	eC4IU88.exe
PID 4448 wrote to memory of 2288	4448	eC4IU88.exe	1pl18rs2.exe
PID 4448 wrote to memory of 2288	4448	eC4IU88.exe	1pl18rs2.exe
PID 4448 wrote to memory of 2288	4448	eC4IU88.exe	1pl18rs2.exe
PID 2288 wrote to memory of 4188	2288	1pl18rs2.exe	AppLaunch.exe
PID 2288 wrote to memory of 4188	2288	1pl18rs2.exe	AppLaunch.exe
PID 2288 wrote to memory of 4188	2288	1pl18rs2.exe	AppLaunch.exe
PID 2288 wrote to memory of 1964	2288	1pl18rs2.exe	AppLaunch.exe
PID 2288 wrote to memory of 1964	2288	1pl18rs2.exe	AppLaunch.exe
PID 2288 wrote to memory of 1964	2288	1pl18rs2.exe	AppLaunch.exe
PID 2288 wrote to memory of 1964	2288	1pl18rs2.exe	AppLaunch.exe
PID 2288 wrote to memory of 1964	2288	1pl18rs2.exe	AppLaunch.exe
PID 2288 wrote to memory of 1964	2288	1pl18rs2.exe	AppLaunch.exe
PID 2288 wrote to memory of 1964	2288	1pl18rs2.exe	AppLaunch.exe
PID 2288 wrote to memory of 1964	2288	1pl18rs2.exe	AppLaunch.exe
PID 2288 wrote to memory of 1964	2288	1pl18rs2.exe	AppLaunch.exe
PID 2288 wrote to memory of 1964	2288	1pl18rs2.exe	AppLaunch.exe
PID 4448 wrote to memory of 2420	4448	eC4IU88.exe	2tC5993.exe
PID 4448 wrote to memory of 2420	4448	eC4IU88.exe	2tC5993.exe
PID 4448 wrote to memory of 2420	4448	eC4IU88.exe	2tC5993.exe
PID 1964 wrote to memory of 436	1964	AppLaunch.exe	schtasks.exe
PID 1964 wrote to memory of 436	1964	AppLaunch.exe	schtasks.exe
PID 1964 wrote to memory of 436	1964	AppLaunch.exe	schtasks.exe
PID 2420 wrote to memory of 2268	2420	2tC5993.exe	AppLaunch.exe
PID 2420 wrote to memory of 2268	2420	2tC5993.exe	AppLaunch.exe
PID 2420 wrote to memory of 2268	2420	2tC5993.exe	AppLaunch.exe
PID 2420 wrote to memory of 2268	2420	2tC5993.exe	AppLaunch.exe
PID 2420 wrote to memory of 2268	2420	2tC5993.exe	AppLaunch.exe
PID 2420 wrote to memory of 2268	2420	2tC5993.exe	AppLaunch.exe
PID 2420 wrote to memory of 2268	2420	2tC5993.exe	AppLaunch.exe
PID 2420 wrote to memory of 2268	2420	2tC5993.exe	AppLaunch.exe
PID 1776 wrote to memory of 3236	1776	15bb5ac797303fa462001ce5fd88a7bfc4702cd65f0a1768f9b994f6495a49dd.exe	3Cs62IB.exe
PID 1776 wrote to memory of 3236	1776	15bb5ac797303fa462001ce5fd88a7bfc4702cd65f0a1768f9b994f6495a49dd.exe	3Cs62IB.exe
PID 1776 wrote to memory of 3236	1776	15bb5ac797303fa462001ce5fd88a7bfc4702cd65f0a1768f9b994f6495a49dd.exe	3Cs62IB.exe
PID 1964 wrote to memory of 2872	1964	AppLaunch.exe	schtasks.exe
PID 1964 wrote to memory of 2872	1964	AppLaunch.exe	schtasks.exe
PID 1964 wrote to memory of 2872	1964	AppLaunch.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\15bb5ac797303fa462001ce5fd88a7bfc4702cd65f0a1768f9b994f6495a49dd.exe
"C:\Users\Admin\AppData\Local\Temp\15bb5ac797303fa462001ce5fd88a7bfc4702cd65f0a1768f9b994f6495a49dd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC4IU88.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC4IU88.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1pl18rs2.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1pl18rs2.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4188
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Drops startup file
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1964
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:436
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:2872
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2tC5993.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2tC5993.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2268
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Cs62IB.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Cs62IB.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:3236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe

Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Cs62IB.exe

Filesize
38KB

MD5
05b147e7dba9efd735659a12b8adf8a1

SHA1
3e35f3f62731d8ae5b7e5d0def47e4f26f6f7524

SHA256
872bf4502b417a19b406b4e5f7e9f49ae66c9862d81083df8e3468560f3986df

SHA512
c645ddafbdcc6c7b3fb948252edd7a04964195b3eed9e7424ce4b26424ccbc0a3320bd96444e5a2bbf3272e19c9aefdbd2935090026c494ad208e45039469cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC4IU88.exe

Filesize
966KB

MD5
6bf9a2c5e5e624527a96ee96c9220198

SHA1
044ae282d6eb4c71ec7dc792376bada2dad5d27f

SHA256
bf00582df4ee43bffd1ce11b8ecd824c08f647248118715ada47bf5ad06e900c

SHA512
a428b99b7d39edf6e79763cfdfe47f3592e6794c298b6aabbfd5652ab752dc4e072aea4ea3dc2bb3a3b891a7e90e13a5e962bb95628fd2ade959d79b87698bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1pl18rs2.exe

Filesize
1.6MB

MD5
938aa589f01bf591e63a4bdb67f86e25

SHA1
414d38967534f7eaabfd932ddc03f5375590764e

SHA256
c6ac039e233b46cdc9d86a56f9514e0273c7a6315cdf0b8d349fcc70218f7a8d

SHA512
42b7381e782e08acaaf0ad2d4757e1c64f3c4f0b7fb42f2fbbfa8a78ed6aa82bac61d61f4d3bd67737c60aef08e3a9cd0c957dd521e7ef24b3001de395d860f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2tC5993.exe

Filesize
401KB

MD5
38d31f559b3f20b81d66ac94b0fe5b4d

SHA1
7887d753be29e2e533f3e0185f2881b793e2d9af

SHA256
98074ef529bd61ce1381f7cdaefd5b0a0059af88b222fca767ebe464767918b3

SHA512
acfd46a3a5a6beadc5c422acb7cef353102f422297362f875adfcf43881310c034efabae683efaeb120a297008b3b71576d6bac622f046974b1a8a956e1b6217

Download Submit
memory/1964-40-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/1964-14-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/1964-15-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/1964-16-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/1964-18-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/2268-44-0x0000000008670000-0x0000000008C88000-memory.dmp

Filesize
6.1MB

Download
memory/2268-41-0x0000000007AA0000-0x0000000008044000-memory.dmp

Filesize
5.6MB

Download
memory/2268-42-0x00000000075D0000-0x0000000007662000-memory.dmp

Filesize
584KB

Download
memory/2268-43-0x0000000002B20000-0x0000000002B2A000-memory.dmp

Filesize
40KB

Download
memory/2268-34-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2268-45-0x00000000078E0000-0x00000000079EA000-memory.dmp

Filesize
1.0MB

Download
memory/2268-46-0x0000000007810000-0x0000000007822000-memory.dmp

Filesize
72KB

Download
memory/2268-47-0x0000000007870000-0x00000000078AC000-memory.dmp

Filesize
240KB

Download
memory/2268-48-0x00000000079F0000-0x0000000007A3C000-memory.dmp

Filesize
304KB

Download
memory/3236-37-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3236-49-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download