privateloader | 3bad5318d1eadf9f6d544fc5ed49c1e737fb2db130f60b70bab6f26392c87c30 | Triage

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 10:50 UTC

Sharing

Report Analysis Logs

General

Target

09d331a688384c2805b4ec4c498f7514d5a4bc6b953eff0ac62ec7820785b5e1.exe
Size

1.1MB
MD5

a27c8f92315fff917e750c7b89355067
SHA1

f65c7a885fddf4bf583dbab9bc512e789aaba54b
SHA256

09d331a688384c2805b4ec4c498f7514d5a4bc6b953eff0ac62ec7820785b5e1
SHA512

e73ce1b88e20897d61bb259b0ca7110684c734add5ca22f7ed919a9d1fe711dd42a2b58b4a8c359463e29720770ae2ec12d9853d6be390d2f0eafff828219364
SSDEEP

24576:eyHOpuii4QQInraJDD2qk1cFF7K6AFjv6ojMmDo9kQaYo:tHUi4QTraDD2qk1a0fzBVWx

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

C2

194.49.94.152:19053

Extracted

Family

risepro

C2

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3368-21-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3sL90Yq.exe

Executes dropped EXE 4 IoCs

pid	Process
5020	xy9Wu12.exe
3508	up9UQ42.exe
3496	2ax0352.exe
1568	3sL90Yq.exe

Adds Run key to start application 2 TTPs 4 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3sL90Yq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	09d331a688384c2805b4ec4c498f7514d5a4bc6b953eff0ac62ec7820785b5e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	xy9Wu12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	up9UQ42.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3496 set thread context of 3368	3496	2ax0352.exe	108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
4836	schtasks.exe
2172	schtasks.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 5020	1128	09d331a688384c2805b4ec4c498f7514d5a4bc6b953eff0ac62ec7820785b5e1.exe	90
PID 1128 wrote to memory of 5020	1128	09d331a688384c2805b4ec4c498f7514d5a4bc6b953eff0ac62ec7820785b5e1.exe	90
PID 1128 wrote to memory of 5020	1128	09d331a688384c2805b4ec4c498f7514d5a4bc6b953eff0ac62ec7820785b5e1.exe	90
PID 5020 wrote to memory of 3508	5020	xy9Wu12.exe	91
PID 5020 wrote to memory of 3508	5020	xy9Wu12.exe	91
PID 5020 wrote to memory of 3508	5020	xy9Wu12.exe	91
PID 3508 wrote to memory of 3496	3508	up9UQ42.exe	92
PID 3508 wrote to memory of 3496	3508	up9UQ42.exe	92
PID 3508 wrote to memory of 3496	3508	up9UQ42.exe	92
PID 3496 wrote to memory of 3368	3496	2ax0352.exe	108
PID 3496 wrote to memory of 3368	3496	2ax0352.exe	108
PID 3496 wrote to memory of 3368	3496	2ax0352.exe	108
PID 3496 wrote to memory of 3368	3496	2ax0352.exe	108
PID 3496 wrote to memory of 3368	3496	2ax0352.exe	108
PID 3496 wrote to memory of 3368	3496	2ax0352.exe	108
PID 3496 wrote to memory of 3368	3496	2ax0352.exe	108
PID 3496 wrote to memory of 3368	3496	2ax0352.exe	108
PID 3508 wrote to memory of 1568	3508	up9UQ42.exe	109
PID 3508 wrote to memory of 1568	3508	up9UQ42.exe	109
PID 3508 wrote to memory of 1568	3508	up9UQ42.exe	109
PID 1568 wrote to memory of 4836	1568	3sL90Yq.exe	110
PID 1568 wrote to memory of 4836	1568	3sL90Yq.exe	110
PID 1568 wrote to memory of 4836	1568	3sL90Yq.exe	110
PID 1568 wrote to memory of 2172	1568	3sL90Yq.exe	112
PID 1568 wrote to memory of 2172	1568	3sL90Yq.exe	112
PID 1568 wrote to memory of 2172	1568	3sL90Yq.exe	112

C:\Users\Admin\AppData\Local\Temp\09d331a688384c2805b4ec4c498f7514d5a4bc6b953eff0ac62ec7820785b5e1.exe
"C:\Users\Admin\AppData\Local\Temp\09d331a688384c2805b4ec4c498f7514d5a4bc6b953eff0ac62ec7820785b5e1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xy9Wu12.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xy9Wu12.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\up9UQ42.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\up9UQ42.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ax0352.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ax0352.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3496
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:3368
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3sL90Yq.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3sL90Yq.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1568
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:4836
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:2172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4572,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
1⤵
PID:4612

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

249.197.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

249.197.17.2.in-addr.arpa

IN PTR

Response

249.197.17.2.in-addr.arpa

IN PTR

a2-17-197-249deploystaticakamaitechnologiescom
DNS

138.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.32.126.40.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/th?id=OADD2.10239356736264_1E1NQW5LZ8SVSGPEK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

23.62.61.72:443

Request

GET /th?id=OADD2.10239356736264_1E1NQW5LZ8SVSGPEK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 999
date: Fri, 24 May 2024 10:55:06 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.443d3e17.1716548106.59f52e6
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

72.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.61.62.23.in-addr.arpa

IN PTR

Response

72.61.62.23.in-addr.arpa

IN PTR

a23-62-61-72deploystaticakamaitechnologiescom
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

21.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.236.111.52.in-addr.arpa

IN PTR

Response
DNS

240.197.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.197.17.2.in-addr.arpa

IN PTR

Response

240.197.17.2.in-addr.arpa

IN PTR

a2-17-197-240deploystaticakamaitechnologiescom
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR

Response
DNS

88.16.208.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.16.208.104.in-addr.arpa

IN PTR

Response

23.62.61.72:443

https://www.bing.com/th?id=OADD2.10239356736264_1E1NQW5LZ8SVSGPEK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.4kB
6.2kB
16
11

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239356736264_1E1NQW5LZ8SVSGPEK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
194.49.94.152:50500

3sL90Yq.exe

260 B
5
194.49.94.152:19053

AppLaunch.exe

260 B
5
194.49.94.152:50500

3sL90Yq.exe

260 B
5
194.49.94.152:19053

AppLaunch.exe

260 B
5
194.49.94.152:50500

3sL90Yq.exe

260 B
5
194.49.94.152:19053

AppLaunch.exe

260 B
5
194.49.94.152:50500

3sL90Yq.exe

260 B
5
194.49.94.152:19053

AppLaunch.exe

260 B
5
194.49.94.152:50500

3sL90Yq.exe

260 B
5
194.49.94.152:19053

AppLaunch.exe

260 B
5
194.49.94.152:50500

3sL90Yq.exe

260 B
5
194.49.94.152:50500

3sL90Yq.exe

156 B
3
194.49.94.152:19053

AppLaunch.exe

104 B
2

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

249.197.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

249.197.17.2.in-addr.arpa
8.8.8.8:53

138.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

138.32.126.40.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

72.61.62.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

72.61.62.23.in-addr.arpa
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

21.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

21.236.111.52.in-addr.arpa
8.8.8.8:53

240.197.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

240.197.17.2.in-addr.arpa
8.8.8.8:53

57.169.31.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

57.169.31.20.in-addr.arpa
8.8.8.8:53

88.16.208.104.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

88.16.208.104.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xy9Wu12.exe

Filesize
951KB

MD5
a9240895ad74b577be2ee119b6ce26b3

SHA1
08d4ed8edb3e31f28825e1d9569a420c364e82c9

SHA256
590781ab10dae129b785a23be4d59a1f2d8f009b5f1e36837b28476888a2cf6d

SHA512
575a7f2f3422b4b03729799d29611dcbcededfdba73bf7cf59fc01210d296baeaa4361bb41d0319faa1e74a6e1b139ea5179ab3f1679dda3224ed1250d2cfef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\up9UQ42.exe

Filesize
828KB

MD5
2db43090bdae85d7f7fb362871e06f50

SHA1
97337af110d5c0f19bf06ec791289bcb99eb9cef

SHA256
58becc941136b16ffc11fbbd32f8c7d974c1e9ba55b20eba908de3993a08f84f

SHA512
1e6a44527db294294474c5ef96c1d2781dc22ce7a3f7656da70f680bcac19e3320e8eb01f7fdb2bf3a56856a950549e777946e281e5163815515fd0c245f8a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ax0352.exe

Filesize
493KB

MD5
0c1e38c6de88c2c301d606e22cfddda6

SHA1
1027e56b9ec0d1e5ee38b288ad93112bc361ad91

SHA256
d3bee4ed07ba1d7e19eb809ff54293f23e15c75cc96a9300d1551d7c81caab7e

SHA512
c54a62b387ef4fb454131e7106352a065ed97558097bd342d5974352753285e8d60139ae6ae28bef8010d5abf29e8ed9c361880125a31b092345fc379d33170e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3sL90Yq.exe

Filesize
1.3MB

MD5
4a7fbc3312c329d8a1359b467fe3c39c

SHA1
6158f71b301bcebdd1149f0f2ea8c7620a45aa16

SHA256
89541d92fa8b702286107e3df24bf1397fe5811e55caf90a8127a76f732aff7e

SHA512
8ef55599ab59e7f1f2d40cdeee20fec633f79b744e2fda48bf22a34d46279456449899d8cd68c1bedf46a79866ced84c6aaa0b7df0d6d8f5e2169147517a3c14

Download Submit
memory/3368-32-0x0000000006E30000-0x0000000006EC2000-memory.dmp

Filesize
584KB

Download
memory/3368-31-0x0000000007340000-0x00000000078E4000-memory.dmp

Filesize
5.6MB

Download
memory/3368-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3368-34-0x0000000002240000-0x000000000224A000-memory.dmp

Filesize
40KB

Download
memory/3368-35-0x0000000007F10000-0x0000000008528000-memory.dmp

Filesize
6.1MB

Download
memory/3368-36-0x00000000078F0000-0x00000000079FA000-memory.dmp

Filesize
1.0MB

Download
memory/3368-37-0x0000000006F40000-0x0000000006F52000-memory.dmp

Filesize
72KB

Download
memory/3368-38-0x00000000071C0000-0x00000000071FC000-memory.dmp

Filesize
240KB

Download
memory/3368-39-0x0000000007200000-0x000000000724C000-memory.dmp

Filesize
304KB

Download