privateloader | 3bad5318d1eadf9f6d544fc5ed49c1e737fb2db130f60b70bab6f26392c87c30

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09d331a688384c2805b4ec4c498f7514d5a4bc6b953eff0ac62ec7820785b5e1.exe
Size

1.1MB
MD5

a27c8f92315fff917e750c7b89355067
SHA1

f65c7a885fddf4bf583dbab9bc512e789aaba54b
SHA256

09d331a688384c2805b4ec4c498f7514d5a4bc6b953eff0ac62ec7820785b5e1
SHA512

e73ce1b88e20897d61bb259b0ca7110684c734add5ca22f7ed919a9d1fe711dd42a2b58b4a8c359463e29720770ae2ec12d9853d6be390d2f0eafff828219364
SSDEEP

24576:eyHOpuii4QQInraJDD2qk1cFF7K6AFjv6ojMmDo9kQaYo:tHUi4QTraDD2qk1a0fzBVWx

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3368-21-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

3sL90Yq.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 3sL90Yq.exe
Executes dropped EXE 4 IoCs

Processes:

xy9Wu12.exeup9UQ42.exe2ax0352.exe3sL90Yq.exe

pid process

5020 xy9Wu12.exe
3508 up9UQ42.exe
3496 2ax0352.exe
1568 3sL90Yq.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3sL90Yq.exe

pid	process
5020	xy9Wu12.exe
3508	up9UQ42.exe
3496	2ax0352.exe
1568	3sL90Yq.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3sL90Yq.exe09d331a688384c2805b4ec4c498f7514d5a4bc6b953eff0ac62ec7820785b5e1.exexy9Wu12.exeup9UQ42.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3sL90Yq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	09d331a688384c2805b4ec4c498f7514d5a4bc6b953eff0ac62ec7820785b5e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	xy9Wu12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	up9UQ42.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2ax0352.exe

description pid process target process

PID 3496 set thread context of 3368 3496 2ax0352.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4836 schtasks.exe
2172 schtasks.exe

description	pid	process	target process
PID 3496 set thread context of 3368	3496	2ax0352.exe	AppLaunch.exe

pid	process
4836	schtasks.exe
2172	schtasks.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

09d331a688384c2805b4ec4c498f7514d5a4bc6b953eff0ac62ec7820785b5e1.exexy9Wu12.exeup9UQ42.exe2ax0352.exe3sL90Yq.exe

description	pid	process	target process
PID 1128 wrote to memory of 5020	1128	09d331a688384c2805b4ec4c498f7514d5a4bc6b953eff0ac62ec7820785b5e1.exe	xy9Wu12.exe
PID 1128 wrote to memory of 5020	1128	09d331a688384c2805b4ec4c498f7514d5a4bc6b953eff0ac62ec7820785b5e1.exe	xy9Wu12.exe
PID 1128 wrote to memory of 5020	1128	09d331a688384c2805b4ec4c498f7514d5a4bc6b953eff0ac62ec7820785b5e1.exe	xy9Wu12.exe
PID 5020 wrote to memory of 3508	5020	xy9Wu12.exe	up9UQ42.exe
PID 5020 wrote to memory of 3508	5020	xy9Wu12.exe	up9UQ42.exe
PID 5020 wrote to memory of 3508	5020	xy9Wu12.exe	up9UQ42.exe
PID 3508 wrote to memory of 3496	3508	up9UQ42.exe	2ax0352.exe
PID 3508 wrote to memory of 3496	3508	up9UQ42.exe	2ax0352.exe
PID 3508 wrote to memory of 3496	3508	up9UQ42.exe	2ax0352.exe
PID 3496 wrote to memory of 3368	3496	2ax0352.exe	AppLaunch.exe
PID 3496 wrote to memory of 3368	3496	2ax0352.exe	AppLaunch.exe
PID 3496 wrote to memory of 3368	3496	2ax0352.exe	AppLaunch.exe
PID 3496 wrote to memory of 3368	3496	2ax0352.exe	AppLaunch.exe
PID 3496 wrote to memory of 3368	3496	2ax0352.exe	AppLaunch.exe
PID 3496 wrote to memory of 3368	3496	2ax0352.exe	AppLaunch.exe
PID 3496 wrote to memory of 3368	3496	2ax0352.exe	AppLaunch.exe
PID 3496 wrote to memory of 3368	3496	2ax0352.exe	AppLaunch.exe
PID 3508 wrote to memory of 1568	3508	up9UQ42.exe	3sL90Yq.exe
PID 3508 wrote to memory of 1568	3508	up9UQ42.exe	3sL90Yq.exe
PID 3508 wrote to memory of 1568	3508	up9UQ42.exe	3sL90Yq.exe
PID 1568 wrote to memory of 4836	1568	3sL90Yq.exe	schtasks.exe
PID 1568 wrote to memory of 4836	1568	3sL90Yq.exe	schtasks.exe
PID 1568 wrote to memory of 4836	1568	3sL90Yq.exe	schtasks.exe
PID 1568 wrote to memory of 2172	1568	3sL90Yq.exe	schtasks.exe
PID 1568 wrote to memory of 2172	1568	3sL90Yq.exe	schtasks.exe
PID 1568 wrote to memory of 2172	1568	3sL90Yq.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\09d331a688384c2805b4ec4c498f7514d5a4bc6b953eff0ac62ec7820785b5e1.exe
"C:\Users\Admin\AppData\Local\Temp\09d331a688384c2805b4ec4c498f7514d5a4bc6b953eff0ac62ec7820785b5e1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1128

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xy9Wu12.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xy9Wu12.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5020

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\up9UQ42.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\up9UQ42.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3508

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ax0352.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ax0352.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:3368

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3sL90Yq.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3sL90Yq.exe
4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
5⤵
- Creates scheduled task(s)
PID:4836

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
5⤵
- Creates scheduled task(s)
PID:2172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4572,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
1⤵
PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xy9Wu12.exe

Filesize
951KB

MD5
a9240895ad74b577be2ee119b6ce26b3

SHA1
08d4ed8edb3e31f28825e1d9569a420c364e82c9

SHA256
590781ab10dae129b785a23be4d59a1f2d8f009b5f1e36837b28476888a2cf6d

SHA512
575a7f2f3422b4b03729799d29611dcbcededfdba73bf7cf59fc01210d296baeaa4361bb41d0319faa1e74a6e1b139ea5179ab3f1679dda3224ed1250d2cfef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\up9UQ42.exe

Filesize
828KB

MD5
2db43090bdae85d7f7fb362871e06f50

SHA1
97337af110d5c0f19bf06ec791289bcb99eb9cef

SHA256
58becc941136b16ffc11fbbd32f8c7d974c1e9ba55b20eba908de3993a08f84f

SHA512
1e6a44527db294294474c5ef96c1d2781dc22ce7a3f7656da70f680bcac19e3320e8eb01f7fdb2bf3a56856a950549e777946e281e5163815515fd0c245f8a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ax0352.exe

Filesize
493KB

MD5
0c1e38c6de88c2c301d606e22cfddda6

SHA1
1027e56b9ec0d1e5ee38b288ad93112bc361ad91

SHA256
d3bee4ed07ba1d7e19eb809ff54293f23e15c75cc96a9300d1551d7c81caab7e

SHA512
c54a62b387ef4fb454131e7106352a065ed97558097bd342d5974352753285e8d60139ae6ae28bef8010d5abf29e8ed9c361880125a31b092345fc379d33170e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3sL90Yq.exe

Filesize
1.3MB

MD5
4a7fbc3312c329d8a1359b467fe3c39c

SHA1
6158f71b301bcebdd1149f0f2ea8c7620a45aa16

SHA256
89541d92fa8b702286107e3df24bf1397fe5811e55caf90a8127a76f732aff7e

SHA512
8ef55599ab59e7f1f2d40cdeee20fec633f79b744e2fda48bf22a34d46279456449899d8cd68c1bedf46a79866ced84c6aaa0b7df0d6d8f5e2169147517a3c14

Download Submit
memory/3368-32-0x0000000006E30000-0x0000000006EC2000-memory.dmp

Filesize
584KB

Download
memory/3368-31-0x0000000007340000-0x00000000078E4000-memory.dmp

Filesize
5.6MB

Download
memory/3368-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3368-34-0x0000000002240000-0x000000000224A000-memory.dmp

Filesize
40KB

Download
memory/3368-35-0x0000000007F10000-0x0000000008528000-memory.dmp

Filesize
6.1MB

Download
memory/3368-36-0x00000000078F0000-0x00000000079FA000-memory.dmp

Filesize
1.0MB

Download
memory/3368-37-0x0000000006F40000-0x0000000006F52000-memory.dmp

Filesize
72KB

Download
memory/3368-38-0x00000000071C0000-0x00000000071FC000-memory.dmp

Filesize
240KB

Download
memory/3368-39-0x0000000007200000-0x000000000724C000-memory.dmp

Filesize
304KB

Download