privateloader | 5eb722b1af29eaaa64b029ffc54dddae92acbb9c1b778b6bc51551329ed241e8

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0c5f5c327d3c5cad19261fe1e5c8af4374da45c48236a7064c548a425e23a0e.exe
Size

2.7MB
MD5

f67f35ac7610cbe97a565edb1bb21888
SHA1

b1e29296bf2ce79986ce6a6e838cec54674b41a6
SHA256

d0c5f5c327d3c5cad19261fe1e5c8af4374da45c48236a7064c548a425e23a0e
SHA512

51cbe2476a144e6627ba4b255e34356474a5b8767bf3771a452bb2842149d04fa77332165e42bbce8868d70d7e9336332456efbcb21c725c10c8d9d728a8513a
SSDEEP

49152:XDCyB8KcRG7A2LrmPovoLFXU44EMT7OGxV8vFamCkRyNo+n8a:ZO1G7A2LcowLqPEC7Oe8vAmCkwn9

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral19/memory/3904-28-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3be78vH.exe

Executes dropped EXE 5 IoCs

pid	Process
3700	pt1jj85.exe
4132	wL8lv90.exe
3076	KN6aQ97.exe
1196	2iB8864.exe
2596	3be78vH.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d0c5f5c327d3c5cad19261fe1e5c8af4374da45c48236a7064c548a425e23a0e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	pt1jj85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	wL8lv90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	KN6aQ97.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3be78vH.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1196 set thread context of 3904	1196	2iB8864.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2912	schtasks.exe
2952	schtasks.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 3700	3496	d0c5f5c327d3c5cad19261fe1e5c8af4374da45c48236a7064c548a425e23a0e.exe	83
PID 3496 wrote to memory of 3700	3496	d0c5f5c327d3c5cad19261fe1e5c8af4374da45c48236a7064c548a425e23a0e.exe	83
PID 3496 wrote to memory of 3700	3496	d0c5f5c327d3c5cad19261fe1e5c8af4374da45c48236a7064c548a425e23a0e.exe	83
PID 3700 wrote to memory of 4132	3700	pt1jj85.exe	85
PID 3700 wrote to memory of 4132	3700	pt1jj85.exe	85
PID 3700 wrote to memory of 4132	3700	pt1jj85.exe	85
PID 4132 wrote to memory of 3076	4132	wL8lv90.exe	86
PID 4132 wrote to memory of 3076	4132	wL8lv90.exe	86
PID 4132 wrote to memory of 3076	4132	wL8lv90.exe	86
PID 3076 wrote to memory of 1196	3076	KN6aQ97.exe	87
PID 3076 wrote to memory of 1196	3076	KN6aQ97.exe	87
PID 3076 wrote to memory of 1196	3076	KN6aQ97.exe	87
PID 1196 wrote to memory of 3904	1196	2iB8864.exe	100
PID 1196 wrote to memory of 3904	1196	2iB8864.exe	100
PID 1196 wrote to memory of 3904	1196	2iB8864.exe	100
PID 1196 wrote to memory of 3904	1196	2iB8864.exe	100
PID 1196 wrote to memory of 3904	1196	2iB8864.exe	100
PID 1196 wrote to memory of 3904	1196	2iB8864.exe	100
PID 1196 wrote to memory of 3904	1196	2iB8864.exe	100
PID 1196 wrote to memory of 3904	1196	2iB8864.exe	100
PID 3076 wrote to memory of 2596	3076	KN6aQ97.exe	101
PID 3076 wrote to memory of 2596	3076	KN6aQ97.exe	101
PID 3076 wrote to memory of 2596	3076	KN6aQ97.exe	101
PID 2596 wrote to memory of 2912	2596	3be78vH.exe	102
PID 2596 wrote to memory of 2912	2596	3be78vH.exe	102
PID 2596 wrote to memory of 2912	2596	3be78vH.exe	102
PID 2596 wrote to memory of 2952	2596	3be78vH.exe	104
PID 2596 wrote to memory of 2952	2596	3be78vH.exe	104
PID 2596 wrote to memory of 2952	2596	3be78vH.exe	104

C:\Users\Admin\AppData\Local\Temp\d0c5f5c327d3c5cad19261fe1e5c8af4374da45c48236a7064c548a425e23a0e.exe
"C:\Users\Admin\AppData\Local\Temp\d0c5f5c327d3c5cad19261fe1e5c8af4374da45c48236a7064c548a425e23a0e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pt1jj85.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pt1jj85.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wL8lv90.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wL8lv90.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KN6aQ97.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KN6aQ97.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3076
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iB8864.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iB8864.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1196
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3904
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3be78vH.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3be78vH.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:2912
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pt1jj85.exe

Filesize
2.2MB

MD5
856d53e39dfe9b19f16ddbcb7527ec1c

SHA1
c93bca96739f8c46e02e622659e056bd7f013903

SHA256
2d8cde3148a5cf90d740ca95624e990f56e2d543aa387cb688d0286d36d69f9c

SHA512
682e9bfaf985da40d5ede1093638631c92a49e5194653449c1d7e25ed2a21db5c6974f3b58fc76c5d570a7886fb81562769803101faa3dfdc4cff8a8dd357530

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wL8lv90.exe

Filesize
1.2MB

MD5
4ff5123767d84fe552518b31a0cfb73d

SHA1
b3d146e7ec87b7b898b747edfc0f46201ab61e69

SHA256
47fc49574d1b3be00ad09eb0085f9b898cfc112e7bc398245b0c29438a579257

SHA512
a4efb4800a7f0f43fc8fb661e10e241f5c7071bff14953c208248826159d2250a1f111fe8bbee20082f8c4f9aad6c5981f10ca79d9b25ba399a08e7c359ed62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KN6aQ97.exe

Filesize
1.1MB

MD5
6980c1088a0a2c4cee438e328613242e

SHA1
d18ec494cd93ccfdba62c992b2d3c33298e15862

SHA256
8e873a2c8996f82b8074895af909e112f554ec03aff012db4adcfa9fa93a3ff9

SHA512
e00b24582f8f231be5262fd0b1f934823b472091d29687e840945bff9e42265f10d99ea5b9d971401895325961dd9615bfb4ff6ce2b3982e1f9023a70c44be4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iB8864.exe

Filesize
1.9MB

MD5
a760819157daf3eb6ed2eb5cf1c1542d

SHA1
bbdee89a84d7a1e34c4fb89ee89f891eeca23cf7

SHA256
42965b93b3381a67782d1162777f6a7e4cab72ede66081d648c8608acc330983

SHA512
46a9576cd80316229c226367232f66f2e170ebaa60cf2b25128e392016c611c0f555354d3e216574e860f6307be40aed533cc2cc60b192a8e751cf229c97312d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3be78vH.exe

Filesize
1.3MB

MD5
b3494ab8d5b48563caef32cd4c31d81e

SHA1
0fe13a913168c3855ea9516203b960e7f0a19bf7

SHA256
75d8bf7d6c3ec973b0df24372060410c08dcc92db4f9602fb63b9e421f8b9fe7

SHA512
058aa10967eaf4f1344cea8bcc396d5cff4482dc97f64bcd957b63f83015e670e51e28525b048d8477aa4ebe486c19620c333b91df95a79a8fbbb29bd1c4ea47

Download Submit
memory/3904-38-0x0000000007F90000-0x0000000008534000-memory.dmp

Filesize
5.6MB

Download
memory/3904-28-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3904-39-0x0000000007A80000-0x0000000007B12000-memory.dmp

Filesize
584KB

Download
memory/3904-41-0x0000000002E30000-0x0000000002E3A000-memory.dmp

Filesize
40KB

Download
memory/3904-42-0x0000000008B60000-0x0000000009178000-memory.dmp

Filesize
6.1MB

Download
memory/3904-43-0x0000000007E00000-0x0000000007F0A000-memory.dmp

Filesize
1.0MB

Download
memory/3904-44-0x0000000007A60000-0x0000000007A72000-memory.dmp

Filesize
72KB

Download
memory/3904-45-0x0000000007B60000-0x0000000007B9C000-memory.dmp

Filesize
240KB

Download
memory/3904-46-0x0000000007BA0000-0x0000000007BEC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads