privateloader | 78044ff8f74edccd5579136ba1d670ce4f382444735c3885ab0542dd2b77ce63

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b88e4acc8b5bc7d78960ffffe70c54c5b2d30e7010e22306b70f7cc6b4629370.exe
Size

829KB
MD5

96a6440125d3f9fb6e325bc1e4b5bc88
SHA1

ad7c47b9c2dd836b2da0e0e012141f8d30906c22
SHA256

b88e4acc8b5bc7d78960ffffe70c54c5b2d30e7010e22306b70f7cc6b4629370
SHA512

b1b759316dcf09f46e55480f19a6d39b43cbae707037eb01d1c51cff5a700ab00d869e24a446d59d86eabdb8852a6b9943e82f43825dc00499c588e180c4fa11
SSDEEP

12288:fMrYy90gR2R2SMb01E22U7bbe1pT0w2urAy3DOA2L8oHhiCo3uMZAUIg:ryFR2qu/2U7sGyh2cPug

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral14/memory/2516-7-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3yh57xa.exe

Executes dropped EXE 2 IoCs

pid	Process
228	2sM8303.exe
4936	3yh57xa.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b88e4acc8b5bc7d78960ffffe70c54c5b2d30e7010e22306b70f7cc6b4629370.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3yh57xa.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 228 set thread context of 2516	228	2sM8303.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5084	schtasks.exe
1988	schtasks.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 444 wrote to memory of 228	444	b88e4acc8b5bc7d78960ffffe70c54c5b2d30e7010e22306b70f7cc6b4629370.exe	84
PID 444 wrote to memory of 228	444	b88e4acc8b5bc7d78960ffffe70c54c5b2d30e7010e22306b70f7cc6b4629370.exe	84
PID 444 wrote to memory of 228	444	b88e4acc8b5bc7d78960ffffe70c54c5b2d30e7010e22306b70f7cc6b4629370.exe	84
PID 228 wrote to memory of 2516	228	2sM8303.exe	97
PID 228 wrote to memory of 2516	228	2sM8303.exe	97
PID 228 wrote to memory of 2516	228	2sM8303.exe	97
PID 228 wrote to memory of 2516	228	2sM8303.exe	97
PID 228 wrote to memory of 2516	228	2sM8303.exe	97
PID 228 wrote to memory of 2516	228	2sM8303.exe	97
PID 228 wrote to memory of 2516	228	2sM8303.exe	97
PID 228 wrote to memory of 2516	228	2sM8303.exe	97
PID 444 wrote to memory of 4936	444	b88e4acc8b5bc7d78960ffffe70c54c5b2d30e7010e22306b70f7cc6b4629370.exe	98
PID 444 wrote to memory of 4936	444	b88e4acc8b5bc7d78960ffffe70c54c5b2d30e7010e22306b70f7cc6b4629370.exe	98
PID 444 wrote to memory of 4936	444	b88e4acc8b5bc7d78960ffffe70c54c5b2d30e7010e22306b70f7cc6b4629370.exe	98
PID 4936 wrote to memory of 1988	4936	3yh57xa.exe	99
PID 4936 wrote to memory of 1988	4936	3yh57xa.exe	99
PID 4936 wrote to memory of 1988	4936	3yh57xa.exe	99
PID 4936 wrote to memory of 5084	4936	3yh57xa.exe	101
PID 4936 wrote to memory of 5084	4936	3yh57xa.exe	101
PID 4936 wrote to memory of 5084	4936	3yh57xa.exe	101

C:\Users\Admin\AppData\Local\Temp\b88e4acc8b5bc7d78960ffffe70c54c5b2d30e7010e22306b70f7cc6b4629370.exe
"C:\Users\Admin\AppData\Local\Temp\b88e4acc8b5bc7d78960ffffe70c54c5b2d30e7010e22306b70f7cc6b4629370.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:444
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2sM8303.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2sM8303.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2516
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3yh57xa.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3yh57xa.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1988
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2sM8303.exe

Filesize
493KB

MD5
20c919da744f572b1dd1d8da292011d9

SHA1
74185b8c1c0cf13b46d6947ca46bc8a21cbb7502

SHA256
bcd4fa885268348178639e4ac4727ca6525aa4e53d429c4f714d280ee5eba16a

SHA512
09cd02d824aaf54b400c1481888c78ab41671539992b5b661958685df78637969fa5212d9ca87d1a1b8aa5efce6056dff37675436ee150b25be3e5b16d3f051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3yh57xa.exe

Filesize
1.3MB

MD5
b6d06fd8722f65bb8e4619ad2004c9f1

SHA1
76b92ae5bf607701676b2b3969b13dcd6f28507c

SHA256
000bbd0580b17516fd45dad5bc43fa4a93ca43225947db85e94296df89a77413

SHA512
d9dd530a397e869dec47dd4a12ffe5ebbf36a265df0f97191c5b1b95c32e9d3ac9decfe22d1ee893887b4d220e37daf1ef145784f497d6310a872501171eb27a

Download Submit
memory/2516-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2516-17-0x0000000007DA0000-0x0000000008344000-memory.dmp

Filesize
5.6MB

Download
memory/2516-19-0x00000000078A0000-0x0000000007932000-memory.dmp

Filesize
584KB

Download
memory/2516-20-0x0000000002D00000-0x0000000002D0A000-memory.dmp

Filesize
40KB

Download
memory/2516-21-0x0000000008970000-0x0000000008F88000-memory.dmp

Filesize
6.1MB

Download
memory/2516-22-0x0000000007C10000-0x0000000007D1A000-memory.dmp

Filesize
1.0MB

Download
memory/2516-23-0x00000000079A0000-0x00000000079B2000-memory.dmp

Filesize
72KB

Download
memory/2516-24-0x0000000007B00000-0x0000000007B3C000-memory.dmp

Filesize
240KB

Download
memory/2516-25-0x0000000007B40000-0x0000000007B8C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads