privateloader | 78044ff8f74edccd5579136ba1d670ce4f382444735c3885ab0542dd2b77ce63

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7343af258896b872f85a24f931bee9fc4d58298b4225602c4a002334ee484164.exe
Size

2.7MB
MD5

c5cdbbdd202788ff8fa33f596c4ccaee
SHA1

e832a2983baf87f37d193a2a678b94d33388471d
SHA256

7343af258896b872f85a24f931bee9fc4d58298b4225602c4a002334ee484164
SHA512

851aa7fbf1cfe9478cd4b1945a5544774939cc3f2a382e4d2d154b3e0caf2cf25305871fd25eebb0e889234f9fb5247a88dccc00cadfcbfb639b936e54f6b886
SSDEEP

49152:1BewLNXu0gElU2JGxhn34DKD3HXSdsGj9Q9ytayBjrbElZjf3H/1vPG:KwLNXu01PGXKiXXSdsQiytT9bEfjv/12

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral6/memory/532-28-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3Vq11FO.exe

Executes dropped EXE 5 IoCs

pid	Process
2668	wW4yh73.exe
2956	JD9HQ64.exe
4528	Hb5un58.exe
1908	2yE1519.exe
8	3Vq11FO.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7343af258896b872f85a24f931bee9fc4d58298b4225602c4a002334ee484164.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	wW4yh73.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	JD9HQ64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Hb5un58.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3Vq11FO.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1908 set thread context of 532	1908	2yE1519.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2172	schtasks.exe
5092	schtasks.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 2668	4524	7343af258896b872f85a24f931bee9fc4d58298b4225602c4a002334ee484164.exe	82
PID 4524 wrote to memory of 2668	4524	7343af258896b872f85a24f931bee9fc4d58298b4225602c4a002334ee484164.exe	82
PID 4524 wrote to memory of 2668	4524	7343af258896b872f85a24f931bee9fc4d58298b4225602c4a002334ee484164.exe	82
PID 2668 wrote to memory of 2956	2668	wW4yh73.exe	83
PID 2668 wrote to memory of 2956	2668	wW4yh73.exe	83
PID 2668 wrote to memory of 2956	2668	wW4yh73.exe	83
PID 2956 wrote to memory of 4528	2956	JD9HQ64.exe	84
PID 2956 wrote to memory of 4528	2956	JD9HQ64.exe	84
PID 2956 wrote to memory of 4528	2956	JD9HQ64.exe	84
PID 4528 wrote to memory of 1908	4528	Hb5un58.exe	85
PID 4528 wrote to memory of 1908	4528	Hb5un58.exe	85
PID 4528 wrote to memory of 1908	4528	Hb5un58.exe	85
PID 1908 wrote to memory of 4132	1908	2yE1519.exe	94
PID 1908 wrote to memory of 4132	1908	2yE1519.exe	94
PID 1908 wrote to memory of 4132	1908	2yE1519.exe	94
PID 1908 wrote to memory of 532	1908	2yE1519.exe	95
PID 1908 wrote to memory of 532	1908	2yE1519.exe	95
PID 1908 wrote to memory of 532	1908	2yE1519.exe	95
PID 1908 wrote to memory of 532	1908	2yE1519.exe	95
PID 1908 wrote to memory of 532	1908	2yE1519.exe	95
PID 1908 wrote to memory of 532	1908	2yE1519.exe	95
PID 1908 wrote to memory of 532	1908	2yE1519.exe	95
PID 1908 wrote to memory of 532	1908	2yE1519.exe	95
PID 4528 wrote to memory of 8	4528	Hb5un58.exe	96
PID 4528 wrote to memory of 8	4528	Hb5un58.exe	96
PID 4528 wrote to memory of 8	4528	Hb5un58.exe	96
PID 8 wrote to memory of 2172	8	3Vq11FO.exe	97
PID 8 wrote to memory of 2172	8	3Vq11FO.exe	97
PID 8 wrote to memory of 2172	8	3Vq11FO.exe	97
PID 8 wrote to memory of 5092	8	3Vq11FO.exe	99
PID 8 wrote to memory of 5092	8	3Vq11FO.exe	99
PID 8 wrote to memory of 5092	8	3Vq11FO.exe	99

C:\Users\Admin\AppData\Local\Temp\7343af258896b872f85a24f931bee9fc4d58298b4225602c4a002334ee484164.exe
"C:\Users\Admin\AppData\Local\Temp\7343af258896b872f85a24f931bee9fc4d58298b4225602c4a002334ee484164.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wW4yh73.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wW4yh73.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JD9HQ64.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JD9HQ64.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hb5un58.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hb5un58.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4528
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yE1519.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yE1519.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1908
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4132
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:532
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Vq11FO.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Vq11FO.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:8
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:2172
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wW4yh73.exe

Filesize
2.2MB

MD5
5e7d22ce4a4bf08723fa70311da6e3ec

SHA1
25fe7bb5304184bc3fe99203b7ed2ced6bd48391

SHA256
e7bbc0204a3901f935a98e541f67c4a41ee41ebb7f886c9f7b4a25440e4af40a

SHA512
c53dde4ff66f14fc78cbd3b70a66382ff548e11dfeeb1744c5fd838b995329e3a0a135d418d4c94416fae2a1e25bb5f5ce4478dfc91da02f0e45b9955700913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JD9HQ64.exe

Filesize
1.2MB

MD5
cd08eb4119726a1ce480959ef948f145

SHA1
c6fa2ca19dd52ac0aabaf4a36336bc73a10a0983

SHA256
d3d10f8534d8dba0e5f87ed7b4477b4efb8f8070d2213f17f2fdcbc33a30638c

SHA512
7facc4ab82d463b0536c17f5cf7969e3639518fb28cd1cf84ae58d55269846caaa552168ea227d220730ea359259c7647932c0f976af61c3fb58df71e9e9d21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hb5un58.exe

Filesize
1.1MB

MD5
d60d6b62902d19a156a3cd1952b7e208

SHA1
ecaf08a060ec4dda7b1bd317b1054f5add9d4c13

SHA256
05ebbcba94ba04f042f19d6ac7a8309e855e2f3712d17922dd090558aeeff549

SHA512
0aa40d5e2d28f2f40ac073289f4361583e20832c9cac152fccd34480d4aefe39fd824e11dda2ff502977ee3ad34633580558a15bf1f6fdcb65e42cf329ec5923

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yE1519.exe

Filesize
1.9MB

MD5
8ef708b42e4cdce607dc5720c3738531

SHA1
e0e420cf0cb5bbe9d93535f267a7047a40428691

SHA256
c6716d89cd574425e12a8b9195b4cba9932c212ec7c9f2bab2546c1940ee8531

SHA512
3852010ed93bdde6bf8ee5c2b74362b10491807cf907f92277ab53e9307b1f48904deb6a8db542a332cb7f7d5d4bb2da80203577028eed64f97d8a65fd210a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Vq11FO.exe

Filesize
1.3MB

MD5
84f59f78ac277c10e1a4db1e3c623a32

SHA1
72feddb9ccd0c0c67537090589bffa8eb1fb7ce4

SHA256
264f8f963e1429e0bef8cc52421814294e77d20c5de77c606405240ac26136d4

SHA512
a290a285261f92ef857e7911356b10cd181ed9305f312aedd19188ec0b860fd0ca744a724857ae5d89a5ed590a20ce6057add919aef47a8cf82ed11312c213e9

Download Submit
memory/532-38-0x0000000007B60000-0x0000000008104000-memory.dmp

Filesize
5.6MB

Download
memory/532-28-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/532-39-0x0000000007690000-0x0000000007722000-memory.dmp

Filesize
584KB

Download
memory/532-41-0x0000000002BE0000-0x0000000002BEA000-memory.dmp

Filesize
40KB

Download
memory/532-42-0x0000000008730000-0x0000000008D48000-memory.dmp

Filesize
6.1MB

Download
memory/532-43-0x0000000008110000-0x000000000821A000-memory.dmp

Filesize
1.0MB

Download
memory/532-44-0x0000000007870000-0x0000000007882000-memory.dmp

Filesize
72KB

Download
memory/532-45-0x00000000078F0000-0x000000000792C000-memory.dmp

Filesize
240KB

Download
memory/532-46-0x0000000007930000-0x000000000797C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads