privateloader | 5eb722b1af29eaaa64b029ffc54dddae92acbb9c1b778b6bc51551329ed241e8

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0c5f5c327d3c5cad19261fe1e5c8af4374da45c48236a7064c548a425e23a0e.exe
Size

2.7MB
MD5

f67f35ac7610cbe97a565edb1bb21888
SHA1

b1e29296bf2ce79986ce6a6e838cec54674b41a6
SHA256

d0c5f5c327d3c5cad19261fe1e5c8af4374da45c48236a7064c548a425e23a0e
SHA512

51cbe2476a144e6627ba4b255e34356474a5b8767bf3771a452bb2842149d04fa77332165e42bbce8868d70d7e9336332456efbcb21c725c10c8d9d728a8513a
SSDEEP

49152:XDCyB8KcRG7A2LrmPovoLFXU44EMT7OGxV8vFamCkRyNo+n8a:ZO1G7A2LcowLqPEC7Oe8vAmCkwn9

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral19/memory/3564-28-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

3be78vH.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 3be78vH.exe
Executes dropped EXE 5 IoCs

Processes:

pt1jj85.exewL8lv90.exeKN6aQ97.exe2iB8864.exe3be78vH.exe

pid process

3556 pt1jj85.exe
452 wL8lv90.exe
3324 KN6aQ97.exe
3356 2iB8864.exe
3420 3be78vH.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3be78vH.exe

pid	process
3556	pt1jj85.exe
452	wL8lv90.exe
3324	KN6aQ97.exe
3356	2iB8864.exe
3420	3be78vH.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wL8lv90.exeKN6aQ97.exe3be78vH.exed0c5f5c327d3c5cad19261fe1e5c8af4374da45c48236a7064c548a425e23a0e.exept1jj85.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	wL8lv90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	KN6aQ97.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3be78vH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d0c5f5c327d3c5cad19261fe1e5c8af4374da45c48236a7064c548a425e23a0e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	pt1jj85.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2iB8864.exe

description pid process target process

PID 3356 set thread context of 3564 3356 2iB8864.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2832 schtasks.exe
5064 schtasks.exe

description	pid	process	target process
PID 3356 set thread context of 3564	3356	2iB8864.exe	AppLaunch.exe

pid	process
2832	schtasks.exe
5064	schtasks.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

d0c5f5c327d3c5cad19261fe1e5c8af4374da45c48236a7064c548a425e23a0e.exept1jj85.exewL8lv90.exeKN6aQ97.exe2iB8864.exe3be78vH.exe

description	pid	process	target process
PID 4868 wrote to memory of 3556	4868	d0c5f5c327d3c5cad19261fe1e5c8af4374da45c48236a7064c548a425e23a0e.exe	pt1jj85.exe
PID 4868 wrote to memory of 3556	4868	d0c5f5c327d3c5cad19261fe1e5c8af4374da45c48236a7064c548a425e23a0e.exe	pt1jj85.exe
PID 4868 wrote to memory of 3556	4868	d0c5f5c327d3c5cad19261fe1e5c8af4374da45c48236a7064c548a425e23a0e.exe	pt1jj85.exe
PID 3556 wrote to memory of 452	3556	pt1jj85.exe	wL8lv90.exe
PID 3556 wrote to memory of 452	3556	pt1jj85.exe	wL8lv90.exe
PID 3556 wrote to memory of 452	3556	pt1jj85.exe	wL8lv90.exe
PID 452 wrote to memory of 3324	452	wL8lv90.exe	KN6aQ97.exe
PID 452 wrote to memory of 3324	452	wL8lv90.exe	KN6aQ97.exe
PID 452 wrote to memory of 3324	452	wL8lv90.exe	KN6aQ97.exe
PID 3324 wrote to memory of 3356	3324	KN6aQ97.exe	2iB8864.exe
PID 3324 wrote to memory of 3356	3324	KN6aQ97.exe	2iB8864.exe
PID 3324 wrote to memory of 3356	3324	KN6aQ97.exe	2iB8864.exe
PID 3356 wrote to memory of 3564	3356	2iB8864.exe	AppLaunch.exe
PID 3356 wrote to memory of 3564	3356	2iB8864.exe	AppLaunch.exe
PID 3356 wrote to memory of 3564	3356	2iB8864.exe	AppLaunch.exe
PID 3356 wrote to memory of 3564	3356	2iB8864.exe	AppLaunch.exe
PID 3356 wrote to memory of 3564	3356	2iB8864.exe	AppLaunch.exe
PID 3356 wrote to memory of 3564	3356	2iB8864.exe	AppLaunch.exe
PID 3356 wrote to memory of 3564	3356	2iB8864.exe	AppLaunch.exe
PID 3356 wrote to memory of 3564	3356	2iB8864.exe	AppLaunch.exe
PID 3324 wrote to memory of 3420	3324	KN6aQ97.exe	3be78vH.exe
PID 3324 wrote to memory of 3420	3324	KN6aQ97.exe	3be78vH.exe
PID 3324 wrote to memory of 3420	3324	KN6aQ97.exe	3be78vH.exe
PID 3420 wrote to memory of 2832	3420	3be78vH.exe	schtasks.exe
PID 3420 wrote to memory of 2832	3420	3be78vH.exe	schtasks.exe
PID 3420 wrote to memory of 2832	3420	3be78vH.exe	schtasks.exe
PID 3420 wrote to memory of 5064	3420	3be78vH.exe	schtasks.exe
PID 3420 wrote to memory of 5064	3420	3be78vH.exe	schtasks.exe
PID 3420 wrote to memory of 5064	3420	3be78vH.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\d0c5f5c327d3c5cad19261fe1e5c8af4374da45c48236a7064c548a425e23a0e.exe
"C:\Users\Admin\AppData\Local\Temp\d0c5f5c327d3c5cad19261fe1e5c8af4374da45c48236a7064c548a425e23a0e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pt1jj85.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pt1jj85.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wL8lv90.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wL8lv90.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KN6aQ97.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KN6aQ97.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3324
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iB8864.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iB8864.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3356
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3564
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3be78vH.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3be78vH.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3420
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:2832
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:5064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3980 /prefetch:8
1⤵
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pt1jj85.exe

Filesize
2.2MB

MD5
856d53e39dfe9b19f16ddbcb7527ec1c

SHA1
c93bca96739f8c46e02e622659e056bd7f013903

SHA256
2d8cde3148a5cf90d740ca95624e990f56e2d543aa387cb688d0286d36d69f9c

SHA512
682e9bfaf985da40d5ede1093638631c92a49e5194653449c1d7e25ed2a21db5c6974f3b58fc76c5d570a7886fb81562769803101faa3dfdc4cff8a8dd357530

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wL8lv90.exe

Filesize
1.2MB

MD5
4ff5123767d84fe552518b31a0cfb73d

SHA1
b3d146e7ec87b7b898b747edfc0f46201ab61e69

SHA256
47fc49574d1b3be00ad09eb0085f9b898cfc112e7bc398245b0c29438a579257

SHA512
a4efb4800a7f0f43fc8fb661e10e241f5c7071bff14953c208248826159d2250a1f111fe8bbee20082f8c4f9aad6c5981f10ca79d9b25ba399a08e7c359ed62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KN6aQ97.exe

Filesize
1.1MB

MD5
6980c1088a0a2c4cee438e328613242e

SHA1
d18ec494cd93ccfdba62c992b2d3c33298e15862

SHA256
8e873a2c8996f82b8074895af909e112f554ec03aff012db4adcfa9fa93a3ff9

SHA512
e00b24582f8f231be5262fd0b1f934823b472091d29687e840945bff9e42265f10d99ea5b9d971401895325961dd9615bfb4ff6ce2b3982e1f9023a70c44be4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iB8864.exe

Filesize
1.9MB

MD5
a760819157daf3eb6ed2eb5cf1c1542d

SHA1
bbdee89a84d7a1e34c4fb89ee89f891eeca23cf7

SHA256
42965b93b3381a67782d1162777f6a7e4cab72ede66081d648c8608acc330983

SHA512
46a9576cd80316229c226367232f66f2e170ebaa60cf2b25128e392016c611c0f555354d3e216574e860f6307be40aed533cc2cc60b192a8e751cf229c97312d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3be78vH.exe

Filesize
1.3MB

MD5
b3494ab8d5b48563caef32cd4c31d81e

SHA1
0fe13a913168c3855ea9516203b960e7f0a19bf7

SHA256
75d8bf7d6c3ec973b0df24372060410c08dcc92db4f9602fb63b9e421f8b9fe7

SHA512
058aa10967eaf4f1344cea8bcc396d5cff4482dc97f64bcd957b63f83015e670e51e28525b048d8477aa4ebe486c19620c333b91df95a79a8fbbb29bd1c4ea47

Download Submit
memory/3564-38-0x0000000007B20000-0x00000000080C4000-memory.dmp

Filesize
5.6MB

Download
memory/3564-28-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3564-39-0x0000000007650000-0x00000000076E2000-memory.dmp

Filesize
584KB

Download
memory/3564-41-0x0000000002B30000-0x0000000002B3A000-memory.dmp

Filesize
40KB

Download
memory/3564-42-0x00000000086F0000-0x0000000008D08000-memory.dmp

Filesize
6.1MB

Download
memory/3564-43-0x00000000080D0000-0x00000000081DA000-memory.dmp

Filesize
1.0MB

Download
memory/3564-44-0x0000000007780000-0x0000000007792000-memory.dmp

Filesize
72KB

Download
memory/3564-45-0x0000000007900000-0x000000000793C000-memory.dmp

Filesize
240KB

Download
memory/3564-46-0x0000000007970000-0x00000000079BC000-memory.dmp

Filesize
304KB

Download