privateloader | 5eb722b1af29eaaa64b029ffc54dddae92acbb9c1b778b6bc51551329ed241e8

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26a2cda7a1e823b15014df6457ead29cc24ca1e9d7348e5f7ce65fac3e640998.exe
Size

1.3MB
MD5

86cbb67c990eec1b056fb82f113bebbf
SHA1

dc1ffa43dc573d580c698f8a350f33fbb7704a93
SHA256

26a2cda7a1e823b15014df6457ead29cc24ca1e9d7348e5f7ce65fac3e640998
SHA512

9f0752b57f62dd6f397c24c92d9efa143e603e10347f6114fbf41cfdeed0906f88eef1d6a8cdbcd88ca6e2e0c7b91ab6d897ca89830c4ff1ececaaf0df05e249
SSDEEP

24576:cyY2jqXwFqvrXZsVeppEX0tywAQWg+UZGfRhwcLXvRMKUPR:LxjqXwirSWY0tymRGdXpMLP

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/4692-21-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

3lh15Xn.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 3lh15Xn.exe
Executes dropped EXE 4 IoCs

Processes:

Vk6py32.exehL2LY94.exe2GJ7514.exe3lh15Xn.exe

pid process

1444 Vk6py32.exe
2376 hL2LY94.exe
1904 2GJ7514.exe
376 3lh15Xn.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3lh15Xn.exe

pid	process
1444	Vk6py32.exe
2376	hL2LY94.exe
1904	2GJ7514.exe
376	3lh15Xn.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

26a2cda7a1e823b15014df6457ead29cc24ca1e9d7348e5f7ce65fac3e640998.exeVk6py32.exehL2LY94.exe3lh15Xn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	26a2cda7a1e823b15014df6457ead29cc24ca1e9d7348e5f7ce65fac3e640998.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Vk6py32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	hL2LY94.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3lh15Xn.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2GJ7514.exe

description pid process target process

PID 1904 set thread context of 4692 1904 2GJ7514.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1836 1904 WerFault.exe 2GJ7514.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4852 schtasks.exe
4960 schtasks.exe

description	pid	process	target process
PID 1904 set thread context of 4692	1904	2GJ7514.exe	AppLaunch.exe

pid	pid_target	process	target process
1836	1904	WerFault.exe	2GJ7514.exe

pid	process
4852	schtasks.exe
4960	schtasks.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

26a2cda7a1e823b15014df6457ead29cc24ca1e9d7348e5f7ce65fac3e640998.exeVk6py32.exehL2LY94.exe2GJ7514.exe3lh15Xn.exe

description	pid	process	target process
PID 4484 wrote to memory of 1444	4484	26a2cda7a1e823b15014df6457ead29cc24ca1e9d7348e5f7ce65fac3e640998.exe	Vk6py32.exe
PID 4484 wrote to memory of 1444	4484	26a2cda7a1e823b15014df6457ead29cc24ca1e9d7348e5f7ce65fac3e640998.exe	Vk6py32.exe
PID 4484 wrote to memory of 1444	4484	26a2cda7a1e823b15014df6457ead29cc24ca1e9d7348e5f7ce65fac3e640998.exe	Vk6py32.exe
PID 1444 wrote to memory of 2376	1444	Vk6py32.exe	hL2LY94.exe
PID 1444 wrote to memory of 2376	1444	Vk6py32.exe	hL2LY94.exe
PID 1444 wrote to memory of 2376	1444	Vk6py32.exe	hL2LY94.exe
PID 2376 wrote to memory of 1904	2376	hL2LY94.exe	2GJ7514.exe
PID 2376 wrote to memory of 1904	2376	hL2LY94.exe	2GJ7514.exe
PID 2376 wrote to memory of 1904	2376	hL2LY94.exe	2GJ7514.exe
PID 1904 wrote to memory of 808	1904	2GJ7514.exe	AppLaunch.exe
PID 1904 wrote to memory of 808	1904	2GJ7514.exe	AppLaunch.exe
PID 1904 wrote to memory of 808	1904	2GJ7514.exe	AppLaunch.exe
PID 1904 wrote to memory of 4692	1904	2GJ7514.exe	AppLaunch.exe
PID 1904 wrote to memory of 4692	1904	2GJ7514.exe	AppLaunch.exe
PID 1904 wrote to memory of 4692	1904	2GJ7514.exe	AppLaunch.exe
PID 1904 wrote to memory of 4692	1904	2GJ7514.exe	AppLaunch.exe
PID 1904 wrote to memory of 4692	1904	2GJ7514.exe	AppLaunch.exe
PID 1904 wrote to memory of 4692	1904	2GJ7514.exe	AppLaunch.exe
PID 1904 wrote to memory of 4692	1904	2GJ7514.exe	AppLaunch.exe
PID 1904 wrote to memory of 4692	1904	2GJ7514.exe	AppLaunch.exe
PID 2376 wrote to memory of 376	2376	hL2LY94.exe	3lh15Xn.exe
PID 2376 wrote to memory of 376	2376	hL2LY94.exe	3lh15Xn.exe
PID 2376 wrote to memory of 376	2376	hL2LY94.exe	3lh15Xn.exe
PID 376 wrote to memory of 4852	376	3lh15Xn.exe	schtasks.exe
PID 376 wrote to memory of 4852	376	3lh15Xn.exe	schtasks.exe
PID 376 wrote to memory of 4852	376	3lh15Xn.exe	schtasks.exe
PID 376 wrote to memory of 4960	376	3lh15Xn.exe	schtasks.exe
PID 376 wrote to memory of 4960	376	3lh15Xn.exe	schtasks.exe
PID 376 wrote to memory of 4960	376	3lh15Xn.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\26a2cda7a1e823b15014df6457ead29cc24ca1e9d7348e5f7ce65fac3e640998.exe
"C:\Users\Admin\AppData\Local\Temp\26a2cda7a1e823b15014df6457ead29cc24ca1e9d7348e5f7ce65fac3e640998.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vk6py32.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vk6py32.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hL2LY94.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hL2LY94.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2GJ7514.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2GJ7514.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1904
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:808
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4692
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 620
        5⤵
        Program crash
        
        PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lh15Xn.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lh15Xn.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:376
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:4852
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1904 -ip 1904
1⤵
PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vk6py32.exe

Filesize
1.0MB

MD5
a73e73014d058c552d4d4caece68e74a

SHA1
aac61e4ca6964798ce2435da557f25c9d8d3fc5f

SHA256
ba7633951d62e23156dfce327cd0f3a36cdacac80ca48209628c093e687fc4e9

SHA512
1d65b4b8e7b8968430f14a77d83b02fa0077c3a68ea4cfe8c3030896174f1efdc1090efefca503eadc3511cc6e9e7fa37ba48c18f7b7276ac188a2fa10b4f33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hL2LY94.exe

Filesize
946KB

MD5
44c279acb78d699381c3f28097539b24

SHA1
7128e4839540cb215c6132c707d8cf7a99edaf4f

SHA256
a39d3ff341bfb5c90d04a65464017ce9fad04ca0df5319810b250099233ca402

SHA512
95602538bbec80e08a6487e08634658e871c89ebd4ce25909bdaa925b960c7cf020249f49022f2d981f8f73dbc6db0a466aabe041d3d97fc3494c1eae4cd7543

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2GJ7514.exe

Filesize
1.1MB

MD5
5207cee391c428d2666438a7d9018b5d

SHA1
9a132811966083342c52e996fed13de4c9e1748e

SHA256
0fb467a149ba340e2d1a7c2d17b47638bc19a2a8b0e811d9e76afd4b8f144cd4

SHA512
21a33ea00392f37c984253cd4bcc9d7282c90154f53d25a8675513dbe7f556cc90a303f3da20dd15f5b8ac0d463e99e69c71e98d133b24ca0dd86269ae81231a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3lh15Xn.exe

Filesize
1.3MB

MD5
712f17e627cf44c17946798512d49dc1

SHA1
d448475d5089f6aa263072e245647fc69abbf17b

SHA256
accfe94a5c8ac0a3c134a510cbcc08079b233fba1fe24e0e4036a7e8445ba810

SHA512
69be4649d213221581f6c99e14d3fecb71b997aadf91694ab60fb2c72eafe197e6cc8f53ad283aba56eabab56f3ca163a5deea92f290b53e0c75be2f82411ef2

Download Submit
memory/4692-24-0x0000000002EE0000-0x0000000002EEA000-memory.dmp

Filesize
40KB

Download
memory/4692-23-0x0000000007A20000-0x0000000007AB2000-memory.dmp

Filesize
584KB

Download
memory/4692-22-0x0000000007F30000-0x00000000084D4000-memory.dmp

Filesize
5.6MB

Download
memory/4692-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4692-30-0x0000000008B00000-0x0000000009118000-memory.dmp

Filesize
6.1MB

Download
memory/4692-35-0x0000000007DD0000-0x0000000007EDA000-memory.dmp

Filesize
1.0MB

Download
memory/4692-36-0x00000000079E0000-0x00000000079F2000-memory.dmp

Filesize
72KB

Download
memory/4692-37-0x0000000007B00000-0x0000000007B3C000-memory.dmp

Filesize
240KB

Download
memory/4692-38-0x0000000007CC0000-0x0000000007D0C000-memory.dmp

Filesize
304KB

Download