privateloader

General

Target

Win32.RisePro.b.7z
Size

86.9MB
Sample

240630-zzbbbavhqc
MD5

f7bb7295336d27fa9c400de44e9d2865
SHA1

9a9b4b194bd0e716f57006875131214918bcece6
SHA256

b2bc73e8be2ce4c4fa2ece4694f8d707a8529572d98948dd0a79dc882a028717
SHA512

4c4454980c2e0397ed1e28ab1f5d5743e1cb6487a573274f99d9a901d44081977d374ef673cb0c239c37a034fea7ce2f65ea018e98c5d0c4eed611089018db1f
SSDEEP

1572864:qlhpv/OUiqHb9OFEFseUVN3yBZ47dr1o2PqDNcFTKhLyPxx//lBCkbCFee:ql7OUpZOFAseUj3VRMO5emznlo9Me

Score

10^/10

Malware Config

Targets

- Target
  
  Win32.RisePro.b/Panel/RisePro_Server.exe
- Size
  
  57.5MB
- MD5
  
  1e09287be79ea9e8970b009c60ec71e4
- SHA1
  
  fa44121e58fd7115842269053c0434d90a0dda2d
- SHA256
  
  3f1065fe34fb5335fcf26d96565d669af0eb18a8ff0b1dc5ab2f4cd172e27272
- SHA512
  
  902f0ba30ff8a3c72b32c8693c56dfa0aaa9955b42f65a1181873c710383fd76ca922752ffbcb81be4eebf6926f80f0a8f8dfdb467e77fbe935843f009f00174
- SSDEEP
  
  1572864:LcMpLABVCAtQbu4P5im/GpXyNqDK2vERS:LrpLaVFtQS4P6pZa
Score

10^/10

privateloader risepro evasion loader persistence privilege_escalation stealer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Modifies Windows Firewall
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1
- Target
  
  Win32.RisePro.b/Proxy/RisePro_Proxy.exe
- Size
  
  568KB
- MD5
  
  fe8d041d2fbdedd9627f1a55976bdc61
- SHA1
  
  fe88fc39efb0e2b29bfc2730bf8a4bf3e71657f2
- SHA256
  
  af26b57034cbd6ee66cedba4abe6d247da5ae5e6beb74314ebdc80f1d1299f7c
- SHA512
  
  8df251518c17434b04895589d5c78780f6ca7a97d10730a4240d1fc82bc64ad1869288c7dd395d29fd0159ad082d7dcf98198d17a573c79e4880d7a7f7cdfa9a
- SSDEEP
  
  12288:aSxtHZFviRZe7Zg5KlPvNvw4iVfUxpDGzwIolidy/j:fxrFviRZe7Zg5KlPvNvMV8x+voliu
Score

8^/10

evasion persistence privilege_escalation
- Modifies Windows Firewall
  evasion
behavioral2
- Target
  
  Win32.RisePro.b/Tools/ChromeSetup.exe
- Size
  
  1.4MB
- MD5
  
  884b10d1a2bbf20fd014cba4d4b5fe25
- SHA1
  
  5a62499dcea6188e677d1ff0a46a61ee16d34197
- SHA256
  
  105b0257de6092e26aba12a9df72a7529f02f5addd92d63852176921bf67e059
- SHA512
  
  094b5fa5cfeed69d38a24a8a6353afd793ddbe196c2e5c99fe6ac945a5a8411d742c51add015329af3d980e7edf907d8b3a384c2094659b5509f7be0170ddd22
- SSDEEP
  
  24576:Jw8KjKjGFygcc23L1/NVOmOSGb6E3ecS4fzrjxJh9UZXlpbPvC7xtYUrEmFlo+LT:PKjKWQc2b1FVgbjrjxPe1pbPSQm1FloS
Score

7^/10

discovery persistence privilege_escalation spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral3
- Target
  
  Win32.RisePro.b/Tools/VC_redist.x64.exe
- Size
  
  24.2MB
- MD5
  
  077f0abdc2a3881d5c6c774af821f787
- SHA1
  
  c483f66c48ba83e99c764d957729789317b09c6b
- SHA256
  
  917c37d816488545b70affd77d6e486e4dd27e2ece63f6bbaaf486b178b2b888
- SHA512
  
  70a888d5891efd2a48d33c22f35e9178bd113032162dc5a170e7c56f2d592e3c59a08904b9f1b54450c80f8863bda746e431b396e4c1624b91ff15dd701bd939
- SSDEEP
  
  786432:Rip+Ty2SfUfnRLL96rFyZrimbJdCnoJpOhX+dx:Mp+Ty2SfWnFJ6rQVdKhX+dx
Score

7^/10

discovery
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral4
- Target
  
  Win32.RisePro.b/Tools/VC_redist.x86.exe
- Size
  
  13.2MB
- MD5
  
  ae427c1329c3b211a6d09f8d9506eb74
- SHA1
  
  c9b5b7969e499a4fd9e580ef4187322778e1936a
- SHA256
  
  5365a927487945ecb040e143ea770adbb296074ece4021b1d14213bde538c490
- SHA512
  
  ec70786704ead0494fab8f7a9f46554feaca45c79b831c5963ecc20243fa0f31053b6e0ceb450f86c16e67e739c4be53ad202c2397c8541365b7252904169b41
- SSDEEP
  
  393216:yvRtlptVYmfr7yBG/41w0vJROFTfCTKw27:y1pttD7yBG/OTvJRGCN27
Score

7^/10

discovery
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral5
- Target
  
  Win32.RisePro.b/[ENG] FAQ.docx
- Size
  
  478KB
- MD5
  
  908a1f0bf4bcae984246ab5a17fd467a
- SHA1
  
  ebf7cec2bab5cd8f73258848e189a3f92b234d4d
- SHA256
  
  fa3ee0c8bb106b40c9e87426acc70abe33783323f4cc4bec69694522ccbcc995
- SHA512
  
  f8fca2878df0091a247ce5746742afc0f6f6ddcc985f5643f8a1b3996245bdc7f3f5c1ca08c736159e96d0b4400c90adc10a3ce33a0a490d438e5f91eb23fd7d
- SSDEEP
  
  12288:GbxwUVcSFtyRhjiJqOAl1ErZi2nTLpPpdaLh5HusW:GFwEcSTWUk/WlDnTL5ad5HvW
Score

1^/10
behavioral6
- Target
  
  Win32.RisePro.b/[RUS] FAQ.docx
- Size
  
  479KB
- MD5
  
  9bd37876b264f1cfd401ef7ef4aca942
- SHA1
  
  d64a1482805f7d825a26aba998a4ba6698aa4905
- SHA256
  
  37758034e8ed40d0a748b4065caefce35d82046c6786adb5c8bc735714c639aa
- SHA512
  
  c9aa56836c13a86cc60bd8721c73d13350c5ec08f39ea492307e3f39836a913821e3b28b6aeb4f6465d7259b4f698b86d255a71d15b68ace02989978a83d9a48
- SSDEEP
  
  12288:byxwUVcSFtyRhjiJqOAl1ErZi2nTLpPpdaLh5HusP:wwEcSTWUk/WlDnTL5ad5HvP
Score

1^/10
behavioral7