privateloader | 6eedc33f633438f8e5b63150941b5356c3d2d5aae68e3d177200756305912c07

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2024 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a38fd050fda5f392478698c1b623bb1.exe
Size

1.6MB
MD5

5a38fd050fda5f392478698c1b623bb1
SHA1

bd82796b2c0210a147afe1b6dbb8a98a6acd57db
SHA256

6eedc33f633438f8e5b63150941b5356c3d2d5aae68e3d177200756305912c07
SHA512

16721c8930d70d9174c8a973345f2b9d058f2b695c9bdc84e758133ace3777fbe8dab4006f3f192ddac849e0c8cb7941f799e320abcc52f1e1e7aa24fae8e85d
SSDEEP

49152:kzpn+XjLM2v2VKDRl3CR4eHpKdxHg5Rdi:fXjGKL3CvH21g5Rd

Score

10^/10

privateloader redline risepro smokeloader horda backdoor discovery infostealer loader persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1532-21-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/2552-46-0x0000000002490000-0x00000000024B0000-memory.dmp	net_reactor
behavioral1/memory/2552-47-0x0000000005050000-0x000000000506E000-memory.dmp	net_reactor

Executes dropped EXE 6 IoCs

pid	Process
1000	EM1Mx31.exe
356	kJ4KJ92.exe
1928	2Mx0334.exe
1300	4Dr463kY.exe
2372	5et5jj1.exe
2552	6fI3vN7.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5a38fd050fda5f392478698c1b623bb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	EM1Mx31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kJ4KJ92.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1928 set thread context of 1532	1928	2Mx0334.exe	91
PID 1300 set thread context of 3492	1300	4Dr463kY.exe	94

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a38fd050fda5f392478698c1b623bb1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5et5jj1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EM1Mx31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kJ4KJ92.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2Mx0334.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4Dr463kY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6fI3vN7.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5et5jj1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5et5jj1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5et5jj1.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1928	2Mx0334.exe
Token: SeSecurityPrivilege	1300	4Dr463kY.exe
Token: SeDebugPrivilege	2552	6fI3vN7.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 1000	3056	5a38fd050fda5f392478698c1b623bb1.exe	84
PID 3056 wrote to memory of 1000	3056	5a38fd050fda5f392478698c1b623bb1.exe	84
PID 3056 wrote to memory of 1000	3056	5a38fd050fda5f392478698c1b623bb1.exe	84
PID 1000 wrote to memory of 356	1000	EM1Mx31.exe	85
PID 1000 wrote to memory of 356	1000	EM1Mx31.exe	85
PID 1000 wrote to memory of 356	1000	EM1Mx31.exe	85
PID 356 wrote to memory of 1928	356	kJ4KJ92.exe	86
PID 356 wrote to memory of 1928	356	kJ4KJ92.exe	86
PID 356 wrote to memory of 1928	356	kJ4KJ92.exe	86
PID 1928 wrote to memory of 1532	1928	2Mx0334.exe	91
PID 1928 wrote to memory of 1532	1928	2Mx0334.exe	91
PID 1928 wrote to memory of 1532	1928	2Mx0334.exe	91
PID 1928 wrote to memory of 1532	1928	2Mx0334.exe	91
PID 1928 wrote to memory of 1532	1928	2Mx0334.exe	91
PID 1928 wrote to memory of 1532	1928	2Mx0334.exe	91
PID 1928 wrote to memory of 1532	1928	2Mx0334.exe	91
PID 1928 wrote to memory of 1532	1928	2Mx0334.exe	91
PID 356 wrote to memory of 1300	356	kJ4KJ92.exe	92
PID 356 wrote to memory of 1300	356	kJ4KJ92.exe	92
PID 356 wrote to memory of 1300	356	kJ4KJ92.exe	92
PID 1300 wrote to memory of 3492	1300	4Dr463kY.exe	94
PID 1300 wrote to memory of 3492	1300	4Dr463kY.exe	94
PID 1300 wrote to memory of 3492	1300	4Dr463kY.exe	94
PID 1300 wrote to memory of 3492	1300	4Dr463kY.exe	94
PID 1300 wrote to memory of 3492	1300	4Dr463kY.exe	94
PID 1300 wrote to memory of 3492	1300	4Dr463kY.exe	94
PID 1300 wrote to memory of 3492	1300	4Dr463kY.exe	94
PID 1300 wrote to memory of 3492	1300	4Dr463kY.exe	94
PID 1300 wrote to memory of 3492	1300	4Dr463kY.exe	94
PID 1300 wrote to memory of 3492	1300	4Dr463kY.exe	94
PID 1000 wrote to memory of 2372	1000	EM1Mx31.exe	95
PID 1000 wrote to memory of 2372	1000	EM1Mx31.exe	95
PID 1000 wrote to memory of 2372	1000	EM1Mx31.exe	95
PID 3056 wrote to memory of 2552	3056	5a38fd050fda5f392478698c1b623bb1.exe	105
PID 3056 wrote to memory of 2552	3056	5a38fd050fda5f392478698c1b623bb1.exe	105
PID 3056 wrote to memory of 2552	3056	5a38fd050fda5f392478698c1b623bb1.exe	105

C:\Users\Admin\AppData\Local\Temp\5a38fd050fda5f392478698c1b623bb1.exe
"C:\Users\Admin\AppData\Local\Temp\5a38fd050fda5f392478698c1b623bb1.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EM1Mx31.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EM1Mx31.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kJ4KJ92.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kJ4KJ92.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:356
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Mx0334.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Mx0334.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Dr463kY.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Dr463kY.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1300
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3492
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5et5jj1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5et5jj1.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks SCSI registry key(s)
    PID:2372
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6fI3vN7.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6fI3vN7.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6fI3vN7.exe

Filesize
189KB

MD5
f4af3a9bb5b128ea7f4a49016ae8de1f

SHA1
77e47932af41b3af5bfff73d2a4c9773dc224f0d

SHA256
195fa6ff08dd55ff8f112c0323885bc06e1d28ce38edae26cce1e33b23337ff1

SHA512
1067017da68040e8e1eab228773c37cba180731f8792462d94e1e52cc12eb63e5306b3ffbc1fb4f0047a9d29e8a060649b5914bb25ece9c2c37b75e143c50df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EM1Mx31.exe

Filesize
1.4MB

MD5
7c235d397d7dfd259ccedc3b5a659e49

SHA1
9b9898caf13648c52aafabef55d0d54499f73b5a

SHA256
b23fbfa797078f5a61254e169f9d48947a210ddea2952689c5ac7f90e83ba01e

SHA512
331ca26c11803184d32a0a4350b072a8b595db7c08d9914a4272b7b57998fd6967423c2c62452eb779d448017a84eb8a042ef238e98cba1d43d64c546f9d85e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5et5jj1.exe

Filesize
37KB

MD5
0347ea57ab6936886c20088c49d651d2

SHA1
8e1cb53b2528b0edd515fd60fe50fde8423af6d2

SHA256
9cd2a65eaad5be25fcf2f3c80070f42d6de27e2296857ad7b65e98be2af217a2

SHA512
55507702a488c9c20c783cc731722ef7b7c5af4a8890fe838f59f79266262304b3515c93e66fc16aa701ddb40233cee58bcc11873a88280b99e4d6876ea4c3db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kJ4KJ92.exe

Filesize
1.2MB

MD5
983f102e6c759b28bc05d04e43602729

SHA1
c397bab5e11dabcdc41ca20bd0383082aa35669b

SHA256
2a2c03e7b420d469d9aab2884f5ff1c7c257b557d7b686a12c0d06476009e591

SHA512
3d70c8b415e3d0ed853f255d735d9791b9185872af68caf5207bd10771d64cecd2534bf53c004f723a11263c107f9866e862f3eb99b3625135e31d623bc719b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Mx0334.exe

Filesize
2.0MB

MD5
8b65ddbcd20ed63807d8b4a4490724b1

SHA1
4594165f3858c775c76129a350d1f5e7e755694a

SHA256
ed60b8cb9ef17afc3520f2d04ff7b2b05447fa50d31ef16581755f09e6215ade

SHA512
c8cb04ce07829a1cc5941d09e8d78082969517f9c05da6fc2d140e7652d04be9a8247cfb6d39c6c8d48268d20f50773887056f71640b0ebd7a9805a9eb3a51ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Dr463kY.exe

Filesize
3.2MB

MD5
25db5a1700c68e76a696027d45f7a470

SHA1
e2b5716b1da0397454624e9b8fece3f6244f3f85

SHA256
bcdf056a85b5eb4ba790ceab98a74091794686d760edfda91e6377c7fb115995

SHA512
c9fcbe7f8911f97581086979c9637e26ee091aba57c9e3d146111d9b68d24a3eecf6507543968710d2b7a38e8824e69c0902b4ebc65b1669e7a1fe7f78b95183

Download Submit
memory/1532-30-0x0000000007D70000-0x0000000007D82000-memory.dmp

Filesize
72KB

Download
memory/1532-28-0x0000000008D10000-0x0000000009328000-memory.dmp

Filesize
6.1MB

Download
memory/1532-29-0x00000000086F0000-0x00000000087FA000-memory.dmp

Filesize
1.0MB

Download
memory/1532-26-0x0000000007C40000-0x0000000007CD2000-memory.dmp

Filesize
584KB

Download
memory/1532-27-0x0000000005240000-0x000000000524A000-memory.dmp

Filesize
40KB

Download
memory/1532-31-0x0000000007E10000-0x0000000007E4C000-memory.dmp

Filesize
240KB

Download
memory/1532-33-0x0000000007F80000-0x0000000007FCC000-memory.dmp

Filesize
304KB

Download
memory/1532-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1532-25-0x0000000008140000-0x00000000086E4000-memory.dmp

Filesize
5.6MB

Download
memory/2372-42-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2372-41-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2552-47-0x0000000005050000-0x000000000506E000-memory.dmp

Filesize
120KB

Download
memory/2552-46-0x0000000002490000-0x00000000024B0000-memory.dmp

Filesize
128KB

Download
memory/3492-32-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/3492-37-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/3492-35-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/3492-36-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads