privateloader | eafc2bfbeaeddb89f86da75f29f14435b745b919f0b99dd1d0d30b9d33efb415

Analysis

max time kernel
145s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14e25178ee8b8712bc968c820fb869e90a44dec170ecd8a6483ae8f108b1f2de.exe
Size

1.0MB
MD5

1e122a6f0ed6181bda7d4bf1eb33f793
SHA1

6b1eb80241e7e528ca1e807c72313668ae8975a5
SHA256

14e25178ee8b8712bc968c820fb869e90a44dec170ecd8a6483ae8f108b1f2de
SHA512

b4bd70d297c2912540da9ec529070d31b9ef73b846a225fa4705402ba7fb75fc08c573512a8f7e0ed37476643b08455de7f68818b5677452a76f251c412cd082
SSDEEP

24576:hyKI2pjfsvcRzmYqFpts/vsBBpjW08KzPAf1pq:UK1f8c/OXovsjpK085f1

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 1 IoCs

Processes:

resource yara_rule

behavioral3/memory/4680-14-0x0000000000400000-0x000000000043C000-memory.dmp family_redline
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

3pE92xl.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 3pE92xl.exe
Executes dropped EXE 3 IoCs

Processes:

Rp6qu35.exe2Jv9134.exe3pE92xl.exe

pid process

2816 Rp6qu35.exe
4904 2Jv9134.exe
1100 3pE92xl.exe

resource	yara_rule
behavioral3/memory/4680-14-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3pE92xl.exe

pid	process
2816	Rp6qu35.exe
4904	2Jv9134.exe
1100	3pE92xl.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

14e25178ee8b8712bc968c820fb869e90a44dec170ecd8a6483ae8f108b1f2de.exeRp6qu35.exe3pE92xl.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	14e25178ee8b8712bc968c820fb869e90a44dec170ecd8a6483ae8f108b1f2de.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Rp6qu35.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3pE92xl.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2Jv9134.exe

description pid process target process

PID 4904 set thread context of 4680 4904 2Jv9134.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4280 4904 WerFault.exe 2Jv9134.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

216 schtasks.exe
3648 schtasks.exe

description	pid	process	target process
PID 4904 set thread context of 4680	4904	2Jv9134.exe	AppLaunch.exe

pid	pid_target	process	target process
4280	4904	WerFault.exe	2Jv9134.exe

pid	process
216	schtasks.exe
3648	schtasks.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

14e25178ee8b8712bc968c820fb869e90a44dec170ecd8a6483ae8f108b1f2de.exeRp6qu35.exe2Jv9134.exe3pE92xl.exe

description	pid	process	target process
PID 872 wrote to memory of 2816	872	14e25178ee8b8712bc968c820fb869e90a44dec170ecd8a6483ae8f108b1f2de.exe	Rp6qu35.exe
PID 872 wrote to memory of 2816	872	14e25178ee8b8712bc968c820fb869e90a44dec170ecd8a6483ae8f108b1f2de.exe	Rp6qu35.exe
PID 872 wrote to memory of 2816	872	14e25178ee8b8712bc968c820fb869e90a44dec170ecd8a6483ae8f108b1f2de.exe	Rp6qu35.exe
PID 2816 wrote to memory of 4904	2816	Rp6qu35.exe	2Jv9134.exe
PID 2816 wrote to memory of 4904	2816	Rp6qu35.exe	2Jv9134.exe
PID 2816 wrote to memory of 4904	2816	Rp6qu35.exe	2Jv9134.exe
PID 4904 wrote to memory of 1240	4904	2Jv9134.exe	AppLaunch.exe
PID 4904 wrote to memory of 1240	4904	2Jv9134.exe	AppLaunch.exe
PID 4904 wrote to memory of 1240	4904	2Jv9134.exe	AppLaunch.exe
PID 4904 wrote to memory of 2932	4904	2Jv9134.exe	AppLaunch.exe
PID 4904 wrote to memory of 2932	4904	2Jv9134.exe	AppLaunch.exe
PID 4904 wrote to memory of 2932	4904	2Jv9134.exe	AppLaunch.exe
PID 4904 wrote to memory of 1680	4904	2Jv9134.exe	AppLaunch.exe
PID 4904 wrote to memory of 1680	4904	2Jv9134.exe	AppLaunch.exe
PID 4904 wrote to memory of 1680	4904	2Jv9134.exe	AppLaunch.exe
PID 4904 wrote to memory of 1408	4904	2Jv9134.exe	AppLaunch.exe
PID 4904 wrote to memory of 1408	4904	2Jv9134.exe	AppLaunch.exe
PID 4904 wrote to memory of 1408	4904	2Jv9134.exe	AppLaunch.exe
PID 4904 wrote to memory of 1448	4904	2Jv9134.exe	AppLaunch.exe
PID 4904 wrote to memory of 1448	4904	2Jv9134.exe	AppLaunch.exe
PID 4904 wrote to memory of 1448	4904	2Jv9134.exe	AppLaunch.exe
PID 4904 wrote to memory of 4680	4904	2Jv9134.exe	AppLaunch.exe
PID 4904 wrote to memory of 4680	4904	2Jv9134.exe	AppLaunch.exe
PID 4904 wrote to memory of 4680	4904	2Jv9134.exe	AppLaunch.exe
PID 4904 wrote to memory of 4680	4904	2Jv9134.exe	AppLaunch.exe
PID 4904 wrote to memory of 4680	4904	2Jv9134.exe	AppLaunch.exe
PID 4904 wrote to memory of 4680	4904	2Jv9134.exe	AppLaunch.exe
PID 4904 wrote to memory of 4680	4904	2Jv9134.exe	AppLaunch.exe
PID 4904 wrote to memory of 4680	4904	2Jv9134.exe	AppLaunch.exe
PID 2816 wrote to memory of 1100	2816	Rp6qu35.exe	3pE92xl.exe
PID 2816 wrote to memory of 1100	2816	Rp6qu35.exe	3pE92xl.exe
PID 2816 wrote to memory of 1100	2816	Rp6qu35.exe	3pE92xl.exe
PID 1100 wrote to memory of 216	1100	3pE92xl.exe	schtasks.exe
PID 1100 wrote to memory of 216	1100	3pE92xl.exe	schtasks.exe
PID 1100 wrote to memory of 216	1100	3pE92xl.exe	schtasks.exe
PID 1100 wrote to memory of 3648	1100	3pE92xl.exe	schtasks.exe
PID 1100 wrote to memory of 3648	1100	3pE92xl.exe	schtasks.exe
PID 1100 wrote to memory of 3648	1100	3pE92xl.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\14e25178ee8b8712bc968c820fb869e90a44dec170ecd8a6483ae8f108b1f2de.exe
"C:\Users\Admin\AppData\Local\Temp\14e25178ee8b8712bc968c820fb869e90a44dec170ecd8a6483ae8f108b1f2de.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:872

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rp6qu35.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rp6qu35.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2816

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Jv9134.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Jv9134.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:1240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:2932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:1680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:1408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:1448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 636
4⤵
- Program crash
PID:4280

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3pE92xl.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3pE92xl.exe
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:216

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4904 -ip 4904
1⤵
PID:4404

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rp6qu35.exe
Filesize
946KB

MD5
6ed94b05647d7b713063fc8eef0aa7ca

SHA1
0699a92d19c598c3e274bb152c5a31e5f815fbc7

SHA256
587dff0ac038d2d69f8307f8ad030872d00dbc7d4fbb7053e044a9f1e94b7e4f

SHA512
a530437ab63a8898f0377477a29e416c8dc0133068e82acd21c54cce8ae80eab327e1e33f02d8af3f4b459cfdf3b0ac1e1904fc4935483eaf8741017277db7bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Jv9134.exe
Filesize
1.1MB

MD5
a996f1f8ca16ac9d38982563918c429a

SHA1
fcc91279b440715b06a6245c202f9c43d4fabb77

SHA256
ffa310b561393b4d2921bfab23ff37e83ee8f28da0a6cd693528d9c5d28d9242

SHA512
b197c9063c05389425b1444af012a58330c8ace1190a8420d759477b45ccf59e0ec0a6ac0fad14dc38d8366d5af1fee0f9e6c6f7a816377ccdfcd016ed4f763a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3pE92xl.exe
Filesize
1.3MB

MD5
34c2b74ff04eaa70dbadc8e9916029b0

SHA1
76bfc5ef4e15e8d700e6f04791dac4fa8775cee8

SHA256
484b7657b8c88fba0357da676c330bbf82e3aace1889a14722c03a645bee77b5

SHA512
ade66e6f4f46167a3c903de8aee3a773ef2a23a6097cbf2f0880f5257b3003c0c7c7a2090dca688eb834a771678c12b11423d94462822547aecf249cb0afd37e

Download Submit
memory/4680-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4680-15-0x0000000007CB0000-0x0000000008254000-memory.dmp

Filesize
5.6MB

Download
memory/4680-16-0x00000000077A0000-0x0000000007832000-memory.dmp

Filesize
584KB

Download
memory/4680-17-0x0000000004CF0000-0x0000000004CFA000-memory.dmp

Filesize
40KB

Download
memory/4680-18-0x0000000008880000-0x0000000008E98000-memory.dmp

Filesize
6.1MB

Download
memory/4680-19-0x0000000008260000-0x000000000836A000-memory.dmp

Filesize
1.0MB

Download
memory/4680-24-0x00000000079B0000-0x00000000079EC000-memory.dmp

Filesize
240KB

Download
memory/4680-22-0x0000000007950000-0x0000000007962000-memory.dmp

Filesize
72KB

Download
memory/4680-27-0x0000000007A20000-0x0000000007A6C000-memory.dmp

Filesize
304KB

Download