privateloader | be3323c3b2bd6ba736703199d528de6bf1396e8a7c6b9b58e4ca31fda43b00e0

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f46c47981f634979a00e1ca71c39dccb4d7b92874955d836798a907aa4fdbf85.exe
Size

935KB
MD5

29f8033f3fbdf91c2e89357c4b49602e
SHA1

d2d542baf9f23e26ba33885b633328e71e71f5c4
SHA256

f46c47981f634979a00e1ca71c39dccb4d7b92874955d836798a907aa4fdbf85
SHA512

a3132e83c71a98612b408ecbc985b0ad7680a16893e8016514b24ecf0dba4bb6ae781f0513daa3efb29498ae8985f94ae63c13be285c2eb8e22f928afd115d9e
SSDEEP

24576:jyFWNEi4niX5JDHaWnqHbpoGkA4FJKMCGrru:2zJniXzaWnWt07pCGr

Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 1 IoCs

Processes:

resource yara_rule

behavioral19/memory/4332-14-0x0000000000400000-0x000000000043C000-memory.dmp family_redline
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Drops startup file 1 IoCs

Processes:

3qW67EY.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 3qW67EY.exe
Executes dropped EXE 3 IoCs

Processes:

fh1le64.exe2mY3893.exe3qW67EY.exe

pid process

384 fh1le64.exe
3408 2mY3893.exe
5100 3qW67EY.exe

resource	yara_rule
behavioral19/memory/4332-14-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	3qW67EY.exe

pid	process
384	fh1le64.exe
3408	2mY3893.exe
5100	3qW67EY.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fh1le64.exe3qW67EY.exef46c47981f634979a00e1ca71c39dccb4d7b92874955d836798a907aa4fdbf85.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	fh1le64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	3qW67EY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f46c47981f634979a00e1ca71c39dccb4d7b92874955d836798a907aa4fdbf85.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2mY3893.exe

description pid process target process

PID 3408 set thread context of 4332 3408 2mY3893.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

520 3408 WerFault.exe 2mY3893.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3540 schtasks.exe
5104 schtasks.exe

description	pid	process	target process
PID 3408 set thread context of 4332	3408	2mY3893.exe	AppLaunch.exe

pid	pid_target	process	target process
520	3408	WerFault.exe	2mY3893.exe

pid	process
3540	schtasks.exe
5104	schtasks.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

f46c47981f634979a00e1ca71c39dccb4d7b92874955d836798a907aa4fdbf85.exefh1le64.exe2mY3893.exe3qW67EY.exe

description	pid	process	target process
PID 3992 wrote to memory of 384	3992	f46c47981f634979a00e1ca71c39dccb4d7b92874955d836798a907aa4fdbf85.exe	fh1le64.exe
PID 3992 wrote to memory of 384	3992	f46c47981f634979a00e1ca71c39dccb4d7b92874955d836798a907aa4fdbf85.exe	fh1le64.exe
PID 3992 wrote to memory of 384	3992	f46c47981f634979a00e1ca71c39dccb4d7b92874955d836798a907aa4fdbf85.exe	fh1le64.exe
PID 384 wrote to memory of 3408	384	fh1le64.exe	2mY3893.exe
PID 384 wrote to memory of 3408	384	fh1le64.exe	2mY3893.exe
PID 384 wrote to memory of 3408	384	fh1le64.exe	2mY3893.exe
PID 3408 wrote to memory of 4332	3408	2mY3893.exe	AppLaunch.exe
PID 3408 wrote to memory of 4332	3408	2mY3893.exe	AppLaunch.exe
PID 3408 wrote to memory of 4332	3408	2mY3893.exe	AppLaunch.exe
PID 3408 wrote to memory of 4332	3408	2mY3893.exe	AppLaunch.exe
PID 3408 wrote to memory of 4332	3408	2mY3893.exe	AppLaunch.exe
PID 3408 wrote to memory of 4332	3408	2mY3893.exe	AppLaunch.exe
PID 3408 wrote to memory of 4332	3408	2mY3893.exe	AppLaunch.exe
PID 3408 wrote to memory of 4332	3408	2mY3893.exe	AppLaunch.exe
PID 384 wrote to memory of 5100	384	fh1le64.exe	3qW67EY.exe
PID 384 wrote to memory of 5100	384	fh1le64.exe	3qW67EY.exe
PID 384 wrote to memory of 5100	384	fh1le64.exe	3qW67EY.exe
PID 5100 wrote to memory of 3540	5100	3qW67EY.exe	schtasks.exe
PID 5100 wrote to memory of 3540	5100	3qW67EY.exe	schtasks.exe
PID 5100 wrote to memory of 3540	5100	3qW67EY.exe	schtasks.exe
PID 5100 wrote to memory of 5104	5100	3qW67EY.exe	schtasks.exe
PID 5100 wrote to memory of 5104	5100	3qW67EY.exe	schtasks.exe
PID 5100 wrote to memory of 5104	5100	3qW67EY.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\f46c47981f634979a00e1ca71c39dccb4d7b92874955d836798a907aa4fdbf85.exe
"C:\Users\Admin\AppData\Local\Temp\f46c47981f634979a00e1ca71c39dccb4d7b92874955d836798a907aa4fdbf85.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3992

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fh1le64.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fh1le64.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:384

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2mY3893.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2mY3893.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 140
4⤵
- Program crash
PID:520

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3qW67EY.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3qW67EY.exe
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:3540

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3408 -ip 3408
1⤵
PID:2956

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fh1le64.exe
Filesize
811KB

MD5
17c3abd1cbb560276dbc6b16cdecfdba

SHA1
8dab3c71f7ba847e037a6c1c4db1fe10b8e72732

SHA256
2b355af97a8c03dcd7deaec65e882840dd5c8bf1fb2e4a5071bd779e628f25b6

SHA512
234cc5752cdbff1b2f2b08e07f19e8d06c92ff758a00c90c4f38ba9ed965af355d5812a5801744ea27013651ce6f31baa16aea0774368f8dff0b9c797ebeda06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2mY3893.exe
Filesize
432KB

MD5
b86658f28e3cc7a49271b015c9aefaad

SHA1
2ba24a865917af376eaea66b76db6bc148fbfaac

SHA256
3a60a03ad579df890125bd5be83047a41d63a287b1f99fa10e49175ced42e76b

SHA512
fe551a7c974287df73b10b6acd9b01c6bc5d9247bfc381c55f434cf48851503d44d05446152e1a6f7ae78a6f971003db5dabe171c7abecd99748b91b3208d3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3qW67EY.exe
Filesize
1.3MB

MD5
370232f382fad5472b4d6f67fd588f0a

SHA1
ee5dff4fc801c398218e542cc6448bf8c6b6c151

SHA256
e09a8cd2fc52501df33ee97688d2ebc83db62e3836dd4a15ed7ac66fd9f5188d

SHA512
223e3336e1feb30626f1756ddfd4aecee372dfefd7e845d8b9f3106e697131f37ff0a2ea22afce3683def25b60e5d425b0a1a5feb42f62fc4a0cb270e34ab444

Download Submit
memory/4332-18-0x0000000004E10000-0x0000000004E1A000-memory.dmp

Filesize
40KB

Download
memory/4332-16-0x0000000007D90000-0x0000000008334000-memory.dmp

Filesize
5.6MB

Download
memory/4332-17-0x0000000007880000-0x0000000007912000-memory.dmp

Filesize
584KB

Download
memory/4332-15-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

Filesize
4KB

Download
memory/4332-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4332-22-0x0000000008960000-0x0000000008F78000-memory.dmp

Filesize
6.1MB

Download
memory/4332-25-0x0000000008340000-0x000000000844A000-memory.dmp

Filesize
1.0MB

Download
memory/4332-26-0x0000000007840000-0x0000000007852000-memory.dmp

Filesize
72KB

Download
memory/4332-27-0x0000000007A50000-0x0000000007A8C000-memory.dmp

Filesize
240KB

Download
memory/4332-32-0x0000000007AB0000-0x0000000007AFC000-memory.dmp

Filesize
304KB

Download
memory/4332-34-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

Filesize
4KB

Download