Windows Analysis Report
SajWKdHxdF.exe

Overview

General Information

Sample name: SajWKdHxdF.exe (renamed because the original name is a hash value)
Original sample name: d72b925c4abaf97c5eb47514ee82f7f2.exe
Analysis ID: 1429096
MD5: d72b925c4abaf97c5eb47514ee82f7f2
SHA1: 5768f62f599d2682b205f6beec17064f14e0646b
SHA256: 7729b2ed03cca1153854c35ac85fd23c1e0d34347be0e29a8a6aecbba088a95f
Tags: 32, exe, trojan

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Found potential dummy code loops (likely to delay analysis)
Hides threads from debuggers
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected TCP or UDP traffic on non-standard ports
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

AV Detection

Source: SajWKdHxdF.exe ReversingLabs: Detection: 26%
Source: SajWKdHxdF.exe Virustotal: Detection: 28%
Source: SajWKdHxdF.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: Binary string: D:\TestProject\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb source: SajWKdHxdF.exe, 00000001.00000002.4049697794.0000000000E1C000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: E:\HD_Audio\VS2005\Resetup\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdbP@n@ `@_CorExeMainmscoree.dll source: SajWKdHxdF.exe, 00000001.00000002.4049697794.0000000000E11000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: E:\HD_Audio\VS2005\Resetup\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb source: SajWKdHxdF.exe, 00000001.00000002.4049697794.0000000000E11000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\TestProject\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb,ANA @A_CorExeMainmscoree.dll source: SajWKdHxdF.exe, 00000001.00000002.4049697794.0000000000E1C000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: Z:\Development\Secureuser\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: SajWKdHxdF.exe, 00000001.00000002.4049028223.00000000005CB000.00000040.00000001.01000000.00000003.sdmp

Networking

Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49738 -> 193.233.132.226:50500
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.226:50500 -> 192.168.2.4:49738
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49738 -> 193.233.132.226:50500
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 193.233.132.226:50500 -> 192.168.2.4:49738
Source: Traffic Snort IDS: 2046268 ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Get_settings) 192.168.2.4:49738 -> 193.233.132.226:50500
Source: global traffic TCP traffic: 192.168.2.6:49732 -> 193.233.132.226:50500
Source: Joe Sandbox View IP Address: 193.233.132.226
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: SajWKdHxdF.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: SajWKdHxdF.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SajWKdHxdF.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: SajWKdHxdF.exe, 00000001.00000002.4048938533.0000000000515000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: SajWKdHxdF.exe, 00000001.00000002.4048938533.0000000000515000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.winimage.com/zLibDllDpRTpR
Source: SajWKdHxdF.exe, 00000001.00000002.4048938533.0000000000515000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: SajWKdHxdF.exe String found in binary or memory: https://sectigo.com/CPS0
Source: SajWKdHxdF.exe, 00000001.00000002.4049846063.0000000000E98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: SajWKdHxdF.exe Static PE information: invalid certificate
Source: SajWKdHxdF.exe, 00000001.00000002.4049697794.0000000000E11000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSetupAfterRebootService.exeP vs SajWKdHxdF.exe
Source: SajWKdHxdF.exe, 00000001.00000002.4049697794.0000000000E1C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSetupAfterRebootService.exeP vs SajWKdHxdF.exe
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\SajWKdHxdF.exe File created: C:\Users\user\AppData\Local\Temp\adobe_WCOljeGXatR
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SajWKdHxdF.exe, 00000001.00000002.4048938533.0000000000515000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: SajWKdHxdF.exe, 00000001.00000002.4048938533.0000000000515000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: C:\Users\user\Desktop\SajWKdHxdF.exe File read: C:\Users\user\Desktop\SajWKdHxdF.exe
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Section loaded: devobj.dll
Source: SajWKdHxdF.exe Static file information: File size 4156656 > 1048576
Source: SajWKdHxdF.exe Static PE information: Raw size of .MPRESS1 is bigger than: 0x100000 < 0x3d0000

Data Obfuscation

Source: C:\Users\user\Desktop\SajWKdHxdF.exe Unpacked PE file: 1.2.SajWKdHxdF.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: initial sample Static PE information: section where entry point is pointing to: .MPRESS2
Source: SajWKdHxdF.exe Static PE information: section name: .MPRESS1
Source: SajWKdHxdF.exe Static PE information: section name: .MPRESS2

Boot Survival

Source: C:\Users\user\Desktop\SajWKdHxdF.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Window searched: window name: RegmonClass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SajWKdHxdF.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\SajWKdHxdF.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Special instruction interceptor: First address: 6CCCA0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Window / User API: threadDelayed 3211
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Window / User API: threadDelayed 6642
Source: C:\Users\user\Desktop\SajWKdHxdF.exe TID: 3212 Thread sleep count: 3211 > 30
Source: C:\Users\user\Desktop\SajWKdHxdF.exe TID: 3212 Thread sleep time: -324311s >= -30000s
Source: C:\Users\user\Desktop\SajWKdHxdF.exe TID: 3212 Thread sleep count: 6642 > 30
Source: C:\Users\user\Desktop\SajWKdHxdF.exe TID: 3212 Thread sleep time: -670842s >= -30000s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Last function: Thread delayed
Source: SajWKdHxdF.exe, 00000001.00000002.4049846063.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: SajWKdHxdF.exe, 00000001.00000003.2214578242.0000000000E80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \SystemRoot\system32\ntkrnmp.exeSDT\VBOX__=l{TW
Source: SajWKdHxdF.exe, 00000001.00000002.4048821640.0000000000193000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: SajWKdHxdF.exe, 00000001.00000003.2214462223.0000000000E80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \SystemRoot\system32\ntkrnlmp.exeST\VBOX__=l{TW
Source: SajWKdHxdF.exe, 00000001.00000002.4049846063.0000000000E90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: SajWKdHxdF.exe, 00000001.00000003.2215301089.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, SajWKdHxdF.exe, 00000001.00000003.2215187926.0000000000E80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \SystemRoot\system32\ntkrnlmp.exeSDT\VBOX__=l{TW
Source: SajWKdHxdF.exe, 00000001.00000003.2214731973.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, SajWKdHxdF.exe, 00000001.00000003.2214843586.0000000000E80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \SystemRoot\system32\ntkrnlp.exeSDT\VBOX__=l{TW
Source: SajWKdHxdF.exe, 00000001.00000002.4049846063.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
Source: SajWKdHxdF.exe, 00000001.00000003.2215415343.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, SajWKdHxdF.exe, 00000001.00000003.2215074046.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, SajWKdHxdF.exe, 00000001.00000003.2214959564.0000000000E80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \SystemRoot\system32\ntkrnlm.exeSDT\VBOX__=l{TW
Source: SajWKdHxdF.exe, 00000001.00000002.4049846063.0000000000EEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f5
Source: SajWKdHxdF.exe, 00000001.00000002.4049846063.0000000000E90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000s
Source: C:\Users\user\Desktop\SajWKdHxdF.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\SajWKdHxdF.exe Process Stats: CPU usage > 42% for more than 60s
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SajWKdHxdF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 1.2.SajWKdHxdF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: SajWKdHxdF.exe PID: 1424, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 1.2.SajWKdHxdF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: SajWKdHxdF.exe PID: 1424, type: MEMORYSTR