Edit tour

Windows Analysis Report
SajWKdHxdF.exe

Overview

General Information

Sample name:	SajWKdHxdF.exe renamed because original name is a hash value
Original sample name:	d72b925c4abaf97c5eb47514ee82f7f2.exe
Analysis ID:	1429096
MD5:	d72b925c4abaf97c5eb47514ee82f7f2
SHA1:	5768f62f599d2682b205f6beec17064f14e0646b
SHA256:	7729b2ed03cca1153854c35ac85fd23c1e0d34347be0e29a8a6aecbba088a95f
Tags:	32exetrojan
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected RisePro Stealer

Found potential dummy code loops (likely to delay analysis)

Hides threads from debuggers

Query firmware table information (likely to detect VMs)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade debugger and weak emulator (self modifying code)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Detected TCP or UDP traffic on non-standard ports

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

SajWKdHxdF.exe (PID: 1424 cmdline: "C:\Users\user\Desktop\SajWKdHxdF.exe" MD5: D72B925C4ABAF97C5EB47514EE82F7F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: SajWKdHxdF.exe PID: 1424	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.SajWKdHxdF.exe.400000.0.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ET TROJAN RisePro TCP Heartbeat Packet - Source IP: 192.168.2.4 - Destination IP: 193.233.132.226

Timestamp:	04/20/24-21:20:26.757895
SID:	2049060
Source Port:	49738
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 193.233.132.226

Timestamp:	04/20/24-21:23:04.222005
SID:	2046269
Source Port:	49738
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Get_settings) - Source IP: 192.168.2.4 - Destination IP: 193.233.132.226

Timestamp:	04/20/24-21:21:43.683511
SID:	2046268
Source Port:	49738
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 193.233.132.226 - Destination IP: 192.168.2.4

Timestamp:	04/20/24-21:20:26.979618
SID:	2046266
Source Port:	50500
Destination Port:	49738
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 193.233.132.226 - Destination IP: 192.168.2.4

Timestamp:	04/20/24-21:21:42.303911
SID:	2046267
Source Port:	50500
Destination Port:	49738
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SajWKdHxdF.exe	ReversingLabs: Detection: 26%
Source: SajWKdHxdF.exe	Virustotal: Detection: 28%			Perma Link

Source: SajWKdHxdF.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source:	Binary string: D:\TestProject\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb source: SajWKdHxdF.exe, 00000001.00000002.4049697794.0000000000E1C000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: E:\HD_Audio\VS2005\Resetup\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdbP@n@ `@_CorExeMainmscoree.dll source: SajWKdHxdF.exe, 00000001.00000002.4049697794.0000000000E11000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: E:\HD_Audio\VS2005\Resetup\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb source: SajWKdHxdF.exe, 00000001.00000002.4049697794.0000000000E11000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\TestProject\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb,ANA @A_CorExeMainmscoree.dll source: SajWKdHxdF.exe, 00000001.00000002.4049697794.0000000000E1C000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: Z:\Development\Secureuser\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: SajWKdHxdF.exe, 00000001.00000002.4049028223.00000000005CB000.00000040.00000001.01000000.00000003.sdmp

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49738 -> 193.233.132.226:50500
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.226:50500 -> 192.168.2.4:49738
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49738 -> 193.233.132.226:50500
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 193.233.132.226:50500 -> 192.168.2.4:49738
Source: Traffic	Snort IDS: 2046268 ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Get_settings) 192.168.2.4:49738 -> 193.233.132.226:50500

Source: global traffic

TCP traffic: 192.168.2.6:49732 -> 193.233.132.226:50500

Source: Joe Sandbox View

IP Address: 193.233.132.226 193.233.132.226

Source: Joe Sandbox View

ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU

Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226

Source: SajWKdHxdF.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: SajWKdHxdF.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SajWKdHxdF.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: SajWKdHxdF.exe, 00000001.00000002.4048938533.0000000000515000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: SajWKdHxdF.exe, 00000001.00000002.4048938533.0000000000515000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.winimage.com/zLibDllDpRTpR
Source: SajWKdHxdF.exe, 00000001.00000002.4048938533.0000000000515000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: SajWKdHxdF.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: SajWKdHxdF.exe, 00000001.00000002.4049846063.0000000000E98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT

Source: SajWKdHxdF.exe

Static PE information: invalid certificate

Source: SajWKdHxdF.exe, 00000001.00000002.4049697794.0000000000E11000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSetupAfterRebootService.exeP vs SajWKdHxdF.exe
Source: SajWKdHxdF.exe, 00000001.00000002.4049697794.0000000000E1C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSetupAfterRebootService.exeP vs SajWKdHxdF.exe

Source: SajWKdHxdF.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\SajWKdHxdF.exe

File created: C:\Users\user\AppData\Local\Temp\adobe_WCOljeGXatR

Jump to behavior

Source: C:\Users\user\Desktop\SajWKdHxdF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SajWKdHxdF.exe, 00000001.00000002.4048938533.0000000000515000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: SajWKdHxdF.exe, 00000001.00000002.4048938533.0000000000515000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: SajWKdHxdF.exe	ReversingLabs: Detection: 26%
Source: SajWKdHxdF.exe	Virustotal: Detection: 28%

Source: C:\Users\user\Desktop\SajWKdHxdF.exe

File read: C:\Users\user\Desktop\SajWKdHxdF.exe

Jump to behavior

Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Section loaded: devobj.dll	Jump to behavior

Source: SajWKdHxdF.exe

Static file information: File size 4156656 > 1048576

Source: SajWKdHxdF.exe

Static PE information: Raw size of .MPRESS1 is bigger than: 0x100000 < 0x3d0000

Source:	Binary string: D:\TestProject\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb source: SajWKdHxdF.exe, 00000001.00000002.4049697794.0000000000E1C000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: E:\HD_Audio\VS2005\Resetup\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdbP@n@ `@_CorExeMainmscoree.dll source: SajWKdHxdF.exe, 00000001.00000002.4049697794.0000000000E11000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: E:\HD_Audio\VS2005\Resetup\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb source: SajWKdHxdF.exe, 00000001.00000002.4049697794.0000000000E11000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\TestProject\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb,ANA @A_CorExeMainmscoree.dll source: SajWKdHxdF.exe, 00000001.00000002.4049697794.0000000000E1C000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: Z:\Development\Secureuser\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: SajWKdHxdF.exe, 00000001.00000002.4049028223.00000000005CB000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\SajWKdHxdF.exe

Unpacked PE file: 1.2.SajWKdHxdF.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;

Source: initial sample

Static PE information: section where entry point is pointing to: .MPRESS2

Source: SajWKdHxdF.exe	Static PE information: section name: .MPRESS1
Source: SajWKdHxdF.exe	Static PE information: section name: .MPRESS2

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Window searched: window name: RegmonClass	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\SajWKdHxdF.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\SajWKdHxdF.exe

File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Jump to behavior

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\SajWKdHxdF.exe

Special instruction interceptor: First address: 6CCCA0 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Window / User API: threadDelayed 3211			Jump to behavior
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Window / User API: threadDelayed 6642			Jump to behavior

Source: C:\Users\user\Desktop\SajWKdHxdF.exe TID: 3212	Thread sleep count: 3211 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SajWKdHxdF.exe TID: 3212	Thread sleep time: -324311s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SajWKdHxdF.exe TID: 3212	Thread sleep count: 6642 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SajWKdHxdF.exe TID: 3212	Thread sleep time: -670842s >= -30000s	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Last function: Thread delayed

Source: SajWKdHxdF.exe, 00000001.00000002.4049846063.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: SajWKdHxdF.exe, 00000001.00000003.2214578242.0000000000E80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \SystemRoot\system32\ntkrnmp.exeSDT\VBOX__=l{TW
Source: SajWKdHxdF.exe, 00000001.00000002.4048821640.0000000000193000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: SajWKdHxdF.exe, 00000001.00000003.2214462223.0000000000E80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \SystemRoot\system32\ntkrnlmp.exeST\VBOX__=l{TW
Source: SajWKdHxdF.exe, 00000001.00000002.4049846063.0000000000E90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: SajWKdHxdF.exe, 00000001.00000003.2215301089.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, SajWKdHxdF.exe, 00000001.00000003.2215187926.0000000000E80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \SystemRoot\system32\ntkrnlmp.exeSDT\VBOX__=l{TW
Source: SajWKdHxdF.exe, 00000001.00000003.2214731973.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, SajWKdHxdF.exe, 00000001.00000003.2214843586.0000000000E80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \SystemRoot\system32\ntkrnlp.exeSDT\VBOX__=l{TW
Source: SajWKdHxdF.exe, 00000001.00000002.4049846063.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
Source: SajWKdHxdF.exe, 00000001.00000003.2215415343.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, SajWKdHxdF.exe, 00000001.00000003.2215074046.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, SajWKdHxdF.exe, 00000001.00000003.2214959564.0000000000E80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \SystemRoot\system32\ntkrnlm.exeSDT\VBOX__=l{TW
Source: SajWKdHxdF.exe, 00000001.00000002.4049846063.0000000000EEF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f5
Source: SajWKdHxdF.exe, 00000001.00000002.4049846063.0000000000E90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000s
Source: SajWKdHxdF.exe, 00000001.00000002.4049846063.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\SajWKdHxdF.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\SajWKdHxdF.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\SajWKdHxdF.exe

Process Stats: CPU usage > 42% for more than 60s

Hides threads from debuggers

Source: C:\Users\user\Desktop\SajWKdHxdF.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\SajWKdHxdF.exe	Process queried: DebugPort	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SajWKdHxdF.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\SajWKdHxdF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: 1.2.SajWKdHxdF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: SajWKdHxdF.exe PID: 1424, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: 1.2.SajWKdHxdF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: SajWKdHxdF.exe PID: 1424, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	431 Virtualization/Sandbox Evasion	OS Credential Dumping	721 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Software Packing	LSASS Memory	431 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	114 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SajWKdHxdF.exe	26%	ReversingLabs	Win32.Infostealer.Generic
SajWKdHxdF.exe	28%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	SajWKdHxdF.exe, 00000001.00000002.4048938533.0000000000515000.00000002.00000001.01000000.00000003.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	SajWKdHxdF.exe	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.winimage.com/zLibDll	SajWKdHxdF.exe, 00000001.00000002.4048938533.0000000000515000.00000002.00000001.01000000.00000003.sdmp	false		high
https://t.me/RiseProSUPPORT	SajWKdHxdF.exe, 00000001.00000002.4049846063.0000000000E98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	SajWKdHxdF.exe	false	URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.sectigo.com0	SajWKdHxdF.exe	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	SajWKdHxdF.exe	false	URL Reputation: safe	unknown
http://www.winimage.com/zLibDllDpRTpR	SajWKdHxdF.exe, 00000001.00000002.4048938533.0000000000515000.00000002.00000001.01000000.00000003.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.233.132.226	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1429096
Start date and time:	2024-04-20 21:26:27 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SajWKdHxdF.exe renamed because original name is a hash value
Original Sample Name:	d72b925c4abaf97c5eb47514ee82f7f2.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com

Simulations

Behavior and APIs

Time	Type	Description
21:29:41	API Interceptor	16828x Sleep call for process: SajWKdHxdF.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
193.233.132.226	qk9TaBBxh8.exe	Get hash	malicious	LummaC, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse
	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	SecuriteInfo.com.Trojan.Siggen28.25504.27914.23637.exe	Get hash	malicious	Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse
	80OrFCsz0u.exe	Get hash	malicious	GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	SecuriteInfo.com.Win64.Evo-gen.28136.30716.exe	Get hash	malicious	GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse
	SecuriteInfo.com.FileRepMalware.17769.21135.exe	Get hash	malicious	RisePro Stealer	Browse
	SecuriteInfo.com.FileRepMalware.17769.21135.exe	Get hash	malicious	RisePro Stealer	Browse
	PlcTuM1NlF.exe	Get hash	malicious	RisePro Stealer	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FREE-NET-ASFREEnetEU	file.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	jNeaezBuo8.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	193.233.132.175
	74fa486WVX.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	193.233.132.234
	qk9TaBBxh8.exe	Get hash	malicious	LummaC, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	193.233.132.226
	s2dwlCsA95.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe	Get hash	malicious	Amadey	Browse	193.233.132.56
	SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe	Get hash	malicious	Amadey, RedLine, RisePro Stealer	Browse	193.233.132.167
	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	193.233.132.226
	UeW2b6mU6Z.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.167

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Entropy (8bit):	7.990203109901368
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SajWKdHxdF.exe
File size:	4'156'656 bytes
MD5:	d72b925c4abaf97c5eb47514ee82f7f2
SHA1:	5768f62f599d2682b205f6beec17064f14e0646b
SHA256:	7729b2ed03cca1153854c35ac85fd23c1e0d34347be0e29a8a6aecbba088a95f
SHA512:	47c9a10df6edf8036e49c925bf13bdb2ede32a879428c29a6ace0cfd3d38323e2da7bd1c2382b4bf9a7342073244662e46ef558c9eeb57cc8e889c5edac6ef45
SSDEEP:	98304:PtjsJ7v/yR+fIH9vM2s8xULTssu5mysVOBKGf3GTWFzCJNIAIszo:lAJTyR+fAvMT8xgwXAcFPGiFObIn
TLSH:	2416331C5771ACF8FA25C9B92137C67D5CA23C4B29C71D4E4EA2BC467642A7F083D4A2
File Content Preview:	MZ@.....................................!..L.!Win32 .EXE...$@...PE..L......f...............'.4...........c.......P....@...................................?..............................`..L...L`..H....p..d............0?..<.................................

File Icon


Icon Hash:	034d51391e446107

Static PE Info

General

Entrypoint:	0xe26394
Entrypoint Section:	.MPRESS2
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x660FE6E7 [Fri Apr 5 11:56:23 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2f93cd80e5dfeca07d7e8b0f35545fb5

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=JetBrains s.r.o. \xef~\ufffd\u2030E\xb0j\xef~\ufffd\u2030E\xb0j\xef~\ufffd\u2030E\xb0j
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	17/04/2024 16:34:05 18/04/2034 16:34:05
Subject Chain	CN=JetBrains s.r.o. \xef~\ufffd\u2030E\xb0j\xef~\ufffd\u2030E\xb0j\xef~\ufffd\u2030E\xb0j
Version:	3
Thumbprint MD5:	A96F06B6F24AD5AC1F53F9E5FDC0816B
Thumbprint SHA-1:	1D5DFDA0FA0BA343BFD2968DF6A15E25F35D6528
Thumbprint SHA-256:	7FFEEEB0D9CA132A77BA827622D3E460C6720D7036CE7D88F80DC97C059696E4
Serial:	5E264BB6F748A1A54136979D5C99F11C

Entrypoint Preview

Instruction
pushad
call 00007FA2F07D7825h
pop eax
add eax, 00000B5Ah
mov esi, dword ptr [eax]
add esi, eax
sub eax, eax
mov edi, esi
lodsw
shl eax, 0Ch
mov ecx, eax
push eax
lodsd
sub ecx, eax
add esi, ecx
mov ecx, eax
push edi
push ecx
dec ecx
mov al, byte ptr [ecx+edi+06h]
mov byte ptr [ecx+esi], al
jne 00007FA2F07D7818h
sub eax, eax
lodsb
mov ecx, eax
and cl, FFFFFFF0h
and al, 0Fh
shl ecx, 0Ch
mov ch, al
lodsb
or ecx, eax
push ecx
add cl, ch
mov ebp, FFFFFD00h
shl ebp, cl
pop ecx
pop eax
mov ebx, esp
lea esp, dword ptr [esp+ebp*2-00000E70h]
push ecx
sub ecx, ecx
push ecx
push ecx
mov ecx, esp
push ecx
mov dx, word ptr [edi]
shl edx, 0Ch
push edx
push edi
add ecx, 04h
push ecx
push eax
add ecx, 04h
push esi
push ecx
call 00007FA2F07D7883h
mov esp, ebx
pop esi
pop edx
sub eax, eax
mov dword ptr [edx+esi], eax
mov ah, 10h
sub edx, eax
sub ecx, ecx
cmp ecx, edx
jnc 00007FA2F07D7848h
mov ebx, ecx
lodsb
inc ecx
and al, FEh
cmp al, E8h
jne 00007FA2F07D7814h
inc ebx
add ecx, 04h
lodsd
or eax, eax
js 00007FA2F07D7828h
cmp eax, edx
jnc 00007FA2F07D7807h
jmp 00007FA2F07D7828h
add eax, ebx
js 00007FA2F07D7801h
add eax, edx
sub eax, ebx
mov dword ptr [esi-04h], eax
jmp 00007FA2F07D77F8h
call 00007FA2F07D7825h
pop edi
add edi, FFFFFF4Dh
mov al, E9h
stosb
mov eax, 00000B56h
stosd
call 00007FA2F07D7825h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xa26000	0x4c	.MPRESS2
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa2604c	0x348	.MPRESS2
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa27000	0x21c64	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x3f3000	0x3cf0	.MPRESS1
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xa26f00	0x18	.MPRESS2
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa26178	0x68	.MPRESS2
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x7deb40	0x40	.MPRESS1
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.MPRESS1	0x1000	0xa25000	0x3d0000	5df8657ceffe89dbbd2e5cc2cb8f9b69	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.MPRESS2	0xa26000	0xf20	0x1000	363a8eb7b8f720984410cbf5d90d6c5a	False	0.546875	data	5.815329468699206	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xa27000	0x21c64	0x21e00	a8ff207d7a2f5af5781aebbd8978c20f	False	0.5540244464944649	data	6.591321755931618	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
REGINST	0x9cec64	0x33d	empty	English	United States	0
RTKICON	0x9cefa4	0x4780e	empty	English	United States	0
SETUPSERVICE_WIN7	0xa167b4	0x6000	empty	English	United States	0
SETUPSERVICE_WIN8	0xa1c7b4	0x2a00	empty	English	United States	0
RT_ICON	0xa27220	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096			0.6780018761726079
RT_ICON	0xa282f0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384			0.4562470477090222
RT_ICON	0xa2c540	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536			0.2785993138530699
RT_ICON	0xa3cd90	0xb115	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			1.0001985308715504
RT_MENU	0xa1f1b4	0x357c	empty			0
RT_MENU	0xa22730	0x8e	empty			0
RT_MENU	0xa227c0	0x1fe	empty			0
RT_MENU	0xa229c0	0x190	empty			0
RT_MENU	0xa22b50	0x7a2	empty			0
RT_MENU	0xa232f4	0x25c	empty			0
RT_MENU	0xa23550	0x7ce	empty	Korean	North Korea	0
RT_MENU	0xa23550	0x7ce	empty	Korean	South Korea	0
RT_MENU	0xa23d20	0x86	empty			0
RT_MENU	0xa23da8	0x88	empty			0
RT_MENU	0xa23e30	0x64	empty			0
RT_MENU	0xa23e94	0xba	empty			0
RT_MENU	0xa23f50	0x126	empty			0
RT_MENU	0xa24078	0xa4	empty			0
RT_MENU	0xa2411c	0x28	empty			0
RT_MENU	0xa24144	0x9c	empty			0
RT_MENU	0xa241e0	0x74	empty			0
RT_MENU	0xa24254	0xce	empty			0
RT_MENU	0xa24324	0xd6	empty			0
RT_MENU	0xa243fc	0x80	empty			0
RT_MENU	0xa2447c	0x24	empty			0
RT_MENU	0xa244a0	0x26	empty			0
RT_MENU	0xa244c8	0x11c	empty			0
RT_MENU	0xa245e4	0x76	empty			0
RT_MENU	0xa2465c	0xe6	empty			0
RT_MENU	0xa24744	0x142	empty			0
RT_MENU	0xa24888	0x18a	empty			0
RT_MENU	0xa24a14	0xc6	empty			0
RT_MENU	0xa24adc	0x19c	empty			0
RT_MENU	0xa24c78	0x142	empty			0
RT_MENU	0xa24dbc	0x18a	empty			0
RT_MENU	0xa24f48	0xb4	empty			0
RT_MENU	0xa24ffc	0x122	empty			0
RT_GROUP_ICON	0xa484f8	0x3e	data			0.8225806451612904
RT_MANIFEST	0xa48578	0x6ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.41694915254237286

Imports

DLL	Import
KERNEL32.DLL	GetModuleHandleA, GetProcAddress
USER32.dll	wsprintfA
GDI32.dll	CreateCompatibleBitmap
ADVAPI32.dll	RegQueryValueExA
SHELL32.dll	ShellExecuteA
ole32.dll	CoInitialize
WS2_32.dll	WSAStartup
CRYPT32.dll	CryptUnprotectData
SHLWAPI.dll	PathFindExtensionA
gdiplus.dll	GdipGetImageEncoders
SETUPAPI.dll	SetupDiEnumDeviceInfo
ntdll.dll	RtlUnicodeStringToAnsiString
RstrtMgr.DLL	RmStartSession

Exports

Name	Ordinal	Address
Start	1	0x461330

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Korean	North Korea
Korean	South Korea

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/20/24-21:20:26.757895	TCP	2049060	ET TROJAN RisePro TCP Heartbeat Packet	49738	50500	192.168.2.4	193.233.132.226
04/20/24-21:23:04.222005	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49738	50500	192.168.2.4	193.233.132.226
04/20/24-21:21:43.683511	TCP	2046268	ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Get_settings)	49738	50500	192.168.2.4	193.233.132.226
04/20/24-21:20:26.979618	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	50500	49738	193.233.132.226	192.168.2.4
04/20/24-21:21:42.303911	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	50500	49738	193.233.132.226	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 20, 2024 21:29:05.676909924 CEST	49732	50500	192.168.2.6	193.233.132.226
Apr 20, 2024 21:29:05.924253941 CEST	50500	49732	193.233.132.226	192.168.2.6
Apr 20, 2024 21:29:05.924348116 CEST	49732	50500	192.168.2.6	193.233.132.226
Apr 20, 2024 21:29:05.945267916 CEST	49732	50500	192.168.2.6	193.233.132.226
Apr 20, 2024 21:29:06.169004917 CEST	50500	49732	193.233.132.226	192.168.2.6
Apr 20, 2024 21:29:06.214432955 CEST	49732	50500	192.168.2.6	193.233.132.226
Apr 20, 2024 21:29:06.238286018 CEST	50500	49732	193.233.132.226	192.168.2.6
Apr 20, 2024 21:29:09.292675018 CEST	49732	50500	192.168.2.6	193.233.132.226
Apr 20, 2024 21:29:09.738260031 CEST	50500	49732	193.233.132.226	192.168.2.6
Apr 20, 2024 21:29:41.105191946 CEST	49732	50500	192.168.2.6	193.233.132.226
Apr 20, 2024 21:29:41.439918041 CEST	50500	49732	193.233.132.226	192.168.2.6
Apr 20, 2024 21:30:01.589741945 CEST	49732	50500	192.168.2.6	193.233.132.226
Apr 20, 2024 21:30:01.945236921 CEST	50500	49732	193.233.132.226	192.168.2.6
Apr 20, 2024 21:30:14.121323109 CEST	49732	50500	192.168.2.6	193.233.132.226
Apr 20, 2024 21:30:14.441531897 CEST	50500	49732	193.233.132.226	192.168.2.6
Apr 20, 2024 21:30:20.417625904 CEST	49732	50500	192.168.2.6	193.233.132.226
Apr 20, 2024 21:30:20.740684986 CEST	50500	49732	193.233.132.226	192.168.2.6
Apr 20, 2024 21:30:23.558334112 CEST	49732	50500	192.168.2.6	193.233.132.226
Apr 20, 2024 21:30:23.946151972 CEST	50500	49732	193.233.132.226	192.168.2.6
Apr 20, 2024 21:30:26.683383942 CEST	49732	50500	192.168.2.6	193.233.132.226
Apr 20, 2024 21:30:27.041312933 CEST	50500	49732	193.233.132.226	192.168.2.6
Apr 20, 2024 21:30:29.808362007 CEST	49732	50500	192.168.2.6	193.233.132.226
Apr 20, 2024 21:30:30.142987013 CEST	50500	49732	193.233.132.226	192.168.2.6
Apr 20, 2024 21:30:32.949035883 CEST	49732	50500	192.168.2.6	193.233.132.226
Apr 20, 2024 21:30:33.241700888 CEST	50500	49732	193.233.132.226	192.168.2.6

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: SajWKdHxdF.exePID: 1424, Parent PID: 4004

General

Target ID:	1
Start time:	21:27:28
Start date:	20/04/2024
Path:	C:\Users\user\Desktop\SajWKdHxdF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SajWKdHxdF.exe"
Imagebase:	0x400000
File size:	4'156'656 bytes
MD5 hash:	D72B925C4ABAF97C5EB47514EE82F7F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SajWKdHxdF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
SajWKdHxdF.exe