Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1430667
MD5: c6d4e7a7751714cacc798033a7405b3f
SHA1: c7a4c20ed1ff6b6eb9c6cc0d1388c05cb67a3be1
SHA256: c6ff8e76f68ee14c4c68827ad1eb0b49fbc2180c5ba1b44e85464c51469a2460
Tags: exe

Detection

RisePro Stealer
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found potential dummy code loops (likely to delay analysis)
Found stalling execution ending in API Sleep call
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Potential thread-based time evasion detected
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

AV Detection

Source: file.exe Virustotal: Detection: 20%
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49732 -> 193.233.132.47:50500
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.47:50500 -> 192.168.2.4:49732
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49732 -> 193.233.132.47:50500
Source: global traffic TCP traffic: 192.168.2.4:49732 -> 193.233.132.47:50500
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E14EB0 recv,recv,recv,recv,setsockopt,recv,recv,recv,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,Sleep,Sleep, 0_2_00E14EB0
Source: file.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: file.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: file.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: file.exe, 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe, 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: file.exe String found in binary or memory: https://sectigo.com/CPS0
Source: file.exe, 00000000.00000002.4096544778.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: file.exe, 00000000.00000002.4096544778.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTlLHT
Source: C:\Users\user\Desktop\file.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F32D85 0_2_00F32D85
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E940A0 0_2_00E940A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D9001D 0_2_00D9001D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E881A0 0_2_00E881A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011AC316 0_2_011AC316
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E54220 0_2_00E54220
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E64220 0_2_00E64220
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D9035F 0_2_00D9035F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E40350 0_2_00E40350
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E50520 0_2_00E50520
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DA47AD 0_2_00DA47AD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E8C8D0 0_2_00E8C8D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D8C950 0_2_00D8C950
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E94AE0 0_2_00E94AE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E44AA0 0_2_00E44AA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01040B69 0_2_01040B69
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E44CD0 0_2_00E44CD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01130D7A 0_2_01130D7A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E3CD20 0_2_00E3CD20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DA8E20 0_2_00DA8E20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E3CFC0 0_2_00E3CFC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E44F70 0_2_00E44F70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0118D145 0_2_0118D145
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E45070 0_2_00E45070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E51040 0_2_00E51040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D5D199 0_2_00D5D199
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D61135 0_2_00D61135
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E4D320 0_2_00E4D320
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E554A0 0_2_00E554A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E3D7D0 0_2_00E3D7D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F557C3 0_2_00F557C3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D61743 0_2_00D61743
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E618D0 0_2_00E618D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E45960 0_2_00E45960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E95A40 0_2_00E95A40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D9DA74 0_2_00D9DA74
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D59C90 0_2_00D59C90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E45EB0 0_2_00E45EB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E4DF20 0_2_00E4DF20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E820C0 0_2_00E820C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0116A5B5 0_2_0116A5B5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EF269F 0_2_00EF269F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D8A918 0_2_00D8A918
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E86B30 0_2_00E86B30
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00D84370 appears 39 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00E94890 appears 52 times
Source: file.exe Static PE information: invalid certificate
Source: file.exe, 00000000.00000000.1640274378.000000000148D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSetup.exe@ vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameSetup.exe@ vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal88.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\trixyJzclrbU7IL69
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, file.exe, 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: file.exe Virustotal: Detection: 20%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: devobj.dll
Source: file.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: file.exe Static file information: File size 4019448 > 1048576
Source: file.exe Static PE information: Raw size of .vmp is bigger than: 0x100000 < 0x3a7e00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E1C630 LoadLibraryA,GetProcAddress, 0_2_00E1C630
Source: initial sample Static PE information: section where entry point is pointing to: .vmp
Source: file.exe Static PE information: section name: .vmp
Source: file.exe Static PE information: section name: .vmp
Source: file.exe Static PE information: section name: .vmp
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01014B01 pushad ; iretd 0_2_01014B7F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010B0CD0 push edx; ret 0_2_010B0CE4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FD4E38 push eax; ret 0_2_00FD4E55
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011992A3 push ss; iretd 0_2_011992F5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FED780 push eax; ret 0_2_00FED836
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0110996D push ebx; ret 0_2_010E6B57
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D762CE push ds; retf 0_2_00D762CF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F6E854 push esp; ret 0_2_00F6E85F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0110E9E3 push eax; retf 0_2_0117CFFE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010E6B26 push ebx; ret 0_2_010E6B57
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0108AD93 pushfd ; ret 0_2_0102181F
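The static findings above (three sections named .vmp, the entry point pointing into one of them, a .text virtual size above 0x100000 and a .vmp raw size of 0x3a7e00) can be reproduced from the section table alone, which is useful when you want the same signal without running the sample. The script below is an added example, not the Joe Sandbox engine's own logic and not code from the sample: the section table embedded in it is constructed to resemble what the report describes rather than dumped from file.exe, and the load_with_pefile adapter (which needs the third-party pefile package) is how a real file would be fed in.

```python
"""Static PE triage: non-standard section names, entry point outside the usual
code sections, oversized or disk-less sections.  Added example; the section
table below is constructed to resemble the report, not dumped from file.exe."""
from dataclasses import dataclass

# Section names a normal MSVC/MinGW-built PE is expected to carry.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".tls", ".bss", ".CRT"}
# Sections in which a legitimate entry point normally lives.
CODE_SECTIONS = {".text", "CODE"}


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int  # RVA where the section is mapped
    virtual_size: int     # bytes occupied in memory
    raw_size: int         # bytes present in the file


# Constructed table (assumption): .text unpacked at runtime, three .vmp
# sections, the big one sized like the report's .vmp (raw 0x3a7e00).
SAMPLE_SECTIONS = [
    Section(".text",  0x001000, 0x1A0000, 0x000000),
    Section(".rdata", 0x1A1000, 0x040000, 0x040000),
    Section(".data",  0x1E1000, 0x010000, 0x008000),
    Section(".vmp",   0x1F1000, 0x001000, 0x001000),
    Section(".vmp",   0x1F2000, 0x3A8000, 0x3A7E00),
    Section(".vmp",   0x59A000, 0x005000, 0x005000),
    Section(".rsrc",  0x59F000, 0x002000, 0x002000),
]
SAMPLE_ENTRY_RVA = 0x2F0000  # inside the second .vmp section (constructed)


def section_for_rva(sections, rva):
    """Return the section whose mapped range contains `rva`, else None.
    The loader maps max(virtual, raw) bytes, so use that as the extent."""
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + max(s.virtual_size, s.raw_size):
            return s
    return None


def triage(sections, entry_rva, big=0x100000):
    """Produce the human-readable findings a sandbox report lists for the
    section table; `big` is the size threshold the report itself uses."""
    findings = []
    for s in sections:
        if s.name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {s.name}")
        if s.virtual_size > big:
            findings.append(f"{s.name}: virtual size {s.virtual_size:#x} exceeds {big:#x}")
        if s.raw_size > big:
            findings.append(f"{s.name}: raw size {s.raw_size:#x} exceeds {big:#x}")
        if s.raw_size == 0 and s.virtual_size > 0:
            findings.append(f"{s.name}: no raw data on disk, {s.virtual_size:#x} bytes filled at runtime")
    ep = section_for_rva(sections, entry_rva)
    if ep is None:
        findings.append(f"entry point {entry_rva:#x} is outside every section")
    elif ep.name not in CODE_SECTIONS:
        findings.append(f"entry point {entry_rva:#x} lies in {ep.name}, not a standard code section")
    return findings


def load_with_pefile(path):
    """Adapter for real files; imports the third-party pefile package lazily
    so the checks above run without it."""
    import pefile
    pe = pefile.PE(path, fast_load=True)
    sections = [Section(s.Name.rstrip(b"\0").decode("latin-1"), s.VirtualAddress,
                        s.Misc_VirtualSize, s.SizeOfRawData) for s in pe.sections]
    return sections, pe.OPTIONAL_HEADER.AddressOfEntryPoint


if __name__ == "__main__":
    import sys
    secs, ep = load_with_pefile(sys.argv[1]) if len(sys.argv) > 1 else (SAMPLE_SECTIONS, SAMPLE_ENTRY_RVA)
    for line in triage(secs, ep):
        print(line)
```

Without an argument the script triages the constructed table and reports the same four classes of finding the report lists; with a path it runs the same checks on a real file. The name-based checks are deliberately crude (a packer can rename .vmp to .text), so treat the entry-point and size checks as the stronger signals.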

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\file.exe Memory written: PID: 7044 base: 7F0005 value: E9 2B BA 6D 76
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 7044 base: 76ECBA30 value: E9 DA 45 92 89
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 7044 base: B40008 value: E9 8B 8E 3D 76
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 7044 base: 76F18E90 value: E9 80 71 C2 89
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 7044 base: C60005 value: E9 8B 4D F9 74
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 7044 base: 75BF4D90 value: E9 7A B2 06 8B
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 7044 base: C70005 value: E9 EB EB F9 74
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 7044 base: 75C0EBF0 value: E9 1A 14 06 8B
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 7044 base: C90005 value: E9 8B 8A 34 74
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 7044 base: 74FD8A90 value: E9 7A 75 CB 8B
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 7044 base: CA0005 value: E9 2B 02 36 74
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 7044 base: 75000230 value: E9 DA FD C9 8B
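The twelve writes above come in pairs. Each is a 5-byte E9 rel32 (jmp near, relative): the destination is the address of the following instruction plus a signed 32-bit displacement, wrapped to 32 bits. Resolving them shows that every patch written into a loaded module jumps into a low private page, and that the jmp written into that page lands 5 bytes (once 8 bytes) past the patched address, i.e. an inline hook together with its trampoline back into the original code, which is what the "overwrites code with unconditional jumps" signature is flagging. The script below is an added example, not part of the Joe Sandbox report or of the sample. It takes the twelve records verbatim from the report; its one assumption beyond the report is the 0x70000000 threshold used to tell module addresses from private allocations in this 32-bit process (a real triage would consult the process module list instead). The report does not say which APIs sit at the patched addresses, so the script does not name them.

```python
"""Resolve the E9 rel32 memory writes from the report and pair each inline hook
with its trampoline.  Added example; the twelve records are copied from the
report, the module-address threshold is an assumption."""
import re
from dataclasses import dataclass

# Input copied from the report's "Memory written" lines (32-bit process).
REPORT_WRITES = """
PID: 7044 base: 7F0005 value: E9 2B BA 6D 76
PID: 7044 base: 76ECBA30 value: E9 DA 45 92 89
PID: 7044 base: B40008 value: E9 8B 8E 3D 76
PID: 7044 base: 76F18E90 value: E9 80 71 C2 89
PID: 7044 base: C60005 value: E9 8B 4D F9 74
PID: 7044 base: 75BF4D90 value: E9 7A B2 06 8B
PID: 7044 base: C70005 value: E9 EB EB F9 74
PID: 7044 base: 75C0EBF0 value: E9 1A 14 06 8B
PID: 7044 base: C90005 value: E9 8B 8A 34 74
PID: 7044 base: 74FD8A90 value: E9 7A 75 CB 8B
PID: 7044 base: CA0005 value: E9 2B 02 36 74
PID: 7044 base: 75000230 value: E9 DA FD C9 8B
"""

_LINE = re.compile(r"base:\s*([0-9A-Fa-f]+)\s+value:\s*((?:[0-9A-Fa-f]{2}\s*)+)")

# Assumption (not from the report): in this 32-bit process, addresses at or
# above this are treated as loaded system DLLs, lower ones as private memory.
# Real triage should use the process module list instead of a threshold.
MODULE_BASE_THRESHOLD = 0x70000000


@dataclass(frozen=True)
class JmpWrite:
    address: int  # where the 5 bytes were written
    target: int   # where the jmp lands


@dataclass(frozen=True)
class HookPair:
    hook: int        # patched address inside a module
    handler: int     # where the patch jumps (attacker code)
    trampoline: int  # jmp written into the private page
    resume: int      # hook + stolen bytes, where the original code continues
    stolen: int      # bytes of the original prologue that were overwritten


def decode_jmp_rel32(address: int, data: bytes) -> int:
    """x86 E9 rel32: target = address of next instruction + signed rel32,
    truncated to 32 bits exactly as the CPU wraps it."""
    if len(data) != 5 or data[0] != 0xE9:
        raise ValueError("expected a 5-byte E9 jmp rel32")
    rel = int.from_bytes(data[1:], "little", signed=True)
    return (address + 5 + rel) & 0xFFFFFFFF


def parse_writes(text: str) -> list:
    """Turn 'base: X value: E9 ..' records into resolved JmpWrite objects."""
    writes = []
    for m in _LINE.finditer(text):
        addr = int(m.group(1), 16)
        data = bytes.fromhex("".join(m.group(2).split()))
        writes.append(JmpWrite(addr, decode_jmp_rel32(addr, data)))
    return writes


def is_module_address(addr: int) -> bool:
    return addr >= MODULE_BASE_THRESHOLD


def pair_hooks(writes, max_stolen: int = 16) -> list:
    """Match each jmp written into a module (the hook) with the jmp written
    into private memory that resumes just after it (the trampoline).  The
    hook's handler and the trampoline must share a page, and the resume
    address must lie 5..max_stolen bytes past the hook (a jmp is 5 bytes)."""
    hooks = [w for w in writes if is_module_address(w.address)]
    tramps = [w for w in writes if not is_module_address(w.address)]
    pairs = []
    for h in hooks:
        for t in tramps:
            stolen = t.target - h.address
            if 5 <= stolen <= max_stolen and (h.target >> 12) == (t.address >> 12):
                pairs.append(HookPair(h.address, h.target, t.address, t.target, stolen))
    return sorted(pairs, key=lambda p: p.hook)


if __name__ == "__main__":
    for p in pair_hooks(parse_writes(REPORT_WRITES)):
        print(f"hook {p.hook:08X} -> handler {p.handler:08X}; "
              f"trampoline {p.trampoline:08X} -> resume {p.resume:08X} "
              f"({p.stolen} bytes stolen)")
```

Running it lists six hooks, five of which overwrote 5 bytes and one (at 76F18E90) 8 bytes; the stolen-byte count is also what you need to restore the original prologues before dumping the process for further analysis.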

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\file.exe Stalling execution: Execution stalls by calling Sleep
Source: Initial file Signature Results: Thread-based counter
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB8A20 rdtsc 0_2_00FB8A20
Source: C:\Users\user\Desktop\file.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos, 0_2_00DADA50
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 2988
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 6871
Source: C:\Users\user\Desktop\file.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\file.exe API coverage: 9.7 %
Source: C:\Users\user\Desktop\file.exe TID: 7072 Thread sleep count: 2988 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7072 Thread sleep time: -301788s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7072 Thread sleep count: 6871 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7072 Thread sleep time: -693971s >= -30000s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Last function: Thread delayed
Source: file.exe, 00000000.00000002.4096544778.0000000000B50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: file.exe, 00000000.00000003.1661389596.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, 00000000.00000002.4096544778.0000000000BAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}s
Source: file.exe, 00000000.00000003.1661389596.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, 00000000.00000002.4096544778.0000000000BAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Process Stats: CPU usage > 42% for more than 60s
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB8A20 rdtsc 0_2_00FB8A20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E1C630 LoadLibraryA,GetProcAddress, 0_2_00E1C630
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DADA50 mov eax, dword ptr fs:[00000030h] 0_2_00DADA50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DADA50 mov eax, dword ptr fs:[00000030h] 0_2_00DADA50
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: file.exe PID: 7044, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: file.exe PID: 7044, type: MEMORYSTR