Windows Analysis Report
Ke5ufWcgxp.exe

Overview

General Information

Sample name: Ke5ufWcgxp.exe (renamed because the original name is a hash value)
Original sample name: 85b0f825ec9f8661f2b1237a0e33ad06.exe
Analysis ID: 1461288
MD5: 85b0f825ec9f8661f2b1237a0e33ad06
SHA1: 16a3542ada51249be3b3a2939b79447b817b7a02
SHA256: 9ae617395ad5440f6774902b04f331a59282737d0f3c897d9f21ab73c19b691e
Tags: 32exetrojan

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Ke5ufWcgxp.exe (PID: 6172 cmdline: "C:\Users\user\Desktop\Ke5ufWcgxp.exe" MD5: 85B0F825EC9F8661F2B1237A0E33AD06)
    • schtasks.exe (PID: 4024 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 2504 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • MPGPH131.exe (PID: 320 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 85B0F825EC9F8661F2B1237A0E33AD06)
  • MPGPH131.exe (PID: 6152 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 85B0F825EC9F8661F2B1237A0E33AD06)
  • RageMP131.exe (PID: 7356 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 85B0F825EC9F8661F2B1237A0E33AD06)
  • RageMP131.exe (PID: 7692 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 85B0F825EC9F8661F2B1237A0E33AD06)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: Ke5ufWcgxp.exe PID: 6172 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
Process Memory Space: MPGPH131.exe PID: 320 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
Process Memory Space: MPGPH131.exe PID: 6152 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
Process Memory Space: RageMP131.exe PID: 7356 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
Process Memory Space: RageMP131.exe PID: 7692 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |

            System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Ke5ufWcgxp.exe, ProcessId: 6172, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131
Timestamp: 06/23/24-16:17:36.899727 | SID: 2046269 | Source Port: 49707 | Destination Port: 58709 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/23/24-16:17:38.200223 | SID: 2046269 | Source Port: 49716 | Destination Port: 58709 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/23/24-16:17:04.473158 | SID: 2046267 | Source Port: 58709 | Destination Port: 49716 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/23/24-16:15:23.534284 | SID: 2046266 | Source Port: 58709 | Destination Port: 49716 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/23/24-16:17:36.899737 | SID: 2046269 | Source Port: 49706 | Destination Port: 58709 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/23/24-16:17:37.415514 | SID: 2046269 | Source Port: 49708 | Destination Port: 58709 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/23/24-16:15:00.772679 | SID: 2049060 | Source Port: 49705 | Destination Port: 58709 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/23/24-16:17:01.678127 | SID: 2046267 | Source Port: 58709 | Destination Port: 49706 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/23/24-16:17:36.603047 | SID: 2046269 | Source Port: 49705 | Destination Port: 58709 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/23/24-16:17:02.960524 | SID: 2046267