
Windows Analysis Report
MqN5lD3LGo.exe

Overview

General Information

Sample name: MqN5lD3LGo.exe
(renamed because original name is a hash value)
Original sample name: c6c9f27d335d4e47b5ea12653e806be6.exe
Analysis ID: 1462554
MD5: c6c9f27d335d4e47b5ea12653e806be6
SHA1: e53242d463e2c94383ec646e7e04504b96b4d176
SHA256: 514efbae5faa43878c743c3db36f81c25ab5d6da93b879b6e88e7a63b1b19769
Tags: 32 exe trojan
Infos:

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for sample
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

  • System is w10x64
  • MqN5lD3LGo.exe (PID: 4508 cmdline: "C:\Users\user\Desktop\MqN5lD3LGo.exe" MD5: C6C9F27D335D4E47B5EA12653E806BE6)
    • conhost.exe (PID: 6576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 4012 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • WerFault.exe (PID: 3536 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 308 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: RegAsm.exe PID: 4012 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
    No Sigma rule has matched
    Timestamp: 06/25/24-18:12:57.603058
    SID: 2049060
    Source Port: 49705
    Destination Port: 50500
    Protocol: TCP
    Classtype: A Network Trojan was detected
    Timestamp: 06/25/24-18:12:58.145124
    SID: 2046266
    Source Port: 50500
    Destination Port: 49705
    Protocol: TCP
    Classtype: A Network Trojan was detected
    Timestamp: 06/25/24-18:16:59.942935
    SID: 2046269
    Source Port: 49705
    Destination Port: 50500
    Protocol: TCP
    Classtype: A Network Trojan was detected


    AV Detection

    Source: MqN5lD3LGo.exe | ReversingLabs: Detection: 73%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
    Source: MqN5lD3LGo.exe | Joe Sandbox ML: detected
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_004C6B00 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,3_2_004C6B00
    Source: MqN5lD3LGo.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: MqN5lD3LGo.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000003.00000002.4473702920.0000000001546000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000003.00000002.4473702920.0000000001546000.00000004.00000020.00020000.00000000.sdmp
    Source: C:\Users\user\Desktop\MqN5lD3LGo.exe | Code function: 0_2_000CC8CD FindFirstFileExW,0_2_000CC8CD
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,3_2_004C6000
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00432022 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,3_2_00432022
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,3_2_004E6770
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,3_2_004938D0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00493B60 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,3_2_00493B60
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0044FC2F FindFirstFileExW,3_2_0044FC2F
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,3_2_004DFF00
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00431F9C FindClose,FindFirstFileExW,GetLastError,3_2_00431F9C

    Networking

    Source: Traffic | Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.5:49705 -> 5.42.67.8:50500
    Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 5.42.67.8:50500 -> 192.168.2.5:49705
    Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49705 -> 5.42.67.8:50500
    Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 5.42.67.8:50500
    Source: Joe Sandbox View | IP Address: 5.42.67.8
    Source: Joe Sandbox View | ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
    Source: unknown | TCP traffic detected without corresponding DNS query: 5.42.67.8