Windows Analysis Report
installer.exe

Overview

General Information

Sample name: installer.exe
Analysis ID: 1464451
MD5: a0e213177ee87cbb5ec32bef195bbfa9
SHA1: 6265b138b96d83b070ce14cc16e528bdf68aa160
SHA256: 141be7789497012b7911cabb1307e25e19f747e2e8fb5375f9cddff7e5f28265
Tags: exe

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • installer.exe (PID: 4868 cmdline: "C:\Users\user\Desktop\installer.exe" MD5: A0E213177EE87CBB5EC32BEF195BBFA9)
    • schtasks.exe (PID: 2788 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 2912 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • MPGPH131.exe (PID: 3896 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: A0E213177EE87CBB5EC32BEF195BBFA9)
  • MPGPH131.exe (PID: 5040 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: A0E213177EE87CBB5EC32BEF195BBFA9)
  • RageMP131.exe (PID: 4828 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: A0E213177EE87CBB5EC32BEF195BBFA9)
  • RageMP131.exe (PID: 6108 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: A0E213177EE87CBB5EC32BEF195BBFA9)
  • cleanup
No configs have been found
Yara Overview

Source | Rule | Description | Author | Strings
Process Memory Space: installer.exe PID: 4868 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
Process Memory Space: MPGPH131.exe PID: 3896 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
Process Memory Space: MPGPH131.exe PID: 5040 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
Process Memory Space: RageMP131.exe PID: 4828 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
Process Memory Space: RageMP131.exe PID: 6108 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |

System Summary

Sigma: CurrentVersion Autorun Keys Modification
Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; EventID: 13; EventType: SetValue; Image: C:\Users\user\Desktop\installer.exe; ProcessId: 4868; TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Snort IDS alert
Timestamp: 06/28/24-21:10:01.833498
SID: 2049060
Source Port: 49712
Destination Port: 58709
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: C:\ProgramData\MPGPH131\MPGPH131.exe - ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe - ReversingLabs: Detection: 68%
Source: installer.exe - ReversingLabs: Detection: 68%
Source: Submitted Sample - Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe - Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe - Joe Sandbox ML: detected
Source: installer.exe - Joe Sandbox ML: detected
Source: installer.exe - Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: Traffic - Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.6:49712 -> 77.91.77.66:58709
Source: global traffic - TCP traffic: 77.91.77.66 ports 0,5,7,8,58709,9
Source: global traffic - TCP traffic: 192.168.2.6:49712 -> 77.91.77.66:58709
Source: Joe Sandbox View - IP Address: 77.91.77.66