Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.973044901234143
Filename:	file.exe
Filesize:	3112448
MD5:	cd26ea5b17fe98a375ddfb645d9da46b
SHA1:	9fb4c16c99cbb30e93aa338c01da54752d5c6fa5
SHA256:	3d4f14601b29fae585157887a3fc30dfa95f1e01b380ae9d2b6d7b0f8fbe7b1c
SHA512:	9082dd9b0183be0e6d000f457dc457bbdd03be8bb86897f5c257afc61d3a3a713313aaf6b8815e517ba2bda52b60f1366d00c4403b6c23cc511c3d9b30ad0058
SSDEEP:	49152:JECRjxCrm9u60kl9XCrmzempei3chLnl8VO5AJp6:mCJxC69/0GX7e/8VPJp
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to inject threads in other processes	HIPS / PFW / Operating System Protection Evasion
Found stalling execution ending in API Sleep call	Malware Analysis System Evasion	Security Software Discovery
Hides threads from debuggers	Anti Debugging	Security Software Discovery
PE file has nameless sections	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Detected potential crypto function	System Summary	Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion	Security Software Discovery
Found decision node followed by non-executed suspicious APIs	Malware Analysis System Evasion	Security Software Discovery
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion File and Directory Discovery
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information Security Software Discovery
Binary may include packed or encrypted code	Data Obfuscation
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary
Contains functionality to download additional files from the internet	Networking
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to modify the execution of threads in other processes		Security Software Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery Security Software Discovery System Owner/User Discovery
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder File and Directory Discovery
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary	Security Software Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary	File and Directory Discovery
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter Security Software Discovery
Sample reads its own file content	System Summary	Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\MPGPH131\MPGPH131.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\ProgramData\MPGPH131\MPGPH131.exe
Category:	dropped
Dump:	MPGPH131.exe.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.973044901234143
Encrypted:	false
Ssdeep:	49152:JECRjxCrm9u60kl9XCrmzempei3chLnl8VO5AJp6:mCJxC69/0GX7e/8VPJp
Size:	3112448
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Contains functionality to inject threads in other processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Found stalling execution ending in API Sleep call	Malware Analysis System Evasion
Hides threads from debuggers	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found decision node followed by non-executed suspicious APIs	Malware Analysis System Evasion
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Category:	dropped
Dump:	RageMP131.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.973044901234143
Encrypted:	false
Ssdeep:	49152:JECRjxCrm9u60kl9XCrmzempei3chLnl8VO5AJp6:mCJxC69/0GX7e/8VPJp
Size:	3112448
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Contains functionality to inject threads in other processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Found stalling execution ending in API Sleep call	Malware Analysis System Evasion
Hides threads from debuggers	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found decision node followed by non-executed suspicious APIs	Malware Analysis System Evasion
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier
Category:	dropped
Dump:	MPGPH131.exe_Zone.Identifier.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Contains functionality to inject threads in other processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Found stalling execution ending in API Sleep call	Malware Analysis System Evasion
Hides threads from debuggers	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found decision node followed by non-executed suspicious APIs	Malware Analysis System Evasion
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier
Category:	dropped
Dump:	RageMP131.exe_Zone.Identifier.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Contains functionality to inject threads in other processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Found stalling execution ending in API Sleep call	Malware Analysis System Evasion
Hides threads from debuggers	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found decision node followed by non-executed suspicious APIs	Malware Analysis System Evasion
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

ASCII text, with no line terminators

modified

Details

File:	C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Category:	modified
Dump:	rage131MP.tmp.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	ASCII text, with no line terminators
Entropy:	3.0269868333592873
Encrypted:	false
Ssdeep:	3:LucckIn:KcckIn
Size:	13
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3536
Target ID:	0
Parent PID:	1028
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	3112448
MD5:	CD26EA5B17FE98A375DDFB645D9DA46B
Time:	01:26:47
Date:	03/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x450000
Modulesize:	11837440
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
PE file has nameless sections	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Details

Is windows:	true
Is dropped:	false
PID:	5428
Target ID:	2
Parent PID:	3536
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\schtasks.exe
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Size:	187904
MD5:	48C2FE20575769DE916F48EF0676A965
Time:	01:26:51
Date:	03/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xea0000
Modulesize:	204800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Details

Is windows:	true
Is dropped:	false
PID:	2716
Target ID:	4
Parent PID:	3536
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\schtasks.exe
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Size:	187904
MD5:	48C2FE20575769DE916F48EF0676A965
Time:	01:26:51
Date:	03/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xea0000
Modulesize:	204800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Spawns processes	System Summary	Process Injection

C:\ProgramData\MPGPH131\MPGPH131.exe

Details

Is windows:	false
Is dropped:	true
PID:	4712
Target ID:	6
Parent PID:	1068
Name:	MPGPH131.exe
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Size:	3112448
MD5:	CD26EA5B17FE98A375DDFB645D9DA46B
Time:	01:26:52
Date:	03/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc90000
Modulesize:	11837440
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

C:\ProgramData\MPGPH131\MPGPH131.exe

Details

Is windows:	false
Is dropped:	true
PID:	2568
Target ID:	7
Parent PID:	1068
Name:	MPGPH131.exe
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Size:	3112448
MD5:	CD26EA5B17FE98A375DDFB645D9DA46B
Time:	01:26:53
Date:	03/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc90000
Modulesize:	11837440
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"

Details

Is windows:	false
Is dropped:	true
PID:	5060
Target ID:	8
Parent PID:	1028
Name:	RageMP131.exe
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Size:	3112448
MD5:	CD26EA5B17FE98A375DDFB645D9DA46B
Time:	01:27:05
Date:	03/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x480000
Modulesize:	11837440
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Drops PE files	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"

Details

Is windows:	false
Is dropped:	true
PID:	2320
Target ID:	10
Parent PID:	1028
Name:	RageMP131.exe
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Size:	3112448
MD5:	CD26EA5B17FE98A375DDFB645D9DA46B
Time:	01:27:14
Date:	03/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x480000
Modulesize:	11837440
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Drops PE files	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3276
Target ID:	3
Parent PID:	5428
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	01:26:51
Date:	03/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6108
Target ID:	5
Parent PID:	2716
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	01:26:51
Date:	03/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://db-ip.com/demo/home.php?s=191.96.227.219/

unknown

https://db-ip.com/demo/home.php?s=191.96.227.219m

unknown

https://db-ip.com/demo/home.php?s=191.96.227.219(

unknown

https://ipinfo.io/widget/demo/191.96.227.219u

unknown

https://ipinfo.io/widget/demo/191.96.227.219

34.117.186.192

https://db-ip.com/demo/home.php?s=191.96.227.219%

unknown

http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07

unknown

http://www.microsoft.co

unknown

https://db-ip.com/

unknown

https://t.me/RiseProSUPPORTj

unknown

https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll

unknown

https://ipinfo.io/widget/demo/191.96.227.219~r

unknown

https://t.me/RiseProSUPPORT

unknown

https://db-ip.com/demo/home.php?s=191.96.227.219

104.26.4.15

http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr

unknown

https://db-ip.co

unknown

https://db-ip.com/demo/home.php?s=191.96.227.2197

unknown

https://ipinfo.io/Mozilla/5.0

unknown

https://db-ip.com/demo/home.php?s=191.96.227.219Bh

unknown

https://ipinfo.io:443/widget/demo/191.96.227.219

unknown

https://t.me/RiseProSUPPORTY

unknown

https://ipinfo.io:443/widget/demo/191.96.227.219_

unknown

https://db-ip.com/demo/home.php?s=191.96.227.219O

unknown

https://db-ip.com:443/demo/home.php?s=191.96.227.219P

unknown

https://db-ip.com/demo/home.php?s=191.96.227.219K

unknown

https://ipinfo.io/

unknown

https://db-ip.com/demo/home.php?s=191.96.227.2197g

unknown

http://pki-ocsp.symauth.com0

unknown

https://www.maxmind.com/en/locate-my-ip-address

unknown

https://db-ip.com/v

unknown

https://db-ip.com:443/demo/home.php?s=191.96.227.219

unknown

http://www.winimage.com/zLibDll

unknown

https://ipinfo.io/jX

unknown

https://db-ip.com/M

unknown

https://ipinfo.io/widget/demo/191.96.227.219F

unknown

https://t.me/RiseProSUPPORTq7

unknown

There are 26 hidden URLs, click here to show them.

Domains

Name

Malicious

ipinfo.io

34.117.186.192

Details

Name:	ipinfo.io
IP:	34.117.186.192
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

db-ip.com

104.26.4.15

Details

Name:	db-ip.com
IP:	104.26.4.15
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

147.45.47.93

unknown

Russian Federation

Details

IP:	147.45.47.93
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	2895
ASN name:	FREE-NET-ASFREEnetEU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

34.117.186.192

ipinfo.io

United States

Details

IP:	34.117.186.192
TargetID:	8
Current Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Country:	United States
Countrycode:	USA
ASN number:	139070
ASN name:	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
Private:	false
Domain:	ipinfo.io

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

104.26.4.15

db-ip.com

United States

Details

IP:	104.26.4.15
TargetID:	10
Current Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	db-ip.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

RageMP131

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name:	RageMP131
Value data:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

Memdumps

Base Address

Regiontype

Protect

Malicious

1DC0000

heap

page read and write

800000

unkown

page execute and read and write

14A0000

heap

page read and write

395E000

stack

page read and write

408E000

stack

page read and write

717F000

stack

page read and write

142A000

heap

page read and write

7F6E0000

direct allocation

page execute and read and write

146B000

heap

page read and write

1C23000

heap

page read and write

3DBF000

stack

page read and write

11F0000

remote allocation

page read and write

3B00000

direct allocation

page execute and read and write

7F890000

direct allocation

page execute and read and write

3B2E000

stack

page read and write

646C000

heap

page read and write

612000

unkown

page execute and write copy

E37000

unkown

page execute and write copy

37F0000

heap

page read and write

481000

unkown

page execute and read and write

30C0000

heap

page read and write

1E4B000

heap

page read and write

15E2000

heap

page read and write

C91000

unkown

page execute and write copy

E34000

unkown

page readonly

6A63000

heap

page read and write

61C000

unkown

page readonly

34B4000

direct allocation

page execute and read and write

F81000

unkown

page execute and read and write

3784000

direct allocation

page execute and read and write

16B000

stack

page read and write

800000

unkown

page execute and read and write

13D7000

heap

page read and write

38B0000

heap

page read and write

1407000

heap

page read and write

1280000

heap

page read and write

1560000

heap

page read and write

34A3000

direct allocation

page execute and read and write

1285000

heap

page read and write

7F570000

direct allocation

page execute and read and write

654E000

stack

page read and write

21DE000

stack

page read and write

39FE000

unkown

page read and write

3784000

direct allocation

page execute and read and write

2FA0000

direct allocation

page execute and read and write

13F1000

heap

page read and write

13AA000

heap

page read and write

61C000

unkown

page readonly

35D0000

heap

page read and write

15C3000

heap

page read and write

E22000

unkown

page execute and read and write

34B0000

direct allocation

page execute and read and write

716E000

stack

page read and write

621000

unkown

page readonly

1C9E000

stack

page read and write

3EA4000

direct allocation

page execute and read and write

6D7E000

stack

page read and write

13B8000

heap

page read and write

627000

unkown

page execute and write copy

E22000

unkown

page execute and write copy

B17000

unkown

page execute and read and write

13A0000

heap

page read and write

3484000

direct allocation

page execute and read and write

3170000

direct allocation

page execute and read and write

1D60000

heap

page read and write

1DB8000

heap

page read and write

612000

unkown

page execute and write copy

3498000

direct allocation

page execute and read and write

6DCF000

stack

page read and write

3784000

direct allocation

page execute and read and write

7B7F000

stack

page read and write

3470000

direct allocation

page execute and read and write

777F000

stack

page read and write

41B0000

heap

page read and write

2F4E000

stack

page read and write

14C2000

heap

page read and write

13BC000

heap

page read and write

E22000

unkown

page execute and read and write

141B000

heap

page read and write

5F4000

unkown

page readonly

DBC000

unkown

page execute and read and write

1DC2000

heap

page read and write

480000

unkown

page readonly

627000

unkown

page execute and read and write

14C1000

heap

page read and write

306E000

stack

page read and write

3474000

direct allocation

page execute and read and write

15CC000

unkown

page execute and read and write

3DF0000

heap

page read and write

5E2000

unkown

page execute and read and write

612000

unkown

page execute and read and write

34C0000

direct allocation

page execute and read and write

33E0000

heap

page read and write

602000

unkown

page execute and read and write

11F0000

remote allocation

page read and write

6F6F000

stack

page read and write

480000

unkown

page readonly

3ACE000

stack

page read and write

35C0000

heap

page read and write

6F6E000

stack

page read and write

3380000

heap

page read and write

1B90000

remote allocation

page read and write

11F0000

remote allocation

page read and write

602000

unkown

page execute and write copy

1D1A000

heap

page read and write

1D0F000

heap

page read and write

3BB0000

heap

page read and write

14B7000

heap

page read and write

156E000

heap

page read and write

39B0000

heap

page read and write

143C000

stack

page read and write

DB9000

unkown

page execute and write copy

2FEE000

stack

page read and write

33B0000

heap

page read and write

610D000

stack

page read and write

3A7E000

stack

page read and write

3784000

direct allocation

page execute and read and write

DB9000

unkown

page execute and write copy

C91000

unkown

page execute and read and write

2F60000

heap

page read and write

AE7000

unkown

page execute and read and write

757000

unkown

page execute and read and write

658E000

stack

page read and write

757000

unkown

page execute and read and write

607F000

heap

page read and write

6B6F000

stack

page read and write

7EE50000

direct allocation

page execute and read and write

1DAF000

heap

page read and write

1CFE000

stack

page read and write

33C0000

heap

page read and write

6979000

heap

page read and write

6F7F000

stack

page read and write

627000

unkown

page execute and read and write

13C3000

heap

page read and write

156A000

heap

page read and write

3484000

direct allocation

page execute and read and write

602000

unkown

page execute and read and write

1DF1000

heap

page read and write

6A71000

heap

page read and write

1AB000

stack

page read and write

15BC000

heap

page read and write

E37000

unkown

page execute and write copy

451000

unkown

page execute and write copy

39AE000

stack

page read and write

1443000

heap

page read and write

3CCF000

stack

page read and write

3F74000

direct allocation

page execute and read and write

3798000

direct allocation

page execute and read and write

460000

remote allocation

page read and write

3BC0000

direct allocation

page execute and read and write

771000

unkown

page execute and read and write

1490000

heap

page read and write

1B20000

heap

page read and write

3C00000

direct allocation

page execute and read and write

3EA4000

direct allocation

page execute and read and write

5D2000

unkown

page execute and read and write

437F000

stack

page read and write

34B4000

direct allocation

page execute and read and write

13B2000

heap

page read and write

3700000

heap

page read and write

736E000

stack

page read and write

1D6A000

heap

page read and write

E2C000

unkown

page readonly

15CC000

unkown

page execute and write copy

221E000

stack

page read and write

34B4000

direct allocation

page execute and read and write

1C60000

remote allocation

page read and write

3D8D000

stack

page read and write

621000

unkown

page readonly

3B6E000

stack

page read and write

5DA000

unkown

page execute and write copy

621000

unkown

page readonly

1D01000

heap

page read and write

123B000

stack

page read and write

1D35000

heap

page read and write

35B0000

heap

page read and write

13DD000

heap

page read and write

34A4000

direct allocation

page execute and read and write

1D38000

heap

page read and write

3400000

heap

page read and write

3EA4000

direct allocation

page execute and read and write

3EB0000

direct allocation

page execute and read and write

15CC000

unkown

page execute and read and write

1C3E000

stack

page read and write

DEA000

unkown

page execute and write copy

C90000

unkown

page readonly

1CB0000

heap

page read and write

145A000

heap

page read and write

6FAE000

stack

page read and write

C90000

unkown

page readonly

5F7000

unkown

page execute and write copy

5F4000

unkown

page readonly

3F74000

direct allocation

page execute and read and write

419D000

stack

page read and write

5F8A000

heap

page read and write

E31000

unkown

page readonly

1D13000

heap

page read and write

1250000

heap

page read and write

13E4000

heap

page read and write

756F000

stack

page read and write

D89000

unkown

page execute and write copy

1DDC000

heap

page read and write

164E000

heap

page read and write

1BF5000

heap

page read and write

1DC8000

heap

page read and write

13C8000

heap

page read and write

302E000

stack

page read and write

5FCD000

heap

page read and write

2F70000

heap

page read and write

69CE000

stack

page read and write

E2C000

unkown

page readonly

366E000

stack

page read and write

6FBF000

stack

page read and write

6A36000

heap

page read and write

215D000

stack

page read and write

3EB8000

direct allocation

page execute and read and write

11CC000

stack

page read and write

1423000

heap

page read and write

1285000

heap

page read and write

3784000

direct allocation

page execute and read and write

5F7000

unkown

page execute and read and write

142E000

heap

page read and write

3484000

direct allocation

page execute and read and write

3473000

direct allocation

page execute and read and write

C91000

unkown

page execute and read and write

DBC000

unkown

page execute and read and write

15CC000

unkown

page execute and write copy

737D000

stack

page read and write

1CC0000

heap

page read and write

3F74000

direct allocation

page execute and read and write

3E6E000

stack

page read and write

DBC000

unkown

page execute and write copy

1A40000

heap

page read and write

C90000

unkown

page readonly

3FBF000

stack

page read and write

1B90000

remote allocation

page read and write

5E2000

unkown

page execute and write copy

1CC7000

heap

page read and write

3460000

heap

page read and write

1C20000

heap

page read and write

451000

unkown

page execute and read and write

612000

unkown

page execute and read and write

E22000

unkown

page execute and write copy

771000

unkown

page execute and read and write

143D000

heap

page read and write

5D2000

unkown

page execute and write copy

3CC0000

direct allocation

page execute and read and write

496F000

stack

page read and write

1280000

heap

page read and write

3E0D000

stack

page read and write

1B6D000

stack

page read and write

34C8000

direct allocation

page execute and read and write

1210000

heap

page read and write

2F63000

heap

page read and write

481000

unkown

page execute and write copy

1C60000

remote allocation

page read and write

417F000

stack

page read and write

1450000

heap

page read and write

797F000

stack

page read and write

624000

unkown

page readonly

696F000

stack

page read and write

757000

unkown

page execute and read and write

BA0000

heap

page read and write

1C30000

direct allocation

page execute and read and write

1D33000

heap

page read and write

624000

unkown

page readonly

E34000

unkown

page readonly

13AF000

heap

page read and write

1220000

heap

page read and write

3ABE000

stack

page read and write

377E000

stack

page read and write

14BF000

heap

page read and write

159C000

heap

page read and write

3DD0000

heap

page read and write

1360000

heap

page read and write

1BF0000

heap

page read and write

1649000

heap

page read and write

3A3E000

stack

page read and write

727000

unkown

page execute and read and write

5FC5000

heap

page read and write

1D0000

heap

page read and write

C80000

heap

page read and write

3740000

direct allocation

page execute and read and write

3EA0000

direct allocation

page execute and read and write

E12000

unkown

page execute and read and write

E34000

unkown

page readonly

1D3D000

heap

page read and write

36FD000

stack

page read and write

60B7000

heap

page read and write

480000

unkown

page readonly

3A80000

remote allocation

page read and write

624000

unkown

page readonly

15C0000

heap

page read and write

3F80000

direct allocation

page execute and read and write

6A28000

heap

page read and write

1D6D000

heap

page read and write

F67000

unkown

page execute and read and write

796F000

stack

page read and write

E31000

unkown

page readonly

3EC0000

heap

page read and write

776F000

stack

page read and write

741000

unkown

page execute and read and write

34B4000

direct allocation

page execute and read and write

15C8000

heap

page read and write

1250000

heap

page read and write

602000

unkown

page execute and write copy

141F000

heap

page read and write

7D0000

unkown

page execute and read and write

61C000

unkown

page readonly

3E10000

heap

page read and write

1010000

unkown

page execute and read and write

3F88000

direct allocation

page execute and read and write

634E000

stack

page read and write

3E93000

direct allocation

page execute and read and write

1D1F000

heap

page read and write

153D000

stack

page read and write

1D20000

heap

page read and write

B17000

unkown

page execute and read and write

3EA4000

direct allocation

page execute and read and write

3270000

heap

page read and write

69BD000

stack

page read and write

1DD4000

heap

page read and write

621000

unkown

page readonly

481000

unkown

page execute and write copy

65BF000

stack

page read and write

627000

unkown

page execute and write copy

1C60000

remote allocation

page read and write

41A0000

heap

page read and write

450000

unkown

page readonly

420000

heap

page read and write

3913000

heap

page read and write

F67000

unkown

page execute and read and write

1C2E000

stack

page read and write

757000

unkown

page execute and read and write

1DAA000

heap

page read and write

15DD000

heap

page read and write

136E000

heap

page read and write

C91000

unkown

page execute and write copy

1D10000

heap

page read and write

E12000

unkown

page execute and write copy

3790000

direct allocation

page execute and read and write

1448000

heap

page read and write

1459000

heap

page read and write

1D53000

heap

page read and write

6434000

heap

page read and write

20BD000

stack

page read and write

627000

unkown

page execute and read and write

3EA4000

direct allocation

page execute and read and write

678F000

stack

page read and write

3F70000

direct allocation

page execute and read and write

6D6F000

stack

page read and write

3EA4000

direct allocation

page execute and read and write

1431000

heap

page read and write

1411000

heap

page read and write

6D6E000

stack

page read and write

1213000

heap

page read and write

33F0000

heap

page read and write

B75000

heap

page read and write

1DCB000

heap

page read and write

3798000

direct allocation

page execute and read and write

13D7000

heap

page read and write

800000

unkown

page execute and read and write

3774000

direct allocation

page execute and read and write

15E7000

heap

page read and write

800000

unkown

page execute and read and write

175D000

stack

page read and write

477F000

stack

page read and write

E34000

unkown

page readonly

3498000

direct allocation

page execute and read and write

3784000

direct allocation

page execute and read and write

1D49000

heap

page read and write

34B4000

direct allocation

page execute and read and write

3EA0000

heap

page read and write

1428000

heap

page read and write

139E000

stack

page read and write

140A000

heap

page read and write

415E000

stack

page read and write

6987000

heap

page read and write

3470000

direct allocation

page execute and read and write

3484000

direct allocation

page execute and read and write

1BFB000

stack

page read and write

369E000

stack

page read and write

14ED000

stack

page read and write

3F74000

direct allocation

page execute and read and write

E2C000

unkown

page readonly

139C000

heap

page read and write

3EB0000

heap

page read and write

627000

unkown

page execute and read and write

3400000

heap

page read and write

1DD6000

heap

page read and write

460000

remote allocation

page read and write

E37000

unkown

page execute and read and write

314E000

stack

page read and write

F81000

unkown

page execute and read and write

3F63000

direct allocation

page execute and read and write

17CD000

stack

page read and write

396E000

stack

page read and write

C8B000

stack

page read and write

B70000

heap

page read and write

3280000

direct allocation

page execute and read and write

5AA000

unkown

page execute and write copy

1C10000

heap

page read and write

1DA3000

heap

page read and write

14F0000

heap

page read and write

481000

unkown

page execute and read and write

5DA000

unkown

page execute and write copy

3410000

direct allocation

page execute and read and write

46E000

stack

page read and write

6A39000

heap

page read and write

3A2A000

heap

page read and write

32D0000

direct allocation

page execute and read and write

497F000

stack

page read and write

13D5000

heap

page read and write

3F74000

direct allocation

page execute and read and write

5F8D000

heap

page read and write

6BCF000

unkown

page read and write

3DE0000

heap

page read and write

3A21000

heap

page read and write

1D06000

heap

page read and write

15C9000

unkown

page execute and write copy

771000

unkown

page execute and read and write

5EDB000

heap

page read and write

3E60000

direct allocation

page execute and read and write

5EC000

unkown

page readonly

1645000

heap

page read and write

1327000

unkown

page execute and read and write

1327000

unkown

page execute and read and write

15AA000

heap

page read and write

40DD000

stack

page read and write

3F64000

direct allocation

page execute and read and write

5F1000

unkown

page readonly

71BF000

stack

page read and write

6DBE000

stack

page read and write

3BAE000

stack

page read and write

5F1000

unkown

page readonly

3484000

direct allocation

page execute and read and write

6431000

heap

page read and write

13FD000

heap

page read and write

3EB8000

direct allocation

page execute and read and write

460000

remote allocation

page read and write

897000

unkown

page execute and read and write

143B000

heap

page read and write

3F30000

direct allocation

page execute and read and write

3860000

direct allocation

page execute and read and write

3ECF000

stack

page read and write

480000

unkown

page readonly

3F88000

direct allocation

page execute and read and write

1A2C000

stack

page read and write

DBC000

unkown

page execute and write copy

6BBF000

unkown

page read and write

3910000

heap

page read and write

3640000

direct allocation

page execute and read and write

2F90000

heap

page read and write

E2C000

unkown

page readonly

14F5000

heap

page read and write

757F000

stack

page read and write

1471000

heap

page read and write

3440000

heap

page read and write

3A80000

remote allocation

page read and write

3784000

direct allocation

page execute and read and write

624000

unkown

page readonly

607C000

heap

page read and write

6382000

heap

page read and write

1D15000

heap

page read and write

D8C000

unkown

page execute and read and write

E31000

unkown

page readonly

3F74000

direct allocation

page execute and read and write

3DCE000

stack

page read and write

1B90000

remote allocation

page read and write

E37000

unkown

page execute and read and write

61C000

unkown

page readonly

1416000

heap

page read and write

1260000

direct allocation

page execute and read and write

3484000

direct allocation

page execute and read and write

38FE000

stack

page read and write

E12000

unkown

page execute and read and write

15DF000

heap

page read and write

2FAE000

unkown

page read and write

37BD000

stack

page read and write

630E000

stack

page read and write

15BE000

heap

page read and write

136A000

heap

page read and write

3590000

heap

page read and write

67BF000

stack

page read and write

140E000

heap

page read and write

476F000

stack

page read and write

1DB2000

heap

page read and write

3EA4000

direct allocation

page execute and read and write

33D0000

heap

page read and write

B2B000

stack

page read and write

1DE3000

heap

page read and write

3F74000

direct allocation

page execute and read and write

3440000

direct allocation

page execute and read and write

67CE000

stack

page read and write

1230000

direct allocation

page execute and read and write

5EC000

unkown

page readonly

3A5D000

stack

page read and write

3484000

direct allocation

page execute and read and write

15F0000

heap

page read and write

15C9000

unkown

page execute and write copy

1D35000

heap

page read and write

71AF000

stack

page read and write

219E000

unkown

page read and write

D8C000

unkown

page execute and write copy

E31000

unkown

page readonly

1010000

unkown

page execute and read and write

771000

unkown

page execute and read and write

1E0000

heap

page read and write

3490000

direct allocation

page execute and read and write

3780000

direct allocation

page execute and read and write

3A03000

heap

page read and write

11CC000

stack

page read and write

13D0000

heap

page read and write

373E000

stack

page read and write

3E94000

direct allocation

page execute and read and write

19DC000

stack

page read and write

43D000

stack

page read and write

3A00000

heap

page read and write

15AF000

heap

page read and write

34C8000

direct allocation

page execute and read and write

15B8000

heap

page read and write

410000

heap

page read and write

15C5000

heap

page read and write

1CB0000

heap

page read and write

1632000

heap

page read and write

3773000

direct allocation

page execute and read and write

E12000

unkown

page execute and write copy

676E000

stack

page read and write

63BE000

stack

page read and write

C90000

unkown

page readonly

13BE000

heap

page read and write

1E47000

heap

page read and write

34B4000

direct allocation

page execute and read and write

7F1E0000

direct allocation

page execute and read and write

450000

unkown

page readonly

DEA000

unkown

page execute and write copy

1CF6000

heap

page read and write

3A80000

remote allocation

page read and write

6A2B000

heap

page read and write

34B4000

direct allocation

page execute and read and write

3480000

direct allocation

page execute and read and write

310E000

unkown

page read and write

There are 532 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
file.exe