Windows
Analysis Report
LisectAVT_2403002A_262.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- LisectAVT_2403002A_262.exe (PID: 3300 cmdline:
"C:\Users\ user\Deskt op\LisectA VT_2403002 A_262.exe" MD5: 6EFB242EE7F7A8FAC1E25DEC0AC7F516)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
Timestamp: | 2024-07-25T03:00:23.355182+0200 |
SID: | 2046269 |
Source Port: | 49730 |
Destination Port: | 50500 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-07-25T03:00:38.371393+0200 |
SID: | 2022930 |
Source Port: | 443 |
Destination Port: | 49731 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-07-25T03:00:20.371409+0200 |
SID: | 2049060 |
Source Port: | 49730 |
Destination Port: | 50500 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-07-25T03:01:16.344989+0200 |
SID: | 2022930 |
Source Port: | 443 |
Destination Port: | 49737 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | TCP traffic: |
Source: | IP Address: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | Code function: | 0_2_002CE0A0 |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
System Summary |
---|
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Process Stats: |
Source: | Code function: | 0_2_003340A0 | |
Source: | Code function: | 0_2_0033E0F0 | |
Source: | Code function: | 0_2_002BE150 | |
Source: | Code function: | 0_2_00306270 | |
Source: | Code function: | 0_2_003AE264 | |
Source: | Code function: | 0_2_003A8314 | |
Source: | Code function: | 0_2_0033E300 | |
Source: | Code function: | 0_2_0037E300 | |
Source: | Code function: | 0_2_00338370 | |
Source: | Code function: | 0_2_003B0413 | |
Source: | Code function: | 0_2_002DC470 | |
Source: | Code function: | 0_2_00324450 | |
Source: | Code function: | 0_2_002B24F0 | |
Source: | Code function: | 0_2_003104D0 | |
Source: | Code function: | 0_2_0037C580 | |
Source: | Code function: | 0_2_00366630 | |
Source: | Code function: | 0_2_00334610 | |
Source: | Code function: | 0_2_0039A65D | |
Source: | Code function: | 0_2_0036C770 | |
Source: | Code function: | 0_2_0049885E | |
Source: | Code function: | 0_2_0033A840 | |
Source: | Code function: | 0_2_002D88A0 | |
Source: | Code function: | 0_2_002FA900 | |
Source: | Code function: | 0_2_0039A99F | |
Source: | Code function: | 0_2_00332A70 | |
Source: | Code function: | 0_2_002DEA60 | |
Source: | Code function: | 0_2_00370A90 | |
Source: | Code function: | 0_2_002D4AD0 | |
Source: | Code function: | 0_2_0033CC30 | |
Source: | Code function: | 0_2_002DAE30 | |
Source: | Code function: | 0_2_00344EE0 | |
Source: | Code function: | 0_2_00394F58 | |
Source: | Code function: | 0_2_00396F90 | |
Source: | Code function: | 0_2_0033CF80 | |
Source: | Code function: | 0_2_0034B000 | |
Source: | Code function: | 0_2_00335040 | |
Source: | Code function: | 0_2_0033F110 | |
Source: | Code function: | 0_2_00341110 | |
Source: | Code function: | 0_2_00337100 | |
Source: | Code function: | 0_2_002F3160 | |
Source: | Code function: | 0_2_002E11D0 | |
Source: | Code function: | 0_2_002FF280 | |
Source: | Code function: | 0_2_002D3330 | |
Source: | Code function: | 0_2_003453D0 | |
Source: | Code function: | 0_2_0046B450 | |
Source: | Code function: | 0_2_0033D400 | |
Source: | Code function: | 0_2_00385470 | |
Source: | Code function: | 0_2_00381450 | |
Source: | Code function: | 0_2_002EB480 | |
Source: | Code function: | 0_2_003356F0 | |
Source: | Code function: | 0_2_003417F0 | |
Source: | Code function: | 0_2_002E77E0 | |
Source: | Code function: | 0_2_002E58A0 | |
Source: | Code function: | 0_2_0038B900 |
Source: | Static PE information: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | File read: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Code function: | 0_2_002EB480 |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Code function: | 0_2_0042A0EA | |
Source: | Code function: | 0_2_004C2191 | |
Source: | Code function: | 0_2_0038E59B | |
Source: | Code function: | 0_2_0041E999 | |
Source: | Code function: | 0_2_004F2F2A | |
Source: | Code function: | 0_2_004DCA6A | |
Source: | Code function: | 0_2_004ECB5F | |
Source: | Code function: | 0_2_004BF1C9 |
Source: | Code function: | 0_2_003340A0 |
Malware Analysis System Evasion |
---|
Source: | Sandbox detection routine: | graph_0-86472 |
Source: | Evasive API call chain: | graph_0-86473 |
Source: | Stalling execution: | graph_0-86563 |
Source: | Signature Results: |
Source: | API/Special instruction interceptor: | ||
Source: | API/Special instruction interceptor: | ||
Source: | API/Special instruction interceptor: | ||
Source: | API/Special instruction interceptor: | ||
Source: | API/Special instruction interceptor: | ||
Source: | API/Special instruction interceptor: | ||
Source: | API/Special instruction interceptor: |
Source: | Code function: | 0_2_004EA790 |
Source: | Code function: | 0_2_00312530 |
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior |
Source: | API coverage: |
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Last function: | ||
Source: | Last function: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Anti Debugging |
---|
Source: | Process Stats: |
Source: | Code function: | 0_2_004EA790 |
Source: | Code function: | 0_2_002EB480 |
Source: | Code function: | 0_2_00312530 | |
Source: | Code function: | 0_2_00312530 | |
Source: | Code function: | 0_2_002C4100 |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Code function: | 0_2_0038E3B4 |
Source: | Queries volume information: | Jump to behavior |
Source: | Code function: | 0_2_002BA480 |
Source: | Key value queried: | Jump to behavior |
Stealing of Sensitive Information |
---|
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 211 Virtualization/Sandbox Evasion | OS Credential Dumping | 421 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 211 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 224 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
55% | ReversingLabs | Win32.Trojan.Leonem | ||
61% | Virustotal | Browse | ||
100% | Avira | TR/AVI.ClipBankercoin.sphdl | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
193.233.132.190 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | false |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1481019 |
Start date and time: | 2024-07-25 02:59:29 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 7m 10s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | LisectAVT_2403002A_262.exe |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@1/0@0/1 |
EGA Information: |
|
HCA Information: | Failed |
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
Time | Type | Description |
---|---|---|
21:00:52 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
193.233.132.190 | Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | ||
Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | |||
Get hash | malicious | Clipboard Hijacker, PrivateLoader, RisePro Stealer | Browse | |||
Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | |||
Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | |||
Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | |||
Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | |||
Get hash | malicious | RisePro Stealer | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
FREE-NET-ASFREEnetEU | Get hash | malicious | RisePro Stealer | Browse |
| |
Get hash | malicious | Bdaejec, RisePro Stealer | Browse |
| ||
Get hash | malicious | PureLog Stealer, RedLine, zgRAT | Browse |
| ||
Get hash | malicious | PureLog Stealer, RedLine, zgRAT | Browse |
| ||
Get hash | malicious | Bdaejec, RisePro Stealer | Browse |
| ||
Get hash | malicious | LummaC, PureLog Stealer, Xmrig, zgRAT | Browse |
| ||
Get hash | malicious | Mirai, Moobot | Browse |
| ||
Get hash | malicious | Xmrig | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | RedLine, Xmrig | Browse |
|
File type: | |
Entropy (8bit): | 7.9567746793562995 |
TrID: |
|
File name: | LisectAVT_2403002A_262.exe |
File size: | 2'956'293 bytes |
MD5: | 6efb242ee7f7a8fac1e25dec0ac7f516 |
SHA1: | 65f5091253ff71b5fe2c5539413034dfdded3bdf |
SHA256: | 7cb0ebf40882b541a0afbe9e0c1fa73f78df98778d745e821d4abb209df37966 |
SHA512: | c4c45accca846279eb8bd0bd6cca89bdaea9a2eb144a62d1a40ee81123c7b4ba5f6a368f512d6f1246c559e3d4ff77d32eefbe3cad85fb6f850b2be239386bab |
SSDEEP: | 49152:daMLcLQK2pQxjS8p8/wXkT34LDMHcVKLu4Ncn/TC12oaho0U3sFOM+Hi9OiQHZZ8:3G2afwOaoLDMH8KK4NcCaysh+HiYi4Zn |
TLSH: | 5AD52344AAD71159D58957340B03FFBC31B23EA54BA48D59B7B8BACAE8F725421F3203 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...fS.e..............."..............6...........@...........................R.....$.-...@.........................4.1.J.. |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x76feb1 |
Entrypoint Section: | .vmp$PH |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x65FC5366 [Thu Mar 21 15:33:58 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 410a0b262f1c4d9a86c700f5864e57ee |
Instruction |
---|
push esi |
mov esi, 888DEE22h |
not si |
push esi |
pushfd |
sub byte ptr [esp+esi+7772EE27h], FFFFFF9Ch |
xor word ptr [esp+esi+7772EE27h], si |
mov esi, dword ptr [esp+esi+7772EE2Bh] |
mov dword ptr [esp+08h], 856776FFh |
push dword ptr [esp+00h] |
popfd |
lea esp, dword ptr [esp+08h] |
call 00007F2DA47B1CC4h |
push 5FBFE51Dh |
call 00007F2DA473C4AAh |
push ebx |
bt eax, eax |
imul bp, bp |
mov ebp, edi |
movzx ebx, al |
ror bl, FFFFFFE6h |
add bl, bh |
mov ebx, edx |
movsx edx, ax |
dec eax |
mov edx, ebx |
sal edx, 02h |
mov eax, ebp |
call 00007F2DA47C097Ah |
mov edx, 323C68A9h |
btc edx, edx |
movzx eax, dl |
mov al, byte ptr [eax+edi-000000A9h] |
adc dl, FFFFFFBDh |
adc edx, 8BB804A6h |
add dl, dh |
adc edi, 00000001h |
jmp 00007F2DA46C83CBh |
and dl, al |
not dl |
jmp 00007F2DA4790CDCh |
mov dword ptr [edi], ecx |
jmp 00007F2DA46B9062h |
push 7B3B273Dh |
sbb edi, 00000008h |
call 00007F2DA4966A9Eh |
mov si, word ptr [edi] |
mov ecx, 6F18162Ah |
mov ax, word ptr [edi+ecx-6F181628h] |
sal cx, FFC8h |
adc cl, byte ptr [edi+ecx+00E7D604h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x311634 | 0x4a | .vmp$PH |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x342f14 | 0x12c | .vmp$PH |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x523000 | 0x8940 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x521000 | 0x1a50 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5202e0 | 0x40 | .vmp$PH |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x251000 | 0x84 | .vmp$PH |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x10bbe8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x10d000 | 0x23b78 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x131000 | 0x48c0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.vmp$PH | 0x136000 | 0x11aec9 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.vmp$PH | 0x251000 | 0x560 | 0x600 | 0221fb5e4225cc340ee4e43c8a9cb136 | False | 0.06770833333333333 | data | 0.40873607633360837 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.vmp$PH | 0x252000 | 0x2ce700 | 0x2ce800 | 4492772c4a9fb270cce5fba8cc9cd4f3 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.reloc | 0x521000 | 0x1a50 | 0x1c00 | 7f8eddde7fe19b79a3dbaa85406a4958 | False | 0.37723214285714285 | data | 5.789048687758576 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x523000 | 0x8940 | 0xe00 | e14a07ab56bcb473b6e032789458bd8b | False | 0.32254464285714285 | data | 3.5602061214740988 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
AFX_DIALOG_LAYOUT | 0x523d08 | 0x2 | data | 5.0 | ||
AFX_DIALOG_LAYOUT | 0x523d0c | 0x2 | data | 5.0 | ||
RT_DIALOG | 0x523d10 | 0x8e | data | 0.08450704225352113 | ||
RT_DIALOG | 0x523da0 | 0x1ea | data | 0.125 | ||
RT_DIALOG | 0x523f8c | 0x1bc | empty | 0 | ||
RT_STRING | 0x524148 | 0x44c | empty | 0 | ||
RT_STRING | 0x524594 | 0x422 | empty | 0 | ||
RT_STRING | 0x5249b8 | 0x45e | empty | 0 | ||
RT_STRING | 0x524e18 | 0x426 | empty | 0 | ||
RT_STRING | 0x525240 | 0x3c2 | empty | 0 | ||
RT_STRING | 0x525604 | 0x2d6 | empty | 0 | ||
RT_STRING | 0x5258dc | 0x62 | empty | 0 | ||
RT_RCDATA | 0x525940 | 0x6000 | empty | English | United States | 0 |
RT_MESSAGETABLE | 0x5233a4 | 0x74c | Matlab v4 mat-file (little endian) T, text, rows 200, columns 225, imaginary | English | United States | 0.30085653104925053 |
RT_MANIFEST | 0x523af0 | 0x216 | ASCII text, with CRLF line terminators | 0.5411985018726592 |
DLL | Import |
---|---|
KERNEL32.dll | GetVersionExA |
USER32.dll | wsprintfA |
GDI32.dll | CreateCompatibleBitmap |
ADVAPI32.dll | RegCloseKey |
SHELL32.dll | ShellExecuteA |
ole32.dll | CoInitialize |
WS2_32.dll | WSAStartup |
CRYPT32.dll | CryptUnprotectData |
SHLWAPI.dll | PathFindExtensionA |
gdiplus.dll | GdipGetImageEncoders |
SETUPAPI.dll | SetupDiEnumDeviceInfo |
ntdll.dll | RtlUnicodeStringToAnsiString |
RstrtMgr.DLL | RmStartSession |
KERNEL32.dll | HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress |
Name | Ordinal | Address |
---|---|---|
Start | 1 | 0x465970 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
2024-07-25T03:00:23.355182+0200 | TCP | 2046269 | ET MALWARE [ANY.RUN] RisePro TCP (Activity) | 49730 | 50500 | 192.168.2.4 | 193.233.132.190 |
2024-07-25T03:00:38.371393+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49731 | 13.85.23.86 | 192.168.2.4 |
2024-07-25T03:00:20.371409+0200 | TCP | 2049060 | ET MALWARE RisePro TCP Heartbeat Packet | 49730 | 50500 | 192.168.2.4 | 193.233.132.190 |
2024-07-25T03:01:16.344989+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49737 | 20.12.23.50 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 25, 2024 03:00:20.336462975 CEST | 49730 | 50500 | 192.168.2.4 | 193.233.132.190 |
Jul 25, 2024 03:00:20.341460943 CEST | 50500 | 49730 | 193.233.132.190 | 192.168.2.4 |
Jul 25, 2024 03:00:20.341548920 CEST | 49730 | 50500 | 192.168.2.4 | 193.233.132.190 |
Jul 25, 2024 03:00:20.371408939 CEST | 49730 | 50500 | 192.168.2.4 | 193.233.132.190 |
Jul 25, 2024 03:00:20.376594067 CEST | 50500 | 49730 | 193.233.132.190 | 192.168.2.4 |
Jul 25, 2024 03:00:23.355181932 CEST | 49730 | 50500 | 192.168.2.4 | 193.233.132.190 |
Jul 25, 2024 03:00:23.362112999 CEST | 50500 | 49730 | 193.233.132.190 | 192.168.2.4 |
Jul 25, 2024 03:00:41.776778936 CEST | 50500 | 49730 | 193.233.132.190 | 192.168.2.4 |
Jul 25, 2024 03:00:41.776973009 CEST | 49730 | 50500 | 192.168.2.4 | 193.233.132.190 |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Target ID: | 0 |
Start time: | 21:00:18 |
Start date: | 24/07/2024 |
Path: | C:\Users\user\Desktop\LisectAVT_2403002A_262.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 2'956'293 bytes |
MD5 hash: | 6EFB242EE7F7A8FAC1E25DEC0AC7F516 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 0.4% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 10.5% |
Total number of Nodes: | 76 |
Total number of Limit Nodes: | 20 |
Graph
Function 00312530 Relevance: 7.7, APIs: 5, Instructions: 156sleepCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 002CE0A0 Relevance: .1, Instructions: 97COMMON
Control-flow Graph
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 002BB865 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 194registryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 002CF1D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63networkCOMMON
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 002BA6A9 Relevance: 4.5, APIs: 3, Instructions: 35COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0031F050 Relevance: 1.6, APIs: 1, Instructions: 138COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 002F3160 Relevance: 483.9, APIs: 40, Strings: 235, Instructions: 2616fileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 002BE150 Relevance: 442.8, APIs: 46, Strings: 206, Instructions: 1778COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 002FA900 Relevance: 426.6, APIs: 1, Strings: 241, Instructions: 3117COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 002E58A0 Relevance: 157.7, APIs: 3, Strings: 86, Instructions: 1947COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 002D88A0 Relevance: 107.5, APIs: 2, Strings: 58, Instructions: 2469COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00370A90 Relevance: 54.4, Strings: 41, Instructions: 3100COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00306270 Relevance: 52.8, Strings: 41, Instructions: 1548COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 002E11D0 Relevance: 37.9, Strings: 30, Instructions: 443COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00332A70 Relevance: 30.0, APIs: 10, Strings: 7, Instructions: 263libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00366630 Relevance: 27.4, Strings: 21, Instructions: 1184COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003340A0 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 187libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0036C770 Relevance: 11.8, Strings: 8, Instructions: 1845COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0038B900 Relevance: 9.2, Strings: 7, Instructions: 461COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 002BA480 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 70libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00385470 Relevance: 7.0, Strings: 5, Instructions: 751COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0037C580 Relevance: 7.0, Strings: 4, Instructions: 2001COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00396F90 Relevance: 6.5, APIs: 4, Instructions: 455COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 002FF280 Relevance: 5.7, Strings: 4, Instructions: 658COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0049885E Relevance: 3.9, Strings: 3, Instructions: 157COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0037E300 Relevance: 3.7, Strings: 2, Instructions: 1167COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00341110 Relevance: 3.5, APIs: 2, Instructions: 456COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00324450 Relevance: 3.4, APIs: 2, Instructions: 374COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 002B24F0 Relevance: 2.7, Strings: 2, Instructions: 221COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0046B450 Relevance: 2.6, Strings: 2, Instructions: 80COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003356F0 Relevance: 2.3, Strings: 1, Instructions: 1073COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00334610 Relevance: 2.0, Strings: 1, Instructions: 759COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00338370 Relevance: 2.0, Strings: 1, Instructions: 748COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003453D0 Relevance: 1.7, APIs: 1, Instructions: 234COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00344EE0 Relevance: 1.7, APIs: 1, Instructions: 168COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0039A99F Relevance: 1.6, Strings: 1, Instructions: 333COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0039A65D Relevance: 1.6, Strings: 1, Instructions: 318COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0033CC30 Relevance: 1.6, Strings: 1, Instructions: 303COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0034B000 Relevance: 1.6, Strings: 1, Instructions: 302COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0038E3B4 Relevance: 1.4, Strings: 1, Instructions: 145COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00381450 Relevance: .6, Instructions: 612COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00337100 Relevance: .4, Instructions: 415COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0033A840 Relevance: .4, Instructions: 381COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003AE264 Relevance: .3, Instructions: 327COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0033CF80 Relevance: .3, Instructions: 313COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0033E300 Relevance: .3, Instructions: 300COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003A8314 Relevance: .3, Instructions: 270COMMONLIBRARYCODE
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0033E0F0 Relevance: .2, Instructions: 190COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00335040 Relevance: .2, Instructions: 189COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 002C4100 Relevance: .2, Instructions: 168COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00394F58 Relevance: .2, Instructions: 156COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003417F0 Relevance: .1, Instructions: 85COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0033D400 Relevance: .1, Instructions: 76COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004EA790 Relevance: .0, Instructions: 17COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 002C4490 Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 209registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 002B8BF0 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 90libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 002BE2B7 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 366fileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003A63EF Relevance: 10.8, APIs: 7, Instructions: 329COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00342EB0 Relevance: 7.6, APIs: 5, Instructions: 89sleepCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003AB63D Relevance: 6.1, APIs: 4, Instructions: 82COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 002CE1E0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 364libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 002CF690 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 170sleepCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|