Windows Analysis Report
LisectAVT_2403002A_479.exe

Overview

General Information

Sample name: LisectAVT_2403002A_479.exe
Analysis ID: 1481056
MD5: 910182267ab297ced9fa6cac86f93c3e
SHA1: ba9d0f067c51fa7ab9e2c3af128d4e3a9f2c28b9
SHA256: 9e2a3d673b97bbb4b879907a6de4217907800192401dc404af51953e59765838
Tags: exe
Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected RisePro Stealer
AI detected suspicious sample
Found potential dummy code loops (likely to delay analysis)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected TCP or UDP traffic on non-standard ports
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

AV Detection

Source: LisectAVT_2403002A_479.exe Avira: detected
Source: LisectAVT_2403002A_479.exe ReversingLabs: Detection: 47%
Source: LisectAVT_2403002A_479.exe Virustotal: Detection: 56%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: LisectAVT_2403002A_479.exe Joe Sandbox ML: detected
Source: LisectAVT_2403002A_479.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: LisectAVT_2403002A_479.exe, 00000000.00000002.3857894357.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
Source: global traffic TCP traffic: 192.168.2.8:49704 -> 5.42.65.117:50500
Source: Joe Sandbox View IP Address: 5.42.65.117 5.42.65.117
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.117
Source: LisectAVT_2403002A_479.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: LisectAVT_2403002A_479.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: LisectAVT_2403002A_479.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: LisectAVT_2403002A_479.exe, 00000000.00000003.1407231196.00000000031F0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_479.exe, 00000000.00000002.3857412181.000000000047F000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: LisectAVT_2403002A_479.exe, 00000000.00000003.1407231196.00000000031F0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_479.exe, 00000000.00000002.3857412181.000000000047F000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: LisectAVT_2403002A_479.exe String found in binary or memory: https://sectigo.com/CPS0
Source: LisectAVT_2403002A_479.exe, 00000000.00000002.3859430143.00000000011CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: LisectAVT_2403002A_479.exe, 00000000.00000002.3859430143.00000000011CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT#

System Summary

Source: LisectAVT_2403002A_479.exe Static PE information: section name:
Source: LisectAVT_2403002A_479.exe Static PE information: section name:
Source: LisectAVT_2403002A_479.exe Static PE information: section name:
Source: LisectAVT_2403002A_479.exe Static PE information: section name:
Source: LisectAVT_2403002A_479.exe Static PE information: section name:
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Process Stats: CPU usage > 49%
Source: LisectAVT_2403002A_479.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: LisectAVT_2403002A_479.exe Static PE information: Section: ZLIB complexity 0.9999294582392777
Source: LisectAVT_2403002A_479.exe Static PE information: Section: ZLIB complexity 0.9995163690476191
Source: LisectAVT_2403002A_479.exe Static PE information: Section: ZLIB complexity 1.0003507829822615
Source: LisectAVT_2403002A_479.exe Static PE information: Section: ZLIB complexity 1.0009469696969697
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe File created: C:\Users\user\AppData\Local\Temp\adobe9w_PptQiwNFf
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LisectAVT_2403002A_479.exe, 00000000.00000003.1407231196.00000000031F0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_479.exe, 00000000.00000002.3857412181.000000000047F000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LisectAVT_2403002A_479.exe, 00000000.00000003.1407231196.00000000031F0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_479.exe, 00000000.00000002.3857412181.000000000047F000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: LisectAVT_2403002A_479.exe ReversingLabs: Detection: 47%
Source: LisectAVT_2403002A_479.exe Virustotal: Detection: 56%
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe File read: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Section loaded: devobj.dll
Source: LisectAVT_2403002A_479.exe Static file information: File size 3554604 > 1048576
Source: LisectAVT_2403002A_479.exe Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x280200
Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: LisectAVT_2403002A_479.exe, 00000000.00000002.3857894357.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
Source: initial sample Static PE information: section where entry point is pointing to: .boot
Source: LisectAVT_2403002A_479.exe Static PE information: real checksum: 0x373bc0 should be: 0x373bc4
Source: LisectAVT_2403002A_479.exe Static PE information: section name:
Source: LisectAVT_2403002A_479.exe Static PE information: section name:
Source: LisectAVT_2403002A_479.exe Static PE information: section name:
Source: LisectAVT_2403002A_479.exe Static PE information: section name:
Source: LisectAVT_2403002A_479.exe Static PE information: section name:
Source: LisectAVT_2403002A_479.exe Static PE information: section name: .themida
Source: LisectAVT_2403002A_479.exe Static PE information: section name: .boot
Source: LisectAVT_2403002A_479.exe Static PE information: section name: entropy: 7.999574265479796

Boot Survival

Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Window searched: window name: RegmonClass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Window / User API: threadDelayed 2705
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Window / User API: threadDelayed 5680
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe TID: 608 Thread sleep count: 113 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe TID: 608 Thread sleep count: 2705 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe TID: 608 Thread sleep time: -273205s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe TID: 1152 Thread sleep count: 326 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe TID: 608 Thread sleep count: 5680 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe TID: 608 Thread sleep time: -573680s >= -30000s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Last function: Thread delayed
Source: LisectAVT_2403002A_479.exe, 00000000.00000002.3859430143.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: LisectAVT_2403002A_479.exe, 00000000.00000002.3859430143.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}J
Source: LisectAVT_2403002A_479.exe, 00000000.00000002.3859430143.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_821047A6
Source: LisectAVT_2403002A_479.exe, 00000000.00000002.3859430143.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}%%
Source: LisectAVT_2403002A_479.exe, 00000000.00000002.3859430143.00000000011FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_479.exe, 00000000.00000002.3859430143.00000000011CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: LisectAVT_2403002A_479.exe, 00000000.00000002.3859430143.00000000011FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_479.exe, 00000000.00000002.3859430143.00000000011CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: LisectAVT_2403002A_479.exe, 00000000.00000002.3859430143.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}l
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Process Stats: CPU usage > 42% for more than 60s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Process queried: DebugPort
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_479.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_479.exe PID: 1992, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_479.exe PID: 1992, type: MEMORYSTR