Windows Analysis Report
LisectAVT_2403002A_464.exe

Overview

General Information

Sample name: LisectAVT_2403002A_464.exe
Analysis ID: 1482235
MD5: 87c9aecd5886c99434358b6a7f42fde0
SHA1: a1424fb0f5bb9fb49a8797c4c43a7b8a4511b2cc
SHA256: 6c0274f44ac55e0619f215604d918e9764ab221e08f2432cd08e65ac69d65652
Tags: exe

Detection

RisePro Stealer
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected RisePro Stealer
AI detected suspicious sample
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Potential thread-based time evasion detected
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Detected TCP or UDP traffic on non-standard ports
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

AV Detection

Source: LisectAVT_2403002A_464.exe Avira: detected
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: LisectAVT_2403002A_464.exe Joe Sandbox ML: detected
Source: LisectAVT_2403002A_464.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 193.233.132.109:50500
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.109
Source: LisectAVT_2403002A_464.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: LisectAVT_2403002A_464.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: LisectAVT_2403002A_464.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: LisectAVT_2403002A_464.exe, 00000000.00000002.4115458295.0000000000BED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: LisectAVT_2403002A_464.exe, 00000000.00000002.4115458295.0000000000BED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: LisectAVT_2403002A_464.exe String found in binary or memory: https://sectigo.com/CPS0
Source: LisectAVT_2403002A_464.exe, 00000000.00000002.4115173281.00000000007DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Process Stats: CPU usage > 49%
Source: LisectAVT_2403002A_464.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal84.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe File created: C:\Users\user\AppData\Local\Temp\adobeLrRccmkMEOIP
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LisectAVT_2403002A_464.exe, 00000000.00000002.4115458295.0000000000BED000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LisectAVT_2403002A_464.exe, 00000000.00000002.4115458295.0000000000BED000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe File read: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Section loaded: devobj.dll
Source: LisectAVT_2403002A_464.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: LisectAVT_2403002A_464.exe Static file information: File size 5668408 > 1048576
Source: LisectAVT_2403002A_464.exe Static PE information: Raw size of .vmp is bigger than: 0x100000 < 0x562e00
Source: initial sample Static PE information: section where entry point is pointing to: .vmp
Source: LisectAVT_2403002A_464.exe Static PE information: real checksum: 0x573781 should be: 0x573789
Source: LisectAVT_2403002A_464.exe Static PE information: section name: .vmp
Source: LisectAVT_2403002A_464.exe Static PE information: section name: .vmp
Source: LisectAVT_2403002A_464.exe Static PE information: section name: .vmp

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Memory written: PID: 6308 base: 2D20005 value: E9 8B 2F 1E 74
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Memory written: PID: 6308 base: 76F02F90 value: E9 7A D0 E1 8B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Memory written: PID: 6308 base: 2D30005 value: E9 2B BA 19 74
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Memory written: PID: 6308 base: 76ECBA30 value: E9 DA 45 E6 8B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Memory written: PID: 6308 base: 2D40008 value: E9 8B 8E 1D 74
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Memory written: PID: 6308 base: 76F18E90 value: E9 80 71 E2 8B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Memory written: PID: 6308 base: 2D70005 value: E9 8B 4D E8 72
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Memory written: PID: 6308 base: 75BF4D90 value: E9 7A B2 17 8D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Memory written: PID: 6308 base: 2D80005 value: E9 EB EB E8 72
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Memory written: PID: 6308 base: 75C0EBF0 value: E9 1A 14 17 8D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Memory written: PID: 6308 base: 2D90005 value: E9 8B 8A 24 72
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Memory written: PID: 6308 base: 74FD8A90 value: E9 7A 75 DB 8D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Memory written: PID: 6308 base: 2DA0005 value: E9 2B 02 26 72
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Memory written: PID: 6308 base: 75000230 value: E9 DA FD D9 8D

Malware Analysis System Evasion

Source: Initial file Signature Results: Thread-based counter
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe API/Special instruction interceptor: Address: 133A9D1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe API/Special instruction interceptor: Address: 1340A74
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe API/Special instruction interceptor: Address: 142619C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe API/Special instruction interceptor: Address: F11939
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe API/Special instruction interceptor: Address: F09639
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe API/Special instruction interceptor: Address: 144863C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe API/Special instruction interceptor: Address: 1412270
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe API/Special instruction interceptor: Address: FA7D2E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe API/Special instruction interceptor: Address: 137A1EC
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe API/Special instruction interceptor: Address: 144ABE6
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe API/Special instruction interceptor: Address: 136EE7F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe API/Special instruction interceptor: Address: FD3809
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe API/Special instruction interceptor: Address: 13B5472
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe RDTSC instruction interceptor: First address: CE0FCB second address: CE0FD6 instructions: 0x00000000 rdtsc 0x00000002 not eax 0x00000004 cdq 0x00000005 push ecx 0x00000006 mov ecx, dword ptr [ebp+18h] 0x00000009 cdq 0x0000000a cwde 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Window / User API: threadDelayed 1616
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Window / User API: threadDelayed 6759
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe TID: 6336 Thread sleep count: 43 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe TID: 6336 Thread sleep count: 1616 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe TID: 6336 Thread sleep time: -163216s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe TID: 6548 Thread sleep count: 316 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe TID: 6336 Thread sleep count: 6759 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe TID: 6336 Thread sleep time: -682659s >= -30000s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Last function: Thread delayed
Source: LisectAVT_2403002A_464.exe, 00000000.00000002.4115173281.00000000007DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: LisectAVT_2403002A_464.exe, 00000000.00000002.4115173281.00000000007DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_464.exe, 00000000.00000002.4115173281.00000000007DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
Source: LisectAVT_2403002A_464.exe, 00000000.00000002.4115173281.000000000080E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_6AE97C9A
Source: LisectAVT_2403002A_464.exe, 00000000.00000002.4115085592.00000000006FD000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}8
Source: LisectAVT_2403002A_464.exe, 00000000.00000002.4115173281.000000000080E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_464.exe, 00000000.00000002.4115173281.000000000080E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ~-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_6AE97C9A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Process Stats: CPU usage > 42% for more than 60s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.LisectAVT_2403002A_464.exe.ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_464.exe PID: 6308, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.LisectAVT_2403002A_464.exe.ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_464.exe PID: 6308, type: MEMORYSTR