Windows Analysis Report
LisectAVT_2403002A_419.exe

Overview

General Information

Sample name: LisectAVT_2403002A_419.exe
Analysis ID: 1482269
MD5: 42b90e270ab9cc4d1f6354045048b538
SHA1: 080d0df0d03f707096cb974da2d683037e9cc63a
SHA256: e4883bfe1480181df3d2eb0e0a587be359260ee11a32176aab234eb707fe6f76
Tags: exe
Infos:

Detection

RisePro Stealer
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RisePro Stealer
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to check for running processes (XOR)
Contains functionality to inject threads in other processes
Drops PE files to the user root directory
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Injects a PE file into a foreign processes
Writes to foreign memory regions
Abnormal high CPU Usage
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

AV Detection
barindex
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: LisectAVT_2403002A_419.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0051E150 FindFirstFileA,GetLastError,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,GetFileAttributesA,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,__Mtx_unlock, 2_2_0051E150
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0054E2D0 SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CopyFileA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,CopyFileA,__Mtx_unlock,__Mtx_unlock, 2_2_0054E2D0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0051A750 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,__Mtx_unlock, 2_2_0051A750
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005ED997 FindClose,FindFirstFileExW,GetLastError, 2_2_005ED997
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005EDA1D GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 2_2_005EDA1D
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.8:49705 -> 193.233.132.67:5000
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 193.233.132.67 193.233.132.67
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.67
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.67
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.67
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.67
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.67
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0052E0A0 recv,setsockopt,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,freeaddrinfo,WSACleanup,freeaddrinfo, 2_2_0052E0A0
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C000400000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1510031771.000000C000800000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507782336.000002BCE88A0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1457225393.000002BCE89F0000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, Au3Check.exe, 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, jQRMFClswtrBVwy.pdf.0.dr String found in binary or memory: http://www.winimage.com/zLibDll
Source: Au3Check.exe String found in binary or memory: https://ipinfo.io/
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C000400000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1510031771.000000C000800000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507782336.000002BCE88A0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1457225393.000002BCE89F0000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, jQRMFClswtrBVwy.pdf.0.dr String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: Au3Check.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Contains functionality to record screenshots
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0051AF30 GdiplusStartup,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdipDisposeImage,DeleteObject,ReleaseDC,GdiplusShutdown, 2_2_0051AF30
Abnormal high CPU Usage
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0051B360 2_2_0051B360
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005670F0 2_2_005670F0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005990E0 2_2_005990E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0051E150 2_2_0051E150
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0059E140 2_2_0059E140
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00553160 2_2_00553160
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005E5100 2_2_005E5100
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005411D0 2_2_005411D0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005191A0 2_2_005191A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005AD1A0 2_2_005AD1A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00595240 2_2_00595240
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005B1270 2_2_005B1270
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00556230 2_2_00556230
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00551220 2_2_00551220
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0054E2D0 2_2_0054E2D0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0055F280 2_2_0055F280
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0059F360 2_2_0059F360
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00533330 2_2_00533330
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005A63D0 2_2_005A63D0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00569440 2_2_00569440
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0053C470 2_2_0053C470
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005F646A 2_2_005F646A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005124F0 2_2_005124F0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005AC4F0 2_2_005AC4F0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0059E490 2_2_0059E490
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0054B480 2_2_0054B480
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005F84A0 2_2_005F84A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00596550 2_2_00596550
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005955B0 2_2_005955B0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00598610 2_2_00598610
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005A0610 2_2_005A0610
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005A2610 2_2_005A2610
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0059F600 2_2_0059F600
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0060F771 2_2_0060F771
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00567770 2_2_00567770
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005477E0 2_2_005477E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00609824 2_2_00609824
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0059F810 2_2_0059F810
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005DF800 2_2_005DF800
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005A68C0 2_2_005A68C0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005248E0 2_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00599880 2_2_00599880
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005388A0 2_2_005388A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005458A0 2_2_005458A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005E2950 2_2_005E2950
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005E6970 2_2_005E6970
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0059E910 2_2_0059E910
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0055A900 2_2_0055A900
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005719E0 2_2_005719E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0053EA60 2_2_0053EA60
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00525A10 2_2_00525A10
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00548A00 2_2_00548A00
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00534AD0 2_2_00534AD0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0054CA80 2_2_0054CA80
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005DDA80 2_2_005DDA80
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0059EB70 2_2_0059EB70
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005FBB6D 2_2_005FBB6D
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005C7B30 2_2_005C7B30
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00595B20 2_2_00595B20
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005CDC70 2_2_005CDC70
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00596C00 2_2_00596C00
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005A2CF0 2_2_005A2CF0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005F2CE0 2_2_005F2CE0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0059BD50 2_2_0059BD50
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00527DC0 2_2_00527DC0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005ECE10 2_2_005ECE10
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0053AE30 2_2_0053AE30
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00535E30 2_2_00535E30
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005FBEAF 2_2_005FBEAF
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00529F50 2_2_00529F50
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005D1F90 2_2_005D1F90
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00593F80 2_2_00593F80
Found potential string decryption / allocating functions
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: String function: 0057E530 appears 41 times
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: String function: 005A2450 appears 101 times
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: String function: 005EFED0 appears 50 times
PE file contains more sections than normal
Source: LisectAVT_2403002A_419.exe Static PE information: Number of sections : 12 > 10
Sample file is different than original file name gathered from version info
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1511786300.00007FF642639000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename" vs LisectAVT_2403002A_419.exe
Source: LisectAVT_2403002A_419.exe, 00000000.00000003.1507566796.000002BCE8B87000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAu3Check.exeN vs LisectAVT_2403002A_419.exe
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAu3Check.exeN vs LisectAVT_2403002A_419.exe
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_419.exe
Source: LisectAVT_2403002A_419.exe, 00000000.00000003.1507782336.000002BCE89D8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_419.exe
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C000400000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_419.exe
Source: LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAu3Check.exeN vs LisectAVT_2403002A_419.exe
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAu3Check.exeN vs LisectAVT_2403002A_419.exe
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1510031771.000000C000800000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_419.exe
Source: LisectAVT_2403002A_419.exe, 00000000.00000003.1457225393.000002BCE89F0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_419.exe
Source: LisectAVT_2403002A_419.exe Binary or memory string: OriginalFilename" vs LisectAVT_2403002A_419.exe
Source: LisectAVT_2403002A_419.exe Binary or memory string: main.SLNxPDSjg
Source: classification engine Classification label: mal84.troj.evad.winEXE@3/2@0/1
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005A47F0 GetLastError,GetVersionExA,FormatMessageW,LocalFree,FormatMessageA, 2_2_005A47F0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005A4110 GetVersionExA,CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA, 2_2_005A4110
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005191A0 CopyFileA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle, 2_2_005191A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00556230 CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,CopyFileA,GetUserNameA,CopyFileA,SHGetFolderPathA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,ShellExecuteA, 2_2_00556230
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe File created: C:\Users\user\jQRMFClswtrBVwy.pdf Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe File created: C:\Users\user\AppData\Local\Temp\adobezReUMOGlGfit Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe File opened: C:\Windows\system32\0db7f57e1c2f78ea24726f4ea368749bdd86de5fb8e853dffdfb2de10d733165AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: LisectAVT_2403002A_419.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C000400000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1510031771.000000C000800000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507782336.000002BCE88A0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1457225393.000002BCE89F0000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, Au3Check.exe, 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, jQRMFClswtrBVwy.pdf.0.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C000400000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1510031771.000000C000800000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507782336.000002BCE88A0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1457225393.000002BCE89F0000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, jQRMFClswtrBVwy.pdf.0.dr Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Au3Check.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: unknown Process created: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe "C:\Users\user\Desktop\LisectAVT_2403002A_419.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe Process created: C:\Program Files (x86)\AutoIt3\Au3Check.exe "C:\Program Files (x86)\autoit3\Au3Check.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe Process created: C:\Program Files (x86)\AutoIt3\Au3Check.exe "C:\Program Files (x86)\autoit3\Au3Check.exe" Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Section loaded: devobj.dll Jump to behavior
Source: LisectAVT_2403002A_419.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: LisectAVT_2403002A_419.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: LisectAVT_2403002A_419.exe Static file information: File size 5050885 > 1048576
Source: LisectAVT_2403002A_419.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x142c00
Source: LisectAVT_2403002A_419.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x356000
Source: LisectAVT_2403002A_419.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
Contains functionality to check for running processes (XOR)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: CopyFileA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle, 2_2_005191A0
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0054B480 SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrlenA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 2_2_0054B480
PE file contains an invalid checksum
Source: ROxcmXIWiwnYKwA.pdf.0.dr Static PE information: real checksum: 0x465e9 should be: 0x4eff9
Source: jQRMFClswtrBVwy.pdf.0.dr Static PE information: real checksum: 0x0 should be: 0x1557f3
Source: LisectAVT_2403002A_419.exe Static PE information: real checksum: 0x4d8c61 should be: 0x4d8c66
PE file contains sections with non-standard names
Source: LisectAVT_2403002A_419.exe Static PE information: section name: .xdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005EFA97 push ecx; ret 2_2_005EFAAA
Drops PE files
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe File created: C:\Users\user\ROxcmXIWiwnYKwA.pdf Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe File created: C:\Users\user\jQRMFClswtrBVwy.pdf Jump to dropped file
Drops PE files to the user directory
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe File created: C:\Users\user\ROxcmXIWiwnYKwA.pdf Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe File created: C:\Users\user\jQRMFClswtrBVwy.pdf Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe File created: C:\Users\user\jQRMFClswtrBVwy.pdf Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe File created: C:\Users\user\ROxcmXIWiwnYKwA.pdf Jump to dropped file

Boot Survival
barindex
Drops PE files to the user root directory
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe File created: C:\Users\user\ROxcmXIWiwnYKwA.pdf Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe File created: C:\Users\user\jQRMFClswtrBVwy.pdf Jump to dropped file
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005955B0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_005955B0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found API chain indicative of sandbox detection
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos, 2_2_00573A40
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Window / User API: threadDelayed 1654 Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Window / User API: threadDelayed 6841 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe Dropped PE file which has not been started: C:\Users\user\ROxcmXIWiwnYKwA.pdf Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe Dropped PE file which has not been started: C:\Users\user\jQRMFClswtrBVwy.pdf Jump to dropped file
Found evasive API chain (date check)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe API coverage: 4.4 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe TID: 7420 Thread sleep count: 1654 > 30 Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe TID: 7420 Thread sleep time: -167054s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe TID: 7432 Thread sleep count: 315 > 30 Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe TID: 7420 Thread sleep count: 6841 > 30 Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe TID: 7420 Thread sleep time: -690941s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Last function: Thread delayed
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Last function: Thread delayed
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00579610 GetKeyboardLayoutList followed by cmp: cmp ecx, edx and CTI: je 0057962Ah 2_2_00579610
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00577750 GetKeyboardLayoutList followed by cmp: cmp eax, 0eh and CTI: jc 00577760h country: Hungarian (hu) 2_2_00577750
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00577780 GetKeyboardLayoutList followed by cmp: cmp eax, 21h and CTI: jc 00577790h country: Indonesian (id) 2_2_00577780
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00577D40 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 00577D50h country: Upper Sorbian (hsb) 2_2_00577D40
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005A4670 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 005A46C1h 2_2_005A4670
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0051E150 FindFirstFileA,GetLastError,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,GetFileAttributesA,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,__Mtx_unlock, 2_2_0051E150
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0054E2D0 SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CopyFileA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,CopyFileA,__Mtx_unlock,__Mtx_unlock, 2_2_0054E2D0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0051A750 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,__Mtx_unlock, 2_2_0051A750
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005ED997 FindClose,FindFirstFileExW,GetLastError, 2_2_005ED997
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005EDA1D GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 2_2_005EDA1D
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0051C430 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 2_2_0051C430
Source: LisectAVT_2403002A_419.exe Binary or memory string: oTGTaprHP6Aj.(*k79haqX)._vmCie
Source: Au3Check.exe, 00000002.00000002.3876523073.00000000007A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}:#\lH
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1510858966.000002BCA3418000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllhk
Source: Au3Check.exe, 00000002.00000003.1520539735.00000000007A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}:#\lJ
Source: LisectAVT_2403002A_419.exe Binary or memory string: _vmCie
Source: Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -t-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_B6FF812C
Source: Au3Check.exe, 00000002.00000002.3876523073.000000000079F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Au3Check.exe, 00000002.00000002.3876343971.000000000019D000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}x<us <u
Source: Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_B6FF812C
Source: Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000="]k
Source: Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?tx<u#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}t
Source: Au3Check.exe, 00000002.00000002.3876523073.00000000007A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-9
Source: Au3Check.exe, 00000002.00000002.3876523073.0000000000792000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%%
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00524100 IsDebuggerPresent, 2_2_00524100
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0054B480 SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrlenA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 2_2_0054B480
Contains functionality to read the PEB
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00573A40 mov eax, dword ptr fs:[00000030h] 2_2_00573A40
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00573A40 mov eax, dword ptr fs:[00000030h] 2_2_00573A40
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0052C0A0 mov eax, dword ptr fs:[00000030h] 2_2_0052C0A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00524100 mov eax, dword ptr fs:[00000030h] 2_2_00524100
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005248E0 mov eax, dword ptr fs:[00000030h] 2_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005248E0 mov eax, dword ptr fs:[00000030h] 2_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005248E0 mov eax, dword ptr fs:[00000030h] 2_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005248E0 mov eax, dword ptr fs:[00000030h] 2_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005248E0 mov eax, dword ptr fs:[00000030h] 2_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005248E0 mov eax, dword ptr fs:[00000030h] 2_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005248E0 mov eax, dword ptr fs:[00000030h] 2_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005248E0 mov eax, dword ptr fs:[00000030h] 2_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005248E0 mov eax, dword ptr fs:[00000030h] 2_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005248E0 mov eax, dword ptr fs:[00000030h] 2_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005248E0 mov eax, dword ptr fs:[00000030h] 2_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005248E0 mov eax, dword ptr fs:[00000030h] 2_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00525A10 mov ecx, dword ptr fs:[00000030h] 2_2_00525A10
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_0054CA80 mov eax, dword ptr fs:[00000030h] 2_2_0054CA80
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00595240 GetProcessHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,CharNextA,CharNextA,CharNextA,CharNextA, 2_2_00595240
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005F006D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_005F006D
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005F45A4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_005F45A4
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005EFCC4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_005EFCC4

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe Memory allocated: C:\Program Files (x86)\AutoIt3\Au3Check.exe base: 510000 protect: page execute and read and write Jump to behavior
Contains functionality to inject threads in other processes
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00529F50 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 2_2_00529F50
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe Memory written: C:\Program Files (x86)\AutoIt3\Au3Check.exe base: 510000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe Memory written: C:\Program Files (x86)\AutoIt3\Au3Check.exe base: 510000 Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe Memory written: C:\Program Files (x86)\AutoIt3\Au3Check.exe base: 3B2008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe Process created: C:\Program Files (x86)\AutoIt3\Au3Check.exe "C:\Program Files (x86)\autoit3\Au3Check.exe" Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00524400 cpuid 2_2_00524400
Contains functionality to query locales information (e.g. system language)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: EnumSystemLocalesW, 2_2_0061004D
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_006100D8
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: GetLocaleInfoW, 2_2_0061032B
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_00610454
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 2_2_0051C430
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: GetLocaleInfoW, 2_2_006074CE
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: GetLocaleInfoW, 2_2_0061055A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_00610630
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: GetLocaleInfoEx,FormatMessageA, 2_2_005ED793
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 2_2_0060FCBB
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: GetLocaleInfoW, 2_2_0060FEC0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: EnumSystemLocalesW, 2_2_0060FF67
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: EnumSystemLocalesW, 2_2_00606F4A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: EnumSystemLocalesW, 2_2_0060FFB2
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe Queries volume information: C:\Program Files (x86)\AutoIt3\Au3Check.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe Queries volume information: C:\Program Files (x86)\AutoIt3\Au3Check.exe VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005EF26A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime, 2_2_005EF26A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00556230 CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,CopyFileA,GetUserNameA,CopyFileA,SHGetFolderPathA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,ShellExecuteA, 2_2_00556230
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_00609160 GetTimeZoneInformation, 2_2_00609160
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 2_2_005A4110 GetVersionExA,CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA, 2_2_005A4110
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected RisePro Stealer
Source: Yara match File source: 0.2.LisectAVT_2403002A_419.exe.c000380000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_419.exe.2bce88a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_419.exe.c000600000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_419.exe.2bce88a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_419.exe.2bce89f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_419.exe.c0009d4000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Au3Check.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Au3Check.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_419.exe.c000888000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_419.exe.c0009d4000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_419.exe.2bce89f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_419.exe.c000600000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_419.exe.c000572000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_419.exe.c0004f2000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_419.exe.c000888000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_419.exe.c00052c000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1507782336.000002BCE88A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1457225393.000002BCE89F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1510031771.000000C000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Au3Check.exe PID: 7416, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\jQRMFClswtrBVwy.pdf, type: DROPPED

Remote Access Functionality
barindex
Yara detected RisePro Stealer
Source: Yara match File source: 0.2.LisectAVT_2403002A_419.exe.c000380000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_419.exe.2bce88a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_419.exe.c000600000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_419.exe.2bce88a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_419.exe.2bce89f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_419.exe.c0009d4000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Au3Check.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Au3Check.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_419.exe.c000888000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_419.exe.c0009d4000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LisectAVT_2403002A_419.exe.2bce89f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_419.exe.c000600000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_419.exe.c000572000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_419.exe.c0004f2000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_419.exe.c000888000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_419.exe.c00052c000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1507782336.000002BCE88A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1457225393.000002BCE89F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1510031771.000000C000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Au3Check.exe PID: 7416, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\jQRMFClswtrBVwy.pdf, type: DROPPED
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1482269 Sample: LisectAVT_2403002A_419.exe Startdate: 25/07/2024 Architecture: WINDOWS Score: 84 19 Yara detected RisePro Stealer 2->19 21 Contains functionality to check for running processes (XOR) 2->21 23 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 2->23 25 3 other signatures 2->25 6 LisectAVT_2403002A_419.exe 2 2->6         started        process3 file4 13 C:\Users\user\jQRMFClswtrBVwy.pdf, PE32 6->13 dropped 15 C:\Users\user\ROxcmXIWiwnYKwA.pdf, PE32 6->15 dropped 27 Drops PE files to the user root directory 6->27 29 Writes to foreign memory regions 6->29 31 Allocates memory in foreign processes 6->31 33 Injects a PE file into a foreign processes 6->33 10 Au3Check.exe 2 6->10         started        signatures5 process6 dnsIp7 17 193.233.132.67, 49705, 5000 FREE-NET-ASFREEnetEU Russian Federation 10->17
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
193.233.132.67
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU false