Edit tour

Windows Analysis Report
LisectAVT_2403002A_240.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_240.exe
Analysis ID:	1482386
MD5:	df07b5a212f479d219e1c4d06d414cf7
SHA1:	d99f01c6dad27d6509c698088262a5cc4879a8ac
SHA256:	bba2ef9d02005d036678e558bc535d89cd348ee3eeefb19f145f497f6a03f482
Tags:	exe
Infos:

Detection

RisePro Stealer

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected RisePro Stealer

AI detected suspicious sample

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Potential thread-based time evasion detected

Switches to a custom stack to bypass stack traces

Abnormal high CPU Usage

Detected TCP or UDP traffic on non-standard ports

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

LisectAVT_2403002A_240.exe (PID: 5364 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_240.exe" MD5: DF07B5A212F479D219E1C4D06D414CF7)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: LisectAVT_2403002A_240.exe PID: 5364	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.LisectAVT_2403002A_240.exe.620000.0.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.7

Timestamp:	2024-07-25T22:10:54.292591+0200
SID:	2022930
Source Port:	443
Destination Port:	64280
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE RisePro TCP Heartbeat Packet - Source IP: 192.168.2.7 - Destination IP: 5.42.65.117

Timestamp:	2024-07-25T22:10:10.789047+0200
SID:	2049060
Source Port:	49699
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.7

Timestamp:	2024-07-25T22:10:23.530028+0200
SID:	2022930
Source Port:	443
Destination Port:	49700
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.7 - Destination IP: 5.42.65.117

Timestamp:	2024-07-25T22:10:13.780884+0200
SID:	2046269
Source Port:	49699
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_240.exe

Avira: detected

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: LisectAVT_2403002A_240.exe

Joe Sandbox ML: detected

Source: LisectAVT_2403002A_240.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: global traffic

TCP traffic: 192.168.2.7:49699 -> 5.42.65.117:50500

Source: Joe Sandbox View

IP Address: 5.42.65.117 5.42.65.117

Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.117
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.117
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.117
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.117
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.117

Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676191336.0000000000F2B000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.altools.co.kr
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3673911110.000000000072D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3673911110.000000000072D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676294936.000000000145E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT

Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe

Process Stats: CPU usage > 49%

Source: LisectAVT_2403002A_240.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe

File created: C:\Users\user~1\AppData\Local\Temp\adobeHhiKVI_uqi9d

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3673911110.000000000072D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3673911110.000000000072D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe

File read: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	Section loaded: devobj.dll	Jump to behavior

Source: LisectAVT_2403002A_240.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: LisectAVT_2403002A_240.exe

Static file information: File size 5402117 > 1048576

Source: LisectAVT_2403002A_240.exe

Static PE information: Raw size of .vmp is bigger than: 0x100000 < 0x522800

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp

Source: LisectAVT_2403002A_240.exe

Static PE information: real checksum: 0x535ec5 should be: 0x535eca

Source: LisectAVT_2403002A_240.exe	Static PE information: section name: .vmp
Source: LisectAVT_2403002A_240.exe	Static PE information: section name: .vmp
Source: LisectAVT_2403002A_240.exe	Static PE information: section name: .vmp

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	Memory written: PID: 5364 base: 13F0005 value: E9 8B 2F 37 76			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	Memory written: PID: 5364 base: 77762F90 value: E9 7A D0 C8 89			Jump to behavior

Malware Analysis System Evasion

Potential thread-based time evasion detected

Source: Initial file

Signature Results: Thread-based counter

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	API/Special instruction interceptor: Address: EAF113
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	API/Special instruction interceptor: Address: EA6CC5
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	API/Special instruction interceptor: Address: A37A3A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	API/Special instruction interceptor: Address: D512F1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	API/Special instruction interceptor: Address: D1F69D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	API/Special instruction interceptor: Address: E65E4C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	API/Special instruction interceptor: Address: EBBF54
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	API/Special instruction interceptor: Address: DD9BDB
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	API/Special instruction interceptor: Address: CF2D3D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	API/Special instruction interceptor: Address: E83EE0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	API/Special instruction interceptor: Address: EA8E20
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	API/Special instruction interceptor: Address: A2CCE5
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	API/Special instruction interceptor: Address: EA89A2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	API/Special instruction interceptor: Address: A3382B

Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	Window / User API: threadDelayed 3192			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	Window / User API: threadDelayed 5297			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe TID: 7000	Thread sleep count: 3192 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe TID: 7000	Thread sleep time: -322392s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe TID: 648	Thread sleep count: 323 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe TID: 7000	Thread sleep count: 5297 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe TID: 7000	Thread sleep time: -534997s >= -30000s	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe	Last function: Thread delayed

Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676294936.0000000001450000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_DA6DB76E
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676294936.000000000147B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676294936.000000000147B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllll"
Source: LisectAVT_2403002A_240.exe, 00000000.00000003.1298019347.0000000001487000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676226503.00000000012FC000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}xCF
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676294936.0000000001450000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_DA6DB76Ele,,I
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676294936.000000000148F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676294936.000000000145E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe

Process Stats: CPU usage > 42% for more than 60s

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: 0.2.LisectAVT_2403002A_240.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_240.exe PID: 5364, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: 0.2.LisectAVT_2403002A_240.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_240.exe PID: 5364, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	111 Virtualization/Sandbox Evasion	1 Credential API Hooking	31 Security Software Discovery	Remote Services	1 Credential API Hooking	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	111 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	213 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
LisectAVT_2403002A_240.exe	100%	Avira	TR/Redcap.czylj
LisectAVT_2403002A_240.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.winimage.com/zLibDll	0%	URL Reputation	safe
http://www.altools.co.kr	0%	Avira URL Cloud	safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORT	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	LisectAVT_2403002A_240.exe, 00000000.00000002.3673911110.000000000072D000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll	LisectAVT_2403002A_240.exe, 00000000.00000002.3673911110.000000000072D000.00000002.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://t.me/RiseProSUPPORT	LisectAVT_2403002A_240.exe, 00000000.00000002.3676294936.000000000145E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.altools.co.kr	LisectAVT_2403002A_240.exe, 00000000.00000002.3676191336.0000000000F2B000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
5.42.65.117	unknown	Russian Federation		39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482386
Start date and time:	2024-07-25 22:09:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002A_240.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@1/0@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: LisectAVT_2403002A_240.exe

Simulations

Behavior and APIs

Time	Type	Description
17:21:10	API Interceptor	1163014x Sleep call for process: LisectAVT_2403002A_240.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
5.42.65.117	LisectAVT_2403002A_479.exe	Get hash	malicious	RisePro Stealer	Browse
	ws7tj0VzXA.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse
	i1crvbOZAP.exe	Get hash	malicious	Amadey, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse
	R7piqpsoTx.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse
	MJ2Ltjq5mk.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse
	file.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	LisectAVT_2403002A_422.exe	Get hash	malicious	RedLine	Browse	5.42.65.68
	LisectAVT_2403002B_301.exe	Get hash	malicious	Bdaejec, GCleaner	Browse	5.42.65.115
	LisectAVT_2403002B_98.exe	Get hash	malicious	Bdaejec, GCleaner, Nymaim	Browse	5.42.64.3
	LisectAVT_2403002C_44.exe	Get hash	malicious	EICAR	Browse	5.42.96.78
	LisectAVT_2403002C_45.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	5.42.65.68
	LisectAVT_2403002A_479.exe	Get hash	malicious	RisePro Stealer	Browse	5.42.65.117
	7d69f17f.exe	Get hash	malicious	RedLine	Browse	45.15.156.186
	25C1.exe	Get hash	malicious	Glupteba, Xmrig	Browse	5.42.64.33
	#Ud83c#Udf0dimpactfulbrands.co.uk__________________________________________.html.bat	Get hash	malicious	RedLine	Browse	45.15.157.131
	https://45.15.156.174/index.php/s/24Sr2FjZQm8gXFA/download/ketamine.exe	Get hash	malicious	Unknown	Browse	45.15.156.174

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.990633946927915
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LisectAVT_2403002A_240.exe
File size:	5'402'117 bytes
MD5:	df07b5a212f479d219e1c4d06d414cf7
SHA1:	d99f01c6dad27d6509c698088262a5cc4879a8ac
SHA256:	bba2ef9d02005d036678e558bc535d89cd348ee3eeefb19f145f497f6a03f482
SHA512:	761a53981b64e47d6a9f8a2bcf54d2dc8ca5c45c4acc7ac969d24b6a9964a6416bc5f52029a2efd4322c6c43e6bd0ebd5038bad221324074845410c66ba5b882
SSDEEP:	98304:2QTLK3OmctIY4tTNEsxwyNJqSVCS+Nfl4gvqvU7dYblDQdKw7:I3AIYxvyrzVCVNN4bcJYbidKw
TLSH:	2946331E3BC23A60E8AA227C03A5FEFE35FE0945A0564D5AD8087CD7DCF36492137956
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...eM.f...............'.....D........r...........@..........................P.......^S...@.........................."m.J..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0xb2867f
Entrypoint Section:	.vmp
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66004D65 [Sun Mar 24 15:57:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	84d3942a6283bd1fa0ecc5bc71ddea94

Entrypoint Preview

Instruction
push edx
call 00007F1CB89CEBA3h
mov eax, dword ptr [esi+04h]
mul ebp
jmp 00007F1CB8CBE706h
mov dword ptr [esp+00h], 1B1216B9h
mov word ptr [edi], cx
call 00007F1CB8A03ED1h
je 00007F1CB8CFF43Fh
movsb
fst dword ptr [esp+edx-77h]
xchg eax, ebp
salc
dec edx
push es
mov esp, edx
pop ss
int3
add eax, ecx
sub eax, 5BCC38B8h
lea ebx, dword ptr [ebx+000C8A70h]
jmp ebx
lea esp, dword ptr [esp+04h]
jmp 00007F1CB8DD77D6h
xor bp, bx
sar byte ptr [esp+01h], 00000063h
push E102A733h
ror bp, 1
sal dword ptr [esp+04h], FFFFFF9Fh
neg bp
inc bp
rol bp, 1
jmp 00007F1CB8CAAAD7h
mov byte ptr [ecx], dl
call 00007F1CB8E64E7Ah
xor word ptr [esp+05h], EBA8h
shr dword ptr [esp+01h], FFFFFFAAh
inc cx
not dword ptr [esp+04h]
rol cx, 1
rol dword ptr [esp+01h], 4Dh
inc dword ptr [esp+03h]
jns 00007F1CB8E625A8h
dec edx
test bp, 1EA7h
cmc
cmp ecx, edx
jmp 00007F1CB8DF7AF1h
xor al, bl
inc al
rol word ptr [esp+02h], FFEFh
neg al
push 652F38B0h
neg word ptr [esp+06h]
not al
dec word ptr [esp+03h]
push 0099C215h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x6d22bc	0x4a	.vmp
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8fb688	0x140	.vmp
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x90d000	0x7850	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x90b000	0x1a34	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x90a140	0x40	.vmp
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3e7000	0x8c	.vmp
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x10b0f8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x10d000	0x20390	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x12e000	0x48a8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp	0x133000	0x2b3391	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp	0x3e7000	0x700	0x800	55655dfb2afd1e389d94e5bc628dbd24	False	0.05419921875	data	0.3412941021913871	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp	0x3e8000	0x522650	0x522800	1a26a490bba777ff3398b2bed49d7342	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x90b000	0x1a34	0x1c00	e538b5cef3a5c3906e39af2390197d52	False	0.36453683035714285	data	5.7331395016607285	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x90d000	0x7850	0x1e00	79b58129290351bb6870399b9a90ebad	False	0.32903645833333334	data	4.600287247157791	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x90ec48	0x2	data	Korean	North Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec48	0x2	data	Korean	South Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec4c	0x2	data	Korean	North Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec4c	0x2	data	Korean	South Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec50	0x2	data	Korean	North Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec50	0x2	data	Korean	South Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec54	0x2	data	Korean	North Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec54	0x2	data	Korean	South Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec58	0x2	data	Korean	North Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec58	0x2	data	Korean	South Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec5c	0x2	data	Korean	North Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec5c	0x2	data	Korean	South Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec60	0x2	data			5.0
AFX_DIALOG_LAYOUT	0x90ec64	0x2	data	Korean	North Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec64	0x2	data	Korean	South Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec68	0x2	data			5.0
AFX_DIALOG_LAYOUT	0x90ec6c	0x2	data	Korean	North Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec6c	0x2	data	Korean	South Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec70	0x2	data			5.0
AFX_DIALOG_LAYOUT	0x90ec74	0x2	data	Korean	North Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec74	0x2	data	Korean	South Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec78	0x2	data			5.0
AFX_DIALOG_LAYOUT	0x90ec7c	0x2	data	Korean	North Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec7c	0x2	data	Korean	South Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec80	0x2	data			5.0
AFX_DIALOG_LAYOUT	0x90ec84	0x2	data	Korean	North Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec84	0x2	data	Korean	South Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec88	0x2	data			5.0
AFX_DIALOG_LAYOUT	0x90ec8c	0x2	data	Korean	North Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec8c	0x2	data	Korean	South Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec90	0x2	data			5.0
AFX_DIALOG_LAYOUT	0x90ec94	0x2	data	Korean	North Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec94	0x2	data	Korean	South Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec98	0x2	data			5.0
AFX_DIALOG_LAYOUT	0x90ec9c	0x2	data	Korean	North Korea	5.0
AFX_DIALOG_LAYOUT	0x90ec9c	0x2	data	Korean	South Korea	5.0
AFX_DIALOG_LAYOUT	0x90eca0	0x7a	data			0.09836065573770492
AFX_DIALOG_LAYOUT	0x90ed1c	0x7a	data	Korean	North Korea	0.09836065573770492
AFX_DIALOG_LAYOUT	0x90ed1c	0x7a	data	Korean	South Korea	0.09836065573770492
AFX_DIALOG_LAYOUT	0x90ed98	0x2	data			5.0
AFX_DIALOG_LAYOUT	0x90ed9c	0x2	data	Korean	North Korea	5.0
AFX_DIALOG_LAYOUT	0x90ed9c	0x2	data	Korean	South Korea	5.0
AFX_DIALOG_LAYOUT	0x90eda0	0x2	data			5.0
AFX_DIALOG_LAYOUT	0x90eda4	0x2	data	Korean	North Korea	5.0
AFX_DIALOG_LAYOUT	0x90eda4	0x2	data	Korean	South Korea	5.0
AFX_DIALOG_LAYOUT	0x90eda8	0x2	data			5.0
AFX_DIALOG_LAYOUT	0x90edac	0x2	data	Korean	North Korea	5.0
AFX_DIALOG_LAYOUT	0x90edac	0x2	data	Korean	South Korea	5.0
AFX_DIALOG_LAYOUT	0x90edb0	0x2	data			5.0
AFX_DIALOG_LAYOUT	0x90edb4	0x2	data	Korean	North Korea	5.0
AFX_DIALOG_LAYOUT	0x90edb4	0x2	data	Korean	South Korea	5.0
AFX_DIALOG_LAYOUT	0x90edb8	0x5a	data			0.16666666666666666
AFX_DIALOG_LAYOUT	0x90ee14	0x5a	empty	Korean	North Korea	0
AFX_DIALOG_LAYOUT	0x90ee14	0x5a	empty	Korean	South Korea	0
AFX_DIALOG_LAYOUT	0x90ee70	0x2	empty			0
AFX_DIALOG_LAYOUT	0x90ee74	0x2	empty	Korean	North Korea	0
AFX_DIALOG_LAYOUT	0x90ee74	0x2	empty	Korean	South Korea	0
RT_BITMAP	0x90ee78	0x608	empty	Korean	North Korea	0
RT_BITMAP	0x90ee78	0x608	empty	Korean	South Korea	0
RT_BITMAP	0x90f480	0x1028	empty	Korean	North Korea	0
RT_BITMAP	0x90f480	0x1028	empty	Korean	South Korea	0
RT_BITMAP	0x9104a8	0xb8	empty	Korean	North Korea	0
RT_BITMAP	0x9104a8	0xb8	empty	Korean	South Korea	0
RT_BITMAP	0x910560	0x144	empty	Korean	North Korea	0
RT_BITMAP	0x910560	0x144	empty	Korean	South Korea	0
RT_MENU	0x9106a4	0x2f4	empty			0
RT_MENU	0x910998	0x308	empty	Korean	North Korea	0
RT_MENU	0x910998	0x308	empty	Korean	South Korea	0
RT_DIALOG	0x910ca0	0x1ac	empty			0
RT_DIALOG	0x910e4c	0x168	empty	Korean	North Korea	0
RT_DIALOG	0x910e4c	0x168	empty	Korean	South Korea	0
RT_DIALOG	0x910fb4	0x2ae	empty			0
RT_DIALOG	0x911264	0x28e	empty	Korean	North Korea	0
RT_DIALOG	0x911264	0x28e	empty	Korean	South Korea	0
RT_DIALOG	0x9114f4	0x10c	empty			0
RT_DIALOG	0x911600	0xf4	empty	Korean	North Korea	0
RT_DIALOG	0x911600	0xf4	empty	Korean	South Korea	0
RT_DIALOG	0x9116f4	0x60	empty			0
RT_DIALOG	0x911754	0x60	empty	Korean	North Korea	0
RT_DIALOG	0x911754	0x60	empty	Korean	South Korea	0
RT_DIALOG	0x9117b4	0x60	empty			0
RT_DIALOG	0x911814	0x60	empty	Korean	North Korea	0
RT_DIALOG	0x911814	0x60	empty	Korean	South Korea	0
RT_DIALOG	0x911874	0x134	empty			0
RT_DIALOG	0x9119a8	0x120	empty	Korean	North Korea	0
RT_DIALOG	0x9119a8	0x120	empty	Korean	South Korea	0
RT_DIALOG	0x911ac8	0xb8	empty			0
RT_DIALOG	0x911b80	0xb8	empty	Korean	North Korea	0
RT_DIALOG	0x911b80	0xb8	empty	Korean	South Korea	0
RT_DIALOG	0x911c38	0x1e0	empty			0
RT_DIALOG	0x911e18	0x1c4	empty	Korean	North Korea	0
RT_DIALOG	0x911e18	0x1c4	empty	Korean	South Korea	0
RT_DIALOG	0x911fdc	0x3d4	empty			0
RT_DIALOG	0x9123b0	0x32c	empty	Korean	North Korea	0
RT_DIALOG	0x9123b0	0x32c	empty	Korean	South Korea	0
RT_DIALOG	0x9126dc	0x474	empty			0
RT_DIALOG	0x912b50	0x3e8	empty	Korean	North Korea	0
RT_DIALOG	0x912b50	0x3e8	empty	Korean	South Korea	0
RT_DIALOG	0x912f38	0x426	empty			0
RT_DIALOG	0x913360	0x322	empty	Korean	North Korea	0
RT_DIALOG	0x913360	0x322	empty	Korean	South Korea	0
RT_DIALOG	0x913684	0x162	empty			0
RT_DIALOG	0x9137e8	0x152	empty	Korean	North Korea	0
RT_DIALOG	0x9137e8	0x152	empty	Korean	South Korea	0
RT_DIALOG	0x91393c	0x1a4	empty			0
RT_DIALOG	0x913ae0	0x15c	empty	Korean	North Korea	0
RT_DIALOG	0x913ae0	0x15c	empty	Korean	South Korea	0
RT_DIALOG	0x913c3c	0x30c	empty			0
RT_DIALOG	0x913f48	0x284	empty	Korean	North Korea	0
RT_DIALOG	0x913f48	0x284	empty	Korean	South Korea	0
RT_DIALOG	0x9141cc	0x160	empty			0
RT_DIALOG	0x91432c	0x184	empty	Korean	North Korea	0
RT_DIALOG	0x91432c	0x184	empty	Korean	South Korea	0
RT_DIALOG	0x9144b0	0xf4	empty	Korean	North Korea	0
RT_DIALOG	0x9144b0	0xf4	empty	Korean	South Korea	0
RT_DIALOG	0x9145a4	0x34	empty	Korean	North Korea	0
RT_DIALOG	0x9145a4	0x34	empty	Korean	South Korea	0
RT_ACCELERATOR	0x9145d8	0xb0	empty	Korean	North Korea	0
RT_ACCELERATOR	0x9145d8	0xb0	empty	Korean	South Korea	0
RT_MANIFEST	0x90de0c	0xe3b	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.38594564919022784
None	0x914688	0x62	empty			0
None	0x9146ec	0x62	empty	Korean	North Korea	0
None	0x9146ec	0x62	empty	Korean	South Korea	0
None	0x914750	0x74	empty			0
None	0x9147c4	0x65	empty	Korean	North Korea	0
None	0x9147c4	0x65	empty	Korean	South Korea	0
None	0x91482c	0x24	empty	Korean	North Korea	0
None	0x91482c	0x24	empty	Korean	South Korea	0

Imports

DLL	Import
KERNEL32.dll	GetVersionExA
USER32.dll	wsprintfA
GDI32.dll	CreateCompatibleBitmap
ADVAPI32.dll	RegCreateKeyExA
SHELL32.dll	ShellExecuteA
ole32.dll	CoInitialize
WS2_32.dll	WSAStartup
CRYPT32.dll	CryptUnprotectData
SHLWAPI.dll	PathFindExtensionA
gdiplus.dll	GdipGetImageEncoders
SETUPAPI.dll	SetupDiEnumDeviceInfo
ntdll.dll	RtlUnicodeStringToAnsiString
RstrtMgr.DLL	RmStartSession
KERNEL32.dll	GetSystemTimeAsFileTime
KERNEL32.dll	HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress

Exports

Name	Ordinal	Address
Start	1	0x466a40

Possible Origin

Language of compilation system	Country where language is spoken	Map
Korean	North Korea
Korean	South Korea

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T22:10:54.292591+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	64280	20.114.59.183	192.168.2.7
2024-07-25T22:10:10.789047+0200	TCP	2049060	ET MALWARE RisePro TCP Heartbeat Packet	49699	50500	192.168.2.7	5.42.65.117
2024-07-25T22:10:23.530028+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49700	20.114.59.183	192.168.2.7
2024-07-25T22:10:13.780884+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49699	50500	192.168.2.7	5.42.65.117

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 22:10:10.764864922 CEST	49699	50500	192.168.2.7	5.42.65.117
Jul 25, 2024 22:10:10.769958973 CEST	50500	49699	5.42.65.117	192.168.2.7
Jul 25, 2024 22:10:10.770035982 CEST	49699	50500	192.168.2.7	5.42.65.117
Jul 25, 2024 22:10:10.789047003 CEST	49699	50500	192.168.2.7	5.42.65.117
Jul 25, 2024 22:10:10.794231892 CEST	50500	49699	5.42.65.117	192.168.2.7
Jul 25, 2024 22:10:13.780884027 CEST	49699	50500	192.168.2.7	5.42.65.117
Jul 25, 2024 22:10:13.785798073 CEST	50500	49699	5.42.65.117	192.168.2.7
Jul 25, 2024 22:10:32.210791111 CEST	50500	49699	5.42.65.117	192.168.2.7
Jul 25, 2024 22:10:32.211093903 CEST	49699	50500	192.168.2.7	5.42.65.117

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 22:10:52.554016113 CEST	53	60533	162.159.36.2	192.168.2.7
Jul 25, 2024 22:10:53.106288910 CEST	53	56423	1.1.1.1	192.168.2.7

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: LisectAVT_2403002A_240.exePID: 5364, Parent PID: 4056

General

Target ID:	0
Start time:	16:10:03
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_240.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_240.exe"
Imagebase:	0x620000
File size:	5'402'117 bytes
MD5 hash:	DF07B5A212F479D219E1C4D06D414CF7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_240.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
LisectAVT_2403002A_240.exe