Windows
Analysis Report
LisectAVT_2403002A_479.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- LisectAVT_2403002A_479.exe (PID: 1992 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_479.exe" MD5: 910182267AB297CED9FA6CAC86F93C3E)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security | |
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype |
---|---|---|---|---|---|
2024-07-25T03:41:06.983629+0200 | 2022930 | 443 | 49705 | TCP | A Network Trojan was detected |
2024-07-25T03:40:54.209208+0200 | 2046269 | 49704 | 50500 | TCP | A Network Trojan was detected |
2024-07-25T03:40:51.217940+0200 | 2049060 | 49704 | 50500 | TCP | A Network Trojan was detected |
2024-07-25T03:41:44.914483+0200 | 2022930 | 443 | 49710 | TCP | A Network Trojan was detected |
AV Detection |
---|
Evidence (Source column): Avira; ReversingLabs; Virustotal (Perma Link); Integrated Neural Analysis Model; Joe Sandbox ML; Static PE information; Binary string; TCP traffic; IP Address; TCP traffic detected without corresponding DNS query (5 entries); String found in binary or memory (8 entries) |
System Summary |
---|
Evidence (Source column): Static PE information (5 entries); Process Stats; Static PE information; Static PE information (4 entries); Classification label; File created; Key opened; Binary or memory string (2 entries); ReversingLabs; Virustotal; File read; Section loaded (8 entries); Static file information; Static PE information; Binary string; Static PE information; Static PE information; Static PE information (7 entries); Static PE information |
Boot Survival |
---|
Evidence (Source column): Window searched (3 entries) |
Malware Analysis System Evasion |
---|
Evidence (Source column): System information queried; File opened; Registry key queried (3 entries); Window / User API (2 entries); Thread sleep count / Thread sleep time (6 entries); Thread injection, dropped files, key value created, disk infection and DNS query; Last function (2 entries); Binary or memory string (9 entries); System information queried; Process information queried |
Anti Debugging |
---|
Evidence (Source column): Process Stats; Thread information set; Open window title or class name (8 entries); Process queried (3 entries); Thread injection, dropped files, key value created, disk infection and DNS query; Queries volume information; Key value queried |
Stealing of Sensitive Information |
---|
Evidence (Source column): File source |
Remote Access Functionality |
---|
Evidence (Source column): File source |
Observed MITRE ATT&CK techniques. The report's matrix marks a technique that was actually observed with a count prefix; the remaining cells of the matrix (Valid Accounts, Cron, Launchd, LSASS Memory and so on) are the template's default fill and carry no count, so they are omitted here.

Tactic | Technique | Count as rendered in the matrix |
---|---|---|
Persistence | DLL Side-Loading | 1 |
Privilege Escalation | DLL Side-Loading | 1 |
Defense Evasion | Virtualization/Sandbox Evasion | 431 |
Defense Evasion | Software Packing | 2 |
Defense Evasion | DLL Side-Loading | 1 |
Defense Evasion | Obfuscated Files or Information | 1 |
Discovery | Security Software Discovery | 621 |
Discovery | Virtualization/Sandbox Evasion | 431 |
Discovery | Process Discovery | 1 |
Discovery | Application Window Discovery | 1 |
Discovery | System Information Discovery | 14 |
Command and Control | Non-Standard Port | 1 |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 47% | ReversingLabs | Win32.Trojan.RisePro | |
 | 57% | Virustotal | | Browse |
 | 100% | Avira | TR/Kryptik.emawy | |
 | 100% | Joe Sandbox ML | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 0% | URL Reputation | safe | |
 | 0% | URL Reputation | safe | |
 | 0% | URL Reputation | safe | |
 | 0% | URL Reputation | safe | |
 | 0% | URL Reputation | safe | |
 | 0% | URL Reputation | safe | |
 | 0% | URL Reputation | safe | |
 | 0% | Avira URL Cloud | safe | |
 | 0% | Avira URL Cloud | safe | |
 | 0% | Avira URL Cloud | safe | |
 | 0% | Virustotal | | Browse |
 | 0% | Virustotal | | Browse |
 | 0% | Virustotal | | Browse |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
 | | false | | unknown |
 | | false | | unknown |
 | | false | | unknown |
 | | false | | unknown |
 | | false | | unknown |
 | | false | | unknown |
 | | false | | unknown |
 | | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
5.42.65.117 | unknown | Russian Federation | | 39493 | RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | false |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1481056 |
Start date and time: | 2024-07-25 03:39:51 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 7m 22s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | LisectAVT_2403002A_479.exe |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@1/0@0/1 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
Time | Type | Description |
---|---|---|
21:41:23 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
5.42.65.117 | | Get hash | malicious | LummaC, PureLog Stealer, RisePro Stealer | Browse | |
 | | Get hash | malicious | LummaC, PureLog Stealer, RisePro Stealer | Browse | |
 | | Get hash | malicious | LummaC, PureLog Stealer, RisePro Stealer | Browse | |
 | | Get hash | malicious | LummaC, PureLog Stealer, RisePro Stealer | Browse | |
 | | Get hash | malicious | Amadey, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader | Browse | |
 | | Get hash | malicious | LummaC, PureLog Stealer, RisePro Stealer | Browse | |
 | | Get hash | malicious | LummaC, PureLog Stealer, RisePro Stealer | Browse | |
 | | Get hash | malicious | LummaC, PureLog Stealer, RisePro Stealer | Browse | |
 | | Get hash | malicious | LummaC, RisePro Stealer | Browse | |
 | | Get hash | malicious | LummaC, PureLog Stealer, RisePro Stealer | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | | Get hash | malicious | RedLine | Browse | |
 | | Get hash | malicious | Glupteba, Xmrig | Browse | |
 | | Get hash | malicious | RedLine | Browse | |
 | | Get hash | malicious | Unknown | Browse | |
 | | Get hash | malicious | Unknown | Browse | |
 | | Get hash | malicious | PureLog Stealer, RedLine, zgRAT | Browse | |
 | | Get hash | malicious | RedLine | Browse | |
 | | Get hash | malicious | LummaC, Mars Stealer, PureLog Stealer, RedLine, Stealc, Stealerium, Vidar | Browse | |
 | | Get hash | malicious | DCRat | Browse | |
 | | Get hash | malicious | LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig | Browse | |
File type: | |
Entropy (8bit): | 7.946262039056646 |
TrID: | |
File name: | LisectAVT_2403002A_479.exe |
File size: | 3'554'604 bytes |
MD5: | 910182267ab297ced9fa6cac86f93c3e |
SHA1: | ba9d0f067c51fa7ab9e2c3af128d4e3a9f2c28b9 |
SHA256: | 9e2a3d673b97bbb4b879907a6de4217907800192401dc404af51953e59765838 |
SHA512: | 92c313640fddf3ddf0dd6491de8182597df5848240f8791543459240bcf2ceeb8f76e98add171831aaa9fea1001625bbc68f7c5a2f6aebb232f536c1acca0d2a |
SSDEEP: | 49152:J1UHC6vWZtnxJB9qBBmAAcuXshmk2sP4gNi1KEj39tpz7vDZvtNUZRMYDiTYwEqe:J1+WZtzDqBScuXKmk2RXKi17NteXW6S0 |
TLSH: | F4F5116336DBDA0ADBF23071D614B1541FC41A3FDE015232B5BE1961BAB806D7FA3A81 |
File Content Preview: | MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$......."...f.{Tf.{Tf.{T-.xUk.{T-.~U..{T-.|Ug.{T)..Tb.{T)..Ut.{T).xUq.{T).~U3.{T-..U..{T-.}Ug.{T-.zU}.{Tf.zT@.{T..rUz.{T..{Ug.{T...Tg.{ |
Icon Hash: | 0767f35b5b190877 |
Entrypoint: | 0xb83420 |
Entrypoint Section: | .boot |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x65FD62AE [Fri Mar 22 10:51:26 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | a21d450c6ebc519c43c3140940327537 |
Signature Valid: | |
Signature Issuer: | |
Signature Validation Error: | |
Error Number: | |
Not Before, Not After | |
Subject Chain | |
Version: | |
Thumbprint MD5: | |
Thumbprint SHA-1: | |
Thumbprint SHA-256: | |
Serial: |
Instruction (entry point disassembly; the entry point 0xb83420 lies in the .boot section, and the loop shape, `mov dl, 80h` followed by repeated `add dl, dl` / `jne` / `mov dl, byte ptr [esi]` / `inc esi` / `adc dl, dl`, is the bit reader of an aPLib-style LZ depacker, i.e. this is the unpacking stub, not the program's own code) |
---|
call 00007F99F0EB0A90h |
push ebx |
mov ebx, esp |
push ebx |
mov esi, dword ptr [ebx+08h] |
mov edi, dword ptr [ebx+10h] |
cld |
mov dl, 80h |
mov al, byte ptr [esi] |
inc esi |
mov byte ptr [edi], al |
inc edi |
mov ebx, 00000002h |
add dl, dl |
jne 00007F99F0EB0947h |
mov dl, byte ptr [esi] |
inc esi |
adc dl, dl |
jnc 00007F99F0EB092Ch |
add dl, dl |
jne 00007F99F0EB0947h |
mov dl, byte ptr [esi] |
inc esi |
adc dl, dl |
jnc 00007F99F0EB0993h |
xor eax, eax |
add dl, dl |
jne 00007F99F0EB0947h |
mov dl, byte ptr [esi] |
inc esi |
adc dl, dl |
jnc 00007F99F0EB0A27h |
add dl, dl |
jne 00007F99F0EB0947h |
mov dl, byte ptr [esi] |
inc esi |
adc dl, dl |
adc eax, eax |
add dl, dl |
jne 00007F99F0EB0947h |
mov dl, byte ptr [esi] |
inc esi |
adc dl, dl |
adc eax, eax |
add dl, dl |
jne 00007F99F0EB0947h |
mov dl, byte ptr [esi] |
inc esi |
adc dl, dl |
adc eax, eax |
add dl, dl |
jne 00007F99F0EB0947h |
mov dl, byte ptr [esi] |
inc esi |
adc dl, dl |
adc eax, eax |
je 00007F99F0EB094Ah |
push edi |
mov eax, eax |
sub edi, eax |
mov al, byte ptr [edi] |
pop edi |
mov byte ptr [edi], al |
inc edi |
mov ebx, 00000002h |
jmp 00007F99F0EB08DBh |
mov eax, 00000001h |
add dl, dl |
jne 00007F99F0EB0947h |
mov dl, byte ptr [esi] |
inc esi |
adc dl, dl |
adc eax, eax |
add dl, dl |
jne 00007F99F0EB0947h |
mov dl, byte ptr [esi] |
inc esi |
adc dl, dl |
jc 00007F99F0EB092Ch |
sub eax, ebx |
mov ebx, 00000001h |
jne 00007F99F0EB096Ah |
mov ecx, 00000001h |
add dl, dl |
jne 00007F99F0EB0947h |
mov dl, byte ptr [esi] |
inc esi |
adc dl, dl |
adc ecx, ecx |
add dl, dl |
jne 00007F99F0EB0947h |
mov dl, byte ptr [esi] |
inc esi |
adc dl, dl |
jc 00007F99F0EB092Ch |
push esi |
mov esi, edi |
sub esi, ebp |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x24d000 | 0x4a | .edata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24e186 | 0x184 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24f000 | 0x1f0fc | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x358c00 | 0xb128 | .themida |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
 | 0x1000 | 0x10d258 | 0x6ec00 | 42b75a934e60af05762db9349278fbd5 | False | 0.9999294582392777 | data | 7.999574265479796 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
 | 0x10f000 | 0x23cd8 | 0xd200 | 5d6f217582e2b5601961c5bac74ed1c3 | False | 0.9995163690476191 | DOS executable (COM) | 7.996635211250757 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
 | 0x133000 | 0x48c0 | 0x800 | 5f08560d32032a4cc8b9979a668ac1b3 | False | 0.98828125 | data | 7.7311140633497475 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
 | 0x138000 | 0x10ccda | 0x38600 | 19673fc0bc0116cfce1791701a6d7437 | False | 1.0003507829822615 | data | 7.999069106813043 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
 | 0x245000 | 0x7abc | 0x4200 | 617f24bb41fa218319f7d7940f4b5df5 | False | 1.0009469696969697 | data | 7.988893594056409 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.edata | 0x24d000 | 0x1000 | 0x200 | f10540b5c8ca418218c2a8d71a21b012 | False | 0.1328125 | data | 0.8242398042708359 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.idata | 0x24e000 | 0x1000 | 0x400 | 14c095e0f39d36de1452c68662e483d3 | False | 0.396484375 | data | 3.3950569900948193 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x24f000 | 0x1f200 | 0x1f200 | d9e80c2605f69efe9f06be32a245d2df | False | 0.5392429091365462 | data | 6.115776630952482 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.themida | 0x26f000 | 0x514000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.boot | 0x783000 | 0x280200 | 0x280200 | a6567c6bf5e90bfbee995e0924dbcbfc | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
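The section table above is the static evidence behind the report's "Software Packing" and "Obfuscated Files or Information" marks: five sections with no name and entropy of 7.99 bits per byte (ZLIB complexity about 1.0, i.e. incompressible), a `.themida` section that is readable, writable and executable with 0x514000 bytes of virtual size but a raw size of zero (it is filled at runtime by the unpacker), and an entry point (0xb83420) that sits in `.boot` rather than in a code section. Two caveats on the surrounding fields: the report lists `IMAGE_DIRECTORY_ENTRY_SECURITY` as "in .themida", but the certificate table entry holds a file offset, not an RVA, so that column is meaningless for it; and "Digitally signed: true" only records that a security directory of 0xb128 bytes is present, while "Signature Valid" is left empty, so the signature should be treated as unverified. The script below is an added example, not the report's or Joe Sandbox's code: it parses a PE32 section table with only the standard library, computes per-section Shannon entropy, and reports the same indicators. The PE it runs on is constructed in `build_sample_pe()` to echo this layout (an unnamed high-entropy section, an RWX section with no bytes on disk, the entry point in `.boot`); the names, sizes and the 7.0 entropy threshold are the example's own choices.

```python
"""Static packing indicators from a PE section table (added example, not from the report)."""
import math
import random
import struct
from collections import Counter
from dataclasses import dataclass

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    characteristics: int
    entropy: float  # Shannon entropy (bits/byte) of the on-disk bytes, 0.0 if there are none


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum and means uniformly random (compressed/encrypted) data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section headers."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]  # AddressOfEntryPoint (same offset in PE32 and PE32+)
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, roff = struct.unpack_from("<IIII", image, hdr + 8)
        chars = struct.unpack_from("<I", image, hdr + 36)[0]
        sections.append(Section(name, vaddr, vsize, rsize, chars,
                                shannon_entropy(image[roff:roff + rsize])))
    return entry_rva, sections


def packing_indicators(entry_rva, sections, entropy_threshold=7.0):
    """Return human-readable findings; an empty list means nothing looked packed."""
    findings = []
    ep = next((s for s in sections
               if s.virtual_address <= entry_rva < s.virtual_address + max(s.virtual_size, s.raw_size)), None)
    if ep is None:
        findings.append("entry point 0x%x is outside every section" % entry_rva)
    elif ep.name != ".text":
        findings.append("entry point in section %r, not .text" % ep.name)
    for s in sections:
        label = s.name or "<unnamed>"
        if not s.name:
            findings.append("%s: empty section name" % label)
        if s.characteristics & IMAGE_SCN_MEM_WRITE and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            findings.append("%s: writable and executable" % label)
        if s.raw_size == 0 and s.virtual_size:
            findings.append("%s: zero raw size but 0x%x bytes virtual (filled at runtime)" % (label, s.virtual_size))
        if s.raw_size and s.entropy > entropy_threshold:
            findings.append("%s: entropy %.2f above %.1f (compressed or encrypted)" % (label, s.entropy, entropy_threshold))
    return findings


def analyse_image(image: bytes):
    entry_rva, sections = parse_sections(image)
    return packing_indicators(entry_rva, sections)


def build_sample_pe(seed=1) -> bytes:
    """Constructed minimal PE32 echoing the report's layout: an unnamed high-entropy section,
    a writable+executable section with no bytes on disk, and the entry point in .boot."""
    rng = random.Random(seed)
    rwx = (IMAGE_SCN_CNT_CODE | IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE
           | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    specs = [  # (name, virtual address, virtual size, raw bytes, characteristics); all values are made up
        ("", 0x1000, 0x10d258, rng.randbytes(0x600), IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (".themida", 0x10f000, 0x514000, b"", rwx),
        (".boot", 0x623000, 0x1000, rng.randbytes(0x800), rwx & ~IMAGE_SCN_MEM_WRITE),
    ]
    entry_rva = 0x623420  # inside .boot, like the report's 0xb83420
    headers_size = 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva,        # PE32 magic .. AddressOfEntryPoint
                      0x1000, 0x10f000, 0x400000, 0x1000, 0x200).ljust(0xE0, b"\0")
    raw_off, sect_hdrs, body = headers_size, b"", b""
    for name, vaddr, vsize, raw, chars in specs:
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, len(raw),
                                 raw_off if raw else 0, 0, 0, 0, 0, chars)
        body += raw
        raw_off += len(raw)
    return (dos + coff + opt + sect_hdrs).ljust(headers_size, b"\0") + body


if __name__ == "__main__":
    for line in analyse_image(build_sample_pe()):
        print(line)
```

Running it on a real file is `analyse_image(open(path, "rb").read())`; on this sample the same checks would flag the five unnamed sections for entropy, `.themida` for RWX and zero raw size, and `.boot` for holding the entry point. The import table further down the page shows the matching dynamic side: exactly one imported function per DLL, which is the stub's minimal IAT; the real imports are resolved after unpacking.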
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x24f140 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | United States | 0.4089513462446859 |
RT_ICON | 0x253378 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.29615225363776176 |
RT_ICON | 0x263bb0 | 0x9c5e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9991506370222333 |
RT_STRING | 0x26d820 | 0x226 | data | English | United States | 0.5 |
RT_GROUP_ICON | 0x26da58 | 0x30 | data | English | United States | 0.8541666666666666 |
RT_MANIFEST | 0x26da98 | 0x664 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3643031784841076 |
DLL | Import |
---|---|
kernel32.dll | GetModuleHandleA |
USER32.dll | wsprintfA |
GDI32.dll | CreateCompatibleBitmap |
ADVAPI32.dll | RegCloseKey |
SHELL32.dll | ShellExecuteA |
ole32.dll | CoInitialize |
WS2_32.dll | WSAStartup |
CRYPT32.dll | CryptUnprotectData |
SHLWAPI.dll | PathFindExtensionA |
gdiplus.dll | GdipGetImageEncoders |
SETUPAPI.dll | SetupDiEnumDeviceInfo |
ntdll.dll | RtlUnicodeStringToAnsiString |
RstrtMgr.DLL | RmStartSession |
Name | Ordinal | Address |
---|---|---|
Start | 1 | 0x466e80 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
2024-07-25T03:41:06.983629+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49705 | 52.165.165.26 | 192.168.2.8 |
2024-07-25T03:40:54.209208+0200 | TCP | 2046269 | ET MALWARE [ANY.RUN] RisePro TCP (Activity) | 49704 | 50500 | 192.168.2.8 | 5.42.65.117 |
2024-07-25T03:40:51.217940+0200 | TCP | 2049060 | ET MALWARE RisePro TCP Heartbeat Packet | 49704 | 50500 | 192.168.2.8 | 5.42.65.117 |
2024-07-25T03:41:44.914483+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49710 | 52.165.165.26 | 192.168.2.8 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 25, 2024 03:40:51.192308903 CEST | 49704 | 50500 | 192.168.2.8 | 5.42.65.117 |
Jul 25, 2024 03:40:51.197596073 CEST | 50500 | 49704 | 5.42.65.117 | 192.168.2.8 |
Jul 25, 2024 03:40:51.197711945 CEST | 49704 | 50500 | 192.168.2.8 | 5.42.65.117 |
Jul 25, 2024 03:40:51.217940092 CEST | 49704 | 50500 | 192.168.2.8 | 5.42.65.117 |
Jul 25, 2024 03:40:51.222759008 CEST | 50500 | 49704 | 5.42.65.117 | 192.168.2.8 |
Jul 25, 2024 03:40:54.209208012 CEST | 49704 | 50500 | 192.168.2.8 | 5.42.65.117 |
Jul 25, 2024 03:40:54.214102030 CEST | 50500 | 49704 | 5.42.65.117 | 192.168.2.8 |
Jul 25, 2024 03:41:12.589904070 CEST | 50500 | 49704 | 5.42.65.117 | 192.168.2.8 |
Jul 25, 2024 03:41:12.590034962 CEST | 49704 | 50500 | 192.168.2.8 | 5.42.65.117 |
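Two of the four alerts above deserve different handling. The RisePro signatures (SIDs 2046269 and 2049060) fire on traffic the sample sends from the analysis VM (192.168.2.8) to 5.42.65.117 on port 50500, a host it reached without any DNS query, which is the "Non-Standard Port" and "TCP traffic detected without corresponding DNS query" evidence in the signature list. The two SID 2022930 hits are the opposite direction: source port 443 on 52.165.165.26, destination an ephemeral port on the VM, so the content match sits inside a server response, not in anything the sample emitted, and an EXPLOIT rule matching what is most likely TLS payload is the classic false-positive shape that needs the flow inspected before it is called exploitation. The heartbeat alert's timestamp (03:40:51.217940) also coincides exactly with the fourth conversation row, the first client-to-server packet after three rows consistent with the handshake. The script below is an added example, not the report's or Joe Sandbox's code: it parses the alert and conversation rows as they appear on this page, splits alerts by direction, ties each C2 alert to the packet row that raised it, and summarises the C2 endpoint. The host address, the "ET MALWARE" prefix test and the review reasons are the example's own assumptions; the rows are copied from the two tables above.

```python
"""Triage of the report's Suricata alerts and TCP conversation rows (added example, not from the report)."""
import re
from dataclasses import dataclass
from datetime import datetime

ANALYSIS_HOST = "192.168.2.8"  # the sandbox VM's address in the tables above (assumed from the rows)

# Rows copied from the alert table and the TCP conversation table of this report.
ALERT_ROWS = """
2024-07-25T03:41:06.983629+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49705 | 52.165.165.26 | 192.168.2.8
2024-07-25T03:40:54.209208+0200 | TCP | 2046269 | ET MALWARE [ANY.RUN] RisePro TCP (Activity) | 49704 | 50500 | 192.168.2.8 | 5.42.65.117
2024-07-25T03:40:51.217940+0200 | TCP | 2049060 | ET MALWARE RisePro TCP Heartbeat Packet | 49704 | 50500 | 192.168.2.8 | 5.42.65.117
2024-07-25T03:41:44.914483+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49710 | 52.165.165.26 | 192.168.2.8
"""
PACKET_ROWS = """
Jul 25, 2024 03:40:51.192308903 CEST | 49704 | 50500 | 192.168.2.8 | 5.42.65.117
Jul 25, 2024 03:40:51.197596073 CEST | 50500 | 49704 | 5.42.65.117 | 192.168.2.8
Jul 25, 2024 03:40:51.197711945 CEST | 49704 | 50500 | 192.168.2.8 | 5.42.65.117
Jul 25, 2024 03:40:51.217940092 CEST | 49704 | 50500 | 192.168.2.8 | 5.42.65.117
Jul 25, 2024 03:40:51.222759008 CEST | 50500 | 49704 | 5.42.65.117 | 192.168.2.8
Jul 25, 2024 03:40:54.209208012 CEST | 49704 | 50500 | 192.168.2.8 | 5.42.65.117
Jul 25, 2024 03:40:54.214102030 CEST | 50500 | 49704 | 5.42.65.117 | 192.168.2.8
Jul 25, 2024 03:41:12.589904070 CEST | 50500 | 49704 | 5.42.65.117 | 192.168.2.8
Jul 25, 2024 03:41:12.590034962 CEST | 49704 | 50500 | 192.168.2.8 | 5.42.65.117
"""


@dataclass(frozen=True)
class Alert:
    ts: datetime
    proto: str
    sid: int
    signature: str
    src_port: int
    dst_port: int
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class Packet:
    ts: datetime
    src_port: int
    dst_port: int
    src_ip: str
    dst_ip: str


def _cells(row):
    return [c.strip() for c in row.split("|")]


def parse_alerts(text):
    out = []
    for line in text.strip().splitlines():
        ts, proto, sid, sig, sp, dp, sip, dip = _cells(line)
        # Both tables are in the sandbox's local time (+0200 / CEST); keep naive local times so they compare.
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z").replace(tzinfo=None)
        out.append(Alert(when, proto, int(sid), sig, int(sp), int(dp), sip, dip))
    return out


def parse_packets(text):
    out = []
    for line in text.strip().splitlines():
        ts, sp, dp, sip, dip = _cells(line)
        ts = re.sub(r"\.(\d{6})\d*\s+\w+$", r".\1", ts)  # nanoseconds -> microseconds, drop the zone name
        out.append(Packet(datetime.strptime(ts, "%b %d, %Y %H:%M:%S.%f"), int(sp), int(dp), sip, dip))
    return sorted(out, key=lambda p: p.ts)


def triage(alerts, packets):
    """Outbound malware-family alerts become C2 endpoints; everything else is queued with a reason."""
    c2, review = {}, []
    for a in alerts:
        outbound = a.src_ip == ANALYSIS_HOST
        if outbound and a.signature.startswith("ET MALWARE"):
            ep = c2.setdefault((a.dst_ip, a.dst_port), {"sids": [], "trigger_packet": {}})
            ep["sids"].append(a.sid)
            for idx, p in enumerate(packets, 1):  # the row (1-based) whose timestamp the alert carries
                if p.ts == a.ts and {p.src_ip, p.dst_ip} == {a.src_ip, a.dst_ip}:
                    ep["trigger_packet"][a.sid] = idx
        elif not outbound and a.src_port in (443, 80):
            review.append((a, "inbound match inside a server response from port %d; a content rule hitting "
                              "TLS/HTTP payload needs the flow checked before it counts as exploitation" % a.src_port))
        else:
            review.append((a, "not an outbound malware-family signature"))
    for (ip, port), ep in c2.items():
        conv = [p for p in packets
                if {p.src_ip, p.dst_ip} == {ANALYSIS_HOST, ip} and port in (p.src_port, p.dst_port)]
        ep["packets"] = len(conv)
        ep["outbound"] = sum(p.src_ip == ANALYSIS_HOST for p in conv)
        ep["first_seen"] = conv[0].ts if conv else None
        ep["last_seen"] = conv[-1].ts if conv else None
    return {"c2_endpoints": c2, "needs_review": review}


def ioc_lines(result):
    return ["%s:%d tcp sids=%s packets=%d (%d outbound) %s .. %s" % (
        ip, port, ",".join(str(s) for s in sorted(ep["sids"])), ep["packets"], ep["outbound"],
        ep["first_seen"].time(), ep["last_seen"].time())
        for (ip, port), ep in result["c2_endpoints"].items()]


if __name__ == "__main__":
    res = triage(parse_alerts(ALERT_ROWS), parse_packets(PACKET_ROWS))
    print("\n".join(ioc_lines(res)))
    for alert, reason in res["needs_review"]:
        print("review sid %d from %s:%d: %s" % (alert.sid, alert.src_ip, alert.src_port, reason))
```

The IOC this yields is the single endpoint 5.42.65.117:50500 with nine packets in the listed conversation (five from the VM), first seen 03:40:51 and last seen 03:41:12, with SID 2049060 raised by row 4 and SID 2046269 by row 6; the two 2022930 alerts land in the review queue. Note that the process table at the end of the report shows the VM's own clock (21:40:46 on 24/07/2024), which is not the zone used by these two tables, so match on the network timestamps, not the process start time.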
Target ID: | 0 |
Start time: | 21:40:46 |
Start date: | 24/07/2024 |
Path: | C:\Users\user\Desktop\LisectAVT_2403002A_479.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x370000 |
File size: | 3'554'604 bytes |
MD5 hash: | 910182267AB297CED9FA6CAC86F93C3E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |