Edit tour

Windows Analysis Report
LisectAVT_2403002A_464.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_464.exe
Analysis ID:	1482235
MD5:	87c9aecd5886c99434358b6a7f42fde0
SHA1:	a1424fb0f5bb9fb49a8797c4c43a7b8a4511b2cc
SHA256:	6c0274f44ac55e0619f215604d918e9764ab221e08f2432cd08e65ac69d65652
Tags:	exe
Infos:

Detection

RisePro Stealer

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected RisePro Stealer

AI detected suspicious sample

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Potential thread-based time evasion detected

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Detected TCP or UDP traffic on non-standard ports

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

LisectAVT_2403002A_464.exe (PID: 6308 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_464.exe" MD5: 87C9AECD5886C99434358B6A7F42FDE0)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: LisectAVT_2403002A_464.exe PID: 6308	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.LisectAVT_2403002A_464.exe.ae0000.0.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.127.169.103 - Destination IP: 192.168.2.4

Timestamp:	2024-07-25T19:50:26.187022+0200
SID:	2022930
Source Port:	443
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.127.169.103 - Destination IP: 192.168.2.4

Timestamp:	2024-07-25T19:51:04.888134+0200
SID:	2022930
Source Port:	443
Destination Port:	49737
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE RisePro TCP Heartbeat Packet - Source IP: 192.168.2.4 - Destination IP: 193.233.132.109

Timestamp:	2024-07-25T19:50:13.255582+0200
SID:	2049060
Source Port:	49730
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 193.233.132.109

Timestamp:	2024-07-25T19:50:16.240810+0200
SID:	2046269
Source Port:	49730
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_464.exe

Avira: detected

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: LisectAVT_2403002A_464.exe

Joe Sandbox ML: detected

Source: LisectAVT_2403002A_464.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 193.233.132.109:50500

Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.109
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.109
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.109
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.109
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.109

Source: LisectAVT_2403002A_464.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: LisectAVT_2403002A_464.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: LisectAVT_2403002A_464.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: LisectAVT_2403002A_464.exe, 00000000.00000002.4115458295.0000000000BED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: LisectAVT_2403002A_464.exe, 00000000.00000002.4115458295.0000000000BED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: LisectAVT_2403002A_464.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: LisectAVT_2403002A_464.exe, 00000000.00000002.4115173281.00000000007DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT

Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe

Process Stats: CPU usage > 49%

Source: LisectAVT_2403002A_464.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe

File created: C:\Users\user\AppData\Local\Temp\adobeLrRccmkMEOIP

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LisectAVT_2403002A_464.exe, 00000000.00000002.4115458295.0000000000BED000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LisectAVT_2403002A_464.exe, 00000000.00000002.4115458295.0000000000BED000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe

File read: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	Section loaded: devobj.dll	Jump to behavior

Source: LisectAVT_2403002A_464.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: LisectAVT_2403002A_464.exe

Static file information: File size 5668408 > 1048576

Source: LisectAVT_2403002A_464.exe

Static PE information: Raw size of .vmp is bigger than: 0x100000 < 0x562e00

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp

Source: LisectAVT_2403002A_464.exe

Static PE information: real checksum: 0x573781 should be: 0x573789

Source: LisectAVT_2403002A_464.exe	Static PE information: section name: .vmp
Source: LisectAVT_2403002A_464.exe	Static PE information: section name: .vmp
Source: LisectAVT_2403002A_464.exe	Static PE information: section name: .vmp

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	Memory written: PID: 6308 base: 2D20005 value: E9 8B 2F 1E 74	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	Memory written: PID: 6308 base: 76F02F90 value: E9 7A D0 E1 8B	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	Memory written: PID: 6308 base: 2D30005 value: E9 2B BA 19 74	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	Memory written: PID: 6308 base: 76ECBA30 value: E9 DA 45 E6 8B	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	Memory written: PID: 6308 base: 2D40008 value: E9 8B 8E 1D 74	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	Memory written: PID: 6308 base: 76F18E90 value: E9 80 71 E2 8B	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	Memory written: PID: 6308 base: 2D70005 value: E9 8B 4D E8 72	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	Memory written: PID: 6308 base: 75BF4D90 value: E9 7A B2 17 8D	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	Memory written: PID: 6308 base: 2D80005 value: E9 EB EB E8 72	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	Memory written: PID: 6308 base: 75C0EBF0 value: E9 1A 14 17 8D	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	Memory written: PID: 6308 base: 2D90005 value: E9 8B 8A 24 72	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	Memory written: PID: 6308 base: 74FD8A90 value: E9 7A 75 DB 8D	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	Memory written: PID: 6308 base: 2DA0005 value: E9 2B 02 26 72	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	Memory written: PID: 6308 base: 75000230 value: E9 DA FD D9 8D	Jump to behavior

Malware Analysis System Evasion

Potential thread-based time evasion detected

Source: Initial file

Signature Results: Thread-based counter

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	API/Special instruction interceptor: Address: 133A9D1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	API/Special instruction interceptor: Address: 1340A74
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	API/Special instruction interceptor: Address: 142619C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	API/Special instruction interceptor: Address: F11939
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	API/Special instruction interceptor: Address: F09639
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	API/Special instruction interceptor: Address: 144863C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	API/Special instruction interceptor: Address: 1412270
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	API/Special instruction interceptor: Address: FA7D2E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	API/Special instruction interceptor: Address: 137A1EC
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	API/Special instruction interceptor: Address: 144ABE6
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	API/Special instruction interceptor: Address: 136EE7F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	API/Special instruction interceptor: Address: FD3809
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	API/Special instruction interceptor: Address: 13B5472

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe

RDTSC instruction interceptor: First address: CE0FCB second address: CE0FD6 instructions: 0x00000000 rdtsc 0x00000002 not eax 0x00000004 cdq 0x00000005 push ecx 0x00000006 mov ecx, dword ptr [ebp+18h] 0x00000009 cdq 0x0000000a cwde 0x0000000b rdtsc

Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	Window / User API: threadDelayed 1616			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	Window / User API: threadDelayed 6759			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe TID: 6336	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe TID: 6336	Thread sleep count: 1616 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe TID: 6336	Thread sleep time: -163216s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe TID: 6548	Thread sleep count: 316 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe TID: 6336	Thread sleep count: 6759 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe TID: 6336	Thread sleep time: -682659s >= -30000s	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe	Last function: Thread delayed

Source: LisectAVT_2403002A_464.exe, 00000000.00000002.4115173281.00000000007DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: LisectAVT_2403002A_464.exe, 00000000.00000002.4115173281.00000000007DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_464.exe, 00000000.00000002.4115173281.00000000007DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
Source: LisectAVT_2403002A_464.exe, 00000000.00000002.4115173281.000000000080E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_6AE97C9A
Source: LisectAVT_2403002A_464.exe, 00000000.00000002.4115085592.00000000006FD000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}8
Source: LisectAVT_2403002A_464.exe, 00000000.00000002.4115173281.000000000080E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_464.exe, 00000000.00000002.4115173281.000000000080E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ~-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_6AE97C9A

Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe

Process Stats: CPU usage > 42% for more than 60s

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_464.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: 0.2.LisectAVT_2403002A_464.exe.ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_464.exe PID: 6308, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: 0.2.LisectAVT_2403002A_464.exe.ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_464.exe PID: 6308, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	111 Virtualization/Sandbox Evasion	1 Credential API Hooking	41 Security Software Discovery	Remote Services	1 Credential API Hooking	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	111 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	313 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
LisectAVT_2403002A_464.exe	100%	Avira	TR/Crypt.XPACK.Gen
LisectAVT_2403002A_464.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://www.winimage.com/zLibDll	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://t.me/RiseProSUPPORT	0%	Avira URL Cloud	safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	LisectAVT_2403002A_464.exe, 00000000.00000002.4115458295.0000000000BED000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	LisectAVT_2403002A_464.exe	false	URL Reputation: safe	unknown
http://www.winimage.com/zLibDll	LisectAVT_2403002A_464.exe, 00000000.00000002.4115458295.0000000000BED000.00000002.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://t.me/RiseProSUPPORT	LisectAVT_2403002A_464.exe, 00000000.00000002.4115173281.00000000007DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	LisectAVT_2403002A_464.exe	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	LisectAVT_2403002A_464.exe	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	LisectAVT_2403002A_464.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.233.132.109	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482235
Start date and time:	2024-07-25 19:49:16 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002A_464.exe
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@1/0@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: LisectAVT_2403002A_464.exe

Simulations

Behavior and APIs

Time	Type	Description
13:50:46	API Interceptor	1017453x Sleep call for process: LisectAVT_2403002A_464.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.233.132.109	d2Qy58urPx.exe	Get hash	malicious	RisePro Stealer	Browse
193.233.132.109	d2Qy58urPx.exe	Get hash	malicious	RisePro Stealer	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FREE-NET-ASFREEnetEU	LisectAVT_2403002A_79.exe	Get hash	malicious	Amadey	Browse	193.233.132.56
	LisectAVT_2403002B_242.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.74
	LisectAVT_2403002B_433.exe	Get hash	malicious	Amadey	Browse	193.233.132.56
	Lisect_AVT_24003_G1B_108.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.62
	Lisect_AVT_24003_G1A_89.exe	Get hash	malicious	Bdaejec, RisePro Stealer	Browse	193.233.132.62
	Lisect_AVT_24003_G1A_37.exe	Get hash	malicious	Bdaejec, RisePro Stealer	Browse	193.233.132.62
	LisectAVT_2403002A_262.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.190
	LisectAVT_2403002A_224.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.74
	hunta[1].exe	Get hash	malicious	Bdaejec, RisePro Stealer	Browse	193.233.132.62
	External Own 4.20.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	147.45.47.64

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.991535674205282
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LisectAVT_2403002A_464.exe
File size:	5'668'408 bytes
MD5:	87c9aecd5886c99434358b6a7f42fde0
SHA1:	a1424fb0f5bb9fb49a8797c4c43a7b8a4511b2cc
SHA256:	6c0274f44ac55e0619f215604d918e9764ab221e08f2432cd08e65ac69d65652
SHA512:	10086695bd697a181f694949846178ea195ba3e0b44eed39aa054110448bcdfddd8bce6cfaf1e7d9476d017425e9b6c3ba7c8d6b76bb0597cee2b0294dc9c2c9
SSDEEP:	98304:B9jwL5kme5BYsmXZp9i/OcQItBftG3w+CdnFs/djCfnqg3mePCCFE:B1aime8L0mI7fpjnFsfahPv
TLSH:	C746334DD1D50694E4E6A6B00B12F8FDB3FF2AAD02A4CD6E809C6EC599F31B56332047
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...eM.f...............'.....D........M...........@..................................7W...@..........................MB.J..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x8dcbe2
Entrypoint Section:	.vmp
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66004D65 [Sun Mar 24 15:57:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	84d3942a6283bd1fa0ecc5bc71ddea94

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
push DA0101A8h
call 00007F7F14CD75C0h
or dx, ax
not dx
mov word ptr [ebp+00h], dx
push E69FFE8Ah
push 813E8EAEh
push 3403E280h
lea esp, dword ptr [esp+0Ch]
jmp 00007F7F14C2DAF2h
mov eax, 69A0649Ah
mov ecx, eax
mov ecx, dword ptr [edi+ecx-69A0649Ah]
jmp 00007F7F14CD773Dh
stc
sbb ecx, dword ptr [ecx-214C6741h]
xor byte ptr [ecx+04D112C0h], ch
mov bh, 0Ch
xchg bl, cl
mov dl, 81h
xlatb
add dword ptr [eax], eax
add byte ptr [eax], al
call 00007F7F14C19866h
call 00007F7F1482F27Ch
lea esp, dword ptr [esp+04h]
jmp 00007F7F14812551h
or eax, 0A06A506h
leave
xchg eax, edi
inc esp
pop ebx
pushad
mov al, byte ptr [81A64553h]
sbb ch, byte ptr [edx]
popad
mov bl, FFh
imul esp, dword ptr [esi+eax*2], 04h
add al, B5h
retn 3DC7h
cld
in al, dx
in al, 16h
fdiv dword ptr [eax+34h]
cmpsb
not dword ptr [esi]
xchg eax, esp
call dword ptr [edx]
fcomp qword ptr [ecx]
cmp ebp, ecx
lahf
inc ebp
loop 00007F7F14859155h
inc edx
test eax, 84F08622h
inc ecx
aam 88h
inc ecx
or ah, byte ptr fs:[esi+37h]
or eax, 823852DFh
add byte ptr [ebx+56h], ch
mov ebp, 1F0D59C3h
leave
jnp 00007F7F1485916Eh
or al, al
aaa
aad C5h
xchg dword ptr [ecx], ebp
imul esi, esp, 00h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x424de8	0x4a	.vmp
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8fe378	0x140	.vmp
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x988000	0xe93	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x566600	0x1830	.vmp
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x986000	0x1a98	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x9857e0	0x40	.vmp
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x422000	0x8c	.vmp
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x10b0f8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x10d000	0x20390	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x12e000	0x48a8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp	0x133000	0x2eec11	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp	0x422000	0x700	0x800	f36abdb4ad7e16b133d5827f133ae594	False	0.05419921875	data	0.3480864167488688	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp	0x423000	0x562cf0	0x562e00	f28215bad4588669c5dbfe7d99128426	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x986000	0x1a98	0x1c00	64157f39c4b8aa8f5979a0fb59a16b74	False	0.38657924107142855	data	5.8131576082052465	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x988000	0xe93	0x1000	7b97c7abf28a679b0a4090ae34d08bbe	False	0.355224609375	data	4.992629817806596	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x988058	0xe3b	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.38594564919022784

Imports

DLL	Import
KERNEL32.dll	GetVersionExA
USER32.dll	wsprintfA
GDI32.dll	CreateCompatibleBitmap
ADVAPI32.dll	RegCreateKeyExA
SHELL32.dll	ShellExecuteA
ole32.dll	CoInitialize
WS2_32.dll	WSAStartup
CRYPT32.dll	CryptUnprotectData
SHLWAPI.dll	PathFindExtensionA
gdiplus.dll	GdipGetImageEncoders
SETUPAPI.dll	SetupDiEnumDeviceInfo
ntdll.dll	RtlUnicodeStringToAnsiString
RstrtMgr.DLL	RmStartSession
KERNEL32.dll	GetSystemTimeAsFileTime
KERNEL32.dll	HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress

Exports

Name	Ordinal	Address
Start	1	0x466a40

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T19:50:26.187022+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49731	40.127.169.103	192.168.2.4
2024-07-25T19:51:04.888134+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49737	40.127.169.103	192.168.2.4
2024-07-25T19:50:13.255582+0200	TCP	2049060	ET MALWARE RisePro TCP Heartbeat Packet	49730	50500	192.168.2.4	193.233.132.109
2024-07-25T19:50:16.240810+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49730	50500	192.168.2.4	193.233.132.109

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 19:50:13.083185911 CEST	49730	50500	192.168.2.4	193.233.132.109
Jul 25, 2024 19:50:13.239038944 CEST	50500	49730	193.233.132.109	192.168.2.4
Jul 25, 2024 19:50:13.239362001 CEST	49730	50500	192.168.2.4	193.233.132.109
Jul 25, 2024 19:50:13.255582094 CEST	49730	50500	192.168.2.4	193.233.132.109
Jul 25, 2024 19:50:13.265921116 CEST	50500	49730	193.233.132.109	192.168.2.4
Jul 25, 2024 19:50:16.240809917 CEST	49730	50500	192.168.2.4	193.233.132.109
Jul 25, 2024 19:50:16.248016119 CEST	50500	49730	193.233.132.109	192.168.2.4
Jul 25, 2024 19:50:34.630662918 CEST	50500	49730	193.233.132.109	192.168.2.4
Jul 25, 2024 19:50:34.630851984 CEST	49730	50500	192.168.2.4	193.233.132.109

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: LisectAVT_2403002A_464.exePID: 6308, Parent PID: 2580

General

Target ID:	0
Start time:	13:50:05
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_464.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_464.exe"
Imagebase:	0xae0000
File size:	5'668'408 bytes
MD5 hash:	87C9AECD5886C99434358B6A7F42FDE0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_464.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
LisectAVT_2403002A_464.exe