Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

LisectAVT_2403002A_419.exe

PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy:	7.02180932844593
Filename:	LisectAVT_2403002A_419.exe
Filesize:	5050885
MD5:	42b90e270ab9cc4d1f6354045048b538
SHA1:	080d0df0d03f707096cb974da2d683037e9cc63a
SHA256:	e4883bfe1480181df3d2eb0e0a587be359260ee11a32176aab234eb707fe6f76
SHA512:	fac869f426d33a58edf8af7b39b3615d774c951174f87ad9e61aee8e06457a95b81c8264db5e2632e7a4f0071cb509392dde14f0fbf212a5bb636852d249ca04
SSDEEP:	49152:vQsLHy/+BFCdShmG/RcxajYhJ5J8tEdTZaEjkulvWKw9pE6UumTS58M3g3hQjDVj:5O/+bzE3BjkV99C64u5o4JHpV
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$.,....M................@..............................S.....a.M...`... ............................

Signature Hits	Behavior Group	Mitre Attack
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Drops PE files to the user root directory	Boot Survival
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Screen Capture
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion	Security Software Discovery
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Binary contains paths to development resources	System Summary	Security Software Discovery Screen Capture
Creates files inside the user directory	System Summary	Masquerading
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Executable is probably coded in Go lang	System Summary	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary	File and Directory Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\ROxcmXIWiwnYKwA.pdf

PE32 executable (console) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\ROxcmXIWiwnYKwA.pdf
Category:	dropped
Dump:	ROxcmXIWiwnYKwA.pdf.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\LisectAVT_2403002A_419.exe
Type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy:	6.5839751375706195
Encrypted:	false
Ssdeep:	3072:4wOvOIXbP5KVkD8QC2mCBFv9m7usyT8tKQ9clyPqlO91/iDVSsWUG0bCP0l/rUT+:nCb4VQjVsxyItKQNhigibiKwDU
Size:	284088
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files to the user root directory	Boot Survival	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\jQRMFClswtrBVwy.pdf

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\jQRMFClswtrBVwy.pdf
Category:	dropped
Dump:	jQRMFClswtrBVwy.pdf.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\LisectAVT_2403002A_419.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.739855442755242
Encrypted:	false
Ssdeep:	24576:9jhWSkCh5jR4pkIhn1Fg7YqPCxYL+ID4ntel4LbKbmNTwEBzpKPSa72gn/:Ob6jCkIhn1PGyuFbmNTrzAPSaP
Size:	1357136
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Drops PE files to the user root directory	Boot Survival	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\LisectAVT_2403002A_419.exe

"C:\Users\user\Desktop\LisectAVT_2403002A_419.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7272
Target ID:	0
Parent PID:	4084
Name:	LisectAVT_2403002A_419.exe
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_419.exe
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_419.exe"
Size:	5050885
MD5:	42B90E270AB9CC4D1F6354045048B538
Time:	14:24:17
Date:	25/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff642110000
Modulesize:	5443584
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
PE file contains an invalid checksum	Data Obfuscation
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Binary contains paths to development resources	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Program Files (x86)\AutoIt3\Au3Check.exe

"C:\Program Files (x86)\autoit3\Au3Check.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7416
Target ID:	2
Parent PID:	7272
Name:	Au3Check.exe
Path:	C:\Program Files (x86)\AutoIt3\Au3Check.exe
Commandline:	"C:\Program Files (x86)\autoit3\Au3Check.exe"
Size:	234088
MD5:	3BE697D1A92115D5CA76A633A527DFB7
Time:	14:24:28
Date:	25/07/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	1081344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

URLs

Name

Malicious

https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll

unknown

Details

Name:	https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
TargetID:	-1
From Memory:	true
Source:	LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C000400000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1510031771.000000C000800000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507782336.000002BCE88A0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1457225393.000002BCE89F0000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, jQRMFClswtrBVwy.pdf.0.dr

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://www.winimage.com/zLibDll

unknown

Details

Name:	http://www.winimage.com/zLibDll
TargetID:	-1
From Memory:	true
Source:	LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C000400000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1510031771.000000C000800000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507782336.000002BCE88A0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1457225393.000002BCE89F0000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, Au3Check.exe, 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, jQRMFClswtrBVwy.pdf.0.dr

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://t.me/RiseProSUPPORT

unknown

https://ipinfo.io/

unknown

https://www.autoitscript.com/autoit3/

unknown

Details

Name:	https://www.autoitscript.com/autoit3/
TargetID:	-1
From Memory:	true
Source:	LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://www.maxmind.com/en/locate-my-ip-address

unknown

Details

Name:	https://www.maxmind.com/en/locate-my-ip-address
TargetID:	2
From Memory:	true
Current Path:	C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source:	Au3Check.exe

Signature Hits	Behavior Group	Mitre Attack
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

193.233.132.67

unknown

Russian Federation

Details

IP:	193.233.132.67
TargetID:	2
Current Path:	C:\Program Files (x86)\AutoIt3\Au3Check.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	2895
ASN name:	FREE-NET-ASFREEnetEU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

510000

remote allocation

page execute and read and write

C0004F2000

direct allocation

page read and write

C000800000

direct allocation

page read and write

2BCE88A0000

direct allocation

page read and write

2BCE89F0000

direct allocation

page read and write

C000069000

direct allocation

page read and write

C00008E000

direct allocation

page read and write

9C000

stack

page read and write

C000154000

direct allocation

page read and write

C00004E000

direct allocation

page read and write

7FF64227A000

unkown

page read and write

C0000A2000

direct allocation

page read and write

C8CB1FF000

stack

page read and write

7FF64227C000

unkown

page readonly

C8CA9FC000

stack

page read and write

7FF6424D4000

unkown

page readonly

C000084000

direct allocation

page read and write

C00014E000

direct allocation

page read and write

670000

heap

page read and write

7FF6424EE000

unkown

page readonly

C0000D0000

direct allocation

page read and write

C0000B8000

direct allocation

page read and write

C000140000

direct allocation

page read and write

C0000B4000

direct allocation

page read and write

C000152000

direct allocation

page read and write

C000098000

direct allocation

page read and write

C00009A000

direct allocation

page read and write

7FF642635000

unkown

page write copy

C000027000

direct allocation

page read and write

C8CADFE000

stack

page read and write

7FF64263B000

unkown

page readonly

C0000DE000

direct allocation

page read and write

7FF642639000

unkown

page write copy

C0000EA000

direct allocation

page read and write

7FF6424EE000

unkown

page readonly

19D000

stack

page read and write

C000012000

direct allocation

page read and write

C0000F2000

direct allocation

page read and write

C000018000

direct allocation

page read and write

7FF6424F3000

unkown

page readonly

7FF642636000

unkown

page write copy

7FF6425DB000

unkown

page read and write

246E000

stack

page read and write

C000029000

direct allocation

page read and write

7FF6424D4000

unkown

page readonly

6E5000

heap

page read and write

C000014000

direct allocation

page read and write

2BCE8B87000

direct allocation

page read and write

7FF642258000

unkown

page read and write

C0000C6000

direct allocation

page read and write

7FF6424D7000

unkown

page readonly

C8CB3FE000

stack

page read and write

7FF642111000

unkown

page execute read

C00013E000

direct allocation

page read and write

C0000E6000

direct allocation

page read and write

22DE000

stack

page read and write

2BCA36B0000

direct allocation

page read and write

C00000E000

direct allocation

page read and write

7FF642278000

unkown

page read and write

C0000A4000

direct allocation

page read and write

C000041000

direct allocation

page read and write

6E0000

heap

page read and write

73E000

heap

page read and write

C000086000

direct allocation

page read and write

2BCE89D8000

direct allocation

page read and write

C0000D6000

direct allocation

page read and write

C0000A0000

direct allocation

page read and write

C8CB5FE000

stack

page read and write

C000064000

direct allocation

page read and write

2BCA3390000

direct allocation

page read and write

7FF642254000

unkown

page write copy

2BCA3360000

heap

page read and write

C000002000

direct allocation

page read and write

7FF642279000

unkown

page write copy

C0000C0000

direct allocation

page read and write

C000780000

direct allocation

page read and write

2BCA33F2000

direct allocation

page read and write

C000020000

direct allocation

page read and write

7FF642110000

unkown

page readonly

2BCE8840000

direct allocation

page read and write

C000750000

direct allocation

page read and write

2BCE8850000

direct allocation

page read and write

C000400000

direct allocation

page read and write

C00009C000

direct allocation

page read and write

2BCA3610000

direct allocation

page read and write

2BCA36C5000

heap

page read and write

730000

heap

page read and write

2BCA3630000

direct allocation

page read and write

7FF642275000

unkown

page write copy

7FF642600000

unkown

page read and write

C0000C8000

direct allocation

page read and write

2BCE8A40000

direct allocation

page read and write

C000136000

direct allocation

page read and write

C0000E0000

direct allocation

page read and write

2BCA33F0000

direct allocation

page read and write

C0000D2000

direct allocation

page read and write

C0000F4000

direct allocation

page read and write

C000150000

direct allocation

page read and write

C00000A000

direct allocation

page read and write

C8CAFFE000

stack

page read and write

C000092000

direct allocation

page read and write

C000094000

direct allocation

page read and write

C000006000

direct allocation

page read and write

C8CB7FE000

stack

page read and write

7FF64225A000

unkown

page write copy

C000010000

direct allocation

page read and write

2BCA3340000

heap

page read and write

C0000CA000

direct allocation

page read and write

C8CABFF000

stack

page read and write

C000240000

direct allocation

page read and write

C000030000

direct allocation

page read and write

C0000C2000

direct allocation

page read and write

22E0000

heap

page read and write

C00014C000

direct allocation

page read and write

7A7000

heap

page read and write

2BCA3399000

direct allocation

page read and write

C000748000

direct allocation

page read and write

7FF642111000

unkown

page execute read

660000

heap

page read and write

C000016000

direct allocation

page read and write

2BCA3400000

direct allocation

page read and write

C000025000

direct allocation

page read and write

7FF6424F3000

unkown

page readonly

7FF642635000

unkown

page read and write

7A7000

heap

page read and write

7FF642254000

unkown

page read and write

C000080000

direct allocation

page read and write

792000

heap

page read and write

2BCA3670000

direct allocation

page read and write

7FF642639000

unkown

page write copy

7FF6424D7000

unkown

page readonly

C00009E000

direct allocation

page read and write

C000047000

direct allocation

page read and write

2BCA3260000

heap

page read and write

C000004000

direct allocation

page read and write

C000745000

direct allocation

page read and write

C0000BC000

direct allocation

page read and write

7FF642269000

unkown

page read and write

C000045000

direct allocation

page read and write

C00000C000

direct allocation

page read and write

C00006B000

direct allocation

page read and write

7FF64263B000

unkown

page readonly

2BCA3418000

heap

page read and write

C000043000

direct allocation

page read and write

7FF64262E000

unkown

page read and write

2360000

heap

page read and write

7FF6424F1000

unkown

page readonly

C000770000

direct allocation

page read and write

C000760000

direct allocation

page read and write

C00003C000

direct allocation

page read and write

7FF642110000

unkown

page readonly

C0000A6000

direct allocation

page read and write

79F000

heap

page read and write

C000035000

direct allocation

page read and write

7FF642256000

unkown

page write copy

2BCA339C000

direct allocation

page read and write

2BCA3394000

direct allocation

page read and write

C00003A000

direct allocation

page read and write

C0000CE000

direct allocation

page read and write

7FF642607000

unkown

page read and write

2BCE87E0000

direct allocation

page read and write

C000037000

direct allocation

page read and write

73A000

heap

page read and write

C00008A000

direct allocation

page read and write

C000022000

direct allocation

page read and write

C000000000

direct allocation

page read and write

7FF6424F1000

unkown

page readonly

7FF64227C000

unkown

page readonly

2BCA36C0000

heap

page read and write

2BCA3410000

heap

page read and write

2BCE8A80000

direct allocation

page read and write

There are 161 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
LisectAVT_2403002A_419.exe

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportLisectAVT_2403002A_419.exe

Files

Processes

URLs

IPs

Memdumps

IOC Report
LisectAVT_2403002A_419.exe