Windows Analysis Report
LisectAVT_2403002A_240.exe

Overview

General Information

Sample name: LisectAVT_2403002A_240.exe
Analysis ID: 1482386
MD5: df07b5a212f479d219e1c4d06d414cf7
SHA1: d99f01c6dad27d6509c698088262a5cc4879a8ac
SHA256: bba2ef9d02005d036678e558bc535d89cd348ee3eeefb19f145f497f6a03f482
Tags: exe

Detection

RisePro Stealer
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected RisePro Stealer
AI detected suspicious sample
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Potential thread-based time evasion detected
Switches to a custom stack to bypass stack traces
Abnormal high CPU Usage
Detected TCP or UDP traffic on non-standard ports
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

AV Detection

Source: LisectAVT_2403002A_240.exe Avira: detected
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: LisectAVT_2403002A_240.exe Joe Sandbox ML: detected
Source: LisectAVT_2403002A_240.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: global traffic TCP traffic: 192.168.2.7:49699 -> 5.42.65.117:50500
Source: Joe Sandbox View IP Address: 5.42.65.117 5.42.65.117
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.117
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676191336.0000000000F2B000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.altools.co.kr
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3673911110.000000000072D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3673911110.000000000072D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676294936.000000000145E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe Process Stats: CPU usage > 49%
Source: LisectAVT_2403002A_240.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal80.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHhiKVI_uqi9d
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3673911110.000000000072D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3673911110.000000000072D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe File read: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe Section loaded: devobj.dll
Source: LisectAVT_2403002A_240.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: LisectAVT_2403002A_240.exe Static file information: File size 5402117 > 1048576
Source: LisectAVT_2403002A_240.exe Static PE information: Raw size of .vmp is bigger than: 0x100000 < 0x522800
Source: initial sample Static PE information: section where entry point is pointing to: .vmp
Source: LisectAVT_2403002A_240.exe Static PE information: real checksum: 0x535ec5 should be: 0x535eca
Source: LisectAVT_2403002A_240.exe Static PE information: section name: .vmp

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe Memory written: PID: 5364 base: 13F0005 value: E9 8B 2F 37 76
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe Memory written: PID: 5364 base: 77762F90 value: E9 7A D0 C8 89

Malware Analysis System Evasion

Source: Initial file Signature Results: Thread-based counter
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe API/Special instruction interceptor: Address: EAF113
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe API/Special instruction interceptor: Address: EA6CC5
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe API/Special instruction interceptor: Address: A37A3A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe API/Special instruction interceptor: Address: D512F1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe API/Special instruction interceptor: Address: D1F69D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe API/Special instruction interceptor: Address: E65E4C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe API/Special instruction interceptor: Address: EBBF54
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe API/Special instruction interceptor: Address: DD9BDB
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe API/Special instruction interceptor: Address: CF2D3D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe API/Special instruction interceptor: Address: E83EE0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe API/Special instruction interceptor: Address: EA8E20
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe API/Special instruction interceptor: Address: A2CCE5
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe API/Special instruction interceptor: Address: EA89A2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe API/Special instruction interceptor: Address: A3382B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe Window / User API: threadDelayed 3192
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe Window / User API: threadDelayed 5297
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe TID: 7000 Thread sleep count: 3192 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe TID: 7000 Thread sleep time: -322392s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe TID: 648 Thread sleep count: 323 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe TID: 7000 Thread sleep count: 5297 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe TID: 7000 Thread sleep time: -534997s >= -30000s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe Last function: Thread delayed
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676294936.0000000001450000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_DA6DB76E
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676294936.000000000147B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676294936.000000000147B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllll"
Source: LisectAVT_2403002A_240.exe, 00000000.00000003.1298019347.0000000001487000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676226503.00000000012FC000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}xCF
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676294936.0000000001450000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_DA6DB76Ele,,I
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676294936.000000000148F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676294936.000000000145E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe Process Stats: CPU usage > 42% for more than 60s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.LisectAVT_2403002A_240.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_240.exe PID: 5364, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.LisectAVT_2403002A_240.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_240.exe PID: 5364, type: MEMORYSTR