Windows Analysis Report
LisectAVT_2403002A_240.exe

Overview

General Information

Sample name: LisectAVT_2403002A_240.exe
Analysis ID: 1482386
MD5: df07b5a212f479d219e1c4d06d414cf7
SHA1: d99f01c6dad27d6509c698088262a5cc4879a8ac
SHA256: bba2ef9d02005d036678e558bc535d89cd348ee3eeefb19f145f497f6a03f482
Tags: exe

Detection

RisePro Stealer
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected RisePro Stealer
AI detected suspicious sample
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Potential thread-based time evasion detected
Switches to a custom stack to bypass stack traces
Abnormal high CPU Usage
Detected TCP or UDP traffic on non-standard ports
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

  • System is w10x64
  • LisectAVT_2403002A_240.exe (PID: 5364 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_240.exe" MD5: DF07B5A212F479D219E1C4D06D414CF7)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: LisectAVT_2403002A_240.exe PID: 5364 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
0.2.LisectAVT_2403002A_240.exe.620000.0.unpack | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
      No Sigma rule has matched
      No Snort rule has matched
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
2024-07-25T22:10:54.292591+0200 | 2022930 | 443 | 64280 | TCP | A Network Trojan was detected
2024-07-25T22:10:10.789047+0200 | 2049060 | 49699 | 50500 | TCP | A Network Trojan was detected
2024-07-25T22:10:23.530028+0200 | 2022930 | 443 | 49700 | TCP | A Network Trojan was detected
2024-07-25T22:10:13.780884+0200 | 2046269 | 49699 | 50500 | TCP | A Network Trojan was detected

      AV Detection

Source: LisectAVT_2403002A_240.exe | Avira: detected
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: LisectAVT_2403002A_240.exe | Joe Sandbox ML: detected
Source: LisectAVT_2403002A_240.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: global traffic | TCP traffic: 192.168.2.7:49699 -> 5.42.65.117:50500
Source: Joe Sandbox View | IP Address: 5.42.65.117 5.42.65.117
Source: unknown | TCP traffic detected without corresponding DNS query: 5.42.65.117
Source: unknown | TCP traffic detected without corresponding DNS query: 5.42.65.117
Source: unknown | TCP traffic detected without corresponding DNS query: 5.42.65.117
Source: unknown | TCP traffic detected without corresponding DNS query: 5.42.65.117
Source: unknown | TCP traffic detected without corresponding DNS query: 5.42.65.117
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676191336.0000000000F2B000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.altools.co.kr
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3673911110.000000000072D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3673911110.000000000072D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676294936.000000000145E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/RiseProSUPPORT
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | Process Stats: CPU usage > 49%
Source: LisectAVT_2403002A_240.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal80.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | File created: C:\Users\user~1\AppData\Local\Temp\adobeHhiKVI_uqi9d
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3673911110.000000000072D000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3673911110.000000000072D000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | File read: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | Section loaded: devobj.dll
Source: LisectAVT_2403002A_240.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: LisectAVT_2403002A_240.exe | Static file information: File size 5402117 > 1048576
Source: LisectAVT_2403002A_240.exe | Static PE information: Raw size of .vmp is bigger than: 0x100000 < 0x522800
Source: initial sample | Static PE information: section where entry point is pointing to: .vmp
Source: LisectAVT_2403002A_240.exe | Static PE information: real checksum: 0x535ec5 should be: 0x535eca
Source: LisectAVT_2403002A_240.exe | Static PE information: section name: .vmp
Source: LisectAVT_2403002A_240.exe | Static PE information: section name: .vmp
Source: LisectAVT_2403002A_240.exe | Static PE information: section name: .vmp

      Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | Memory written: PID: 5364 base: 13F0005 value: E9 8B 2F 37 76
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | Memory written: PID: 5364 base: 77762F90 value: E9 7A D0 C8 89

      Malware Analysis System Evasion

Source: Initial file | Signature Results: Thread-based counter
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | API/Special instruction interceptor: Address: EAF113
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | API/Special instruction interceptor: Address: EA6CC5
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | API/Special instruction interceptor: Address: A37A3A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | API/Special instruction interceptor: Address: D512F1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | API/Special instruction interceptor: Address: D1F69D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | API/Special instruction interceptor: Address: E65E4C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | API/Special instruction interceptor: Address: EBBF54
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | API/Special instruction interceptor: Address: DD9BDB
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | API/Special instruction interceptor: Address: CF2D3D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | API/Special instruction interceptor: Address: E83EE0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | API/Special instruction interceptor: Address: EA8E20
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | API/Special instruction interceptor: Address: A2CCE5
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | API/Special instruction interceptor: Address: EA89A2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | API/Special instruction interceptor: Address: A3382B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | Window / User API: threadDelayed 3192
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | Window / User API: threadDelayed 5297
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe TID: 7000 | Thread sleep count: 3192 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe TID: 7000 | Thread sleep time: -322392s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe TID: 648 | Thread sleep count: 323 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe TID: 7000 | Thread sleep count: 5297 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe TID: 7000 | Thread sleep time: -534997s >= -30000s
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | Last function: Thread delayed
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676294936.0000000001450000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_DA6DB76E
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676294936.000000000147B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676294936.000000000147B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllll"
Source: LisectAVT_2403002A_240.exe, 00000000.00000003.1298019347.0000000001487000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676226503.00000000012FC000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}xCF
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676294936.0000000001450000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_DA6DB76Ele,,I
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676294936.000000000148F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_240.exe, 00000000.00000002.3676294936.000000000145E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | Process information queried: ProcessInformation

      Anti Debugging

Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | Process Stats: CPU usage > 42% for more than 60s
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information

Source: Yara match | File source: 0.2.LisectAVT_2403002A_240.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_240.exe PID: 5364, type: MEMORYSTR

      Remote Access Functionality

Source: Yara match | File source: 0.2.LisectAVT_2403002A_240.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_240.exe PID: 5364, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 111 Virtualization/Sandbox Evasion | 1 Credential API Hooking | 31 Security Software Discovery | Remote Services | 1 Credential API Hooking | 1 Non-Standard Port | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | LSASS Memory | 111 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 213 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Source | Detection | Scanner | Label | Link
LisectAVT_2403002A_240.exe | 100% | Avira | TR/Redcap.czylj |
LisectAVT_2403002A_240.exe | 100% | Joe Sandbox ML | |
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.winimage.com/zLibDll | 0% | URL Reputation | safe |
http://www.altools.co.kr | 0% | Avira URL Cloud | safe |
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll | 0% | Avira URL Cloud | safe |
https://t.me/RiseProSUPPORT | 0% | Avira URL Cloud | safe |
      No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll | LisectAVT_2403002A_240.exe, 00000000.00000002.3673911110.000000000072D000.00000002.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://www.winimage.com/zLibDll | LisectAVT_2403002A_240.exe, 00000000.00000002.3673911110.000000000072D000.00000002.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
https://t.me/RiseProSUPPORT | LisectAVT_2403002A_240.exe, 00000000.00000002.3676294936.000000000145E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.altools.co.kr | LisectAVT_2403002A_240.exe, 00000000.00000002.3676191336.0000000000F2B000.00000002.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
5.42.65.117 | unknown | Russian Federation | | 39493 | RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1482386
Start date and time: 2024-07-25 22:09:11 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: LisectAVT_2403002A_240.exe
Detection: MAL
Classification: mal80.troj.evad.winEXE@1/0@0/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• VT rate limit hit for: LisectAVT_2403002A_240.exe
Time | Type | Description
17:21:10 | API Interceptor | 1163014x Sleep call for process: LisectAVT_2403002A_240.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
5.42.65.117 | LisectAVT_2403002A_479.exe | Get hash | malicious | RisePro Stealer | Browse |
| ws7tj0VzXA.exe | Get hash | malicious | LummaC, PureLog Stealer, RisePro Stealer | Browse |
| file.exe | Get hash | malicious | LummaC, PureLog Stealer, RisePro Stealer | Browse |
| file.exe | Get hash | malicious | LummaC, PureLog Stealer, RisePro Stealer | Browse |
| file.exe | Get hash | malicious | LummaC, PureLog Stealer, RisePro Stealer | Browse |
| i1crvbOZAP.exe | Get hash | malicious | Amadey, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader | Browse |
| file.exe | Get hash | malicious | LummaC, PureLog Stealer, RisePro Stealer | Browse |
| R7piqpsoTx.exe | Get hash | malicious | LummaC, PureLog Stealer, RisePro Stealer | Browse |
| MJ2Ltjq5mk.exe | Get hash | malicious | LummaC, PureLog Stealer, RisePro Stealer | Browse |
| file.exe | Get hash | malicious | LummaC, RisePro Stealer | Browse |
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | LisectAVT_2403002A_422.exe | Get hash | malicious | RedLine | Browse | 5.42.65.68
| LisectAVT_2403002B_301.exe | Get hash | malicious | Bdaejec, GCleaner | Browse | 5.42.65.115
| LisectAVT_2403002B_98.exe | Get hash | malicious | Bdaejec, GCleaner, Nymaim | Browse | 5.42.64.3
| LisectAVT_2403002C_44.exe | Get hash | malicious | EICAR | Browse | 5.42.96.78
| LisectAVT_2403002C_45.exe | Get hash | malicious | PureLog Stealer, RedLine | Browse | 5.42.65.68
| LisectAVT_2403002A_479.exe | Get hash | malicious | RisePro Stealer | Browse | 5.42.65.117
| 7d69f17f.exe | Get hash | malicious | RedLine | Browse | 45.15.156.186
| 25C1.exe | Get hash | malicious | Glupteba, Xmrig | Browse | 5.42.64.33
| #Ud83c#Udf0dimpactfulbrands.co.uk__________________________________________.html.bat | Get hash | malicious | RedLine | Browse | 45.15.157.131
| https://45.15.156.174/index.php/s/24Sr2FjZQm8gXFA/download/ketamine.exe | Get hash | malicious | Unknown | Browse | 45.15.156.174
No context
No context
                          No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.990633946927915
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: LisectAVT_2403002A_240.exe
File size: 5'402'117 bytes
MD5: df07b5a212f479d219e1c4d06d414cf7
SHA1: d99f01c6dad27d6509c698088262a5cc4879a8ac
SHA256: bba2ef9d02005d036678e558bc535d89cd348ee3eeefb19f145f497f6a03f482
SHA512: 761a53981b64e47d6a9f8a2bcf54d2dc8ca5c45c4acc7ac969d24b6a9964a6416bc5f52029a2efd4322c6c43e6bd0ebd5038bad221324074845410c66ba5b882
SSDEEP: 98304:2QTLK3OmctIY4tTNEsxwyNJqSVCS+Nfl4gvqvU7dYblDQdKw7:I3AIYxvyrzVCVNN4bcJYbidKw
TLSH: 2946331E3BC23A60E8AA227C03A5FEFE35FE0945A0564D5AD8087CD7DCF36492137956
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...eM.f...............'.....D........r...........@..........................P.......^S...@.........................."m.J..
Icon Hash: 00928e8e8686b000
Entrypoint: 0xb2867f
Entrypoint Section: .vmp
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66004D65 [Sun Mar 24 15:57:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 84d3942a6283bd1fa0ecc5bc71ddea94
                          Instruction
                          push edx
                          call 00007F1CB89CEBA3h
                          mov eax, dword ptr [esi+04h]
                          mul ebp
                          jmp 00007F1CB8CBE706h
                          mov dword ptr [esp+00h], 1B1216B9h
                          mov word ptr [edi], cx
                          call 00007F1CB8A03ED1h
                          je 00007F1CB8CFF43Fh
                          movsb
                          fst dword ptr [esp+edx-77h]
                          xchg eax, ebp
                          salc
                          dec edx
                          push es
                          mov esp, edx
                          pop ss
                          int3
                          add eax, ecx
                          sub eax, 5BCC38B8h
                          lea ebx, dword ptr [ebx+000C8A70h]
                          jmp ebx
                          lea esp, dword ptr [esp+04h]
                          jmp 00007F1CB8DD77D6h
                          xor bp, bx
                          sar byte ptr [esp+01h], 00000063h
                          push E102A733h
                          ror bp, 1
                          sal dword ptr [esp+04h], FFFFFF9Fh
                          neg bp
                          inc bp
                          rol bp, 1
                          jmp 00007F1CB8CAAAD7h
                          mov byte ptr [ecx], dl
                          call 00007F1CB8E64E7Ah
                          xor word ptr [esp+05h], EBA8h
                          shr dword ptr [esp+01h], FFFFFFAAh
                          inc cx
                          not dword ptr [esp+04h]
                          rol cx, 1
                          rol dword ptr [esp+01h], 4Dh
                          inc dword ptr [esp+03h]
                          jns 00007F1CB8E625A8h
                          dec edx
                          test bp, 1EA7h
                          cmc
                          cmp ecx, edx
                          jmp 00007F1CB8DF7AF1h
                          xor al, bl
                          inc al
                          rol word ptr [esp+02h], FFEFh
                          neg al
                          push 652F38B0h
                          neg word ptr [esp+06h]
                          not al
                          dec word ptr [esp+03h]
                          push 0099C215h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x6d22bc | 0x4a | .vmp
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8fb688 | 0x140 | .vmp
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x90d000 | 0x7850 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x90b000 | 0x1a34 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x90a140 | 0x40 | .vmp
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3e7000 | 0x8c | .vmp
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x10b0f8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x10d000 | 0x20390 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x12e000 | 0x48a8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp | 0x133000 | 0x2b3391 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp | 0x3e7000 | 0x700 | 0x800 | 55655dfb2afd1e389d94e5bc628dbd24 | False | 0.05419921875 | data | 0.3412941021913871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp | 0x3e8000 | 0x522650 | 0x522800 | 1a26a490bba777ff3398b2bed49d7342 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc | 0x90b000 | 0x1a34 | 0x1c00 | e538b5cef3a5c3906e39af2390197d52 | False | 0.36453683035714285 | data | 5.7331395016607285 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x90d000 | 0x7850 | 0x1e00 | 79b58129290351bb6870399b9a90ebad | False | 0.32903645833333334 | data | 4.600287247157791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| AFX_DIALOG_LAYOUT | 0x90ec48 | 0x2 | data | Korean | North Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec48 | 0x2 | data | Korean | South Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec4c | 0x2 | data | Korean | North Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec4c | 0x2 | data | Korean | South Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec50 | 0x2 | data | Korean | North Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec50 | 0x2 | data | Korean | South Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec54 | 0x2 | data | Korean | North Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec54 | 0x2 | data | Korean | South Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec58 | 0x2 | data | Korean | North Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec58 | 0x2 | data | Korean | South Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec5c | 0x2 | data | Korean | North Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec5c | 0x2 | data | Korean | South Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec60 | 0x2 | data | | | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec64 | 0x2 | data | Korean | North Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec64 | 0x2 | data | Korean | South Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec68 | 0x2 | data | | | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec6c | 0x2 | data | Korean | North Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec6c | 0x2 | data | Korean | South Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec70 | 0x2 | data | | | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec74 | 0x2 | data | Korean | North Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec74 | 0x2 | data | Korean | South Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec78 | 0x2 | data | | | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec7c | 0x2 | data | Korean | North Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec7c | 0x2 | data | Korean | South Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec80 | 0x2 | data | | | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec84 | 0x2 | data | Korean | North Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec84 | 0x2 | data | Korean | South Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec88 | 0x2 | data | | | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec8c | 0x2 | data | Korean | North Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec8c | 0x2 | data | Korean | South Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec90 | 0x2 | data | | | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec94 | 0x2 | data | Korean | North Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec94 | 0x2 | data | Korean | South Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec98 | 0x2 | data | | | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec9c | 0x2 | data | Korean | North Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ec9c | 0x2 | data | Korean | South Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90eca0 | 0x7a | data | | | 0.09836065573770492 |
| AFX_DIALOG_LAYOUT | 0x90ed1c | 0x7a | data | Korean | North Korea | 0.09836065573770492 |
| AFX_DIALOG_LAYOUT | 0x90ed1c | 0x7a | data | Korean | South Korea | 0.09836065573770492 |
| AFX_DIALOG_LAYOUT | 0x90ed98 | 0x2 | data | | | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ed9c | 0x2 | data | Korean | North Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90ed9c | 0x2 | data | Korean | South Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90eda0 | 0x2 | data | | | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90eda4 | 0x2 | data | Korean | North Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90eda4 | 0x2 | data | Korean | South Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90eda8 | 0x2 | data | | | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90edac | 0x2 | data | Korean | North Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90edac | 0x2 | data | Korean | South Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90edb0 | 0x2 | data | | | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90edb4 | 0x2 | data | Korean | North Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90edb4 | 0x2 | data | Korean | South Korea | 5.0 |
| AFX_DIALOG_LAYOUT | 0x90edb8 | 0x5a | data | | | 0.16666666666666666 |
| AFX_DIALOG_LAYOUT | 0x90ee14 | 0x5a | empty | Korean | North Korea | 0 |
| AFX_DIALOG_LAYOUT | 0x90ee14 | 0x5a | empty | Korean | South Korea | 0 |
| AFX_DIALOG_LAYOUT | 0x90ee70 | 0x2 | empty | | | 0 |
| AFX_DIALOG_LAYOUT | 0x90ee74 | 0x2 | empty | Korean | North Korea | 0 |
| AFX_DIALOG_LAYOUT | 0x90ee74 | 0x2 | empty | Korean | South Korea | 0 |
| RT_BITMAP | 0x90ee78 | 0x608 | empty | Korean | North Korea | 0 |
| RT_BITMAP | 0x90ee78 | 0x608 | empty | Korean | South Korea | 0 |
| RT_BITMAP | 0x90f480 | 0x1028 | empty | Korean | North Korea | 0 |
| RT_BITMAP | 0x90f480 | 0x1028 | empty | Korean | South Korea | 0 |
| RT_BITMAP | 0x9104a8 | 0xb8 | empty | Korean | North Korea | 0 |
| RT_BITMAP | 0x9104a8 | 0xb8 | empty | Korean | South Korea | 0 |
| RT_BITMAP | 0x910560 | 0x144 | empty | Korean | North Korea | 0 |
| RT_BITMAP | 0x910560 | 0x144 | empty | Korean | South Korea | 0 |
| RT_MENU | 0x9106a4 | 0x2f4 | empty | | | 0 |
| RT_MENU | 0x910998 | 0x308 | empty | Korean | North Korea | 0 |
| RT_MENU | 0x910998 | 0x308 | empty | Korean | South Korea | 0 |
| RT_DIALOG | 0x910ca0 | 0x1ac | empty | | | 0 |
| RT_DIALOG | 0x910e4c | 0x168 | empty | Korean | North Korea | 0 |
| RT_DIALOG | 0x910e4c | 0x168 | empty | Korean | South Korea | 0 |
| RT_DIALOG | 0x910fb4 | 0x2ae | empty | | | 0 |
| RT_DIALOG | 0x911264 | 0x28e | empty | Korean | North Korea | 0 |
| RT_DIALOG | 0x911264 | 0x28e | empty | Korean | South Korea | 0 |
| RT_DIALOG | 0x9114f4 | 0x10c | empty | | | 0 |
| RT_DIALOG | 0x911600 | 0xf4 | empty | Korean | North Korea | 0 |
| RT_DIALOG | 0x911600 | 0xf4 | empty | Korean | South Korea | 0 |
| RT_DIALOG | 0x9116f4 | 0x60 | empty | | | 0 |
| RT_DIALOG | 0x911754 | 0x60 | empty | Korean | North Korea | 0 |
| RT_DIALOG | 0x911754 | 0x60 | empty | Korean | South Korea | 0 |
| RT_DIALOG | 0x9117b4 | 0x60 | empty | | | 0 |
| RT_DIALOG | 0x911814 | 0x60 | empty | Korean | North Korea | 0 |
| RT_DIALOG | 0x911814 | 0x60 | empty | Korean | South Korea | 0 |
| RT_DIALOG | 0x911874 | 0x134 | empty | | | 0 |
| RT_DIALOG | 0x9119a8 | 0x120 | empty | Korean | North Korea | 0 |
| RT_DIALOG | 0x9119a8 | 0x120 | empty | Korean | South Korea | 0 |
| RT_DIALOG | 0x911ac8 | 0xb8 | empty | | | 0 |
| RT_DIALOG | 0x911b80 | 0xb8 | empty | Korean | North Korea | 0 |
| RT_DIALOG | 0x911b80 | 0xb8 | empty | Korean | South Korea | 0 |
| RT_DIALOG | 0x911c38 | 0x1e0 | empty | | | 0 |
| RT_DIALOG | 0x911e18 | 0x1c4 | empty | Korean | North Korea | 0 |
| RT_DIALOG | 0x911e18 | 0x1c4 | empty | Korean | South Korea | 0 |
| RT_DIALOG | 0x911fdc | 0x3d4 | empty | | | 0 |
| RT_DIALOG | 0x9123b0 | 0x32c | empty | Korean | North Korea | 0 |
| RT_DIALOG | 0x9123b0 | 0x32c | empty | Korean | South Korea | 0 |
| RT_DIALOG | 0x9126dc | 0x474 | empty | | | 0 |
| RT_DIALOG | 0x912b50 | 0x3e8 | empty | Korean | North Korea | 0 |
| RT_DIALOG | 0x912b50 | 0x3e8 | empty | Korean | South Korea | 0 |
| RT_DIALOG | 0x912f38 | 0x426 | empty | | | 0 |
| RT_DIALOG | 0x913360 | 0x322 | empty | Korean | North Korea | 0 |
| RT_DIALOG | 0x913360 | 0x322 | empty | Korean | South Korea | 0 |
| RT_DIALOG | 0x913684 | 0x162 | empty | | | 0 |
| RT_DIALOG | 0x9137e8 | 0x152 | empty | Korean | North Korea | 0 |
| RT_DIALOG | 0x9137e8 | 0x152 | empty | Korean | South Korea | 0 |
| RT_DIALOG | 0x91393c | 0x1a4 | empty | | | 0 |
| RT_DIALOG | 0x913ae0 | 0x15c | empty | Korean | North Korea | 0 |
| RT_DIALOG | 0x913ae0 | 0x15c | empty | Korean | South Korea | 0 |
| RT_DIALOG | 0x913c3c | 0x30c | empty | | | 0 |
| RT_DIALOG | 0x913f48 | 0x284 | empty | Korean | North Korea | 0 |
| RT_DIALOG | 0x913f48 | 0x284 | empty | Korean | South Korea | 0 |
| RT_DIALOG | 0x9141cc | 0x160 | empty | | | 0 |
| RT_DIALOG | 0x91432c | 0x184 | empty | Korean | North Korea | 0 |
| RT_DIALOG | 0x91432c | 0x184 | empty | Korean | South Korea | 0 |
| RT_DIALOG | 0x9144b0 | 0xf4 | empty | Korean | North Korea | 0 |
| RT_DIALOG | 0x9144b0 | 0xf4 | empty | Korean | South Korea | 0 |
| RT_DIALOG | 0x9145a4 | 0x34 | empty | Korean | North Korea | 0 |
| RT_DIALOG | 0x9145a4 | 0x34 | empty | Korean | South Korea | 0 |
| RT_ACCELERATOR | 0x9145d8 | 0xb0 | empty | Korean | North Korea | 0 |
| RT_ACCELERATOR | 0x9145d8 | 0xb0 | empty | Korean | South Korea | 0 |
| RT_MANIFEST | 0x90de0c | 0xe3b | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.38594564919022784 |
| None | 0x914688 | 0x62 | empty | | | 0 |
| None | 0x9146ec | 0x62 | empty | Korean | North Korea | 0 |
| None | 0x9146ec | 0x62 | empty | Korean | South Korea | 0 |
| None | 0x914750 | 0x74 | empty | | | 0 |
| None | 0x9147c4 | 0x65 | empty | Korean | North Korea | 0 |
| None | 0x9147c4 | 0x65 | empty | Korean | South Korea | 0 |
| None | 0x91482c | 0x24 | empty | Korean | North Korea | 0 |
| None | 0x91482c | 0x24 | empty | Korean | South Korea | 0 |
| DLL | Import |
|---|---|
| KERNEL32.dll | GetVersionExA |
| USER32.dll | wsprintfA |
| GDI32.dll | CreateCompatibleBitmap |
| ADVAPI32.dll | RegCreateKeyExA |
| SHELL32.dll | ShellExecuteA |
| ole32.dll | CoInitialize |
| WS2_32.dll | WSAStartup |
| CRYPT32.dll | CryptUnprotectData |
| SHLWAPI.dll | PathFindExtensionA |
| gdiplus.dll | GdipGetImageEncoders |
| SETUPAPI.dll | SetupDiEnumDeviceInfo |
| ntdll.dll | RtlUnicodeStringToAnsiString |
| RstrtMgr.DLL | RmStartSession |
| KERNEL32.dll | GetSystemTimeAsFileTime |
| KERNEL32.dll | HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress |
| Name | Ordinal | Address |
|---|---|---|
| Start | 1 | 0x466a40 |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Korean | North Korea | |
| Korean | South Korea | |
| Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 2024-07-25T22:10:54.292591+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 64280 | 20.114.59.183 | 192.168.2.7 |
| 2024-07-25T22:10:10.789047+0200 | TCP | 2049060 | ET MALWARE RisePro TCP Heartbeat Packet | 49699 | 50500 | 192.168.2.7 | 5.42.65.117 |
| 2024-07-25T22:10:23.530028+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49700 | 20.114.59.183 | 192.168.2.7 |
| 2024-07-25T22:10:13.780884+0200 | TCP | 2046269 | ET MALWARE [ANY.RUN] RisePro TCP (Activity) | 49699 | 50500 | 192.168.2.7 | 5.42.65.117 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jul 25, 2024 22:10:10.764864922 CEST | 49699 | 50500 | 192.168.2.7 | 5.42.65.117 |
| Jul 25, 2024 22:10:10.769958973 CEST | 50500 | 49699 | 5.42.65.117 | 192.168.2.7 |
| Jul 25, 2024 22:10:10.770035982 CEST | 49699 | 50500 | 192.168.2.7 | 5.42.65.117 |
| Jul 25, 2024 22:10:10.789047003 CEST | 49699 | 50500 | 192.168.2.7 | 5.42.65.117 |
| Jul 25, 2024 22:10:10.794231892 CEST | 50500 | 49699 | 5.42.65.117 | 192.168.2.7 |
| Jul 25, 2024 22:10:13.780884027 CEST | 49699 | 50500 | 192.168.2.7 | 5.42.65.117 |
| Jul 25, 2024 22:10:13.785798073 CEST | 50500 | 49699 | 5.42.65.117 | 192.168.2.7 |
| Jul 25, 2024 22:10:32.210791111 CEST | 50500 | 49699 | 5.42.65.117 | 192.168.2.7 |
| Jul 25, 2024 22:10:32.211093903 CEST | 49699 | 50500 | 192.168.2.7 | 5.42.65.117 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jul 25, 2024 22:10:52.554016113 CEST | 53 | 60533 | 162.159.36.2 | 192.168.2.7 |
| Jul 25, 2024 22:10:53.106288910 CEST | 53 | 56423 | 1.1.1.1 | 192.168.2.7 |

Target ID: 0
Start time: 16:10:03
Start date: 25/07/2024
Path: C:\Users\user\Desktop\LisectAVT_2403002A_240.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\LisectAVT_2403002A_240.exe"
Imagebase: 0x620000
File size: 5'402'117 bytes
MD5 hash: DF07B5A212F479D219E1C4D06D414CF7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

                          No disassembly