Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Rr6TGP9rEq.exe

PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy:	7.020958484955603
Filename:	Rr6TGP9rEq.exe
Filesize:	5046784
MD5:	297270c13474cdcd006acc261c98050a
SHA1:	40fd185b12939822e4cc02da09ae3d38aea83306
SHA256:	ddc4a98828ac3afea03294fd57189778ce57e305d075f08f0ace443352d5447b
SHA512:	cb1a42bf6c34f3042809f29a6cb2e11f4699c4d1718e5da340fac205a6875145cae2a690736206d8c19ad68916efc5c835d3488a1aa272f0d0e00cddeb150d00
SSDEEP:	49152:/s+CpclD5n5jx/cOOXjdyfpPaG02dj6cwH4n1Yzb5UBAyXjYeBhZ8jGdn7h:XxlDnZpPx024cw47
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$.&....L................@..............................S.......M...`... ............................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Drops PE files to the user root directory	Boot Survival
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Screen Capture
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion	Security Software Discovery
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Binary contains paths to development resources	System Summary	Security Software Discovery Screen Capture
Creates files inside the user directory	System Summary	Masquerading
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Executable is probably coded in Go lang	System Summary	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary	File and Directory Discovery
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\XPCwyNRACAjFfEg.pdf

PE32 executable (console) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\XPCwyNRACAjFfEg.pdf
Category:	dropped
Dump:	XPCwyNRACAjFfEg.pdf.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Rr6TGP9rEq.exe
Type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy:	6.583673771403912
Encrypted:	false
Ssdeep:	3072:4wOvOIXbP5KVkD8QC2mCBFv9m7usyT8tKQ9clyPqlO91/iDVSsWUG0bCP0nVyiGe:nCb4VQjVsxyItKQNhigibouMBPwPCs
Size:	284088
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files to the user root directory	Boot Survival	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\bgEoRLupllWTRAp.pdf

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\bgEoRLupllWTRAp.pdf
Category:	dropped
Dump:	bgEoRLupllWTRAp.pdf.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Rr6TGP9rEq.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.739954842849538
Encrypted:	false
Ssdeep:	24576:9jhWSkCh5jR4pkIhn1Fg7YqPCxYL+ID4ntel4LbKbmNTwExzpKPSaYQ1:Ob6jCkIhn1PGyuFbmNTXzAPSaX
Size:	1357136
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Drops PE files to the user root directory	Boot Survival	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Rr6TGP9rEq.exe

"C:\Users\user\Desktop\Rr6TGP9rEq.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7124
Target ID:	0
Parent PID:	2580
Name:	Rr6TGP9rEq.exe
Path:	C:\Users\user\Desktop\Rr6TGP9rEq.exe
Commandline:	"C:\Users\user\Desktop\Rr6TGP9rEq.exe"
Size:	5046784
MD5:	297270C13474CDCD006ACC261C98050A
Time:	05:29:02
Date:	12/08/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff682120000
Modulesize:	5439488
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Binary contains paths to development resources	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Program Files (x86)\AutoIt3\Au3Check.exe

"C:\Program Files (x86)\autoit3\Au3Check.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7164
Target ID:	1
Parent PID:	7124
Name:	Au3Check.exe
Path:	C:\Program Files (x86)\AutoIt3\Au3Check.exe
Commandline:	"C:\Program Files (x86)\autoit3\Au3Check.exe"
Size:	234088
MD5:	3BE697D1A92115D5CA76A633A527DFB7
Time:	05:29:12
Date:	12/08/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	1081344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

URLs

Name

Malicious

https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll

unknown

Details

Name:	https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
TargetID:	-1
From Memory:	true
Source:	Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1809631801.000000C000800000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C000400000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1756716858.0000022DEE0C0000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807457246.0000022DEDF70000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, bgEoRLupllWTRAp.pdf.0.dr

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://www.winimage.com/zLibDll

unknown

Details

Name:	http://www.winimage.com/zLibDll
TargetID:	-1
From Memory:	true
Source:	Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1809631801.000000C000800000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C000400000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1756716858.0000022DEE0C0000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807457246.0000022DEDF70000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, Au3Check.exe, 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, bgEoRLupllWTRAp.pdf.0.dr

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://t.me/RiseProSUPPORT

unknown

https://ipinfo.io/

unknown

https://www.autoitscript.com/autoit3/

unknown

Details

Name:	https://www.autoitscript.com/autoit3/
TargetID:	-1
From Memory:	true
Source:	Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://www.maxmind.com/en/locate-my-ip-address

unknown

Details

Name:	https://www.maxmind.com/en/locate-my-ip-address
TargetID:	1
From Memory:	true
Current Path:	C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source:	Au3Check.exe

Signature Hits	Behavior Group	Mitre Attack
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

193.233.132.67

unknown

Russian Federation

Details

IP:	193.233.132.67
TargetID:	1
Current Path:	C:\Program Files (x86)\AutoIt3\Au3Check.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	2895
ASN name:	FREE-NET-ASFREEnetEU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking
Suricata IDS alerts for network traffic	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

C0004F2000

direct allocation

page read and write

510000

remote allocation

page execute and read and write

C000800000

direct allocation

page read and write

22DEE0C0000

direct allocation

page read and write

22DEDF70000

direct allocation

page read and write

7FF68228C000

unkown

page readonly

C000743000

direct allocation

page read and write

22DE89D0000

heap

page read and write

C000106000

direct allocation

page read and write

C00011A000

direct allocation

page read and write

C00004C000

direct allocation

page read and write

22DE8AF0000

heap

page read and write

22DEE257000

direct allocation

page read and write

C000010000

direct allocation

page read and write

94E000

stack

page read and write

22DE8B35000

heap

page read and write

7FF682121000

unkown

page execute read

7FF68228C000

unkown

page readonly

7FF68264A000

unkown

page readonly

9E8000

heap

page read and write

22DE88F0000

heap

page read and write

7FF68263D000

unkown

page read and write

C000166000

direct allocation

page read and write

C00016B000

direct allocation

page read and write

7FF68228A000

unkown

page read and write

C00003C000

direct allocation

page read and write

C000041000

direct allocation

page read and write

C000025000

direct allocation

page read and write

C000164000

direct allocation

page read and write

7FF6824FD000

unkown

page readonly

C000029000

direct allocation

page read and write

C00074A000

direct allocation

page read and write

7E0000

heap

page read and write

C00001A000

direct allocation

page read and write

C000030000

direct allocation

page read and write

C000796000

direct allocation

page read and write

C00078A000

direct allocation

page read and write

C000108000

direct allocation

page read and write

4F4F5FC000

stack

page read and write

C000076000

direct allocation

page read and write

7FF6825EA000

unkown

page read and write

C0000BA000

direct allocation

page read and write

C000012000

direct allocation

page read and write

805000

heap

page read and write

22DEDE1B000

direct allocation

page read and write

C000054000

direct allocation

page read and write

24F0000

heap

page read and write

7FF6824E3000

unkown

page readonly

C00016D000

direct allocation

page read and write

C000110000

direct allocation

page read and write

C000016000

direct allocation

page read and write

22DEDCA0000

direct allocation

page read and write

C000002000

direct allocation

page read and write

C00000A000

direct allocation

page read and write

7FF682288000

unkown

page read and write

C000116000

direct allocation

page read and write

22DEE0A8000

direct allocation

page read and write

22DEDCB0000

direct allocation

page read and write

22DEDF50000

direct allocation

page read and write

C000793000

direct allocation

page read and write

C00001C000

direct allocation

page read and write

C000058000

direct allocation

page read and write

7FF682264000

unkown

page read and write

C000787000

direct allocation

page read and write

C000000000

direct allocation

page read and write

C000020000

direct allocation

page read and write

9E8000

heap

page read and write

7FF68264A000

unkown

page readonly

7FF682645000

unkown

page write copy

22DE8AD0000

heap

page read and write

9E0000

heap

page read and write

22DE8B30000

heap

page read and write

22DE89D8000

heap

page read and write

22DEDE1E000

direct allocation

page read and write

4F4F7FE000

stack

page read and write

9D3000

heap

page read and write

740000

heap

page read and write

C000747000

direct allocation

page read and write

C00005A000

direct allocation

page read and write

22DEDE60000

direct allocation

page read and write

C000047000

direct allocation

page read and write

970000

heap

page read and write

22DE8B20000

direct allocation

page read and write

C000035000

direct allocation

page read and write

7FF682120000

unkown

page readonly

C00078C000

direct allocation

page read and write

22DE8B49000

direct allocation

page read and write

C00004E000

direct allocation

page read and write

7FF682264000

unkown

page write copy

C000027000

direct allocation

page read and write

C000084000

direct allocation

page read and write

7FF682616000

unkown

page read and write

C000088000

direct allocation

page read and write

22DEDE10000

direct allocation

page read and write

C000240000

direct allocation

page read and write

C000004000

direct allocation

page read and write

22DEE150000

direct allocation

page read and write

22DE8B40000

direct allocation

page read and write

C000162000

direct allocation

page read and write

7FF682268000

unkown

page read and write

7FF6824E3000

unkown

page readonly

C000006000

direct allocation

page read and write

7FF682120000

unkown

page readonly

7FF682285000

unkown

page write copy

C000074000

direct allocation

page read and write

C00000C000

direct allocation

page read and write

979000

heap

page read and write

4F4FFFE000

stack

page read and write

C00007C000

direct allocation

page read and write

7FF68260F000

unkown

page read and write

7FF682289000

unkown

page write copy

22DEDE71000

direct allocation

page read and write

7FF6824FD000

unkown

page readonly

4F4FBFE000

stack

page read and write

7FF68226A000

unkown

page write copy

C000100000

direct allocation

page read and write

97E000

heap

page read and write

C000014000

direct allocation

page read and write

C000045000

direct allocation

page read and write

4F4F9FE000

stack

page read and write

C000160000

direct allocation

page read and write

22DEDCA4000

direct allocation

page read and write

240E000

stack

page read and write

7FF682644000

unkown

page write copy

C000022000

direct allocation

page read and write

660000

heap

page read and write

7FF682644000

unkown

page read and write

22DEE110000

direct allocation

page read and write

9DD000

heap

page read and write

C000008000

direct allocation

page read and write

C000037000

direct allocation

page read and write

7FF682279000

unkown

page read and write

9C000

stack

page read and write

7FF682648000

unkown

page write copy

C00006E000

direct allocation

page read and write

22DEDF60000

direct allocation

page read and write

19D000

stack

page read and write

4F4FDFE000

stack

page read and write

22DEDDD1000

direct allocation

page read and write

C00006A000

direct allocation

page read and write

C000068000

direct allocation

page read and write

C000400000

direct allocation

page read and write

22DEDEB0000

direct allocation

page read and write

7FF682266000

unkown

page write copy

C00011C000

direct allocation

page read and write

C00001E000

direct allocation

page read and write

4F501FF000

stack

page read and write

22DE8B44000

direct allocation

page read and write

4F503FF000

stack

page read and write

7FF682648000

unkown

page write copy

800000

heap

page read and write

7FF682121000

unkown

page execute read

There are 142 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Rr6TGP9rEq.exe

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportRr6TGP9rEq.exe

Files

Processes

URLs

IPs

Memdumps

IOC Report
Rr6TGP9rEq.exe