a8f56c9ee72b1e136e9fba2e0641dee5651cf6eb30af74cc840e23aa24951c74

Analysis

max time kernel
18s
max time network
22s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11-04-2023 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rise_selfbot.exe
Size

63.7MB
MD5

e52fd5fb999d92ff0e1113551d7d64f5
SHA1

5c2c8d3ee2bb6db37bf1af2ed26a200aa1ba24c7
SHA256

a8f56c9ee72b1e136e9fba2e0641dee5651cf6eb30af74cc840e23aa24951c74
SHA512

410885a11d534e22e7e7f576819389d7bec71d372a92e88d857c2af393720638c009a16c2648e96b078f614a73f7027778d81d8b058904415a56fb7244723b5d
SSDEEP

786432:fMguj8Q4VfvjqFTrYYRWspoQ/ogKEFDAXEk9cqmDAtYht32VrW2/2T:fiAQIHjkHd4sSdgKkFkS8tYve62/2T

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe	Rise_selfbot.exe

Loads dropped DLL 3 IoCs

pid	Process
1868	Rise_selfbot.exe
1868	Rise_selfbot.exe
1868	Rise_selfbot.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ipinfo.io
25	ipinfo.io

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
3640	tasklist.exe
1492	tasklist.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1868	Rise_selfbot.exe
1868	Rise_selfbot.exe
1868	Rise_selfbot.exe
1868	Rise_selfbot.exe
1868	Rise_selfbot.exe
1868	Rise_selfbot.exe
1868	Rise_selfbot.exe
1868	Rise_selfbot.exe
1868	Rise_selfbot.exe
1868	Rise_selfbot.exe
1868	Rise_selfbot.exe
812	powershell.exe
812	powershell.exe
3592	powershell.exe
3592	powershell.exe
4856	powershell.exe
4856	powershell.exe
4656	powershell.exe
4656	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3640	tasklist.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	1492	tasklist.exe
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 32	1868	Rise_selfbot.exe	85
PID 1868 wrote to memory of 32	1868	Rise_selfbot.exe	85
PID 32 wrote to memory of 4832	32	cmd.exe	87
PID 32 wrote to memory of 4832	32	cmd.exe	87
PID 1868 wrote to memory of 3832	1868	Rise_selfbot.exe	91
PID 1868 wrote to memory of 3832	1868	Rise_selfbot.exe	91
PID 3832 wrote to memory of 3640	3832	cmd.exe	93
PID 3832 wrote to memory of 3640	3832	cmd.exe	93
PID 1868 wrote to memory of 2260	1868	Rise_selfbot.exe	95
PID 1868 wrote to memory of 2260	1868	Rise_selfbot.exe	95
PID 2260 wrote to memory of 812	2260	cmd.exe	96
PID 2260 wrote to memory of 812	2260	cmd.exe	96
PID 1868 wrote to memory of 636	1868	Rise_selfbot.exe	97
PID 1868 wrote to memory of 636	1868	Rise_selfbot.exe	97
PID 1868 wrote to memory of 1724	1868	Rise_selfbot.exe	98
PID 1868 wrote to memory of 1724	1868	Rise_selfbot.exe	98
PID 636 wrote to memory of 1492	636	cmd.exe	99
PID 636 wrote to memory of 1492	636	cmd.exe	99
PID 1724 wrote to memory of 3592	1724	cmd.exe	100
PID 1724 wrote to memory of 3592	1724	cmd.exe	100
PID 1868 wrote to memory of 4820	1868	Rise_selfbot.exe	103
PID 1868 wrote to memory of 4820	1868	Rise_selfbot.exe	103
PID 4820 wrote to memory of 4856	4820	cmd.exe	104
PID 4820 wrote to memory of 4856	4820	cmd.exe	104
PID 1868 wrote to memory of 1928	1868	Rise_selfbot.exe	105
PID 1868 wrote to memory of 1928	1868	Rise_selfbot.exe	105
PID 1928 wrote to memory of 4656	1928	cmd.exe	106
PID 1928 wrote to memory of 4656	1928	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\Rise_selfbot.exe
"C:\Users\Admin\AppData\Local\Temp\Rise_selfbot.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:32
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:4832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3832
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8740e7db6a0d290c198447b1f16d5281

SHA1
ab54460bb918f4af8a651317c8b53a8f6bfb70cd

SHA256
f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5

SHA512
d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r1opfflg.elb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg-16lRT8\2bb71de94ab4675a193854c658b173187bfadb795d8910fda6311af0f3674826

Filesize
489KB

MD5
035d5df8d2c724878071d9dc1155c6aa

SHA1
3f23f2664cd5a173d98aaf09f0f7142b1c2c9b15

SHA256
a763486d99daf0c7b52cc24337703cfdf6099520f47b183b7658694f767c79ba

SHA512
6cffd4d7e549bba069113839d3f6d7ec89799bcacb60342d65bfcea9539e830b8113bc60d0c2d63ba16d42a00205b262fafabe836ad2a301a28c5d8036cf141c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg-16lRT8\3cb442a7039ddcad2aac3f8bd5bfd6a4f9ff253ce47c1616b3a4495f11a5d0b9

Filesize
1.8MB

MD5
3072b68e3c226aff39e6782d025f25a8

SHA1
cf559196d74fa490ac8ce192db222c9f5c5a006a

SHA256
7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

SHA512
61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg-16lRT8\4ec3d4c66cd87f5c8d8ad911b10f99bf27cb00cdfcff82621956e379186b016b

Filesize
765B

MD5
82703a69f6d7411dde679954c2fd9dca

SHA1
bb408e929caeb1731945b2ba54bc337edb87cc66

SHA256
4ec3d4c66cd87f5c8d8ad911b10f99bf27cb00cdfcff82621956e379186b016b

SHA512
3fa748e59fb3af0c5293530844faa9606d9271836489d2c8013417779d10cc180187f5e670477f9ec77d341e0ef64eab7dcfb876c6390f027bc6f869a12d0f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg-16lRT8\514fd21e92969a2843f54fefcb9c4e6858cfd6835e5afe0d4b04ae24cf19e3b9

Filesize
15KB

MD5
a24014220263b4870b167fd47efbf627

SHA1
2ebdbae83ed19212f1be6957eb90a0b1ff765b29

SHA256
514fd21e92969a2843f54fefcb9c4e6858cfd6835e5afe0d4b04ae24cf19e3b9

SHA512
c4b2ff79b48dd326e0affbb4dc93cabe636ae4b07dedba7c23f812643d7a838fa9c7bba6deec5dc15e69c489d3b052e4c0c837f59eeba73ddaab3b497c8d623e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg-16lRT8\720836c9bdad386485a492ab41fe08007ecf85ca278ddd8f9333494dcac4949d

Filesize
755B

MD5
5324d196a847002a5d476185a59cf238

SHA1
dfe418dc288edb0a4bb66af2ad88bd838c55e136

SHA256
720836c9bdad386485a492ab41fe08007ecf85ca278ddd8f9333494dcac4949d

SHA512
1b4187c58bebb6378f8a04300da6f4d1f12f6fbe9a1ab7ceda8a4752e263f282daebcac1379fa0675dd78ec86fffb127dba6469f303570b9f21860454df2203f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg-16lRT8\aeab70587b92545a0aae2878dd8a29cefdd6f18f1f56bbc1fb1a1db01092956d

Filesize
5B

MD5
3bab25a3e651a9e4a00473d2257b99f9

SHA1
1419458f2696be8daeade77ddad380cd0c871fdb

SHA256
f01a374e9c81e3db89b3a42940c4d6a5447684986a1296e42bf13f196eed6295

SHA512
ae8dc1129b7a81ba70c9512a94a3e9ccd8c159f1817e309198c2babaf5bcb3f7e97f43b54ea4937cbea468bb5a62328fc0c01982aa1b883d8fd6d2e2c58090ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\4a9d3ae4dbb2722bc1b0ecde438fc9d3e51d764ab3707e4a6541edd5ae59159b\boukiapi\build\Release\node-dpapi.node

Filesize
150KB

MD5
b475183f23dd8432da591596a06e15fb

SHA1
b23b6f4968d377ff6d55c9838fe60f5e07b35dc7

SHA256
4a9d3ae4dbb2722bc1b0ecde438fc9d3e51d764ab3707e4a6541edd5ae59159b

SHA512
46222758fc88e1dce0c78c22a57c98ff72b03686190d9b4b110441106aee63b3b07df64bbfff82630f615827c08e7cbdd6a0de84198d8e0110cec8436507c83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\4a9d3ae4dbb2722bc1b0ecde438fc9d3e51d764ab3707e4a6541edd5ae59159b\boukiapi\build\Release\node-dpapi.node

Filesize
150KB

MD5
b475183f23dd8432da591596a06e15fb

SHA1
b23b6f4968d377ff6d55c9838fe60f5e07b35dc7

SHA256
4a9d3ae4dbb2722bc1b0ecde438fc9d3e51d764ab3707e4a6541edd5ae59159b

SHA512
46222758fc88e1dce0c78c22a57c98ff72b03686190d9b4b110441106aee63b3b07df64bbfff82630f615827c08e7cbdd6a0de84198d8e0110cec8436507c83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\lib\binding\napi-v6-win32-unknown-x64\node_sqlite3.node

Filesize
1.8MB

MD5
3072b68e3c226aff39e6782d025f25a8

SHA1
cf559196d74fa490ac8ce192db222c9f5c5a006a

SHA256
7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

SHA512
61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\d4c9ef36266bc4472c964a89bc0491f0a4bb225be2351587aa33bf398cdf85a3\node-hide-console-window\build\Release\node-hide-console-window.node

Filesize
109KB

MD5
cd85490dcff8bf103605ff844b73bdc6

SHA1
09b576387d66b1f90b25a65b99ad62c757696491

SHA256
d4c9ef36266bc4472c964a89bc0491f0a4bb225be2351587aa33bf398cdf85a3

SHA512
a15a586722d857a503f136629c8765817413305672ec0de5f2e37a1f6ef931449ba169b0d2a244cd4d0136596356b7c5ae86f4274b95406ba46fc4c8e436b313

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\d4c9ef36266bc4472c964a89bc0491f0a4bb225be2351587aa33bf398cdf85a3\node-hide-console-window\build\Release\node-hide-console-window.node

Filesize
109KB

MD5
cd85490dcff8bf103605ff844b73bdc6

SHA1
09b576387d66b1f90b25a65b99ad62c757696491

SHA256
d4c9ef36266bc4472c964a89bc0491f0a4bb225be2351587aa33bf398cdf85a3

SHA512
a15a586722d857a503f136629c8765817413305672ec0de5f2e37a1f6ef931449ba169b0d2a244cd4d0136596356b7c5ae86f4274b95406ba46fc4c8e436b313

Download Submit
memory/812-1236-0x000001FDFE580000-0x000001FDFE5A2000-memory.dmp

Filesize
136KB

Download
memory/4856-1272-0x000001B0E4520000-0x000001B0E4530000-memory.dmp

Filesize
64KB

Download
memory/4856-1273-0x000001B0E4520000-0x000001B0E4530000-memory.dmp

Filesize
64KB

Download
memory/4856-1274-0x000001B0E4520000-0x000001B0E4530000-memory.dmp

Filesize
64KB

Download