General

  • Target

    0495b6339de5929693cc384fd051f67b4b9340db4f1abda299a2398cad18f09e

  • Size

    6.8MB

  • Sample

    231213-1tzmdshfbp

  • MD5

    e0cd79639eacfb269765c77667db0679

  • SHA1

    6786c805b31bd371ee62452dcf14e5240fcf0bc7

  • SHA256

    0495b6339de5929693cc384fd051f67b4b9340db4f1abda299a2398cad18f09e

  • SHA512

    03ea148bea676bf3ea7ebf2866ea005f3df534c93e8c361f902ed8b49897462bde1a80046d5facb42531e3228812609878e111b010f0e298b5ff4cfe424c6074

  • SSDEEP

    49152:oCugmzH1gvdVr2S16vEK6Zpkn1suJcNJJfLmd8PMNVEjAysmoEi0TUU0ppMLb:oNh8UUZwOTUnML
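The hashes above are the report's file-level indicators for this sample. The following script is an added example, not part of the sandbox report: it hashes a file with the same four algorithms and compares the digests against the values listed here. The SSDEEP value is carried along for reference only, because fuzzy matching needs the third-party `ssdeep` module; everything else is standard library.

```python
"""Match a file's digests against the IOCs from this RisePro report (added example)."""
import hashlib

# Hashes copied from the report above (the 6.8MB RisePro/PrivateLoader sample).
RISEPRO_IOCS = {
    "md5": "e0cd79639eacfb269765c77667db0679",
    "sha1": "6786c805b31bd371ee62452dcf14e5240fcf0bc7",
    "sha256": "0495b6339de5929693cc384fd051f67b4b9340db4f1abda299a2398cad18f09e",
    "sha512": "03ea148bea676bf3ea7ebf2866ea005f3df534c93e8c361f902ed8b49897462bde1a80046d5facb42531e3228812609878e111b010f0e298b5ff4cfe424c6074",
}
# SSDEEP from the report. Fuzzy comparison needs the third-party ssdeep module,
# so it is kept for reference and not compared below.
RISEPRO_SSDEEP = "49152:oCugmzH1gvdVr2S16vEK6Zpkn1suJcNJJfLmd8PMNVEjAysmoEi0TUU0ppMLb:oNh8UUZwOTUnML"

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def compute_hashes(data: bytes) -> dict:
    """Return lowercase hex digests of in-memory data for every algorithm in ALGORITHMS."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file once through all four hashers (avoids reading large drops into RAM)."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_iocs(hashes: dict, iocs: dict = RISEPRO_IOCS) -> list:
    """Return the algorithms whose digest equals the IOC value, in ALGORITHMS order.

    Comparison is case-insensitive because threat feeds mix upper- and lower-case hex.
    Any hit identifies the file as the reported sample; listing all hits lets an
    md5-only match (possible collision, truncated feed) stand out from a full match.
    """
    return [
        alg for alg in ALGORITHMS
        if alg in iocs and alg in hashes and hashes[alg].lower() == iocs[alg].lower()
    ]


if __name__ == "__main__":
    import sys

    for path in sys.argv[1:]:
        hits = match_iocs(hash_file(path))
        print(f"{path}: {'MATCH ' + ','.join(hits) if hits else 'no match'}")
```

Run it as `python match_risepro.py <file>...`; a file that matches only on MD5 deserves a second look rather than an automatic verdict.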

Malware Config

Extracted

Family

risepro

C2

193.233.132.51

Targets

    • Target

      0495b6339de5929693cc384fd051f67b4b9340db4f1abda299a2398cad18f09e

    • Size

      6.8MB

    • MD5

      e0cd79639eacfb269765c77667db0679

    • SHA1

      6786c805b31bd371ee62452dcf14e5240fcf0bc7

    • SHA256

      0495b6339de5929693cc384fd051f67b4b9340db4f1abda299a2398cad18f09e

    • SHA512

      03ea148bea676bf3ea7ebf2866ea005f3df534c93e8c361f902ed8b49897462bde1a80046d5facb42531e3228812609878e111b010f0e298b5ff4cfe424c6074

    • SSDEEP

      49152:oCugmzH1gvdVr2S16vEK6Zpkn1suJcNJJfLmd8PMNVEjAysmoEi0TUU0ppMLb:oNh8UUZwOTUnML

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Downloads MZ/PE file

    • Drops startup file

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, and infostealers often target it there.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      SetThreadContext on a thread in another process is commonly used to redirect execution during process injection (e.g. process hollowing); outside debuggers it is rarely legitimate.
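Several of the signatures above (Run key persistence, Uninstall key enumeration, the C2 address, cross-process SetThreadContext) map directly onto host telemetry. The script below is an added example, not part of the sandbox report: it runs those four checks over Sysmon-style event records. The event records and their field names (`type`, `pid`, `target`, `dst_ip`, `api`, `target_pid`) are constructed here as an assumption about the telemetry shape, and the report does not name the Run key's hive, so both HKCU and HKLM are covered.

```python
"""Flag telemetry events that line up with the behaviours in this RisePro report (added example)."""
import re

C2_IP = "193.233.132.51"  # from the report's extracted config

# Registry paths behind two of the report's signatures; hive is not specified, so
# the pattern matches under both HKCU and HKLM. RunOnce is deliberately not matched.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
UNINSTALL_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\", re.IGNORECASE)

# Constructed Sysmon-style events for demonstration; not taken from the sandbox run.
SAMPLE_EVENTS = [
    {"type": "RegistrySetValue", "pid": 4412,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "RegistryOpenKey", "pid": 4412,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{constructed-guid}"},
    {"type": "NetworkConnect", "pid": 4412, "dst_ip": C2_IP},
    {"type": "ApiCall", "pid": 4412, "api": "SetThreadContext", "target_pid": 5120},
    {"type": "ApiCall", "pid": 4412, "api": "SetThreadContext", "target_pid": 4412},  # own process: not flagged
    {"type": "NetworkConnect", "pid": 880, "dst_ip": "10.0.0.5"},  # unrelated traffic
]


def classify(event: dict) -> list:
    """Return the report signatures a single event matches (possibly several, usually none)."""
    hits = []
    kind = event.get("type")
    target = event.get("target", "")
    if kind == "RegistrySetValue" and RUN_KEY.search(target):
        hits.append("Adds Run key to start application")
    if kind in ("RegistryOpenKey", "RegistryQueryValue") and UNINSTALL_KEY.search(target):
        hits.append("Checks installed software on the system")
    if kind == "NetworkConnect" and event.get("dst_ip") == C2_IP:
        hits.append(f"Connects to RisePro C2 {C2_IP}")
    # Only a context change on a thread of a *different* process is suspicious here;
    # a process adjusting its own threads is ordinary.
    if (kind == "ApiCall" and event.get("api") == "SetThreadContext"
            and event.get("target_pid") not in (None, event.get("pid"))):
        hits.append("Suspicious use of SetThreadContext")
    return hits


def triage(events) -> dict:
    """Map each fired signature to the indices of the events that triggered it."""
    summary = {}
    for index, event in enumerate(events):
        for sig in classify(event):
            summary.setdefault(sig, []).append(index)
    return summary


if __name__ == "__main__":
    for sig, indices in triage(SAMPLE_EVENTS).items():
        print(f"{sig}: events {indices}")
```

In a real pipeline the C2 check belongs in the network sensor (the address is a single hard-coded value and will rotate), while the registry and API rules are the durable part and generalise to other stealers with the same persistence and discovery habits.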

MITRE ATT&CK Enterprise v15

Tasks