risepro | d919ba50634cefa3f08751b95957c4d861c41928da5dde71964a36dafb74dc5a

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2024, 07:44

Target

file.exe
Size

2.4MB
MD5

29545ab1f03d615eb13b5525b1b51eab
SHA1

453938500602028628c694e548b06b1ebfbed8fd
SHA256

d919ba50634cefa3f08751b95957c4d861c41928da5dde71964a36dafb74dc5a
SHA512

8ae953f0c9b8034148aa50042d726efe8d8b9e9e80ad098a37e26242f6834b62a5d32e8d49d24d0a925430e8d4ee986ea1cbf1c5ab943ec05f12f21a706a0e4f
SSDEEP

49152:RkQTAn0qVJ4FSAchDkwEMNzKtnRRFImveKzIInse+dQjmpjrx:Ranw4bhDZEMNzWnRzKUImmpjrx

Score

10^/10

risepro stealer

Family

risepro

193.233.132.67:50500

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

.NET Reactor proctector 3 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/980-2-0x00000000055E0000-0x0000000005830000-memory.dmp	net_reactor
behavioral2/memory/980-5-0x0000000005380000-0x00000000055CE000-memory.dmp	net_reactor
behavioral2/memory/980-9-0x0000000002D90000-0x0000000004D90000-memory.dmp	net_reactor

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 980 set thread context of 1096	980	file.exe	89

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 980 wrote to memory of 1096	980	file.exe	89
PID 980 wrote to memory of 1096	980	file.exe	89
PID 980 wrote to memory of 1096	980	file.exe	89
PID 980 wrote to memory of 1096	980	file.exe	89
PID 980 wrote to memory of 1096	980	file.exe	89
PID 980 wrote to memory of 1096	980	file.exe	89
PID 980 wrote to memory of 1096	980	file.exe	89
PID 980 wrote to memory of 1096	980	file.exe	89
PID 980 wrote to memory of 1096	980	file.exe	89
PID 980 wrote to memory of 1096	980	file.exe	89
PID 980 wrote to memory of 1096	980	file.exe	89
PID 980 wrote to memory of 1096	980	file.exe	89

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1096

memory/980-6-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/980-1-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/980-2-0x00000000055E0000-0x0000000005830000-memory.dmp

Filesize
2.3MB

Download
memory/980-3-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/980-4-0x0000000005830000-0x0000000005DD4000-memory.dmp

Filesize
5.6MB

Download
memory/980-5-0x0000000005380000-0x00000000055CE000-memory.dmp

Filesize
2.3MB

Download
memory/980-0-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download
memory/980-9-0x0000000002D90000-0x0000000004D90000-memory.dmp

Filesize
32.0MB

Download
memory/980-15-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download
memory/1096-10-0x0000000000400000-0x0000000000830000-memory.dmp

Filesize
4.2MB

Download
memory/1096-14-0x0000000000400000-0x0000000000830000-memory.dmp

Filesize
4.2MB

Download
memory/1096-18-0x0000000000400000-0x0000000000830000-memory.dmp

Filesize
4.2MB

Download
memory/1096-21-0x0000000000400000-0x0000000000830000-memory.dmp

Filesize
4.2MB

Download