risepro | c99b8820a1c79f85af87bb753224f2cb62815a211666e36a336841f738184e2d | Triage

Sharing

General

Target

by RyosXpl0its [Goddys].zip
Size

9.0MB
Sample

240405-mdjz4saa39
MD5

5ea29c176dab93a64eef19cc9df2819b
SHA1

4c508d88b1e3cc6f30df5d8c6b60175295b2cb17
SHA256

c99b8820a1c79f85af87bb753224f2cb62815a211666e36a336841f738184e2d
SHA512

431ad834e7ef22787a3616e3f53158e0a83ccc6fcbc8a85c4bdf9d0a7d0827cf58c6d3662b5a62c307a0096d1a5313d59d3ae5da50600626d4320152ed04fe18
SSDEEP

196608:BvEKPFCZPaQhk0n5+ubB9joAExRMIFpHHSbw+fX:qKPcZa4k05BB9jopPjFpnUX

Score

10^/10

risepro collection cryptone discovery packer spyware stealer

Malware Config

Targets

- Target
  
  Aur0raV1/AUR0RA.exe
- Size
  
  1.6MB
- MD5
  
  6836af5b9e36906f4505e246e2b299c3
- SHA1
  
  5bff2b67cdd417c0c678e1437dc6887654ccf766
- SHA256
  
  7acdbf629d2f584be945417534dac0d0f4f3d75ae3f0c6d29df5031dffb8692e
- SHA512
  
  e77806f171a87e79c4760d13b91ba5b1a7da700ab3e58859e710c986f1eab070abfabf31e709ec696219609528f0d713c820f1927b7693be9340dc358d512ab8
- SSDEEP
  
  49152:/8hEcYjZEcQO8uGZY/r8h17D/eCTHziY32:/KEv1/WJGCjz8
Score

10^/10

risepro stealer
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $INTERNET_CACHE/Divisions
- Size
  
  205KB
- MD5
  
  6587ab2d1dcd29d04dfd96da914a7daa
- SHA1
  
  56542caebbc1f2c54e93ac61b09e2aed10d33602
- SHA256
  
  31af7aa98bf94ba8557d9df52514cac419e7caff3754686d00bf325dea5c1c67
- SHA512
  
  58bac4c92b41a6435962557b2e619dbaecac26f022a652b4eeeff59733adbe88fe13d62207c2dc69821da4c8490bf042a7a212b7e5d4f266ed9081118fd39f21
- SSDEEP
  
  3072:Mb1aCYbFP4ktmS2ZhUWWOPstQrBPstpPstRCdgRzIgir9RODO7svFbHmmZTLv+cJ:/hrbODO7DxTkBH
Score

1^/10
behavioral3 behavioral4
- Target
  
  Aur0raV1/scripts/scripts.dll
- Size
  
  18.7MB
- MD5
  
  88fd7dbf04bcf75123d02009aea3f7f7
- SHA1
  
  cecf16bdad71e54afc941179ea2b7438a04efa1d
- SHA256
  
  01481b9a862936fbc090bda4033f22d7ffa5a7bfe5dc32f47c7794332b34eec4
- SHA512
  
  2c6298b5adf91b51f0042d48e0846f5b196d52a588fd4fc577bf19ec26ad8e547382279a15f8bf131b08b0d7c140534aff25f82d5e8998818b812e72c9493917
- SSDEEP
  
  393216:hqA/D2IIyzg8DolBo6i0KoI6Di42sC1/syU3DXNs6hq8:hqcaZyV0fC1JOpjhq8
Score

10^/10

collection discovery spyware stealer
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral5 behavioral6

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Process Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

collectiondiscoveryspywarestealer