risepro | e75385f7e9f6dff395b56324c83ce21d4fca3dff3b0d19c501c3bae9d1cbccda

Analysis

max time kernel
142s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 06:49 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e75385f7e9f6dff395b56324c83ce21d4fca3dff3b0d19c501c3bae9d1cbccda.exe
Size

3.0MB
MD5

3b434bfaed4ca1166a44d6df34c2fd55
SHA1

b9c3a5a7ef6439491ac7a5dd05068632b1fdcd5a
SHA256

e75385f7e9f6dff395b56324c83ce21d4fca3dff3b0d19c501c3bae9d1cbccda
SHA512

c15a5bc78d1efb7ece4e4f150fe6704211d562c44ffa844b2eb11034bd339fa6ba776c29d0941b9ed646f8191a7b3c802e26c889bc4e88b19e7e3e6a387e8d6c
SSDEEP

49152:5eorKyXvlx0tFQrH1ltPDWT6tL/TwCa1BEYsBUYmJGB81zkliCfTMaHxd4KOK:3rKyXvlx0tFQrLJyTyAlBjUhYGB81zkH

Score

10^/10

risepro evasion stealer themida trojan

Malware Config

Signatures

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e75385f7e9f6dff395b56324c83ce21d4fca3dff3b0d19c501c3bae9d1cbccda.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e75385f7e9f6dff395b56324c83ce21d4fca3dff3b0d19c501c3bae9d1cbccda.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e75385f7e9f6dff395b56324c83ce21d4fca3dff3b0d19c501c3bae9d1cbccda.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/4220-0-0x0000000000C50000-0x00000000013ED000-memory.dmp	themida
behavioral1/memory/4220-1-0x0000000000C50000-0x00000000013ED000-memory.dmp	themida
behavioral1/memory/4220-2-0x0000000000C50000-0x00000000013ED000-memory.dmp	themida
behavioral1/memory/4220-3-0x0000000000C50000-0x00000000013ED000-memory.dmp	themida
behavioral1/memory/4220-4-0x0000000000C50000-0x00000000013ED000-memory.dmp	themida
behavioral1/memory/4220-5-0x0000000000C50000-0x00000000013ED000-memory.dmp	themida
behavioral1/memory/4220-6-0x0000000000C50000-0x00000000013ED000-memory.dmp	themida
behavioral1/memory/4220-8-0x0000000000C50000-0x00000000013ED000-memory.dmp	themida
behavioral1/memory/4220-7-0x0000000000C50000-0x00000000013ED000-memory.dmp	themida
behavioral1/memory/4220-9-0x0000000000C50000-0x00000000013ED000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e75385f7e9f6dff395b56324c83ce21d4fca3dff3b0d19c501c3bae9d1cbccda.exe

C:\Users\Admin\AppData\Local\Temp\e75385f7e9f6dff395b56324c83ce21d4fca3dff3b0d19c501c3bae9d1cbccda.exe
"C:\Users\Admin\AppData\Local\Temp\e75385f7e9f6dff395b56324c83ce21d4fca3dff3b0d19c501c3bae9d1cbccda.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4220

Network

DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4220-0-0x0000000000C50000-0x00000000013ED000-memory.dmp

Filesize
7.6MB

Download
memory/4220-1-0x0000000000C50000-0x00000000013ED000-memory.dmp

Filesize
7.6MB

Download
memory/4220-2-0x0000000000C50000-0x00000000013ED000-memory.dmp

Filesize
7.6MB

Download
memory/4220-3-0x0000000000C50000-0x00000000013ED000-memory.dmp

Filesize
7.6MB

Download
memory/4220-4-0x0000000000C50000-0x00000000013ED000-memory.dmp

Filesize
7.6MB

Download
memory/4220-5-0x0000000000C50000-0x00000000013ED000-memory.dmp

Filesize
7.6MB

Download
memory/4220-6-0x0000000000C50000-0x00000000013ED000-memory.dmp

Filesize
7.6MB

Download
memory/4220-8-0x0000000000C50000-0x00000000013ED000-memory.dmp

Filesize
7.6MB

Download
memory/4220-7-0x0000000000C50000-0x00000000013ED000-memory.dmp

Filesize
7.6MB

Download
memory/4220-9-0x0000000000C50000-0x00000000013ED000-memory.dmp

Filesize
7.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.