risepro | 68d06d36f2ba9741d30bad79cbb5044fc0e906736b9fdda42f4f83f2165fd535

General

Target

68d06d36f2ba9741d30bad79cbb5044fc0e906736b9fdda42f4f83f2165fd535.exe
Size

2.2MB
MD5

f42787513371bf367cfec80f0bb82a53
SHA1

f16015367afb95fcb98740c7e54271730b97159e
SHA256

68d06d36f2ba9741d30bad79cbb5044fc0e906736b9fdda42f4f83f2165fd535
SHA512

ff9569600a54d81e38fb22c00d9057ef46e2940b92a19ab7e5cc5a0a0318731d84388b80212d53a1e46168d4c42885459228b49c3260f617284da9e55bc932d5
SSDEEP

49152:1s9NRR5MmyC8+CplTBBw1BYuqWC+YGHGPEuJ01pP0OV60h+8XLqaj/:1QNRG37dBieuqWmGHGPB0KK+8bqaj

Score

10^/10

risepro evasion stealer

Malware Config

Signatures

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	68d06d36f2ba9741d30bad79cbb5044fc0e906736b9fdda42f4f83f2165fd535.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	68d06d36f2ba9741d30bad79cbb5044fc0e906736b9fdda42f4f83f2165fd535.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	68d06d36f2ba9741d30bad79cbb5044fc0e906736b9fdda42f4f83f2165fd535.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Wine	68d06d36f2ba9741d30bad79cbb5044fc0e906736b9fdda42f4f83f2165fd535.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1680	68d06d36f2ba9741d30bad79cbb5044fc0e906736b9fdda42f4f83f2165fd535.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1680	68d06d36f2ba9741d30bad79cbb5044fc0e906736b9fdda42f4f83f2165fd535.exe
1680	68d06d36f2ba9741d30bad79cbb5044fc0e906736b9fdda42f4f83f2165fd535.exe

C:\Users\Admin\AppData\Local\Temp\68d06d36f2ba9741d30bad79cbb5044fc0e906736b9fdda42f4f83f2165fd535.exe
"C:\Users\Admin\AppData\Local\Temp\68d06d36f2ba9741d30bad79cbb5044fc0e906736b9fdda42f4f83f2165fd535.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1680-0-0x0000000000CA0000-0x0000000001239000-memory.dmp

Filesize
5.6MB

Download
memory/1680-1-0x0000000077D96000-0x0000000077D98000-memory.dmp

Filesize
8KB

Download
memory/1680-2-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/1680-3-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/1680-4-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/1680-5-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/1680-7-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/1680-6-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/1680-8-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/1680-9-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/1680-10-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/1680-11-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/1680-12-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/1680-13-0x0000000005440000-0x0000000005442000-memory.dmp

Filesize
8KB

Download
memory/1680-14-0x0000000000CA0000-0x0000000001239000-memory.dmp

Filesize
5.6MB

Download
memory/1680-15-0x0000000000CA0000-0x0000000001239000-memory.dmp

Filesize
5.6MB

Download
memory/1680-16-0x0000000000CA0000-0x0000000001239000-memory.dmp

Filesize
5.6MB

Download
memory/1680-17-0x0000000000CA0000-0x0000000001239000-memory.dmp

Filesize
5.6MB

Download
memory/1680-18-0x0000000000CA0000-0x0000000001239000-memory.dmp

Filesize
5.6MB

Download
memory/1680-19-0x0000000000CA0000-0x0000000001239000-memory.dmp

Filesize
5.6MB

Download
memory/1680-20-0x0000000000CA0000-0x0000000001239000-memory.dmp

Filesize
5.6MB

Download
memory/1680-21-0x0000000000CA0000-0x0000000001239000-memory.dmp

Filesize
5.6MB

Download
memory/1680-22-0x0000000000CA0000-0x0000000001239000-memory.dmp

Filesize
5.6MB

Download
memory/1680-23-0x0000000000CA0000-0x0000000001239000-memory.dmp

Filesize
5.6MB

Download
memory/1680-24-0x0000000000CA0000-0x0000000001239000-memory.dmp

Filesize
5.6MB

Download
memory/1680-25-0x0000000000CA0000-0x0000000001239000-memory.dmp

Filesize
5.6MB

Download
memory/1680-26-0x0000000000CA0000-0x0000000001239000-memory.dmp

Filesize
5.6MB

Download
memory/1680-27-0x0000000000CA0000-0x0000000001239000-memory.dmp

Filesize
5.6MB

Download
memory/1680-28-0x0000000000CA0000-0x0000000001239000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads