General

  • Target: pengisv.rar
  • Size: 12.4MB
  • Sample: 240423-tp5vaahg3v
  • MD5: 91a10fd29a37a533b53bd251514b88b2
  • SHA1: c1ae76d63ce8b8821aae8d7d07789e66f8852d4a
  • SHA256: 1acb77a48fd420725c250b00ba9ed65ede6220c52db07f0226a23071eea0970c
  • SHA512: ab6ecedfb876fca2b0167a6d9c317474325fc029980ebb688eabd14fbd3d672ea51ae03c9f60fea5c2910e3a519d588319213ba712e52134714c92890c58706c
  • SSDEEP: 98304:ChmFLATcWWsar1ZyZDUP9Itc0/MMBIXdXs2jLReShgd5:GFWswyZAP/bmIXdXpZV+d

Malware Config

Extracted

  • Family: risepro
  • C2: 45.15.156.142:50500

Targets

    • Target: pengisv/Fix.exe
    • Size: 287.0MB
    • MD5: 9111a2dded9df51f1be35d474706a4b2
    • SHA1: 9169e3ccb3b4ba877bf92f8b36b6050e6e917490
    • SHA256: db77f3c8fdca18d5472f96d18ccbe8060c6b6bb99592d93e00cc1cccd7b0465f
    • SHA512: f0a6916dda81d2bba3e75ed9aa7c54c5aa65454eef0ec3a7a7dfed5676dd9d99c40628db92e142fd0d9c1ac0825287df1c54c3b361a66e5e5f7f305a4b6323c2
    • SSDEEP: 24576:cbRcT1az97B/WMLUcmnpsqxAcQviqv2FRRhuerH0RRwzoV6E8XcU+axHD0WGbmp:GGT1azdBuLLx/WVAnfrIRwz9jRRYmp

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target: pengisv/FixV2.exe
    • Size: 243.2MB
    • MD5: 77a3813c5dd6e27ab6eb0cbd66c8047d
    • SHA1: c00ef301e56702eb1a55009b592212e3fdedf35e
    • SHA256: 50734475af1f89e27485ef0c008b07f8b2c4293d792ee59d17b73b42c2587d4a
    • SHA512: e800f75748d85839a1511474ad5c44cf0df1eb614c189e8ad54f1e4c8ca9937c3e4779b6e98571164fbf36b7a95128a51504084cb485a0e6e17aa0474846b0c6
    • SSDEEP: 49152:SBnoL6aMQbJ4pjVli0MyJr02dnN0rKOWN8O3b0/3GhiIAzP:SBE6NQF4p5IpAb
    • Score: 7/10

    • Loads dropped DLL

    • Target: pengisv/Injector.exe
    • Size: 300.0MB
    • MD5: d21c2d4f372af938109fd2345ac1938b
    • SHA1: f76729490360354f30548f49a8ca3ddeb638758c
    • SHA256: 1d61735d5000942390505f6962882af0c9bbd8d52b6e2e179ac47781edc9f281
    • SHA512: f7c7f0962325b3c0d19be00096b618b2bb576b06eda78dc396d9ab6325031d9e8ff86fff33f1189954f32e6300d427029942400a621854848a2930947aa64ae0
    • SSDEEP: 24576:bNpd12nDhPgnRcmIoWMsH4YcxGg8Zfq7NtmIxEAzLDV7YTGTbX:BdiDeRQbMsH/JRZfq7NtmDwLDZX

    • Detect ZGRat V1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target: pengisv/bocchisr.dll
    • Size: 463KB
    • MD5: 834e859f320d4ee0b0ab1726093eea4a
    • SHA1: fbfbebd91fe3277a068c94dba53586aae91267dc
    • SHA256: 6521d2c34a637f6563241d3784dae6f63480dbd64757063e02a741649837b680
    • SHA512: 8ca6146513d5627117565894c39fe56abf0c744b299096b6aa0c64b563e8c6437bf08480a50baaaa46eb4c0d646b59477feab15c32364fb35ca6c18714c6aae7
    • SSDEEP: 12288:AlcP+hdhOfATj9F7aKH+QLA4smLiRF0xn2g0AT:AymZOfAtF7aKYDqE0xn2Ji
    • Score: 1/10

    • Target: pengisv/ced3d9hook64.dll
    • Size: 50.1MB
    • MD5: b525bf3b4a748b5ab834ab0f6d394d75
    • SHA1: d1cedc0326929379e253ebab35296ecd4100c0db
    • SHA256: 42a8aff82777d003b7a2a438bfd506367e1a3de6ee591f1c3935d3e32d5c4e0c
    • SHA512: cbe70517ea00e278df0f6378d2844df52b513c9d5164409cab166f73ba29d7722a63856b8d318b1f5d690d52e1df9156e00c151dd1011886df70e50da13a2817
    • SSDEEP: 3072:6UoPePVhoZB34/UWFdQomnRepTPFn35eoONSO2:j8ZBvWrnmnR2Un+
    • Score: 1/10

MITRE ATT&CK Matrix (ATT&CK v13)

Defense Evasion
  • Subvert Trust Controls (T1553): 1
    • Install Root Certificate (T1553.004): 1
  • Modify Registry (T1112): 1

Credential Access
  • Unsecured Credentials (T1552): 4
    • Credentials In Files (T1552.001): 4

Discovery
  • Query Registry (T1012): 5
  • System Information Discovery (T1082): 5
  • Process Discovery (T1057): 2
  • Remote System Discovery (T1018): 2

Collection
  • Data from Local System (T1005): 4
  • Email Collection (T1114): 1
