General

  • Target

    file_x86x64_release.zip

  • Size

    10.7MB

  • Sample

    240517-zbvp2shf9z

  • MD5

    73ab5075c62b5627cf6e646275bc32f0

  • SHA1

    648eb3ba87cd5cd2ba66627beef3ac0255e6d3b8

  • SHA256

    57e35a9db07b372120acd222627eba20e03d4baa88d5fc098e681ddd98b31e87

  • SHA512

    a2fba085fb84d1bdcb39cb2f2d35b8058d8e6a55776904d729312f92d2d8860fcab88de15e4e1e400f99e4c530a06e2793a14520257d71a81a6fb179bcba3f44

  • SSDEEP

    196608:Em86l40MzBbR9vBiaVwRFeUWaybY+WiXW/UwHnzEsV1nrAQITSQMDy2bDj:h8I40s95wjeVkiXWskzEsnJIGQMDb

Malware Config

Extracted

Family

risepro

C2

147.45.47.126:58709

Targets

    • Target

      file_x86x64_release/concrt140.dll

    • Size

      309KB

    • MD5

      31f210ed5c6f2d8faa1d896cda18584b

    • SHA1

      5444d919f5014fb6bf58cefc6f01088c32a24a00

    • SHA256

      5393f592cded7bd8ae07b2afc3efdcc4a0b05f7e8e74380a267398266fc02d41

    • SHA512

      d39aa7acfd982759825b537a9ca5b04e6cdd9c0a28089e0f666ae4b75e84e2e2e58180103da38bea79efe3252cb9f1932efa69b64461cb76173645e8b6ddf3f6

    • SSDEEP

      6144:Ylm+bq4hSdOec4xWMXdtvo4KbrniIzb7wQjnWzgCE33g:pmP/eJXzvSCzW3g

    Score
    1/10
    • Target

      file_x86x64_release/file.exe

    • Size

      712.0MB

    • MD5

      1b46efea69196395a3c449b51f34db34

    • SHA1

      48f324b80cd0a99ae86b524ec87d0730b795829e

    • SHA256

      ff5ef2b18f72873d947d56ff4d5e9ad98af122cd7260d9b2ae931f81df1fc4a7

    • SHA512

      c92907ccd3ad05cd42ab34e71dfc4e45d5b4d6307411d880506197640210d82db726c467fb76bb773a96409a0d23484578c2825b1bc50103cc9b4636cbce2003

    • SSDEEP

      98304:zTW+uIGD8foJWXlj+F2gMFqA/sOVfeS5zc4UcwqyB4qNGDPXRDCOBc4S5BTjGv0e:3QIGD8UyxfrRRfngGDqefMOBcxTg0lI

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Modifies firewall policy service

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Modifies boot configuration data using bcdedit

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Manipulates WinMon driver.

      Roottkits write to WinMon to hide PIDs from being detected.

    • Manipulates WinMonFS driver.

      Roottkits write to WinMonFS to hide directories/files from being detected.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      file_x86x64_release/msvcp140.dll

    • Size

      576KB

    • MD5

      a11a1d761d757d367146f0f772632d8c

    • SHA1

      9fd3eee4c4111dc386510a930192d56a2e938dfe

    • SHA256

      2cc02c5e6654aa9175d5963f811cac222f4a2604dc28553139c675b1a78995a7

    • SHA512

      6fbbb77766ee9846d6d3bde2ced5eeaafe721de5524a410a4821dfa6c08edbd00905bec2b9237b8f7986d6d06dbe444c5845130193da537cadaf29ea784c48e1

    • SSDEEP

      12288:fFrCZUcfGI/O+bE9krdFFM5lle0dkM4X2n08ukSIAg6wQEKZm+jWodEEVrR+:9rCZUNYX2nSkGg6wQEKZm+jWodEE9R+

    Score
    1/10
    • Target

      file_x86x64_release/res_mods/1.23.0.0/scripts/client/gui/mods/mod_a.pyc

    • Size

      114KB

    • MD5

      a2f3ded45da8870e93e5d2186dab27e8

    • SHA1

      3f8e0cddecc3827b33ec02cd78d192c18f1ddf82

    • SHA256

      fc19237a4e9ae65829dbde384ce0de2c78b22d9577384dded9d4cde569a12742

    • SHA512

      438621491061c7f14f59c48d0d2fdd637a17c058df13417e21d660d81632dbb826a6144032f6f9192ab9bb0afb46b8f6cf3982879dc9942261c2538dbd17187c

    • SSDEEP

      3072:k6BVH7SBjeSCbupKVfG2yQJ23J+Svsy9k/TukuPMh:zrbKeWmDyQ+13kOPMh

    Score
    3/10

MITRE ATT&CK Matrix ATT&CK v13

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

System Services

1
T1569

Service Execution

1
T1569.002

Scheduled Task/Job

1
T1053

Persistence

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

6
T1112

Impair Defenses

4
T1562

Disable or Modify Tools

2
T1562.001

Disable or Modify System Firewall

1
T1562.004

Virtualization/Sandbox Evasion

1
T1497

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

4
T1552.001

Discovery

Query Registry

7
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

8
T1082

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Command and Control

Web Service

1
T1102

Tasks