risepro | 3a45d80180a157ec0aa70298d5eef0cbc13740fcf6323f705bfc10525cb217a8

Sharing

Copy URL Twitter E-mail

General

Target

3a45d80180a157ec0aa70298d5eef0cbc13740fcf6323f705bfc10525cb217a8
Size

5.6MB
MD5

270d667872a799258618c7009a6d7297
SHA1

56742ce6ba7e5dafed3aa2181e27a3616fe0167b
SHA256

3a45d80180a157ec0aa70298d5eef0cbc13740fcf6323f705bfc10525cb217a8
SHA512

422c15f7143fc1b93727c9bf353b7373563ab971988bd62617f6619cbf458ac58dd7f54af13b5b0dc178ad949a25a4cf291ca384e2bc20a3ca84f7ff686c0ed3
SSDEEP

98304:mBbQ2H/oEMjghbO76uAqrngBNXsH7zMdDwPgQcM3qn8V/cwduNJKf+tLNiqqcJ:URf/JTNXsH7z0DwPgdvwduGf6dqcJ

Score

10^/10

risepro

Malware Config

Signatures

Risepro family
risepro

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
3a45d80180a157ec0aa70298d5eef0cbc13740fcf6323f705bfc10525cb217a8

Files

3a45d80180a157ec0aa70298d5eef0cbc13740fcf6323f705bfc10525cb217a8
.exe windows:6 windows x86 arch:x86

f01c8d93cc9496502abbc27ddcf50833

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

D:\BuildServer\bna-2\work-git\agent-repository\build\bin\win32-i386-vc141-release\Agent.pdb

Imports

wintrust

WinVerifyTrust

bcrypt

BCryptGenRandom

advapi32

CryptSetHashParam
RegOpenKeyExA
CryptEncrypt
CryptImportKey
OpenProcessToken
AdjustTokenPrivileges
AllocateAndInitializeSid
CheckTokenMembership
DuplicateTokenEx
FreeSid
GetTokenInformation
SetTokenInformation
LookupPrivilegeValueW
CreateProcessWithTokenW
CloseServiceHandle
OpenSCManagerW
OpenServiceW
QueryServiceConfigW
ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW
ChangeServiceConfigW
ControlService
CreateServiceW
DeleteService
QueryServiceStatus
StartServiceW
RegCloseKey
RegCreateKeyExW
RegDeleteValueW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
RegDeleteTreeW
GetSecurityInfo
SetSecurityInfo
OpenThreadToken
AccessCheck
DuplicateToken
EqualSid
GetFileSecurityW
GetSecurityDescriptorDacl
InitializeSecurityDescriptor
MapGenericMask
SetSecurityDescriptorDacl
QueryServiceObjectSecurity
SetServiceObjectSecurity
SetEntriesInAclW
GetExplicitEntriesFromAclW
GetNamedSecurityInfoW
SetNamedSecurityInfoW
BuildTrusteeWithSidW
ConvertStringSidToSidW
GetAce
InitializeAcl
RegDeleteKeyW
RegEnumValueW
RegQueryInfoKeyW
DeregisterEventSource
RegisterEventSourceW
ReportEventW
CryptAcquireContextW
CryptReleaseContext
CryptDestroyKey
CryptHashData
CryptGetProvParam
CryptGetUserKey
CryptExportKey
CryptDecrypt
CryptCreateHash
CryptDestroyHash
CryptSignHashW
CryptEnumProvidersW
RegGetValueW
CryptGetHashParam
CryptGenRandom

dxgi

CreateDXGIFactory1

iphlpapi

GetExtendedTcpTable

powrprof

CallNtPowerInformation

rpcrt4

RpcStringFreeA
UuidCreate
UuidToStringA

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

winhttp

WinHttpGetIEProxyConfigForCurrentUser
WinHttpOpen
WinHttpCloseHandle
WinHttpGetProxyForUrl

crypt32

CertCreateCertificateChainEngine
CertFindExtension
CertGetNameStringA
CryptDecodeObjectEx
PFXImportCertStore
CryptStringToBinaryW
CertGetCertificateContextProperty
CertDuplicateCertificateContext
CertOpenSystemStoreA
CryptStringToBinaryA
CertFreeCertificateChainEngine
CertVerifyCertificateChainPolicy
CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateContext
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCreateCertificateContext
CertEnumCertificatesInStore
CertOpenStore
CryptQueryObject
CertGetNameStringW
CryptProtectData
CryptUnprotectData
CryptMsgClose
CryptMsgGetParam
CertCloseStore
CertFindCertificateInStore

kernel32

HeapSize
HeapFree
HeapAlloc
GetDateFormatW
GetTimeFormatW
ExitThread
GetUserDefaultLCID
EnumSystemLocalesW
HeapReAlloc
GetLocaleInfoA
OutputDebugStringA
IsValidLocale
ExitProcess
GetProcessHeap
IsValidCodePage
GetACP
GetOEMCP
GetEnvironmentStringsW
ConvertFiberToThread
MultiByteToWideChar
WideCharToMultiByte
GetConsoleWindow
SetErrorMode
SetConsoleCtrlHandler
DecodePointer
CloseHandle
RaiseException
GetLastError
InitializeCriticalSectionEx
DeleteCriticalSection
WaitForSingleObject
GetCurrentProcess
GetCurrentProcessId
GetExitCodeProcess
GetProcessId
OpenProcess
GetWindowsDirectoryW
GetVersionExW
CreateJobObjectW
OpenJobObjectW
AssignProcessToJobObject
SetInformationJobObject
QueryInformationJobObject
GetModuleFileNameW
GetModuleHandleW
GetProcAddress
LocalAlloc
LocalFree
QueryFullProcessImageNameW
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
ExpandEnvironmentStringsW
CreateDirectoryW
CreateFileW
GetDiskFreeSpaceExW
GetDriveTypeW
GetFileAttributesExW
GetVolumePathNameW
ReadFile
SetFileAttributesW
SetFilePointer
WriteFile
CopyFileW
MoveFileExW
FileTimeToSystemTime
CreateFileMappingW
OpenFileMappingW
MapViewOfFile
FlushViewOfFile
UnmapViewOfFile
GlobalMemoryStatusEx
GetModuleHandleA
GlobalMemoryStatus
FormatMessageA
GetCurrentThread
GlobalFree
lstrlenW
IsWow64Process
FreeLibrary
LoadLibraryExW
SetUnhandledExceptionFilter
GetCurrentThreadId
RtlCaptureContext
IsDebuggerPresent
TerminateProcess
OpenThread
SuspendThread
ResumeThread
GetThreadContext
VirtualQuery
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
Thread32First
Thread32Next
SetEvent
CreateEventW
CreateThread
LoadLibraryW
FindClose
FindFirstFileW
GetFileAttributesW
GetTempPathW
SetLastError
CreateProcessW
Module32FirstW
Module32NextW
GetSystemTime
SystemTimeToFileTime
WriteConsoleW
GetModuleHandleExW
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStdHandle
GetFileType
DeleteFiber
FormatMessageW
QueryPerformanceCounter
GetSystemTimeAsFileTime
SetStdHandle
LoadLibraryA
FindNextFileW
GetEnvironmentVariableW
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
CreateMutexW
OpenMutexW
Sleep
GetFullPathNameW
DeleteFileW
GetFileSizeEx
CreateIoCompletionPort
GetQueuedCompletionStatusEx
PostQueuedCompletionStatus
GetOverlappedResult
CancelIoEx
SetThreadPriority
GetThreadPriority
GetProcessAffinityMask
SetThreadAffinityMask
InitializeSRWLock
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
TryAcquireSRWLockExclusive
InitializeConditionVariable
WakeConditionVariable
WakeAllConditionVariable
SleepConditionVariableSRW
GetCurrentDirectoryW
RemoveDirectoryW
MoveFileW
FlushFileBuffers
SetEndOfFile
SetFilePointerEx
GetSystemInfo
GetLogicalProcessorInformationEx
GetNativeSystemInfo
QueryPerformanceFrequency
GetTimeZoneInformation
ReleaseSRWLockShared
AcquireSRWLockShared
TryEnterCriticalSection
ResetEvent
ReleaseSemaphore
CreateSemaphoreExW
CreateActCtxW
ActivateActCtx
DeactivateActCtx
DuplicateHandle
VirtualProtect
ReleaseMutex
SetEnvironmentVariableW
GetComputerNameW
OutputDebugStringW
SleepEx
VerSetConditionMask
GetSystemDirectoryW
VerifyVersionInfoW
GetTickCount
WaitForSingleObjectEx
GetEnvironmentVariableA
SwitchToThread
GetExitCodeThread
EncodePointer
GetCPInfo
CompareStringW
LCMapStringW
GetLocaleInfoW
GetStringTypeW
UnhandledExceptionFilter
IsProcessorFeaturePresent
InitializeSListHead
GetStartupInfoW
CreateTimerQueue
SignalObjectAndWait
GetLogicalProcessorInformation
CreateTimerQueueTimer
ChangeTimerQueueTimer
DeleteTimerQueueTimer
GetNumaHighestNodeNumber
RegisterWaitForSingleObject
UnregisterWait
GetThreadTimes
FreeLibraryAndExitThread
VirtualAlloc
VirtualFree
InterlockedPopEntrySList
InterlockedPushEntrySList
InterlockedFlushSList
QueryDepthSList
UnregisterWaitEx
RtlUnwind
GetCommandLineA
GetCommandLineW
FindFirstFileExW
SystemTimeToTzSpecificLocalTime
GetFileInformationByHandle
PeekNamedPipe
GetConsoleOutputCP
FreeEnvironmentStringsW

shell32

CommandLineToArgvW
SHChangeNotify
SHGetKnownFolderPath
ShellExecuteExW
ShellExecuteW

ole32

CoCreateInstance
CoInitializeEx
CoSetProxyBlanket
CoTaskMemFree
CoUninitialize
CoInitializeSecurity

ws2_32

inet_ntop
WSAIoctl
getpeername
WSASetLastError
__WSAFDIsSet
shutdown
getsockname
connect
freeaddrinfo
getaddrinfo
send
recv
ioctlsocket
inet_pton
socket
setsockopt
listen
htons
htonl
getsockopt
closesocket
bind
accept
WSCEnumProtocols
WSACleanup
WSAStartup
ntohs
ntohl
WSAGetLastError
select

user32

ShowWindow
TranslateMessage
DispatchMessageW
PeekMessageW
GetForegroundWindow
GetShellWindow
GetWindowThreadProcessId
DefWindowProcW
CreateWindowExW
GetWindow
EnumThreadWindows
GetDesktopWindow
IsWindowVisible
MessageBoxW
GetUserObjectInformationW
GetProcessWindowStation
LoadStringW
LoadIconW
LoadCursorW
UpdateWindow
RegisterClassExW

oleaut32

SysAllocString
SysFreeString
VariantInit
VariantClear
VariantChangeType
SysStringLen
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayAccessData
SafeArrayUnaccessData
VariantCopy

Sections

.text
Size: 3.8MB - Virtual size: 3.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 147KB - Virtual size: 428KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 626KB - Virtual size: 625KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f01c8d93cc9496502abbc27ddcf50833

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

wintrust

bcrypt

advapi32

dxgi

iphlpapi

powrprof

rpcrt4

version

winhttp

crypt32

kernel32

shell32

ole32

ws2_32

user32

oleaut32

Sections

.text Size: 3.8MB - Virtual size: 3.8MB

.rdata Size: 1.1MB - Virtual size: 1.1MB

.data Size: 147KB - Virtual size: 428KB

.rsrc Size: 626KB - Virtual size: 625KB

.text
Size: 3.8MB - Virtual size: 3.8MB

.rdata
Size: 1.1MB - Virtual size: 1.1MB

.data
Size: 147KB - Virtual size: 428KB

.rsrc
Size: 626KB - Virtual size: 625KB