Malware Analysis Report

2024-11-13 13:24

Sample ID 240604-njb25afa63
Target 370d040626fd577ec0a4943c2a94c278fa9eb921e774d4ac9949e2eadd5cfa8b
SHA256 370d040626fd577ec0a4943c2a94c278fa9eb921e774d4ac9949e2eadd5cfa8b
Tags
risepro evasion stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

370d040626fd577ec0a4943c2a94c278fa9eb921e774d4ac9949e2eadd5cfa8b

Threat Level: Known bad

The file 370d040626fd577ec0a4943c2a94c278fa9eb921e774d4ac9949e2eadd5cfa8b was found to be: Known bad. Both detonations (the win10v2004 and win11 images) triggered the same RisePro, anti-VM, anti-emulation, anti-debug and BIOS-fingerprinting signatures. The only network activity recorded in either run was reverse-DNS (PTR) lookups sent to 8.8.8.8:53; no connection to a RisePro command-and-control server was captured, so the network tables below should not be read as C2 indicators.

Malicious Activity Summary

risepro evasion stealer

RisePro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Identifies Wine through registry keys

Checks BIOS information in registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 11:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 11:25

Reported

2024-06-04 11:27

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\370d040626fd577ec0a4943c2a94c278fa9eb921e774d4ac9949e2eadd5cfa8b.exe"

Signatures

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\370d040626fd577ec0a4943c2a94c278fa9eb921e774d4ac9949e2eadd5cfa8b.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\370d040626fd577ec0a4943c2a94c278fa9eb921e774d4ac9949e2eadd5cfa8b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\370d040626fd577ec0a4943c2a94c278fa9eb921e774d4ac9949e2eadd5cfa8b.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\370d040626fd577ec0a4943c2a94c278fa9eb921e774d4ac9949e2eadd5cfa8b.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\370d040626fd577ec0a4943c2a94c278fa9eb921e774d4ac9949e2eadd5cfa8b.exe N/A
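As an added example (not part of the sandbox report and not RisePro code), the script below replays the behavioral1 signature rows above as plain text, normalises the registry paths and buckets them into evasion categories. The profile SID under \REGISTRY\USER is folded to HKCU so one Wine rule fires in both detonations, which run under different SIDs. The NtSetInformationThread line is a constructed stand-in, since the report records no indicator for that signature; the rule names, categories and the "sandbox-aware" threshold are assumptions of this example.

```python
import re
from collections import defaultdict

# Process path used in both detonations, taken from the report.
PROC = (r"C:\Users\Admin\AppData\Local\Temp"
        r"\370d040626fd577ec0a4943c2a94c278fa9eb921e774d4ac9949e2eadd5cfa8b.exe")

# Event lines in the report's "Description Indicator Process Target" layout.
# The four registry lines are transcribed from behavioral1. The last line is
# CONSTRUCTED: the report gives no indicator for the hide-from-debugger
# signature, so a plausible API-call record stands in for it here.
EVENTS = [
    "Key opened \\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__ " + PROC + " N/A",
    "Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion " + PROC + " N/A",
    "Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion " + PROC + " N/A",
    "Key opened \\REGISTRY\\USER\\S-1-5-21-2539840389-1261165778-1087677076-1000\\Software\\Wine " + PROC + " N/A",
    "API called NtSetInformationThread:ThreadHideFromDebugger " + PROC + " N/A",
]

EVENT_RE = re.compile(r"^(Key opened|Key value queried|API called)\s+(\S+)\s+(\S+)\s+(\S+)$")
SID_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21(?:-\d+){4}\\", re.IGNORECASE)
MACHINE_RE = re.compile(r"^\\REGISTRY\\MACHINE\\", re.IGNORECASE)

# (pattern over the normalised indicator, category, analyst note)
RULES = [
    (re.compile(r"^HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__$"), "anti-vm",
     "an ACPI DSDT table named VBOX__ only exists on VirtualBox guests"),
    (re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\SYSTEM\\SYSTEMBIOSVERSION$"), "fingerprint",
     "SystemBiosVersion is the BIOS vendor string; on VMs it often names the hypervisor"),
    (re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\SYSTEM\\VIDEOBIOSVERSION$"), "fingerprint",
     "VideoBiosVersion is the display adapter firmware string"),
    (re.compile(r"^HKCU\\SOFTWARE\\WINE$"), "anti-emulation",
     "HKCU\\Software\\Wine is created by the Wine compatibility layer"),
    (re.compile(r"^NTSETINFORMATIONTHREAD:THREADHIDEFROMDEBUGGER$"), "anti-debug",
     "ThreadHideFromDebugger stops the thread from delivering debug events"),
]


def normalise(indicator: str) -> str:
    """Fold kernel-style registry paths to HKLM/HKCU and upper-case them for matching.

    Per-user keys sit under REGISTRY\\USER\\<SID>; the SID differs between the two
    detonations (and between victims), so it is stripped before rules are applied.
    """
    ind = SID_RE.sub(r"HKCU\\", indicator)
    ind = MACHINE_RE.sub(r"HKLM\\", ind)
    return ind.upper()


def classify(lines):
    """Group matching events by category: {category: [(desc, indicator, note), ...]}."""
    findings = defaultdict(list)
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue                      # header row or malformed line
        desc, indicator, _process, _target = m.groups()
        norm = normalise(indicator)
        for pattern, category, note in RULES:
            if pattern.match(norm):
                findings[category].append((desc, norm, note))
                break
    return dict(findings)


def sandbox_aware(findings):
    """Fingerprinting alone is common in benign software; flag only when it is
    paired with at least one hard check (VM, emulator or debugger) to act on."""
    hard = {"anti-vm", "anti-emulation", "anti-debug"}
    return "fingerprint" in findings and bool(hard & findings.keys())


if __name__ == "__main__":
    found = classify(EVENTS)
    for category, hits in found.items():
        print(f"[{category}]")
        for desc, indicator, note in hits:
            print(f"  {desc:<18} {indicator}")
            print(f"  {'':18} {note}")
    print("sandbox-aware:", sandbox_aware(found))
```

The BIOS-version reads are only meaningful in combination: installers and licensing code query the same values, so a rule that alerts on SystemBiosVersion alone will be noisy. The pairing with the VBOX__ DSDT check, the Wine key and the hide-from-debugger call is what marks this sample as sandbox-aware.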

Processes

C:\Users\Admin\AppData\Local\Temp\370d040626fd577ec0a4943c2a94c278fa9eb921e774d4ac9949e2eadd5cfa8b.exe

"C:\Users\Admin\AppData\Local\Temp\370d040626fd577ec0a4943c2a94c278fa9eb921e774d4ac9949e2eadd5cfa8b.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
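This table contains nothing but PTR-style queries to Google's public resolver. As an added example (not from the report), the script below decodes those in-addr.arpa names back to the addresses being looked up, generalised to ip6.arpa names as well, and checks that the run produced no traffic other than reverse lookups. The rows are transcribed from the table; the resolver address and port come from the Destination column. Whether the decoded addresses were looked up by the sample or by Windows background services cannot be settled from this table alone, so check them against whois and a clean-baseline run before treating any of them as an indicator.

```python
import ipaddress

# behavioral1 network rows, transcribed from the report's
# "Country Destination Domain Proto" table.
ROWS = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "149.220.183.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "203.107.17.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "68.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "228.249.119.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "154.239.44.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "86.23.85.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "171.39.242.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
]


def ptr_to_ip(name):
    """Turn an in-addr.arpa or ip6.arpa owner name back into the address it asks about.

    Returns None for ordinary forward names; raises ValueError when a reverse
    name is malformed (wrong label count, octet out of range, non-hex nibble).
    """
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if len(octets) != 4:
            raise ValueError(f"in-addr.arpa name needs 4 octets: {name}")
        # Labels run least-significant octet first: 149.220.183.52 -> 52.183.220.149
        return ipaddress.IPv4Address(".".join(reversed(octets)))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            raise ValueError(f"ip6.arpa name needs 32 single-nibble labels: {name}")
        hexstr = "".join(reversed(nibbles))
        return ipaddress.IPv6Address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4)))
    return None


def decode_rows(rows):
    """Return one (resolver, port, proto, domain, decoded address or None) per row."""
    decoded = []
    for _country, dest, domain, proto in rows:
        resolver, _, port = dest.rpartition(":")
        decoded.append((resolver, int(port), proto, domain, ptr_to_ip(domain)))
    return decoded


def only_reverse_lookups(rows):
    """True when every row is a UDP/53 reverse lookup, i.e. nothing else was captured."""
    return all(port == 53 and proto == "udp" and ip is not None
               for _r, port, proto, _d, ip in decode_rows(rows))


def resolved_addresses(rows):
    """De-duplicated addresses that were looked up, in numeric order."""
    addrs = {row[-1] for row in decode_rows(rows) if row[-1] is not None}
    return [str(a) for a in sorted(addrs, key=lambda a: (a.version, int(a)))]


if __name__ == "__main__":
    for resolver, port, proto, domain, ip in decode_rows(ROWS):
        print(f"{proto}/{port} -> {resolver:<10} {domain:<32} {ip}")
    print("reverse lookups only:", only_reverse_lookups(ROWS))
    print("addresses:", ", ".join(resolved_addresses(ROWS)))
```

A PTR query is the resolver being asked "what name belongs to this address", which is the reverse of what a stealer does when it resolves its C2 hostname; a run whose only DNS is reverse lookups has, at most, told you which addresses something on the box was already talking to or enumerating.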

Files

memory/3564-0-0x00000000009F0000-0x0000000000FBA000-memory.dmp

memory/3564-1-0x00000000775D4000-0x00000000775D6000-memory.dmp

memory/3564-2-0x00000000053D0000-0x00000000053D1000-memory.dmp

memory/3564-5-0x0000000005390000-0x0000000005391000-memory.dmp

memory/3564-12-0x0000000005370000-0x0000000005371000-memory.dmp

memory/3564-11-0x0000000005420000-0x0000000005421000-memory.dmp

memory/3564-10-0x00000000053C0000-0x00000000053C1000-memory.dmp

memory/3564-9-0x0000000005430000-0x0000000005431000-memory.dmp

memory/3564-8-0x0000000005400000-0x0000000005401000-memory.dmp

memory/3564-7-0x00000000053E0000-0x00000000053E1000-memory.dmp

memory/3564-6-0x0000000005380000-0x0000000005381000-memory.dmp

memory/3564-4-0x0000000005410000-0x0000000005411000-memory.dmp

memory/3564-3-0x00000000053A0000-0x00000000053A1000-memory.dmp

memory/3564-13-0x0000000005450000-0x0000000005452000-memory.dmp

memory/3564-14-0x00000000009F0000-0x0000000000FBA000-memory.dmp

memory/3564-15-0x00000000009F0000-0x0000000000FBA000-memory.dmp

memory/3564-16-0x00000000009F0000-0x0000000000FBA000-memory.dmp

memory/3564-17-0x00000000009F0000-0x0000000000FBA000-memory.dmp

memory/3564-18-0x00000000009F0000-0x0000000000FBA000-memory.dmp

memory/3564-19-0x00000000009F0000-0x0000000000FBA000-memory.dmp

memory/3564-20-0x00000000009F0000-0x0000000000FBA000-memory.dmp

memory/3564-21-0x00000000009F0000-0x0000000000FBA000-memory.dmp

memory/3564-22-0x00000000009F0000-0x0000000000FBA000-memory.dmp

memory/3564-23-0x00000000009F0000-0x0000000000FBA000-memory.dmp

memory/3564-24-0x00000000009F0000-0x0000000000FBA000-memory.dmp

memory/3564-25-0x00000000009F0000-0x0000000000FBA000-memory.dmp

memory/3564-26-0x00000000009F0000-0x0000000000FBA000-memory.dmp

memory/3564-27-0x00000000009F0000-0x0000000000FBA000-memory.dmp

memory/3564-28-0x00000000009F0000-0x0000000000FBA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 11:25

Reported

2024-06-04 11:27

Platform

win11-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\370d040626fd577ec0a4943c2a94c278fa9eb921e774d4ac9949e2eadd5cfa8b.exe"

Signatures

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\370d040626fd577ec0a4943c2a94c278fa9eb921e774d4ac9949e2eadd5cfa8b.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\370d040626fd577ec0a4943c2a94c278fa9eb921e774d4ac9949e2eadd5cfa8b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\370d040626fd577ec0a4943c2a94c278fa9eb921e774d4ac9949e2eadd5cfa8b.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\370d040626fd577ec0a4943c2a94c278fa9eb921e774d4ac9949e2eadd5cfa8b.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\370d040626fd577ec0a4943c2a94c278fa9eb921e774d4ac9949e2eadd5cfa8b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\370d040626fd577ec0a4943c2a94c278fa9eb921e774d4ac9949e2eadd5cfa8b.exe

"C:\Users\Admin\AppData\Local\Temp\370d040626fd577ec0a4943c2a94c278fa9eb921e774d4ac9949e2eadd5cfa8b.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/2836-0-0x0000000000810000-0x0000000000DDA000-memory.dmp

memory/2836-1-0x00000000774E6000-0x00000000774E8000-memory.dmp

memory/2836-11-0x00000000050A0000-0x00000000050A1000-memory.dmp

memory/2836-10-0x0000000005140000-0x0000000005141000-memory.dmp

memory/2836-9-0x0000000005150000-0x0000000005151000-memory.dmp

memory/2836-7-0x0000000005100000-0x0000000005101000-memory.dmp

memory/2836-6-0x00000000050B0000-0x00000000050B1000-memory.dmp

memory/2836-8-0x0000000005120000-0x0000000005121000-memory.dmp

memory/2836-5-0x00000000050C0000-0x00000000050C1000-memory.dmp

memory/2836-4-0x0000000005130000-0x0000000005131000-memory.dmp

memory/2836-3-0x00000000050D0000-0x00000000050D1000-memory.dmp

memory/2836-2-0x00000000050F0000-0x00000000050F1000-memory.dmp

memory/2836-12-0x0000000005170000-0x0000000005172000-memory.dmp

memory/2836-13-0x0000000000810000-0x0000000000DDA000-memory.dmp

memory/2836-14-0x0000000000810000-0x0000000000DDA000-memory.dmp

memory/2836-15-0x0000000000810000-0x0000000000DDA000-memory.dmp

memory/2836-16-0x0000000000810000-0x0000000000DDA000-memory.dmp

memory/2836-17-0x0000000000810000-0x0000000000DDA000-memory.dmp

memory/2836-18-0x0000000000810000-0x0000000000DDA000-memory.dmp

memory/2836-19-0x0000000000810000-0x0000000000DDA000-memory.dmp

memory/2836-20-0x0000000000810000-0x0000000000DDA000-memory.dmp

memory/2836-21-0x0000000000810000-0x0000000000DDA000-memory.dmp

memory/2836-22-0x0000000000810000-0x0000000000DDA000-memory.dmp

memory/2836-23-0x0000000000810000-0x0000000000DDA000-memory.dmp

memory/2836-24-0x0000000000810000-0x0000000000DDA000-memory.dmp

memory/2836-25-0x0000000000810000-0x0000000000DDA000-memory.dmp

memory/2836-26-0x0000000000810000-0x0000000000DDA000-memory.dmp

memory/2836-27-0x0000000000810000-0x0000000000DDA000-memory.dmp