risepro | 02eac2d8c04bfbabf5285b5fb1badf755e16ae50899f6bd7b788654e85a20613

Analysis

max time kernel
133s
max time network
246s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
06/06/2024, 22:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

02eac2d8c04bfbabf5285b5fb1badf755e16ae50899f6bd7b788654e85a20613.exe
Size

421KB
MD5

277923785bb9e137228d51c5685ee0ab
SHA1

898bb333ca57a435547e17c75cddaf3db9aee116
SHA256

02eac2d8c04bfbabf5285b5fb1badf755e16ae50899f6bd7b788654e85a20613
SHA512

5ca4716d39eca08e46e1a85a28b01c66810c189fd212585dbd8a37bd9ec94e659e45ce64108a855151561278a6abbb770b1b05922fda3d7d0755ba1c824ffff8
SSDEEP

6144:DanQ+kOsq4Dfvn3ai0+02l4CSOh+mF7OPm8vvcsIExBvqioI//3CC3bxwq/FKizC:D6f4DfvniMHF7YcsIWkA/yCVdKiW

Score

10^/10

risepro stealc vidar discovery spyware stealer

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

https://t.me/r8z0l

https://steamcommunity.com/profiles/76561199698764354

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Signatures

Detect Vidar Stealer 14 IoCs

stealer

resource	yara_rule
behavioral2/memory/3012-1-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/3012-4-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/3012-6-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/3012-21-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/3012-22-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/3012-39-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/3012-40-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/1556-65-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/3012-79-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/3012-80-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/1556-88-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/1556-89-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/1556-101-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/1556-102-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4008	EHJJECBKKE.exe
4348	HIIIIEGHDG.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1452 set thread context of 3012	1452	02eac2d8c04bfbabf5285b5fb1badf755e16ae50899f6bd7b788654e85a20613.exe	72
PID 4008 set thread context of 1556	4008	EHJJECBKKE.exe	78
PID 4348 set thread context of 4288	4348	HIIIIEGHDG.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4232	timeout.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
1556	RegAsm.exe
1556	RegAsm.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 3012	1452	02eac2d8c04bfbabf5285b5fb1badf755e16ae50899f6bd7b788654e85a20613.exe	72
PID 1452 wrote to memory of 3012	1452	02eac2d8c04bfbabf5285b5fb1badf755e16ae50899f6bd7b788654e85a20613.exe	72
PID 1452 wrote to memory of 3012	1452	02eac2d8c04bfbabf5285b5fb1badf755e16ae50899f6bd7b788654e85a20613.exe	72
PID 1452 wrote to memory of 3012	1452	02eac2d8c04bfbabf5285b5fb1badf755e16ae50899f6bd7b788654e85a20613.exe	72
PID 1452 wrote to memory of 3012	1452	02eac2d8c04bfbabf5285b5fb1badf755e16ae50899f6bd7b788654e85a20613.exe	72
PID 1452 wrote to memory of 3012	1452	02eac2d8c04bfbabf5285b5fb1badf755e16ae50899f6bd7b788654e85a20613.exe	72
PID 1452 wrote to memory of 3012	1452	02eac2d8c04bfbabf5285b5fb1badf755e16ae50899f6bd7b788654e85a20613.exe	72
PID 1452 wrote to memory of 3012	1452	02eac2d8c04bfbabf5285b5fb1badf755e16ae50899f6bd7b788654e85a20613.exe	72
PID 1452 wrote to memory of 3012	1452	02eac2d8c04bfbabf5285b5fb1badf755e16ae50899f6bd7b788654e85a20613.exe	72
PID 3012 wrote to memory of 4008	3012	RegAsm.exe	74
PID 3012 wrote to memory of 4008	3012	RegAsm.exe	74
PID 3012 wrote to memory of 4008	3012	RegAsm.exe	74
PID 4008 wrote to memory of 1768	4008	EHJJECBKKE.exe	76
PID 4008 wrote to memory of 1768	4008	EHJJECBKKE.exe	76
PID 4008 wrote to memory of 1768	4008	EHJJECBKKE.exe	76
PID 4008 wrote to memory of 4696	4008	EHJJECBKKE.exe	77
PID 4008 wrote to memory of 4696	4008	EHJJECBKKE.exe	77
PID 4008 wrote to memory of 4696	4008	EHJJECBKKE.exe	77
PID 4008 wrote to memory of 1556	4008	EHJJECBKKE.exe	78
PID 4008 wrote to memory of 1556	4008	EHJJECBKKE.exe	78
PID 4008 wrote to memory of 1556	4008	EHJJECBKKE.exe	78
PID 4008 wrote to memory of 1556	4008	EHJJECBKKE.exe	78
PID 4008 wrote to memory of 1556	4008	EHJJECBKKE.exe	78
PID 4008 wrote to memory of 1556	4008	EHJJECBKKE.exe	78
PID 4008 wrote to memory of 1556	4008	EHJJECBKKE.exe	78
PID 4008 wrote to memory of 1556	4008	EHJJECBKKE.exe	78
PID 4008 wrote to memory of 1556	4008	EHJJECBKKE.exe	78
PID 3012 wrote to memory of 4348	3012	RegAsm.exe	79
PID 3012 wrote to memory of 4348	3012	RegAsm.exe	79
PID 3012 wrote to memory of 4348	3012	RegAsm.exe	79
PID 4348 wrote to memory of 4288	4348	HIIIIEGHDG.exe	80
PID 4348 wrote to memory of 4288	4348	HIIIIEGHDG.exe	80
PID 4348 wrote to memory of 4288	4348	HIIIIEGHDG.exe	80
PID 4348 wrote to memory of 4288	4348	HIIIIEGHDG.exe	80
PID 4348 wrote to memory of 4288	4348	HIIIIEGHDG.exe	80
PID 4348 wrote to memory of 4288	4348	HIIIIEGHDG.exe	80
PID 4348 wrote to memory of 4288	4348	HIIIIEGHDG.exe	80
PID 4348 wrote to memory of 4288	4348	HIIIIEGHDG.exe	80
PID 4348 wrote to memory of 4288	4348	HIIIIEGHDG.exe	80
PID 4348 wrote to memory of 4288	4348	HIIIIEGHDG.exe	80
PID 3012 wrote to memory of 968	3012	RegAsm.exe	81
PID 3012 wrote to memory of 968	3012	RegAsm.exe	81
PID 3012 wrote to memory of 968	3012	RegAsm.exe	81
PID 968 wrote to memory of 4232	968	cmd.exe	83
PID 968 wrote to memory of 4232	968	cmd.exe	83
PID 968 wrote to memory of 4232	968	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\02eac2d8c04bfbabf5285b5fb1badf755e16ae50899f6bd7b788654e85a20613.exe
"C:\Users\Admin\AppData\Local\Temp\02eac2d8c04bfbabf5285b5fb1badf755e16ae50899f6bd7b788654e85a20613.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\ProgramData\EHJJECBKKE.exe
    "C:\ProgramData\EHJJECBKKE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1768
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4696
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:1556
- - C:\ProgramData\HIIIIEGHDG.exe
    "C:\ProgramData\HIIIIEGHDG.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4348
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4288
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CFIJEBFCGDAA" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EHJJECBKKE.exe

Filesize
421KB

MD5
277923785bb9e137228d51c5685ee0ab

SHA1
898bb333ca57a435547e17c75cddaf3db9aee116

SHA256
02eac2d8c04bfbabf5285b5fb1badf755e16ae50899f6bd7b788654e85a20613

SHA512
5ca4716d39eca08e46e1a85a28b01c66810c189fd212585dbd8a37bd9ec94e659e45ce64108a855151561278a6abbb770b1b05922fda3d7d0755ba1c824ffff8

Download Submit
C:\ProgramData\HIIIIEGHDG.exe

Filesize
1.8MB

MD5
6d0d2fcb8746b9d52198df1a331ca8fc

SHA1
c23ae6e0ef74626b72b66f1561610329220183c2

SHA256
32ecff2fb5d1a1786f51632b4a4cfdd79b159e56127424bf851a3724c1b0525a

SHA512
6fc935b4bc418e9f5d37f0c86d3bf1d0bcf9c08a56cd61cfd6536a9c472ba817084ed931eaa4d1f01fd84ee9a9f5d107d8a55a445faf7b28123f2c98f8ab2dd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\156887258BBD6E1FEF562837733EA04E_5BBC02CEDFD3F7AC9E268D830CF231EE

Filesize
2KB

MD5
5bc72d2254221c782dba8e5d10bb5bbd

SHA1
50f92feb24ce778f447a56b52b94c880463cd287

SHA256
a2ec595036eab49fef2bcc799ed589bf2683b8843c7a4f158aa6ed7740f9ed2c

SHA512
6a053b4d67c9b633470753d2d29a9904690816a99c74d47813294f266c372e5475ba1b8ca60e470db63dc80c5a5f7721894224a8b3d9b268dd6d6839f76d77ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
2KB

MD5
f56e292d4b3ca46a5bfbfd6b8048cee5

SHA1
1970eb59d3a54e966603ce7143c7bb0eb13ddc09

SHA256
461e83e789394ee62bfd45308f8c515f90cadf8b838f1b65e12be2eea5432f8a

SHA512
eba75f7acaadad08c0f6717c53c850784fdcfe3e0bf285781cf238bcbb8d954ce02fde26f86defb1a292ff581021909ca57ff53b7d895af9a54c5d6ca5bff72b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
edb04cb2cd8be03076d615e1d2a95860

SHA1
ac39a682e778cd5d236653cb9f0b6d0e85bac18c

SHA256
1a527dfd0b597781852f7155eba8fc8f8a66cbd336f26c45a3891e227cd74732

SHA512
003c6daf94fc417be1ce541f789b607e64378bdf349feb1acce3642967cf5cad23e6ad2377f0dc621554821c17524882ff48b0c9b302130f60e2feaea0cffe98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\156887258BBD6E1FEF562837733EA04E_5BBC02CEDFD3F7AC9E268D830CF231EE

Filesize
458B

MD5
6d8b2c542a19f2a3e5f9550d79df8fc3

SHA1
45455c4c28f20ae45490a08284370beec06af7ba

SHA256
e535ba4abc5c5a0c2645568c2f6883c002304142da20b559164a3213e12943fc

SHA512
27de654f15513f5add09265033723aa6662683837b80706e1f1846c90b431dd9cdd9883ddcd409e45387fdea6d464f587f70d487ddf3abafc92fb49c671facfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
64097421f47b3a7b50cd2555938e0a4d

SHA1
e70b8a06d8accb8e6960cee9c80bdf81e077b501

SHA256
cdb7e0f1c8612fa0732e51ace10a5b9039d480e703030d1dd736f404a37dc31c

SHA512
b2d7e85c098fd40092792cad6c32db3af1d1656e4b9d68513d9b113f19adda338a5d5661e6b2beee1c8415b5d38e9af9e255d78dbb13cb7c2a0414cd8097e031

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
6c015522ac0e585ae36db7d53f19bfdc

SHA1
8d00cf7214c44713590458d2f918e9636a71efd2

SHA256
4ddf578090e25ab7367eb60401db721762ceb207116efbcf0d3f0d426fd10f7a

SHA512
a8e0ad70ba325cf90c49e878a29db5d3b6ed8e7a9ed30a2063819fe10166b282f8c342aa692bdf772dc88f2c2d90dcb96325cbcaecb61858539f86c50fe1f2ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T28YHK6H\sqls[1].dll

Filesize
2.3MB

MD5
90e744829865d57082a7f452edc90de5

SHA1
833b178775f39675fa4e55eab1032353514e1052

SHA256
036a57102385d7f0d7b2deacf932c1c372ae30d924365b7a88f8a26657dd7550

SHA512
0a2d112ff7cb806a74f5ec17fe097d28107bb497d6ed5ad28ea47e6795434ba903cdb49aaf97a9a99c08cd0411f1969cad93031246dc107c26606a898e570323

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\CNMC6O6K.cookie

Filesize
101B

MD5
4906777a79554889f48c0f9fa016a8f0

SHA1
30476c83f95dfc5a1ab58f152bdcfbfd129fbc31

SHA256
ff89f304de7b2011cfce771ac41f0b362d70cd2cb4b211b0a7fbd370f152c29d

SHA512
84c301d3a0672b9682d08015ab52986a49fc0c08a2d2922b1b56cc2410ae99ff13770b34d3dfd779ea8e3baa92e439068681784de949a1c187317a082202b2c8

Download Submit
memory/1452-2-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1452-0-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1556-88-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/1556-65-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/1556-89-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/1556-91-0x00000000192C0000-0x000000001951F000-memory.dmp

Filesize
2.4MB

Download
memory/1556-101-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/1556-102-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/3012-39-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/3012-24-0x00000000190E0000-0x000000001933F000-memory.dmp

Filesize
2.4MB

Download
memory/3012-79-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/3012-4-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/3012-6-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/3012-21-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/3012-22-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/3012-80-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/3012-40-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/3012-1-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/4008-61-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/4288-74-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/4288-78-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/4288-76-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/4348-75-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download