Malware Analysis Report

2024-10-10 12:03

Sample ID 240610-svmp8a1eja
Target 9fa1088b693a2890f582822927c926307c94ab718b84a909dea0570835f2e944
SHA256 9fa1088b693a2890f582822927c926307c94ab718b84a909dea0570835f2e944
Tags
risepro evasion stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9fa1088b693a2890f582822927c926307c94ab718b84a909dea0570835f2e944

Threat Level: Known bad

The file 9fa1088b693a2890f582822927c926307c94ab718b84a909dea0570835f2e944 was found to be: Known bad.

Malicious Activity Summary

risepro evasion stealer

RisePro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Identifies Wine through registry keys

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 15:26

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 15:26

Reported

2024-06-10 15:29

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9fa1088b693a2890f582822927c926307c94ab718b84a909dea0570835f2e944.exe"

Signatures

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description: Key opened
Indicator: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Process: C:\Users\Admin\AppData\Local\Temp\9fa1088b693a2890f582822927c926307c94ab718b84a909dea0570835f2e944.exe
Target: N/A

Checks BIOS information in registry

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Process: C:\Users\Admin\AppData\Local\Temp\9fa1088b693a2890f582822927c926307c94ab718b84a909dea0570835f2e944.exe
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Process: C:\Users\Admin\AppData\Local\Temp\9fa1088b693a2890f582822927c926307c94ab718b84a909dea0570835f2e944.exe
Target: N/A

Identifies Wine through registry keys

evasion
Description: Key opened
Indicator: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine
Process: C:\Users\Admin\AppData\Local\Temp\9fa1088b693a2890f582822927c926307c94ab718b84a909dea0570835f2e944.exe
Target: N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\9fa1088b693a2890f582822927c926307c94ab718b84a909dea0570835f2e944.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9fa1088b693a2890f582822927c926307c94ab718b84a909dea0570835f2e944.exe

"C:\Users\Admin\AppData\Local\Temp\9fa1088b693a2890f582822927c926307c94ab718b84a909dea0570835f2e944.exe"

Network

Country: IE
Destination: 52.111.236.23:443
Domain: (none recorded)
Proto: tcp

Files

memory/4932-0-0x0000000000860000-0x0000000000E57000-memory.dmp

memory/4932-1-0x00000000771D4000-0x00000000771D6000-memory.dmp

memory/4932-2-0x0000000000861000-0x000000000090D000-memory.dmp

memory/4932-3-0x0000000000860000-0x0000000000E57000-memory.dmp

memory/4932-4-0x0000000000860000-0x0000000000E57000-memory.dmp

memory/4932-5-0x0000000000860000-0x0000000000E57000-memory.dmp

memory/4932-6-0x0000000000860000-0x0000000000E57000-memory.dmp

memory/4932-7-0x0000000000860000-0x0000000000E57000-memory.dmp

memory/4932-8-0x0000000000860000-0x0000000000E57000-memory.dmp

memory/4932-9-0x0000000000860000-0x0000000000E57000-memory.dmp

memory/4932-10-0x0000000000860000-0x0000000000E57000-memory.dmp

memory/4932-11-0x0000000000860000-0x0000000000E57000-memory.dmp

memory/4932-12-0x0000000000860000-0x0000000000E57000-memory.dmp

memory/4932-13-0x0000000000860000-0x0000000000E57000-memory.dmp

memory/4932-14-0x0000000000860000-0x0000000000E57000-memory.dmp

memory/4932-15-0x0000000000860000-0x0000000000E57000-memory.dmp

memory/4932-16-0x0000000000860000-0x0000000000E57000-memory.dmp

memory/4932-17-0x0000000000860000-0x0000000000E57000-memory.dmp

memory/4932-18-0x0000000000860000-0x0000000000E57000-memory.dmp

memory/4932-19-0x0000000000860000-0x0000000000E57000-memory.dmp

memory/4932-20-0x0000000000860000-0x0000000000E57000-memory.dmp

memory/4932-21-0x0000000000860000-0x0000000000E57000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 15:26

Reported

2024-06-10 15:29

Platform

win11-20240426-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9fa1088b693a2890f582822927c926307c94ab718b84a909dea0570835f2e944.exe"

Signatures

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description: Key opened
Indicator: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Process: C:\Users\Admin\AppData\Local\Temp\9fa1088b693a2890f582822927c926307c94ab718b84a909dea0570835f2e944.exe
Target: N/A

Checks BIOS information in registry

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Process: C:\Users\Admin\AppData\Local\Temp\9fa1088b693a2890f582822927c926307c94ab718b84a909dea0570835f2e944.exe
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Process: C:\Users\Admin\AppData\Local\Temp\9fa1088b693a2890f582822927c926307c94ab718b84a909dea0570835f2e944.exe
Target: N/A

Identifies Wine through registry keys

evasion
Description: Key opened
Indicator: \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Wine
Process: C:\Users\Admin\AppData\Local\Temp\9fa1088b693a2890f582822927c926307c94ab718b84a909dea0570835f2e944.exe
Target: N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\9fa1088b693a2890f582822927c926307c94ab718b84a909dea0570835f2e944.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9fa1088b693a2890f582822927c926307c94ab718b84a909dea0570835f2e944.exe

"C:\Users\Admin\AppData\Local\Temp\9fa1088b693a2890f582822927c926307c94ab718b84a909dea0570835f2e944.exe"

Network

Country: US
Destination: 52.111.229.43:443
Domain: (none recorded)
Proto: tcp

Files

memory/4676-0-0x0000000000640000-0x0000000000C37000-memory.dmp

memory/4676-1-0x00000000777E6000-0x00000000777E8000-memory.dmp

memory/4676-2-0x0000000000641000-0x00000000006ED000-memory.dmp

memory/4676-3-0x0000000000640000-0x0000000000C37000-memory.dmp

memory/4676-4-0x0000000000640000-0x0000000000C37000-memory.dmp

memory/4676-5-0x0000000000640000-0x0000000000C37000-memory.dmp

memory/4676-6-0x0000000000640000-0x0000000000C37000-memory.dmp

memory/4676-7-0x0000000000640000-0x0000000000C37000-memory.dmp

memory/4676-8-0x0000000000640000-0x0000000000C37000-memory.dmp

memory/4676-9-0x0000000000640000-0x0000000000C37000-memory.dmp

memory/4676-10-0x0000000000640000-0x0000000000C37000-memory.dmp

memory/4676-11-0x0000000000640000-0x0000000000C37000-memory.dmp

memory/4676-12-0x0000000000640000-0x0000000000C37000-memory.dmp

memory/4676-13-0x0000000000640000-0x0000000000C37000-memory.dmp

memory/4676-14-0x0000000000640000-0x0000000000C37000-memory.dmp

memory/4676-15-0x0000000000640000-0x0000000000C37000-memory.dmp

memory/4676-16-0x0000000000640000-0x0000000000C37000-memory.dmp

memory/4676-17-0x0000000000640000-0x0000000000C37000-memory.dmp

memory/4676-18-0x0000000000640000-0x0000000000C37000-memory.dmp

memory/4676-19-0x0000000000640000-0x0000000000C37000-memory.dmp

memory/4676-20-0x0000000000640000-0x0000000000C37000-memory.dmp

memory/4676-21-0x0000000000640000-0x0000000000C37000-memory.dmp