Malware Analysis Report

2024-11-15 05:22

Sample ID 240621-zbh19avfnp
Target 85d469edbdb0a0888dcce0cc8c6236fe58a902c53a7fd8d25148762325c1c157
SHA256 85d469edbdb0a0888dcce0cc8c6236fe58a902c53a7fd8d25148762325c1c157
Tags
risepro evasion stealer
score
10/10

Analysis Overview

score
10/10

SHA256

85d469edbdb0a0888dcce0cc8c6236fe58a902c53a7fd8d25148762325c1c157

Threat Level: Known bad

The file 85d469edbdb0a0888dcce0cc8c6236fe58a902c53a7fd8d25148762325c1c157 was found to be: Known bad.

Malicious Activity Summary

risepro evasion stealer

RisePro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Identifies Wine through registry keys

Checks BIOS information in registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-21 20:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-21 20:32

Reported

2024-06-21 20:35

Platform

win11-20240611-en

Max time kernel

142s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85d469edbdb0a0888dcce0cc8c6236fe58a902c53a7fd8d25148762325c1c157.exe"

Signatures

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\85d469edbdb0a0888dcce0cc8c6236fe58a902c53a7fd8d25148762325c1c157.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\85d469edbdb0a0888dcce0cc8c6236fe58a902c53a7fd8d25148762325c1c157.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\85d469edbdb0a0888dcce0cc8c6236fe58a902c53a7fd8d25148762325c1c157.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\85d469edbdb0a0888dcce0cc8c6236fe58a902c53a7fd8d25148762325c1c157.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\85d469edbdb0a0888dcce0cc8c6236fe58a902c53a7fd8d25148762325c1c157.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\85d469edbdb0a0888dcce0cc8c6236fe58a902c53a7fd8d25148762325c1c157.exe

"C:\Users\Admin\AppData\Local\Temp\85d469edbdb0a0888dcce0cc8c6236fe58a902c53a7fd8d25148762325c1c157.exe"

Network

Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 20:32

Reported

2024-06-21 20:35

Platform

win10v2004-20240611-en

Max time kernel

142s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85d469edbdb0a0888dcce0cc8c6236fe58a902c53a7fd8d25148762325c1c157.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\85d469edbdb0a0888dcce0cc8c6236fe58a902c53a7fd8d25148762325c1c157.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\85d469edbdb0a0888dcce0cc8c6236fe58a902c53a7fd8d25148762325c1c157.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\85d469edbdb0a0888dcce0cc8c6236fe58a902c53a7fd8d25148762325c1c157.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\85d469edbdb0a0888dcce0cc8c6236fe58a902c53a7fd8d25148762325c1c157.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\85d469edbdb0a0888dcce0cc8c6236fe58a902c53a7fd8d25148762325c1c157.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\85d469edbdb0a0888dcce0cc8c6236fe58a902c53a7fd8d25148762325c1c157.exe

"C:\Users\Admin\AppData\Local\Temp\85d469edbdb0a0888dcce0cc8c6236fe58a902c53a7fd8d25148762325c1c157.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 74.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files
