risepro | 7a95ae3b370d318bff008a07fddf1b6deb1beb78fa9e021c5c9f106d1149b553

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb907b20ee4fb4389d25989d7de466e8.exe
Size

401KB
MD5

cb907b20ee4fb4389d25989d7de466e8
SHA1

4d63141c71e834e81c5f57f90f663c409edf3a41
SHA256

7a95ae3b370d318bff008a07fddf1b6deb1beb78fa9e021c5c9f106d1149b553
SHA512

81c3f8e3362a565a426710b54e4f2b64165b764635818b788f43824b3f0cdd2dc354cbdb6ff945bdfe42bd4ade7ed05b721f978faa5af3d6df71cf6b81f13fe2
SSDEEP

12288:jdI4y5LNCOuGcOq1H6Bvbw1tiNPUtIbsKRHo8:jq40NKaDiyPDI

Score

10^/10

risepro stealc vidar discovery spyware stealer

Malware Config

Extracted

Family

vidar

https://t.me/g067n

https://steamcommunity.com/profiles/76561199707802586

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0

Extracted

Family

risepro

5.42.67.8:50500

Signatures

Detect Vidar Stealer 13 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4468-1-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-3-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-5-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-17-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-18-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-28-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-29-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-37-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-38-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-54-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-55-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-108-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-109-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation RegAsm.exe
Executes dropped EXE 3 IoCs

Processes:

IDHIDBAEGI.exeAAFBAKECAE.exeAAAAAAAAAA.exe

pid process

2332 IDHIDBAEGI.exe
1144 AAFBAKECAE.exe
1052 AAAAAAAAAA.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	RegAsm.exe

pid	process
2332	IDHIDBAEGI.exe
1144	AAFBAKECAE.exe
1052	AAAAAAAAAA.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

cb907b20ee4fb4389d25989d7de466e8.exeIDHIDBAEGI.exeAAFBAKECAE.exeAAAAAAAAAA.exe

description	pid	process	target process
PID 1052 set thread context of 4468	1052	cb907b20ee4fb4389d25989d7de466e8.exe	RegAsm.exe
PID 2332 set thread context of 2624	2332	IDHIDBAEGI.exe	RegAsm.exe
PID 1144 set thread context of 4688	1144	AAFBAKECAE.exe	RegAsm.exe
PID 1052 set thread context of 1496	1052	AAAAAAAAAA.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4608 1052 WerFault.exe cb907b20ee4fb4389d25989d7de466e8.exe
4268 2332 WerFault.exe IDHIDBAEGI.exe
1772 1144 WerFault.exe AAFBAKECAE.exe
3052 1052 WerFault.exe AAAAAAAAAA.exe

pid	pid_target	process	target process
4608	1052	WerFault.exe	cb907b20ee4fb4389d25989d7de466e8.exe
4268	2332	WerFault.exe	IDHIDBAEGI.exe
1772	1144	WerFault.exe	AAFBAKECAE.exe
3052	1052	WerFault.exe	AAAAAAAAAA.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4776 timeout.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

RegAsm.exeRegAsm.exe

pid process

4468 RegAsm.exe
4468 RegAsm.exe
4468 RegAsm.exe
4468 RegAsm.exe
4468 RegAsm.exe
4468 RegAsm.exe
4468 RegAsm.exe
4468 RegAsm.exe
1496 RegAsm.exe
1496 RegAsm.exe

pid	process
4776	timeout.exe

pid	process
4468	RegAsm.exe
4468	RegAsm.exe
4468	RegAsm.exe
4468	RegAsm.exe
4468	RegAsm.exe
4468	RegAsm.exe
4468	RegAsm.exe
4468	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1496	RegAsm.exe
Token: SeBackupPrivilege	1496	RegAsm.exe
Token: SeSecurityPrivilege	1496	RegAsm.exe
Token: SeSecurityPrivilege	1496	RegAsm.exe
Token: SeSecurityPrivilege	1496	RegAsm.exe
Token: SeSecurityPrivilege	1496	RegAsm.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

cb907b20ee4fb4389d25989d7de466e8.exeRegAsm.exeIDHIDBAEGI.exeAAFBAKECAE.exeAAAAAAAAAA.execmd.exe

description	pid	process	target process
PID 1052 wrote to memory of 4468	1052	cb907b20ee4fb4389d25989d7de466e8.exe	RegAsm.exe
PID 1052 wrote to memory of 4468	1052	cb907b20ee4fb4389d25989d7de466e8.exe	RegAsm.exe
PID 1052 wrote to memory of 4468	1052	cb907b20ee4fb4389d25989d7de466e8.exe	RegAsm.exe
PID 1052 wrote to memory of 4468	1052	cb907b20ee4fb4389d25989d7de466e8.exe	RegAsm.exe
PID 1052 wrote to memory of 4468	1052	cb907b20ee4fb4389d25989d7de466e8.exe	RegAsm.exe
PID 1052 wrote to memory of 4468	1052	cb907b20ee4fb4389d25989d7de466e8.exe	RegAsm.exe
PID 1052 wrote to memory of 4468	1052	cb907b20ee4fb4389d25989d7de466e8.exe	RegAsm.exe
PID 1052 wrote to memory of 4468	1052	cb907b20ee4fb4389d25989d7de466e8.exe	RegAsm.exe
PID 1052 wrote to memory of 4468	1052	cb907b20ee4fb4389d25989d7de466e8.exe	RegAsm.exe
PID 4468 wrote to memory of 2332	4468	RegAsm.exe	IDHIDBAEGI.exe
PID 4468 wrote to memory of 2332	4468	RegAsm.exe	IDHIDBAEGI.exe
PID 4468 wrote to memory of 2332	4468	RegAsm.exe	IDHIDBAEGI.exe
PID 2332 wrote to memory of 2624	2332	IDHIDBAEGI.exe	RegAsm.exe
PID 2332 wrote to memory of 2624	2332	IDHIDBAEGI.exe	RegAsm.exe
PID 2332 wrote to memory of 2624	2332	IDHIDBAEGI.exe	RegAsm.exe
PID 2332 wrote to memory of 2624	2332	IDHIDBAEGI.exe	RegAsm.exe
PID 2332 wrote to memory of 2624	2332	IDHIDBAEGI.exe	RegAsm.exe
PID 2332 wrote to memory of 2624	2332	IDHIDBAEGI.exe	RegAsm.exe
PID 2332 wrote to memory of 2624	2332	IDHIDBAEGI.exe	RegAsm.exe
PID 2332 wrote to memory of 2624	2332	IDHIDBAEGI.exe	RegAsm.exe
PID 2332 wrote to memory of 2624	2332	IDHIDBAEGI.exe	RegAsm.exe
PID 4468 wrote to memory of 1144	4468	RegAsm.exe	AAFBAKECAE.exe
PID 4468 wrote to memory of 1144	4468	RegAsm.exe	AAFBAKECAE.exe
PID 4468 wrote to memory of 1144	4468	RegAsm.exe	AAFBAKECAE.exe
PID 1144 wrote to memory of 4688	1144	AAFBAKECAE.exe	RegAsm.exe
PID 1144 wrote to memory of 4688	1144	AAFBAKECAE.exe	RegAsm.exe
PID 1144 wrote to memory of 4688	1144	AAFBAKECAE.exe	RegAsm.exe
PID 1144 wrote to memory of 4688	1144	AAFBAKECAE.exe	RegAsm.exe
PID 1144 wrote to memory of 4688	1144	AAFBAKECAE.exe	RegAsm.exe
PID 1144 wrote to memory of 4688	1144	AAFBAKECAE.exe	RegAsm.exe
PID 1144 wrote to memory of 4688	1144	AAFBAKECAE.exe	RegAsm.exe
PID 1144 wrote to memory of 4688	1144	AAFBAKECAE.exe	RegAsm.exe
PID 1144 wrote to memory of 4688	1144	AAFBAKECAE.exe	RegAsm.exe
PID 1144 wrote to memory of 4688	1144	AAFBAKECAE.exe	RegAsm.exe
PID 4468 wrote to memory of 1052	4468	RegAsm.exe	AAAAAAAAAA.exe
PID 4468 wrote to memory of 1052	4468	RegAsm.exe	AAAAAAAAAA.exe
PID 4468 wrote to memory of 1052	4468	RegAsm.exe	AAAAAAAAAA.exe
PID 1052 wrote to memory of 1496	1052	AAAAAAAAAA.exe	RegAsm.exe
PID 1052 wrote to memory of 1496	1052	AAAAAAAAAA.exe	RegAsm.exe
PID 1052 wrote to memory of 1496	1052	AAAAAAAAAA.exe	RegAsm.exe
PID 1052 wrote to memory of 1496	1052	AAAAAAAAAA.exe	RegAsm.exe
PID 1052 wrote to memory of 1496	1052	AAAAAAAAAA.exe	RegAsm.exe
PID 1052 wrote to memory of 1496	1052	AAAAAAAAAA.exe	RegAsm.exe
PID 1052 wrote to memory of 1496	1052	AAAAAAAAAA.exe	RegAsm.exe
PID 1052 wrote to memory of 1496	1052	AAAAAAAAAA.exe	RegAsm.exe
PID 4468 wrote to memory of 1968	4468	RegAsm.exe	cmd.exe
PID 4468 wrote to memory of 1968	4468	RegAsm.exe	cmd.exe
PID 4468 wrote to memory of 1968	4468	RegAsm.exe	cmd.exe
PID 1968 wrote to memory of 4776	1968	cmd.exe	timeout.exe
PID 1968 wrote to memory of 4776	1968	cmd.exe	timeout.exe
PID 1968 wrote to memory of 4776	1968	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\cb907b20ee4fb4389d25989d7de466e8.exe
"C:\Users\Admin\AppData\Local\Temp\cb907b20ee4fb4389d25989d7de466e8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Checks computer location settings
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4468

C:\ProgramData\IDHIDBAEGI.exe
"C:\ProgramData\IDHIDBAEGI.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 296
4⤵
- Program crash
PID:4268

C:\ProgramData\AAFBAKECAE.exe
"C:\ProgramData\AAFBAKECAE.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 276
4⤵
- Program crash
PID:1772

C:\ProgramData\AAAAAAAAAA.exe
"C:\ProgramData\AAAAAAAAAA.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 276
4⤵
- Program crash
PID:3052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CBKJJEHCBAKF" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\timeout.exe
timeout /t 10
4⤵
- Delays execution with timeout.exe
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 296
2⤵
- Program crash
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1052 -ip 1052
1⤵
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2332 -ip 2332
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1144 -ip 1144
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1052 -ip 1052
1⤵
PID:1116

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AAAAAAAAAA.exe
Filesize
687KB

MD5
f3d3b5411e090124197b7b6297b1d8db

SHA1
90522c25164cb4b22242d95678547d86a68e52b7

SHA256
1d519af0b0b48faf1886065d31e5f27000228dad742e2f8f06504838d4bc02d5

SHA512
cee5f1c20cbe4067bafe1dedee8c4db870430b6e6f792accac95d3e05c20a64893ad3dd971182c8e7d001243e5bc933aa2532c93359b4af72ca691fd8fff8736

Download Submit
C:\ProgramData\AAFBAKECAE.exe
Filesize
1.8MB

MD5
c72e70f29d3dd8fa148df55e8e6dec43

SHA1
2f182d43528f78d6d847b37b77da9a09a2ed1f0a

SHA256
baff3039b9acf97084d1b853f495026c52a4c483d010901e226beb599d23df5b

SHA512
d1923e33057413d478daaaaa54bb157762172a58ae03fc36e0c1c6e4d64c0c33d08bff7aec8759f533331215960d739fec2ffea86d18d1d8a70105927a6a5f12

Download Submit
C:\ProgramData\IDHIDBAEGI.exe
Filesize
490KB

MD5
93299cd3bcb2a0a2b38eeca1cdb8ae23

SHA1
473d70d598475f0d2784389ff543470638597cb2

SHA256
16a7754de464e184de4de3a7ec93c93d80d340b41b6579744f876c839085e3ca

SHA512
47486788b9f89736c1f9e306a39bca20f606924beed568694b5eb093c8b5042b1486c72e59f0d3350cb35103648babfbf653c75da6ee9293ec78f69bbc9ee3a4

Download Submit
memory/1052-0-0x0000000001440000-0x0000000001441000-memory.dmp

Filesize
4KB

Download
memory/1144-90-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/1496-110-0x00000000087D0000-0x0000000008DE8000-memory.dmp

Filesize
6.1MB

Download
memory/1496-118-0x000000000A390000-0x000000000A552000-memory.dmp

Filesize
1.8MB

Download
memory/1496-113-0x00000000082A0000-0x00000000082DC000-memory.dmp

Filesize
240KB

Download
memory/1496-112-0x0000000008240000-0x0000000008252000-memory.dmp

Filesize
72KB

Download
memory/1496-111-0x0000000008300000-0x000000000840A000-memory.dmp

Filesize
1.0MB

Download
memory/1496-115-0x0000000009060000-0x00000000090C6000-memory.dmp

Filesize
408KB

Download
memory/1496-116-0x0000000009390000-0x0000000009406000-memory.dmp

Filesize
472KB

Download
memory/1496-107-0x0000000005450000-0x000000000545A000-memory.dmp

Filesize
40KB

Download
memory/1496-117-0x0000000009340000-0x000000000935E000-memory.dmp

Filesize
120KB

Download
memory/1496-119-0x000000000AA90000-0x000000000AFBC000-memory.dmp

Filesize
5.2MB

Download
memory/1496-104-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1496-105-0x00000000059A0000-0x0000000005F44000-memory.dmp

Filesize
5.6MB

Download
memory/1496-106-0x0000000005490000-0x0000000005522000-memory.dmp

Filesize
584KB

Download
memory/1496-114-0x0000000008410000-0x000000000845C000-memory.dmp

Filesize
304KB

Download
memory/2332-76-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/2624-79-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2624-78-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2624-75-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4468-109-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/4468-37-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/4468-1-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/4468-3-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/4468-5-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/4468-55-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/4468-108-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/4468-54-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/4468-38-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/4468-17-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/4468-29-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/4468-28-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/4468-20-0x0000000022440000-0x000000002269F000-memory.dmp

Filesize
2.4MB

Download
memory/4468-18-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/4688-94-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/4688-89-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/4688-92-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/4688-91-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/4688-121-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download