Report - fsetrh.exe

Generic Malware Malicious Library PE32 PE File PNG Format ZIP Format
Created 2024.02.04 16:39 Machine s1_win7_x6401
Filename fsetrh.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score 8
Behavior Score 10.8
ZERO API file: malicious
VT API (file) 28 detected (AIDetectMalware, RiseProStealer, malicious, high confidence, score, Artemis, Save, Attribute, HighConfidence, Kryptik, HWDX, PWSX, RisePro, 38wdrzrHEpD, high, Sabsik, ZexaF, tvY@a848Sul, Genetic, Static AI, Malicious PE, confidence)
md5 6543dfd527080cd599e8905c90903b33
sha256 a58bc51e98ea724efade706eac4e09fec449312f0ba08362560d551324d179e6
ssdeep 24576:psAJZBBmkTflH5Wj1krKPKY4I4oLrCyinXXXXkcp5ojSb1ovVudnzfxc8u:KEPckTflH5WCb1CVknzfxu
imphash bcaada7db1c3b7a0077de29a4546c424
impfuzzy 24:ujKFDo5HOovg/J3JKnKQFQ8RyvDklRT4nZmfWlzf:OuHEK3D+cnZmfW1f

Signature (24cnts)

Level Description
danger Disables Windows Security features
warning File has been identified by 28 AntiVirus engines on VirusTotal as malicious
watch Appends a known CryptoMix ransomware file extension to files that have been encrypted
watch Attempts to access Bitcoin/ALTCoin wallets
watch Checks the CPU name from registry
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client software
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates hidden or system file
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Searches running processes potentially to identify processes for sandbox evasion
notice Steals private information from local Internet browsers
info Checks amount of memory in system
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Tries to locate where the browsers are installed

Rules (6cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info PNG_Format_Zero PNG Format binaries (download)
info zip_file_format ZIP file format binaries (download)

Network (6cnts)

Request CC ASN Co IP4 Rule ZERO
https://db-ip.com/demo/home.php?s=175.208.134.152 US CLOUDFLARENET 104.26.5.15 clean
ipinfo.io US GOOGLE 34.117.186.192 clean
db-ip.com US CLOUDFLARENET 104.26.5.15 clean
104.26.5.15 US CLOUDFLARENET 104.26.5.15 clean
34.117.186.192 US GOOGLE 34.117.186.192 clean
88.210.9.117 RU CityLanCom LTD 88.210.9.117 clean

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x40c000 VirtualProtect
 0x40c004 WaitForSingleObject
 0x40c008 Sleep
 0x40c00c CreateThread
 0x40c010 lstrlenW
 0x40c014 GetProcAddress
 0x40c018 LoadLibraryA
 0x40c01c VirtualAlloc
 0x40c020 FreeConsole
 0x40c024 RtlUnwind
 0x40c028 GetCommandLineA
 0x40c02c GetModuleHandleW
 0x40c030 TlsGetValue
 0x40c034 TlsAlloc
 0x40c038 TlsSetValue
 0x40c03c TlsFree
 0x40c040 InterlockedIncrement
 0x40c044 SetLastError
 0x40c048 GetCurrentThreadId
 0x40c04c GetLastError
 0x40c050 InterlockedDecrement
 0x40c054 SetUnhandledExceptionFilter
 0x40c058 ExitProcess
 0x40c05c WriteFile
 0x40c060 GetStdHandle
 0x40c064 GetModuleFileNameA
 0x40c068 FreeEnvironmentStringsA
 0x40c06c GetEnvironmentStrings
 0x40c070 FreeEnvironmentStringsW
 0x40c074 WideCharToMultiByte
 0x40c078 GetEnvironmentStringsW
 0x40c07c SetHandleCount
 0x40c080 GetFileType
 0x40c084 GetStartupInfoA
 0x40c088 DeleteCriticalSection
 0x40c08c HeapCreate
 0x40c090 VirtualFree
 0x40c094 HeapFree
 0x40c098 QueryPerformanceCounter
 0x40c09c GetTickCount
 0x40c0a0 GetCurrentProcessId
 0x40c0a4 GetSystemTimeAsFileTime
 0x40c0a8 RaiseException
 0x40c0ac TerminateProcess
 0x40c0b0 GetCurrentProcess
 0x40c0b4 UnhandledExceptionFilter
 0x40c0b8 IsDebuggerPresent
 0x40c0bc LeaveCriticalSection
 0x40c0c0 EnterCriticalSection
 0x40c0c4 GetCPInfo
 0x40c0c8 GetACP
 0x40c0cc GetOEMCP
 0x40c0d0 IsValidCodePage
 0x40c0d4 InitializeCriticalSectionAndSpinCount
 0x40c0d8 HeapAlloc
 0x40c0dc HeapReAlloc
 0x40c0e0 GetLocaleInfoA
 0x40c0e4 GetStringTypeA
 0x40c0e8 MultiByteToWideChar
 0x40c0ec GetStringTypeW
 0x40c0f0 LCMapStringA
 0x40c0f4 LCMapStringW
 0x40c0f8 HeapSize

EAT (Export Address Table): none