| Field | Value |
|---|---|
| File name: | 525fdd584d9eb2256aba1d88d36ad76a.exe |
| Full analysis: | https://app.any.run/tasks/b2efbc0b-061e-4a48-9386-a5e1f7f4601d |
| Verdict: | Malicious activity |
| Threats: | RisePro, an information-stealing malware, targets a wide range of sensitive data, including credit cards, passwords, and cryptocurrency wallets. By compromising infected devices, RisePro can steal valuable information and potentially cause significant financial and personal losses for victims. |
| Analysis date: | April 25, 2025, 08:29:23 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections |
| MD5: | 525FDD584D9EB2256ABA1D88D36AD76A |
| SHA1: | DC9374F8E849EAAE9BA18082219E98DDD9AB4FD6 |
| SHA256: | 8542D40FBB873286565F5092F51FE29AB0EA8E890344B0A6A7AA6BD498DA7F07 |
| SSDEEP: | 98304:yOBMYM4GjxxKuBP5bbYpem0odqsqQhMi69z4Id4eNI51/VHmFCi28JdIXqy2s0mu:P0cl5Zb |

| Extension | File type identification |
|---|---|
| .exe | Win64 Executable (generic) (76.4) |
| .exe | Win32 Executable (generic) (12.4) |
| .exe | Generic Win/DOS Executable (5.5) |
| .exe | DOS Executable Generic (5.5) |

| Field | Value |
|---|---|
| MachineType: | Intel 386 or later, and compatibles |
| TimeStamp: | 2012:02:24 19:19:54+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 10 |
| CodeSize: | 28160 |
| InitializedDataSize: | 445952 |
| UninitializedDataSize: | 16896 |
| EntryPoint: | 0x3883 |
| OSVersion: | 5 |
| ImageVersion: | 6 |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |

| PID | CMD | Path | Indicators | Parent process | User | Integrity Level | Exit code | Description | Company | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 780 | `"C:\Windows\System32\cmd.exe" /k copy Emotions Emotions.cmd & Emotions.cmd & exit` | `C:\Windows\SysWOW64\cmd.exe` | — | 525fdd584d9eb2256aba1d88d36ad76a.exe | admin | HIGH | 9009 | Windows Command Processor | Microsoft Corporation | 10.0.19041.3636 (WinBuild.160101.0800) |
| 1052 | `findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"` | `C:\Windows\SysWOW64\findstr.exe` | — | cmd.exe | admin | HIGH | 1 | Find String (QGREP) Utility | Microsoft Corporation | 10.0.19041.1 (WinBuild.160101.0800) |
| 1056 | `tasklist` | `C:\Windows\SysWOW64\tasklist.exe` | — | cmd.exe | admin | HIGH | 0 | Lists the current running tasks | Microsoft Corporation | 10.0.19041.1 (WinBuild.160101.0800) |
| 1180 | `timeout 15` | `C:\Windows\SysWOW64\timeout.exe` | — | cmd.exe | admin | HIGH | 0 | timeout - pauses command processing | Microsoft Corporation | 10.0.19041.1 (WinBuild.160101.0800) |
| 1348 | `C:\Users\admin\AppData\Local\Temp\525fdd584d9eb2256aba1d88d36ad76a.exe` | `C:\Users\admin\AppData\Local\Temp\525fdd584d9eb2256aba1d88d36ad76a.exe` | — | cmd.exe | admin | HIGH | 0 | — | — | — |
| 1660 | `tasklist` | `C:\Windows\SysWOW64\tasklist.exe` | — | cmd.exe | admin | HIGH | 0 | Lists the current running tasks | Microsoft Corporation | 10.0.19041.1 (WinBuild.160101.0800) |
| 2140 | `"C:\WINDOWS\SysWOW64\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\525fdd584d9eb2256aba1d88d36ad76a.exe` | `C:\Windows\SysWOW64\cmd.exe` | — | Origin.pif | admin | HIGH | 0 | Windows Command Processor | Microsoft Corporation | 10.0.19041.3636 (WinBuild.160101.0800) |
| 4784 | `\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1` | `C:\Windows\System32\conhost.exe` | — | schtasks.exe | admin | HIGH | 0 | Console Window Host | Microsoft Corporation | 10.0.19041.1 (WinBuild.160101.0800) |
| 4892 | `\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1` | `C:\Windows\System32\conhost.exe` | — | cmd.exe | admin | HIGH | 0 | Console Window Host | Microsoft Corporation | 10.0.19041.1 (WinBuild.160101.0800) |
| 4988 | `findstr /I "wrsa.exe opssvc.exe"` | `C:\Windows\SysWOW64\findstr.exe` | — | cmd.exe | admin | HIGH | 1 | Find String (QGREP) Utility | Microsoft Corporation | 10.0.19041.1 (WinBuild.160101.0800) |

| PID | Process | Key | Name | Operation | Value |
|---|---|---|---|---|---|
| 8032 | Origin.pif | `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{C8B88496-0CF0-4950-8DC9-51B1E6CCA18F}Machine\Software\Policies\Microsoft\AppHVSI` | `AllowAppHVSI_ProviderSet` | write | 0 |
| 8032 | Origin.pif | `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{C8B88496-0CF0-4950-8DC9-51B1E6CCA18F}Machine\Software\Policies\Microsoft\EdgeUpdate` | `UpdateDefault` | write | 0 |
| 8032 | Origin.pif | `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{C8B88496-0CF0-4950-8DC9-51B1E6CCA18F}Machine\Software\Policies\Microsoft\Windows\Network Connections` | `NC_DoNotShowLocalOnlyIcon` | write | 1 |
| 8032 | Origin.pif | `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{C8B88496-0CF0-4950-8DC9-51B1E6CCA18F}Machine\Software\Policies\Microsoft\Windows\Windows Feeds` | `EnableFeeds` | write | 0 |
| 8032 | Origin.pif | `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{C8B88496-0CF0-4950-8DC9-51B1E6CCA18F}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate` | `WUServer` | write | http://neverupdatewindows10.com |
| 8032 | Origin.pif | `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{C8B88496-0CF0-4950-8DC9-51B1E6CCA18F}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate` | `WUStatusServer` | write | http://neverupdatewindows10.com |
| 8032 | Origin.pif | `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{C8B88496-0CF0-4950-8DC9-51B1E6CCA18F}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate` | `UpdateServiceUrlAlternate` | write | http://neverupdatewindows10.com |
| 8032 | Origin.pif | `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{C8B88496-0CF0-4950-8DC9-51B1E6CCA18F}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate` | `**del.FillEmptyContentUrls` | write | |
| 8032 | Origin.pif | `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{C8B88496-0CF0-4950-8DC9-51B1E6CCA18F}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate\AU` | `UseWUServer` | write | 1 |
| 8032 | Origin.pif | `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{C8B88496-0CF0-4950-8DC9-51B1E6CCA18F}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate\AU` | `NoAutoUpdate` | write | 0 |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 7656 | 525fdd584d9eb2256aba1d88d36ad76a.exe | `C:\Users\admin\AppData\Local\Temp\Vendor` | binary | 3032F7CAD7D5FDC76480D35C1B96F1D7 | 8787ADE46BC3D7F369535A52AD0DDEEFB014652D8E2B83A531A7498E2770C2E3 |
| 7656 | 525fdd584d9eb2256aba1d88d36ad76a.exe | `C:\Users\admin\AppData\Local\Temp\Emotions` | text | E1B45CCFF8C4F9B3F37B9BE092E5FC81 | FB199496184C801EEA454E0534DEC3CE932573892155FD8DD79EFBD4AA734B4B |
| 7656 | 525fdd584d9eb2256aba1d88d36ad76a.exe | `C:\Users\admin\AppData\Local\Temp\Tags` | binary | 93E1FB7C29E1C5D82D72013FD87585A2 | B910C0C4E8DFC593B3925AFC41F5BB1A5FA86A145E62577307AF2F7FF6427830 |
| 7656 | 525fdd584d9eb2256aba1d88d36ad76a.exe | `C:\Users\admin\AppData\Local\Temp\Stockings` | binary | 6675D3E1DA6AA19BB5135860F0EA0D37 | A9A5D51B384D8C3F746A8881A46C285D2EFD7291386C794AE9B7640D4BCFD500 |
| 7656 | 525fdd584d9eb2256aba1d88d36ad76a.exe | `C:\Users\admin\AppData\Local\Temp\Massachusetts` | binary | B1200B786C5397EBB9DCBC176B229B0D | ACA2E1C133B9DFA829CE1705FDE04035D3775FD07F31D35EA5169D3D20C70721 |
| 7656 | 525fdd584d9eb2256aba1d88d36ad76a.exe | `C:\Users\admin\AppData\Local\Temp\Portraits` | binary | A88120E86BA6642F82BA2854752F752B | 403446E9ADF7A1B92B7B067933DA55A2E16A866BB317C5CF1884A7F2B3D3FEF1 |
| 7656 | 525fdd584d9eb2256aba1d88d36ad76a.exe | `C:\Users\admin\AppData\Local\Temp\Radius` | binary | 1D5D54B6E631BFE5326A58FD4F4E51A5 | 1539BC762107D3365CC8B89200F744FE6128180DF90624697C5A01351C66EEDE |
| 7656 | 525fdd584d9eb2256aba1d88d36ad76a.exe | `C:\Users\admin\AppData\Local\Temp\Creator` | binary | 24DD5D66C756FA9137D34729169A7940 | 564193BF3415F803065F54113098012C86B9904A7D09DAD7C004658858248C48 |
| 7656 | 525fdd584d9eb2256aba1d88d36ad76a.exe | `C:\Users\admin\AppData\Local\Temp\Bdsm` | binary | C7E15E6E38E166594B2C9C2A60945065 | 6AFE68081A9F723647DAC3276C79B46EA0577D4B3DEE7673438DB1D95989E95B |
| 7656 | 525fdd584d9eb2256aba1d88d36ad76a.exe | `C:\Users\admin\AppData\Local\Temp\Convenience` | binary | B0F0B5535514047C83C7B2FA25324DCC | 5754A22B9CCA09B0E018139D55BC32FC3206E399D416DB20F7207AA9F5A38425 |

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| — | — | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| 5496 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| 5496 | MoUsoCoreWorker.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| 6544 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
| 7944 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
| — | — | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| 7944 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| — | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 5496 | MoUsoCoreWorker.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
| — | — | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
| 5496 | MoUsoCoreWorker.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
| — | — | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
| 6544 | svchost.exe | 20.190.160.3:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 6544 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted |

| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | | whitelisted |
| google.com | | whitelisted |
| crl.microsoft.com | | whitelisted |
| www.microsoft.com | | whitelisted |
| client.wns.windows.com | | whitelisted |
| login.live.com | | whitelisted |
| ocsp.digicert.com | | whitelisted |
| jZFqZYoOtpryMyRHD.jZFqZYoOtpryMyRHD | | unknown |
| slscr.update.microsoft.com | | whitelisted |
| fe3cr.delivery.mp.microsoft.com | | whitelisted |