File name: RageMP131.exe
Full analysis: https://app.any.run/tasks/0998740c-bfc9-43d5-97b7-919261d66021
Verdict: Malicious activity
Threats:

RisePro, an information-stealing malware, targets a wide range of sensitive data, including credit cards, passwords, and cryptocurrency wallets. By compromising infected devices, RisePro can steal valuable information and potentially cause significant financial and personal losses for victims.

Analysis date: May 14, 2024, 14:35:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: stealer, risepro, evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 05481BAA9CDC76875C2D60D3C10FA76F
SHA1: 31E7F46EA3654854A128EF18F2B67A3C8EB3DD7E
SHA256: C7310CFA388018FF51A94A34972C449C19D8442C8F89F31CEA82BF0DA6896C0D
SSDEEP: 98304:ueqFxvHiVacbfxVDiWmInlVFeVrDumNcIVFtgIg5Ty4iPS6szgY2mu/B6FGiAbxJ:hrMW6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • RageMP131.exe (PID: 3972)
    • Changes the autorun value in the registry

      • RageMP131.exe (PID: 3972)
    • Uses Task Scheduler to autorun other applications

      • RageMP131.exe (PID: 3972)
    • RISEPRO has been detected (SURICATA)

      • RageMP131.exe (PID: 3972)
    • RISEPRO has been detected (YARA)

      • RageMP131.exe (PID: 3972)
  • SUSPICIOUS

    • Reads the BIOS version

      • RageMP131.exe (PID: 3972)
    • Process drops legitimate windows executable

      • RageMP131.exe (PID: 3972)
    • Starts a Microsoft application from unusual location

      • RageMP131.exe (PID: 3972)
    • Executable content was dropped or overwritten

      • RageMP131.exe (PID: 3972)
    • Reads settings of System Certificates

      • RageMP131.exe (PID: 3972)
    • Device Retrieving External IP Address Detected

      • RageMP131.exe (PID: 3972)
    • Contacting a server suspected of hosting a CnC

      • RageMP131.exe (PID: 3972)
    • Connects to unusual port

      • RageMP131.exe (PID: 3972)
    • Checks for external IP

      • RageMP131.exe (PID: 3972)
  • INFO

    • Reads the computer name

      • RageMP131.exe (PID: 3972)
      • wmpnscfg.exe (PID: 124)
    • Checks supported languages

      • RageMP131.exe (PID: 3972)
      • wmpnscfg.exe (PID: 124)
    • Creates files or folders in the user directory

      • RageMP131.exe (PID: 3972)
    • Creates files in the program directory

      • RageMP131.exe (PID: 3972)
    • Creates files in a temporary directory

      • RageMP131.exe (PID: 3972)
    • Reads the machine GUID from the registry

      • RageMP131.exe (PID: 3972)
    • Reads the software policy settings

      • RageMP131.exe (PID: 3972)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 124)

RisePro configuration

Process: RageMP131.exe (PID 3972)
C2 (1): 147.45.47.126:58709
Strings (58):
\launcher_profiles.json
\tlauncher_profiles.json
\.minecraft\launcher_msa_credentials.bin
\.lunarclient\settings\games\accounts.txt
\databases
VaultCloseVault
\OHqH
VaultOpenVault
\Battle.net
\Session Storage
]j8|q3
\Pidgin
\FileZilla
\LunarClient
\Minecraft
\Element\Local Storage
logins
\accounts.json
\TotalCommander
\Element
WSASend
\wcx_ftp.ini
M3ZQpD
w.'GS
\Messengers
\Skype
dHce5
\config.json
\OpenVPN Connect
\ICQ\0001
\Growtopia\save.dat
_*\Xq_
\launcher_msa_credentials.bin
\.feather\accounts.json
\TLauncher
\save.dat
\Growtopia
\ey_tokens.txt
APPDATA
\launcher_accounts.json
\.purple
\accounts.txt
\GHISLER\wcx_ftp.ini
VaultGetItem
\FeatherClient
\Signal
dH9zx46
C:\program files\steam
\Local Storage
\Microsoft\Skype for Desktop\Local Storage
\Games
\config
\Steam
C:\program files (x86)\steam
\.minecraft\launcher_profiles.json
\accounts.xml
\OpenVPN Connect\profiles
\.minecraft\launcher_accounts.json

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:08 10:22:34+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.39
CodeSize: 1424384
InitializedDataSize: 273920
UninitializedDataSize: -
EntryPoint: 0x5f1000
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 0.24032.58.0
ProductVersionNumber: 0.24032.58.0
FileFlagsMask: 0x003f
FileFlags: Special build
FileOS: Windows NT
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (Canadian)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: CrossDeviceSettingsHost.exe
FileVersion: 0.24032.58.0
InternalName: CrossDeviceComponentStub.App
LegalCopyright: Microsoft Corporation. All rights reserved.
OriginalFileName: CrossDeviceSettingsHost.exe
ProductName: CrossDeviceSettingsHost.exe
ProductVersion: 0.24032.58.0

The CompanyName, FileDescription and OriginalFileName fields above come from the file's version-info resource, which the author sets freely; they do not make this a Microsoft binary. The sandbox flags the sample as a Microsoft application started from an unusual location precisely because it runs from C:\Users\admin\AppData\Local\Temp while carrying Microsoft's name.
Total processes: 37
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

explorer.exe
  └─ RageMP131.exe (PID 3972) #RISEPRO
       ├─ schtasks.exe (PID 928, no signatures)
       └─ schtasks.exe (PID 4084, no signatures)
explorer.exe
  └─ wmpnscfg.exe (PID 124, no signatures, manual execution by the user)

Process information

PID 124
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID 928
CMD: schtasks /create /f /RU "admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Path: C:\Windows\System32\schtasks.exe
Parent process: RageMP131.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Note: schtasks returns a non-zero exit code (1) when /create fails. Both schtasks invocations in this run (PIDs 928 and 4084) exited with 1 from a medium-integrity parent while requesting /rl HIGHEST, so the "MPGPH131 LG" and "MPGPH131 HR" tasks are attempted persistence; the Run-key entry written by PID 3972 (see Modification events) is the confirmed one.
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID 3972
CMD: "C:\Users\admin\AppData\Local\Temp\RageMP131.exe"
Path: C:\Users\admin\AppData\Local\Temp\RageMP131.exe
Indicators: RisePro (configuration listed above)
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: CrossDeviceSettingsHost.exe
Version: 0.24032.58.0
Modules
Images
c:\users\admin\appdata\local\temp\ragemp131.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
PID 4084
CMD: schtasks /create /f /RU "admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Path: C:\Windows\System32\schtasks.exe
Parent process: RageMP131.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
Total events: 3 133
Read events: 3 118
Write events: 15
Delete events: 0

Modification events

Process: RageMP131.exe (PID 3972)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: RageMP131
Value: C:\Users\admin\AppData\Local\RageMP131\RageMP131.exe

Process: RageMP131.exe (PID 3972)
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Executable files: 2
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID 3972, RageMP131.exe -> C:\Users\admin\AppData\Local\RageMP131\RageMP131.exe (executable)
  MD5: 05481BAA9CDC76875C2D60D3C10FA76F
  SHA256: C7310CFA388018FF51A94A34972C449C19D8442C8F89F31CEA82BF0DA6896C0D
PID 3972, RageMP131.exe -> C:\ProgramData\MPGPH131\MPGPH131.exe (executable)
  MD5: 05481BAA9CDC76875C2D60D3C10FA76F
  SHA256: C7310CFA388018FF51A94A34972C449C19D8442C8F89F31CEA82BF0DA6896C0D
PID 3972, RageMP131.exe -> C:\Users\admin\AppData\Local\Temp\rage131MP.tmp (text)
  MD5: 98765EFEB4C6C482F64B4EDE60CFB662
  SHA256: 1F25A941B01C8B328F74214A580A7B304D4C94008C6895D597BFB8C3FBF3763E

Both dropped executables carry the same MD5/SHA256 as the submitted sample: the stealer copies itself unchanged to the two paths referenced by the Run key and the scheduled tasks, so one file hash covers all three locations.
HTTP(S) requests: 0
TCP/UDP connections: 7
DNS requests: 2
Threats: 22

HTTP requests

No HTTP requests

Connections

PID   Process        Destination           Domain     ASN                    CN  Reputation
4     System         192.168.100.255:138   -          -                      -   whitelisted
4     System         224.0.0.252:5355      -          -                      -   unknown
4     System         192.168.100.255:137   -          -                      -   whitelisted
1088  svchost.exe    224.0.0.252:5355      -          -                      -   unknown
3972  RageMP131.exe  147.45.47.126:58709   -          OOO FREEnet Group      RU  malicious
3972  RageMP131.exe  34.117.186.192:443    ipinfo.io  GOOGLE-CLOUD-PLATFORM  US  unknown
3972  RageMP131.exe  172.67.75.166:443     db-ip.com  CLOUDFLARENET          US  unknown

The NetBIOS (ports 137/138) and LLMNR (224.0.0.252:5355) entries are normal Windows name-resolution traffic from the sandbox host; only the three RageMP131.exe connections are generated by the sample. The C2 session uses a high, non-standard TCP port (58709) with no TLS, while the two external-IP lookups go over HTTPS to well-known services, so the stealer's own traffic is the one that stands out on a perimeter log.

DNS requests

Domain     IP(s)                                     Reputation
ipinfo.io  34.117.186.192                            shared
db-ip.com  172.67.75.166, 104.26.4.15, 104.26.5.15   whitelisted

Threats

PID 3972, RageMP131.exe:
  Misc Attack: ET DROP Spamhaus DROP Listed Traffic Inbound group 23
  A Network Trojan was detected: ET MALWARE RisePro TCP Heartbeat Packet
  Malware Command and Control Activity Detected: STEALER [ANY.RUN] RisePro TCP (Token)
  A Network Trojan was detected: ET MALWARE [ANY.RUN] RisePro TCP (Token)
  A Network Trojan was detected: ET MALWARE [ANY.RUN] RisePro TCP (Activity)
  Malware Command and Control Activity Detected: STEALER [ANY.RUN] RisePro TCP (activity)
  Device Retrieving External IP Address Detected: ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  Device Retrieving External IP Address Detected: ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io)
  Malware Command and Control Activity Detected: STEALER [ANY.RUN] RisePro TCP (get_settings)
  Malware Command and Control Activity Detected: STEALER [ANY.RUN] RisePro TCP (activity)
Debug strings

Process: RageMP131.exe
Message: %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
Process: RageMP131.exe
Message: ret 345 fdhg r

The first message is the banner of the Themida Professional protector (Oreans Technologies), which indicates the sample is Themida-packed; the RisePro target strings listed in the configuration above are therefore not expected to be visible in the file on disk and have to be recovered from the running process.
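The persistence and network artefacts in this report (the two schtasks /create calls with /rl HIGHEST pointing into C:\ProgramData, the HKCU Run entry pointing into AppData\Local, the ipinfo.io / db-ip.com lookups, and the C2 session to 147.45.47.126:58709) translate directly into host-hunting rules. The following is an added example, not ANY.RUN code, that applies those rules to Sysmon-style JSON-lines events. It assumes Sysmon's event IDs and field names (1 process creation, 3 network connection, 13 registry value set, 22 DNS query; Image, CommandLine, ParentProcessId, Hashes, TargetObject, Details, DestinationIp, DestinationPort, QueryName). The events at the bottom are constructed to mirror the report; the parent PID of 3972, the SID in the registry path and the two benign decoy events are made up.

```python
"""Hunt for the RisePro persistence and C2 artefacts documented in this report
in Sysmon-style JSON-lines events.  Added example, not ANY.RUN code; the event
lines at the bottom are constructed to mirror the sandbox data."""
import json
import re
from dataclasses import dataclass

# Indicators taken from the report.
C2_ENDPOINTS = {("147.45.47.126", 58709)}
SAMPLE_SHA256 = {"c7310cfa388018ff51a94a34972c449c19d8442c8f89f31cea82bf0da6896c0d"}
IP_LOOKUP_DOMAINS = {"ipinfo.io", "db-ip.com"}

# Locations a medium-integrity user can write to.  A Run entry or a task with
# /rl HIGHEST that launches from here is the pattern seen in the report.
USER_WRITABLE = re.compile(
    r"^(?:C:\\ProgramData\\|C:\\Users\\[^\\]+\\AppData\\)", re.IGNORECASE)
TR_RE = re.compile(r'/tr\s+"([^"]+)"', re.IGNORECASE)   # task action
TN_RE = re.compile(r'/tn\s+"([^"]+)"', re.IGNORECASE)   # task name
SC_RE = re.compile(r"/sc\s+(\w+)", re.IGNORECASE)       # schedule
RL_RE = re.compile(r"/rl\s+HIGHEST\b", re.IGNORECASE)   # highest run level


@dataclass(frozen=True)
class Finding:
    pid: int        # process the behaviour is attributed to
    severity: str   # low / medium / high / critical
    rule: str
    detail: str


def check_event(ev: dict) -> list:
    """Apply the report-derived rules to one Sysmon-style event dict."""
    out = []
    pid = int(ev.get("ProcessId", 0))
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        image, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
        if image.lower().endswith("\\schtasks.exe") and RL_RE.search(cmd):
            tr = TR_RE.search(cmd)
            if tr and USER_WRITABLE.match(tr.group(1)):
                tn, sc = TN_RE.search(cmd), SC_RE.search(cmd)
                # Attribute the task to the parent: it is the one persisting.
                actor = int(ev.get("ParentProcessId", pid))
                out.append(Finding(actor, "high", "schtasks_persistence",
                                   f"{tn.group(1) if tn else '?'} "
                                   f"[{sc.group(1) if sc else '?'}] -> {tr.group(1)}"))
        hashes = dict(h.split("=", 1) for h in ev.get("Hashes", "").split(",") if "=" in h)
        if hashes.get("SHA256", "").lower() in SAMPLE_SHA256:
            out.append(Finding(pid, "critical", "known_sample_hash", image))
    elif eid == 13:  # registry value set
        key, val = ev.get("TargetObject", ""), ev.get("Details", "")
        if "\\currentversion\\run\\" in key.lower() and USER_WRITABLE.match(val):
            out.append(Finding(pid, "high", "run_key_persistence", f"{key} = {val}"))
    elif eid == 3:  # network connection
        dst = (ev.get("DestinationIp", ""), int(ev.get("DestinationPort", 0)))
        if dst in C2_ENDPOINTS:
            out.append(Finding(pid, "critical", "risepro_c2", f"{dst[0]}:{dst[1]}"))
    elif eid == 22:  # DNS query
        name = ev.get("QueryName", "").lower()
        if name in IP_LOOKUP_DOMAINS:
            out.append(Finding(pid, "low", "external_ip_lookup", name))
    return out


def hunt(jsonl: str) -> list:
    """Run the rules over JSON-lines input.  An external-IP lookup is noise on
    its own, so it is raised to medium only when the same PID also tripped a
    high or critical rule (as PID 3972 does in the report)."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            findings.extend(check_event(json.loads(line)))
    hot = {f.pid for f in findings if f.severity in ("high", "critical")}
    return [Finding(f.pid, "medium", f.rule, f.detail)
            if f.rule == "external_ip_lookup" and f.pid in hot else f
            for f in findings]


# Constructed events mirroring the report (PIDs, paths, task names and C2 as in
# the report; the parent PID of 3972, the SID and the two benign events are made up).
RUN = r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run"
TASK = r'schtasks /create /f /RU "admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "%s" /sc %s /rl HIGHEST'
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "ProcessId": 3972, "ParentProcessId": 1804,
     "Image": r"C:\Users\admin\AppData\Local\Temp\RageMP131.exe",
     "Hashes": "SHA256=C7310CFA388018FF51A94A34972C449C19D8442C8F89F31CEA82BF0DA6896C0D"},
    {"EventID": 1, "ProcessId": 928, "ParentProcessId": 3972,
     "Image": r"C:\Windows\System32\schtasks.exe", "CommandLine": TASK % ("MPGPH131 LG", "ONLOGON")},
    {"EventID": 1, "ProcessId": 4084, "ParentProcessId": 3972,
     "Image": r"C:\Windows\System32\schtasks.exe", "CommandLine": TASK % ("MPGPH131 HR", "HOURLY")},
    {"EventID": 13, "ProcessId": 3972, "TargetObject": RUN + r"\RageMP131",
     "Details": r"C:\Users\admin\AppData\Local\RageMP131\RageMP131.exe"},
    {"EventID": 22, "ProcessId": 3972, "QueryName": "ipinfo.io"},
    {"EventID": 3, "ProcessId": 3972, "DestinationIp": "147.45.47.126", "DestinationPort": 58709},
    # Benign noise: a Run entry under Program Files and an unrelated IP lookup.
    {"EventID": 13, "ProcessId": 500, "TargetObject": RUN + r"\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"EventID": 22, "ProcessId": 2200, "QueryName": "db-ip.com"},
])

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.severity:8} pid={f.pid:<5} {f.rule:22} {f.detail}")
```

On the constructed input this yields seven findings, all high or critical ones attributed to PID 3972 (the two schtasks calls are credited to their parent, not to schtasks.exe itself), the ipinfo.io lookup from 3972 promoted to medium, and the unrelated db-ip.com lookup left at low. The Run-key rule deliberately keys on the target path rather than the value name, since the value name ("RageMP131") and the task names ("MPGPH131 LG"/"MPGPH131 HR") are trivially changed between builds while the user-writable launch path is structural to the technique.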