MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06483ffe223474a982ea65c29b3814d21b74ddce9fe4c9e7c1dc39e70a8cc7cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06483ffe223474a982ea65c29b3814d21b74ddce9fe4c9e7c1dc39e70a8cc7cb
SHA3-384 hash: be52ca3761c55a4e2ffc7bcb0fc5495aec8381a6d47afbdca0ac5efa3facd4c6400f3b4092dc72299df9fb51f6189196
SHA1 hash: 2171ca05b095a17a7f55a5494c9fe1d6b506dff2
MD5 hash: f9d4b42971b91e6eef8fbf4f6e68e967
humanhash: fillet-oxygen-cold-floor
File name:file
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:7'228'416 bytes
First seen:2024-05-28 20:48:45 UTC
Last seen:2024-05-28 21:17:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 196608:sGuT9MZPhYaGGDcy8tdoT+aja70rcSQ9:bSgcy8tOT/jQ0l
TLSH T13D76D00677F8CA1AD26F0733D4F4416083B5E7826713DB6FAD85216A1D027CE9E09ADE
TrID 44.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
34.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
6.3% (.EXE) Win64 Executable (generic) (10523/12/4)
3.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon d8d8f8d8d8d8d8d8 (1 x RiseProStealer)
Reporter Bitsight
Tags:exe RiseProStealer


Avatar
Bitsight
url: https://vk.com/doc863235369_679711980?hash=Qf1VK7FVJosS8bSVozDAjrJmaxMNHwlgGxRFMoJpNp8&dl=J7se5lyKlM814Uo0VLwGlL0ymHYAKpZ1JLinIm1OVac&api=1&no_preview=1#otr

Intelligence

File Origin
# of uploads :
2
# of downloads :
401
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
06483ffe223474a982ea65c29b3814d21b74ddce9fe4c9e7c1dc39e70a8cc7cb.exe
Verdict:
Malicious activity
Analysis date:
2024-05-28 20:49:58 UTC
Tags:
risepro
Link:
https://app.any.run/tasks/6a53dabd-ac6b-4226-98be-ba86c3c44a25

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.17477.15765.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6656434e5721c8e5271785cawin7simulatehigh_evasion
Tags:
Static Stealth
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Connection attempt to an infection source
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
expand lolbin net packed
Link:
https://www.filescan.io/uploads/66564345458fabe8a95c9e92/reports/3aed61ae-232f-4d6c-9157-20e0a4801f59/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/06483ffe223474a982ea65c29b3814d21b74ddce9fe4c9e7c1dc39e70a8cc7cb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RisePro Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/84d88b4c-4f9b-4767-8445-69e39251e135
Result
Threat name:
Clipboard Hijacker, PureLog Stealer, Ris
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1448693
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject threads in other processes
Detected unpacking (changes PE section rights)
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected Generic Downloader
Yara detected PureLog Stealer
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1448693 Sample: file.exe Startdate: 29/05/2024 Architecture: WINDOWS Score: 100 58 ipinfo.io 2->58 60 db-ip.com 2->60 68 Snort IDS alert for network traffic 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Antivirus detection for URL or domain 2->72 74 11 other signatures 2->74 10 file.exe 3 2->10         started        13 MSIUpdaterV2.exe 2->13         started        15 oobeldr.exe 2->15         started        17 4 other processes 2->17 signatures3 process4 signatures5 84 Writes to foreign memory regions 10->84 86 Allocates memory in foreign processes 10->86 88 Injects a PE file into a foreign processes 10->88 19 RegAsm.exe 1 99 10->19         started        90 Antivirus detection for dropped file 13->90 92 Multi AV Scanner detection for dropped file 13->92 94 Detected unpacking (changes PE section rights) 13->94 24 schtasks.exe 1 13->24         started        26 schtasks.exe 1 15->26         started        process6 dnsIp7 62 185.172.128.136, 49705, 49710, 50500 NADYMSS-ASRU Russian Federation 19->62 64 185.172.128.82, 49708, 80 NADYMSS-ASRU Russian Federation 19->64 66 2 other IPs or domains 19->66 48 C:\Users\user\...\_rI29YA4dhrYvJP9V4Fm.exe, MS-DOS 19->48 dropped 50 C:\Users\user\AppData\Local\...dgeMS2.exe, MS-DOS 19->50 dropped 52 C:\Users\user\AppData\Local\...\l2[1].exe, MS-DOS 19->52 dropped 54 3 other malicious files 19->54 dropped 76 Found evasive API chain (may stop execution after checking mutex) 19->76 78 Tries to steal Mail credentials (via file / registry access) 19->78 80 Found stalling execution ending in API Sleep call 19->80 82 5 other signatures 19->82 28 _rI29YA4dhrYvJP9V4Fm.exe 1 19->28         started        32 schtasks.exe 1 19->32         started        34 schtasks.exe 1 19->34         started        36 conhost.exe 24->36         started        38 conhost.exe 26->38         started        file8 signatures9 process10 file11 56 C:\Users\user\AppData\Roaming\...\oobeldr.exe, MS-DOS 28->56 dropped 96 Antivirus detection for dropped file 28->96 98 Multi AV Scanner detection for dropped file 28->98 100 Detected unpacking (changes PE section rights) 28->100 40 schtasks.exe 1 28->40         started        42 conhost.exe 32->42         started        44 conhost.exe 34->44         started        signatures12 process13 process14 46 conhost.exe 40->46         started       
Score:
65%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/06483ffe223474a982ea65c29b3814d21b74ddce9fe4c9e7c1dc39e70a8cc7cb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/06483ffe223474a982ea65c29b3814d21b74ddce9fe4c9e7c1dc39e70a8cc7cb/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-05-28 20:49:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
42
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=azed77rcgr2ktaxkmxbjwoau2inxjxoot7smtz6b3q46ocumy7fq._file
Verdict:
malicious
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro stealer
Link:
https://tria.ge/reports/240528-zlz3hsda25/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
RisePro
Malware Config
C2 Extraction:
185.172.128.136:50500
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9218920d-832a-492e-9a39-315887ab9530
Unpacked files
SH256 hash:
81cadb6a9546328647f2fbd1713fcf8ee49921c6a0c7b155f6d287acddab5fd7
MD5 hash:
eb029ab5c2f8de328736c53dc3c7df47
SHA1 hash:
e05c4fba0236fee2516bf53a287e41e0e97a0ee5
Link:
https://www.unpac.me/results/10be290c-33be-4062-98b6-01ed92d15bed/
Parent samples :
12df075fcaec366639ab37f203aa412540f351ee17e7f126a4a126e7a61c2a9b
b8a5ef9ea9fa588907a197db55c743559460190aa58b227db10d6be75d8bfe39
e603e36cae3f0fa9badbeaeff8fb0becb1ed444776892db76cd8d219e2ba92bd
SH256 hash:
d8e0ccdd5671a67d37664bae10d6c3809fd4f574cdd6fbd27d5c63deab5e2421
MD5 hash:
59b50cce8ed2e4c9bda3f7e0e67f79a8
SHA1 hash:
77c782d465a603165da440cc97e10b809470a8bd
Link:
https://www.unpac.me/results/10be290c-33be-4062-98b6-01ed92d15bed/
SH256 hash:
0864db32089e9f8635dbdfaf3e5e191b416bcf3109828f5d0e7f1710ec7a7981
MD5 hash:
6138e0aae0abb4b53f3bb4f2fd3acd48
SHA1 hash:
5cb5474289b65b83f25666bd568b534722d725b8
Link:
https://www.unpac.me/results/10be290c-33be-4062-98b6-01ed92d15bed/
SH256 hash:
64ff327b055d1ac858107d95726011701ba46d876fa606e876ed4e70ce49fecf
MD5 hash:
d00296d32b7c4df0b8e48b366bf5bcd1
SHA1 hash:
fe66d4ee59eb812cea66492fa2c8e0e8a21e8553
Link:
https://www.unpac.me/results/10be290c-33be-4062-98b6-01ed92d15bed/
SH256 hash:
78438397669ef90dea8f71576744cc1259c710a7da902cb168c60649be6b20c6
MD5 hash:
adc18116879ee7b94e84e77165faa6aa
SHA1 hash:
6194d5363bc8cdab62e4f39151a1d1972880b8c7
Link:
https://www.unpac.me/results/10be290c-33be-4062-98b6-01ed92d15bed/
SH256 hash:
8bfa92e3fe9915a625e8391766eb623e5d32b91e1e2d09cd3b4b0677c83158e4
MD5 hash:
74785ec23b8b609c1bf93e2813efe644
SHA1 hash:
3a1b1396c21692c136e77b91f9749f0136f2cbcd
Link:
https://www.unpac.me/results/10be290c-33be-4062-98b6-01ed92d15bed/
SH256 hash:
6db1d2502ab0ece03a0bdf8385521f3f1a71d39d8565293a1bb345d094281a48
MD5 hash:
9e9c97f44a7237030e91673485b0c9e9
SHA1 hash:
a5341e32be5077873f229d2d4d7ef4887df9c18d
Link:
https://www.unpac.me/results/10be290c-33be-4062-98b6-01ed92d15bed/
SH256 hash:
e08dc74c38c5c315c6f9a7d75f12394ea8391e3a8409b120524abac3275dbaf3
MD5 hash:
e5c30afbf4c73a728b1ecd1788f4beb5
SHA1 hash:
6914fa7f58a15056911d1815dfe6f80e5269b155
Link:
https://www.unpac.me/results/10be290c-33be-4062-98b6-01ed92d15bed/
SH256 hash:
06483ffe223474a982ea65c29b3814d21b74ddce9fe4c9e7c1dc39e70a8cc7cb
MD5 hash:
f9d4b42971b91e6eef8fbf4f6e68e967
SHA1 hash:
2171ca05b095a17a7f55a5494c9fe1d6b506dff2
Detections:
SUSP_NET_Msil_Suspicious_Use_StrReverse
Create hunting rule
Link:
https://www.unpac.me/results/10be290c-33be-4062-98b6-01ed92d15bed/
Malware family:
RisePro
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/06483ffe2234/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06483ffe223474a982ea65c29b3814d21b74ddce9fe4c9e7c1dc39e70a8cc7cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DotNet_Reactor
Create hunting rule
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:msil_suspicious_use_of_strreverse
Create hunting rule
Author:dr4k0nia
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETDLLMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_NET_Msil_Suspicious_Use_StrReverse
Create hunting rule
Author:dr4k0nia, modified by Florian Roth
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Reference:https://github.com/dr4k0nia/yara-rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 06483ffe223474a982ea65c29b3814d21b74ddce9fe4c9e7c1dc39e70a8cc7cb

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments