MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0675e4f8053c0fab9f193059335f9a01f589536fc12eb03ada942c33ca9bfd77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0675e4f8053c0fab9f193059335f9a01f589536fc12eb03ada942c33ca9bfd77
SHA3-384 hash: fa0f2ae523f381b7aa5f05d9e5973bf5ed9dca977bb5a3b7c56a7cc3744f7cb493e6318e0fd7d1cfb71aad2b642e3d14
SHA1 hash: aa8598d11eb914559928b8e1bbe9084d17b43f98
MD5 hash: 12cff5e9e26edfaa6e5395a36d64692b
humanhash: west-blue-charlie-mike
File name:file
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'352'128 bytes
First seen:2024-01-30 18:01:04 UTC
Last seen:2024-01-30 19:26:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 49152:ExSeyMPA9vgrddLmfNftOIWym09e79fevhZnbZQh:wyF9qzafzFE74ptbZQ
Threatray 9 similar samples on MalwareBazaar
TLSH T1BDB533D162720AE2E90B6BFA1F5B4542F31B1C73546A6AE42443F1E0873D53F06E9ED8
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4505/5/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon cc31e8cccce833cc (116 x RiseProStealer, 1 x Amadey)
Reporter Bitsight
Tags:exe RiseProStealer


Avatar
Bitsight
url: http://109.107.182.3/cost/lada.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
325
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/473629/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.9933.4069.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
86%
Tags:
packed packed themidawinlicense
Link:
https://www.filescan.io/uploads/65b93969bc91f83c807279c2/reports/4e208da0-236e-47e2-8202-1c671de7a5d8/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/0675e4f8053c0fab9f193059335f9a01f589536fc12eb03ada942c33ca9bfd77
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0a91d33d-0973-45ee-a274-1767dd14b0f4
Result
Threat name:
Amadey, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1383507
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Downloads suspicious files via Chrome
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for dropped file
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1383507 Sample: file.exe Startdate: 30/01/2024 Architecture: WINDOWS Score: 100 85 youtube-ui.l.google.com 2->85 87 www.youtube.com 2->87 89 31 other IPs or domains 2->89 119 Snort IDS alert for network traffic 2->119 121 Antivirus detection for URL or domain 2->121 123 Antivirus / Scanner detection for submitted sample 2->123 125 9 other signatures 2->125 9 file.exe 1 109 2->9         started        14 MPGPH131.exe 2 2->14         started        16 RageMP131.exe 2 2->16         started        18 6 other processes 2->18 signatures3 process4 dnsIp5 101 185.215.113.68 WHOLESALECONNECTIONSNL Portugal 9->101 103 109.107.182.3, 49701, 80 TELEPORT-TV-ASRU Russian Federation 9->103 109 2 other IPs or domains 9->109 69 C:\Users\user\...\_E2L5sw8ZHCPPUpOr_j9.exe, PE32 9->69 dropped 71 C:\Users\user\...\I99UfUxBWKuXJsEexhC1.exe, PE32 9->71 dropped 73 C:\Users\user\...\C4tQrebOKkhKEzWgUdHJ.exe, PE32 9->73 dropped 81 10 other malicious files 9->81 dropped 147 Detected unpacking (changes PE section rights) 9->147 149 Binary is likely a compiled AutoIt script file 9->149 151 Tries to steal Mail credentials (via file / registry access) 9->151 169 5 other signatures 9->169 20 _E2L5sw8ZHCPPUpOr_j9.exe 9->20         started        23 C4tQrebOKkhKEzWgUdHJ.exe 9->23         started        25 I99UfUxBWKuXJsEexhC1.exe 13 9->25         started        34 4 other processes 9->34 153 Antivirus detection for dropped file 14->153 155 Multi AV Scanner detection for dropped file 14->155 157 Machine Learning detection for dropped file 14->157 159 Tries to evade debugger and weak emulator (self modifying code) 16->159 161 Hides threads from debuggers 16->161 163 Tries to detect sandboxes / dynamic malware analysis system (registry check) 16->163 105 142.250.105.190 GOOGLEUS United States 18->105 107 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 18->107 111 9 other IPs or domains 18->111 75 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 18->75 dropped 77 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 18->77 dropped 79 C:\Users\user\...\page_embed_script.js, ASCII 18->79 dropped 83 3 other malicious files 18->83 dropped 165 Maps a DLL or memory area into another process 18->165 167 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->167 27 msedge.exe 18->27         started        30 firefox.exe 18->30         started        32 firefox.exe 18->32         started        37 5 other processes 18->37 file6 signatures7 process8 dnsIp9 127 Multi AV Scanner detection for dropped file 20->127 129 Detected unpacking (changes PE section rights) 20->129 131 Tries to detect sandboxes and other dynamic analysis tools (window names) 20->131 145 3 other signatures 20->145 133 Modifies windows update settings 23->133 135 Disables Windows Defender Tamper protection 23->135 137 Disable Windows Defender notifications (registry) 23->137 139 Disable Windows Defender real time protection (registry) 23->139 141 Binary is likely a compiled AutoIt script file 25->141 39 chrome.exe 25->39         started        42 chrome.exe 25->42         started        44 chrome.exe 25->44         started        50 9 other processes 25->50 113 bzib.nelreports.net 27->113 115 13.107.22.239 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 27->115 117 21 other IPs or domains 27->117 67 C:\Users\user\AppData\Local\...\explorhe.exe, PE32 34->67 dropped 143 Hides threads from debuggers 34->143 46 conhost.exe 34->46         started        48 conhost.exe 34->48         started        file10 signatures11 process12 dnsIp13 97 192.168.2.6, 443, 49698, 49699 unknown unknown 39->97 99 239.255.255.250 unknown Reserved 39->99 52 chrome.exe 39->52         started        55 chrome.exe 42->55         started        57 chrome.exe 44->57         started        59 msedge.exe 50->59         started        61 msedge.exe 50->61         started        63 msedge.exe 50->63         started        65 chrome.exe 50->65         started        process14 dnsIp15 91 youtube-ui.l.google.com 108.177.122.93 GOOGLEUS United States 52->91 93 www3.l.google.com 142.250.105.138 GOOGLEUS United States 52->93 95 17 other IPs or domains 52->95
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0675e4f8053c0fab9f193059335f9a01f589536fc12eb03ada942c33ca9bfd77
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0675e4f8053c0fab9f193059335f9a01f589536fc12eb03ada942c33ca9bfd77/
Threat name:
Win32.Spyware.Risepro
Create hunting rule
Status:
Malicious
First seen:
2024-01-30 18:02:08 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=az26j6afhqh2xhyzgbmtgx42ah2ysu3pyexlaow2sqwdhsu37v3q._file
Verdict:
malicious
Similar samples:
00e518ee9b4fe5909e432f9671b8f46f74f79a4f60fe882529cc068b8b50cdf8
RiseProStealer
2f7f23610e8e0633ef0b03d602a02734bdcadab3fdc8c15d0f6d93a0a454fa6f
RiseProStealer
9351da4f7387db729e9c8f5aa3c746197449922c6f1dafa59b02941bbe5615d2
RiseProStealer
9e0fdb12f3c1424fc1835a3f2fa330c876299cc072ada7a7ab265ac7207cccab
RiseProStealer
d0147494ca9687e1035bb977a4d3dd8381358603bcafa4adfb98b629e060bf32
RiseProStealer
fbeb0e418fb3c16c3ff0a654969998ab3c2237abd3d840066731df8f212c95bc
RiseProStealer
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer
Link:
https://tria.ge/reports/240130-wlyb5saef2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.62:50500
Unpacked files
SH256 hash:
c4a1c553f464401271c2b2c8c1eddaed0d09b774227e3e01768b0f7acab99183
MD5 hash:
f09ab9148429c51f910c365ee0e2fe0d
SHA1 hash:
c220dc1079a4dbfad9b96af5f93b0338852d1ac2
Link:
https://www.unpac.me/results/d67ad1e8-960c-47dd-b86c-2ec322ab5aa7/
SH256 hash:
0675e4f8053c0fab9f193059335f9a01f589536fc12eb03ada942c33ca9bfd77
MD5 hash:
12cff5e9e26edfaa6e5395a36d64692b
SHA1 hash:
aa8598d11eb914559928b8e1bbe9084d17b43f98
Link:
https://www.unpac.me/results/d67ad1e8-960c-47dd-b86c-2ec322ab5aa7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0675e4f8053c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0675e4f8053c0fab9f193059335f9a01f589536fc12eb03ada942c33ca9bfd77

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 0675e4f8053c0fab9f193059335f9a01f589536fc12eb03ada942c33ca9bfd77

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/473629/
  
URLhaus
https://urlhaus.abuse.ch/url/2752629/

Comments