MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06ccb8e6100fd654b89367b2c6ea6be48dfc91c404656b4020516fcf1350179f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06ccb8e6100fd654b89367b2c6ea6be48dfc91c404656b4020516fcf1350179f
SHA3-384 hash: ca1e03509e0f65ee787846e33bba59df8872d14c77996ad1adc5bb51f1f1f6daf3a7ff8ffaa32794522109177ce4000e
SHA1 hash: a7620193cc85c05e6b341c8fcba18ef61c34b69c
MD5 hash: 2a3092d61d3c6208400625aeb8baa6fb
humanhash: arkansas-high-jupiter-bravo
File name:SecuriteInfo.com.Win32.TrojanX-gen.14293.13935
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'298'368 bytes
First seen:2024-01-31 20:26:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 49152:w9irDtug2+sw5BmaEQ2OVg+neQOyP1K3H1GneQcgQa:wwHf2UwaErOVgOtK3Hg
Threatray 12 similar samples on MalwareBazaar
TLSH T1DCB533FA8A748291DA371BB4881D16D841CB7D8B4490ADA6006CFCE91FFD5F9A01FF58
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4505/5/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon cc31e8cccce833cc (116 x RiseProStealer, 1 x Amadey)
Reporter SecuriteInfoCom
Tags:exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
284
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/473858/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.14293.13935.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm packed packed themidawinlicense
Link:
https://www.filescan.io/uploads/65baad197ddeff640e476996/reports/1962aa3b-151b-4f4f-8a4a-f646ed780e40/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/06ccb8e6100fd654b89367b2c6ea6be48dfc91c404656b4020516fcf1350179f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/67a032c8-e8fe-45c2-9843-834be1cfc82b
Result
Threat name:
PureLog Stealer, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1384362
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected PureLog Stealer
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1384362 Sample: SecuriteInfo.com.Win32.Troj... Startdate: 31/01/2024 Architecture: WINDOWS Score: 100 97 youtube-ui.l.google.com 2->97 99 www.youtube.com 2->99 101 34 other IPs or domains 2->101 131 Snort IDS alert for network traffic 2->131 133 Antivirus detection for URL or domain 2->133 135 Antivirus / Scanner detection for submitted sample 2->135 137 7 other signatures 2->137 9 SecuriteInfo.com.Win32.TrojanX-gen.14293.13935.exe 1 107 2->9         started        14 MPGPH131.exe 93 2->14         started        16 MPGPH131.exe 102 2->16         started        18 6 other processes 2->18 signatures3 process4 dnsIp5 103 185.215.113.68 WHOLESALECONNECTIONSNL Portugal 9->103 105 109.107.182.3 TELEPORT-TV-ASRU Russian Federation 9->105 107 2 other IPs or domains 9->107 79 C:\Users\user\...\nFcGiR_nhMdoxsUJbVmx.exe, PE32 9->79 dropped 81 C:\Users\user\...\a6RZt1CR44nhKVVEDtqD.exe, PE32 9->81 dropped 83 C:\Users\user\...\YsnGlq9NT0VlRjS9bwhp.exe, PE32 9->83 dropped 91 10 other malicious files 9->91 dropped 149 Detected unpacking (changes PE section rights) 9->149 151 Binary is likely a compiled AutoIt script file 9->151 153 Tries to steal Mail credentials (via file / registry access) 9->153 173 4 other signatures 9->173 20 UjlyxYRiyCY3ZP4N4zIl.exe 9->20         started        23 YsnGlq9NT0VlRjS9bwhp.exe 9->23         started        37 2 other processes 9->37 93 4 other malicious files 14->93 dropped 155 Antivirus detection for dropped file 14->155 157 Multi AV Scanner detection for dropped file 14->157 159 Machine Learning detection for dropped file 14->159 25 jkjsmyX9adcWntMAap9g.exe 14->25         started        85 C:\Users\user\...\rVuyoqHb79Ab_0omSZvC.exe, PE32 16->85 dropped 87 C:\Users\user\...\qHpFeUunHe_CG5guopIr.exe, PE32 16->87 dropped 89 C:\Users\user\...\jkjsmyX9adcWntMAap9g.exe, PE32 16->89 dropped 95 8 other malicious files 16->95 dropped 161 Tries to harvest and steal browser information (history, passwords, etc) 16->161 163 Hides threads from debuggers 16->163 165 Tries to detect sandboxes / dynamic malware analysis system (registry check) 16->165 27 jkjsmyX9adcWntMAap9g.exe 16->27         started        29 qHpFeUunHe_CG5guopIr.exe 16->29         started        167 Tries to detect sandboxes and other dynamic analysis tools (window names) 18->167 169 Tries to evade debugger and weak emulator (self modifying code) 18->169 171 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->171 31 firefox.exe 18->31         started        35 msedge.exe 18->35         started        39 2 other processes 18->39 file6 signatures7 process8 dnsIp9 139 Modifies windows update settings 20->139 141 Disables Windows Defender Tamper protection 20->141 143 Disable Windows Defender notifications (registry) 20->143 145 Disable Windows Defender real time protection (registry) 20->145 147 Binary is likely a compiled AutoIt script file 23->147 41 chrome.exe 23->41         started        44 chrome.exe 23->44         started        46 chrome.exe 23->46         started        54 9 other processes 23->54 48 chrome.exe 25->48         started        50 chrome.exe 27->50         started        52 chrome.exe 27->52         started        119 172.253.124.190 GOOGLEUS United States 31->119 121 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 31->121 127 9 other IPs or domains 31->127 75 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 31->75 dropped 77 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 31->77 dropped 56 6 other processes 31->56 123 13.107.246.41 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 35->123 125 20.75.60.91 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 35->125 129 20 other IPs or domains 35->129 58 2 other processes 37->58 file10 signatures11 process12 dnsIp13 109 192.168.2.5 unknown unknown 41->109 111 239.255.255.250 unknown Reserved 41->111 60 chrome.exe 41->60         started        63 chrome.exe 44->63         started        65 chrome.exe 46->65         started        67 chrome.exe 50->67         started        69 msedge.exe 54->69         started        71 msedge.exe 54->71         started        73 msedge.exe 54->73         started        process14 dnsIp15 113 accounts.google.com 142.250.105.84 GOOGLEUS United States 60->113 115 clients.l.google.com 142.250.9.102 GOOGLEUS United States 60->115 117 17 other IPs or domains 60->117
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/06ccb8e6100fd654b89367b2c6ea6be48dfc91c404656b4020516fcf1350179f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/06ccb8e6100fd654b89367b2c6ea6be48dfc91c404656b4020516fcf1350179f/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-01-31 20:27:06 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a3glrzqqb7lfjoetm6zmn2tl4sg7zeoearswwqbakfx46e2qc6pq._file
Verdict:
malicious
Similar samples:
00e518ee9b4fe5909e432f9671b8f46f74f79a4f60fe882529cc068b8b50cdf8
RiseProStealer
0675e4f8053c0fab9f193059335f9a01f589536fc12eb03ada942c33ca9bfd77
RiseProStealer
2f7f23610e8e0633ef0b03d602a02734bdcadab3fdc8c15d0f6d93a0a454fa6f
RiseProStealer
9351da4f7387db729e9c8f5aa3c746197449922c6f1dafa59b02941bbe5615d2
RiseProStealer
9e0fdb12f3c1424fc1835a3f2fa330c876299cc072ada7a7ab265ac7207cccab
RiseProStealer
d0147494ca9687e1035bb977a4d3dd8381358603bcafa4adfb98b629e060bf32
RiseProStealer
+ 2 additional samples on MalwareBazaar
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer
Link:
https://tria.ge/reports/240131-y8d8wscah7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.62:50500
Unpacked files
SH256 hash:
bc435412ab0573dd0f690eaafc3ca319f0bc2562508d9e66b21088d165c28209
MD5 hash:
cb19147a05abc053e438bb327e1b1504
SHA1 hash:
d0e0ccf40f2a230bbd22e49aade216c020919b14
Link:
https://www.unpac.me/results/0e60b59b-f26b-4c15-9cd4-4aae6b494f8f/
SH256 hash:
06ccb8e6100fd654b89367b2c6ea6be48dfc91c404656b4020516fcf1350179f
MD5 hash:
2a3092d61d3c6208400625aeb8baa6fb
SHA1 hash:
a7620193cc85c05e6b341c8fcba18ef61c34b69c
Link:
https://www.unpac.me/results/0e60b59b-f26b-4c15-9cd4-4aae6b494f8f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/06ccb8e6100f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06ccb8e6100fd654b89367b2c6ea6be48dfc91c404656b4020516fcf1350179f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_e5f4703f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 06ccb8e6100fd654b89367b2c6ea6be48dfc91c404656b4020516fcf1350179f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2754196/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/473858/

Comments