MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0bc90706defe0f5defbc5be90ea4d4c14ec01ad3b85ac35baa4db1b9906bcad6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0bc90706defe0f5defbc5be90ea4d4c14ec01ad3b85ac35baa4db1b9906bcad6
SHA3-384 hash: 9a6aca41772bcbcb12d0efb1d2aeae0dc1786dcb20b4c820ef318ec7afc5204b0df3b94ad858a20b6700a5554a3f6e26
SHA1 hash: 56dd9e9f55888f4b866c5f72dac7693c4c43a922
MD5 hash: 328fd7982434a7461238a8d884c3cf4c
humanhash: pluto-hot-eleven-arizona
File name:WEXTRACT.exe
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:3'907'584 bytes
First seen:2024-01-05 06:05:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:33kEcRU7TlFw5pHdCzcGgWN7J4r9oVMRJOE35:33k+HlGAxfN7Y0MRb
TLSH T191063315EEE890B2DCD7877506F2038B1A36FF22AE3412657710EA005CA35F99574B7E
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter adm1n_usa32
Tags:exe RiseProStealer WEXTRACT

Intelligence

File Origin
# of uploads :
1
# of downloads :
309
Origin country :
RO RO
Vendor Threat Intelligence
Detection:
RisePro
Create hunting rule
Link:
https://www.capesandbox.com/analysis/469567/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Сreating synchronization primitives
Searching for the browser window
DNS request
Sending a custom TCP request
Setting a single autorun event
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
89%
Tags:
advpack anti-vm CAB control explorer greyware installer lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/65979c4bb855eb3693141f7a/reports/9b00e6c4-29aa-4fb6-b05f-d470d13f659d/overview
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/0bc90706defe0f5defbc5be90ea4d4c14ec01ad3b85ac35baa4db1b9906bcad6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/556ad61f-5aa1-4def-9fe0-f4539039b45f
Result
Threat name:
Amadey, RHADAMANTHYS, RisePro Stealer, V
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1370197
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found API chain indicative of sandbox detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Suspicious execution chain found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected RHADAMANTHYS Stealer
Yara detected RisePro Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1370197 Sample: WEXTRACT.exe Startdate: 05/01/2024 Architecture: WINDOWS Score: 100 139 185.215.113.68 WHOLESALECONNECTIONSNL Portugal 2->139 141 ipinfo.io 2->141 143 5 other IPs or domains 2->143 161 Snort IDS alert for network traffic 2->161 163 Found malware configuration 2->163 165 Antivirus detection for URL or domain 2->165 167 16 other signatures 2->167 11 WEXTRACT.exe 1 4 2->11         started        14 OfficeTrackerNMP131.exe 2->14         started        17 MaxLoonaFest131.exe 2->17         started        19 5 other processes 2->19 signatures3 process4 file5 125 C:\Users\user\AppData\Local\...\zy9NP42.exe, PE32 11->125 dropped 127 C:\Users\user\AppData\Local\...\7Mw7yx12.exe, PE32 11->127 dropped 21 zy9NP42.exe 1 4 11->21         started        129 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 14->129 dropped 131 C:\...behaviorgraphmQCgtJo64xqDHYcqLnUacvVXeiJ5uJt.zip, Zip 14->131 dropped 193 Antivirus detection for dropped file 14->193 195 Multi AV Scanner detection for dropped file 14->195 197 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->197 209 5 other signatures 14->209 25 powershell.exe 14->25         started        27 powershell.exe 14->27         started        29 powershell.exe 14->29         started        37 11 other processes 14->37 133 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 17->133 dropped 199 Detected unpacking (changes PE section rights) 17->199 201 Tries to steal Mail credentials (via file / registry access) 17->201 203 Machine Learning detection for dropped file 17->203 31 conhost.exe 17->31         started        135 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 19->135 dropped 137 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 19->137 dropped 205 Tries to harvest and steal browser information (history, passwords, etc) 19->205 207 Hides threads from debuggers 19->207 33 powershell.exe 19->33         started        35 conhost.exe 19->35         started        39 2 other processes 19->39 signatures6 process7 file8 109 C:\Users\user\AppData\Local\...\MY6Wi92.exe, PE32 21->109 dropped 111 C:\Users\user\AppData\Local\...\3rm15HU.exe, PE32 21->111 dropped 169 Antivirus detection for dropped file 21->169 171 Multi AV Scanner detection for dropped file 21->171 173 Machine Learning detection for dropped file 21->173 41 MY6Wi92.exe 1 4 21->41         started        45 3rm15HU.exe 21 30 21->45         started        48 conhost.exe 25->48         started        50 conhost.exe 27->50         started        52 conhost.exe 29->52         started        54 conhost.exe 33->54         started        56 conhost.exe 37->56         started        58 conhost.exe 37->58         started        60 7 other processes 37->60 signatures9 process10 dnsIp11 113 C:\Users\user\AppData\Local\...\2al3504.exe, PE32 41->113 dropped 115 C:\Users\user\AppData\Local\...\1OJ96lj2.exe, PE32 41->115 dropped 175 Antivirus detection for dropped file 41->175 177 Multi AV Scanner detection for dropped file 41->177 179 Binary is likely a compiled AutoIt script file 41->179 62 2al3504.exe 1 41->62         started        65 1OJ96lj2.exe 12 41->65         started        157 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 45->157 159 ipinfo.io 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 45->159 117 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 45->117 dropped 119 C:\Users\user\AppData\...\FANBooster131.exe, PE32 45->119 dropped 121 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 45->121 dropped 123 C:\ProgramData\...\OfficeTrackerNMP131.exe, PE32 45->123 dropped 181 Detected unpacking (changes PE section rights) 45->181 183 Machine Learning detection for dropped file 45->183 185 Disables Windows Defender Tamper protection 45->185 187 4 other signatures 45->187 67 powershell.exe 45->67         started        69 cmd.exe 45->69         started        71 powershell.exe 45->71         started        73 13 other processes 45->73 file12 signatures13 process14 signatures15 211 Antivirus detection for dropped file 62->211 213 Multi AV Scanner detection for dropped file 62->213 215 Detected unpacking (changes PE section rights) 62->215 217 Hides threads from debuggers 62->217 75 dialer.exe 62->75         started        219 Binary is likely a compiled AutoIt script file 65->219 221 Machine Learning detection for dropped file 65->221 223 Found API chain indicative of sandbox detection 65->223 225 Contains functionality to modify clipboard data 65->225 79 chrome.exe 9 65->79         started        81 chrome.exe 65->81         started        83 chrome.exe 65->83         started        227 Found many strings related to Crypto-Wallets (likely being stolen) 67->227 85 conhost.exe 67->85         started        229 Uses schtasks.exe or at.exe to add and modify task schedules 69->229 87 schtasks.exe 69->87         started        89 conhost.exe 71->89         started        91 conhost.exe 73->91         started        93 10 other processes 73->93 process16 dnsIp17 151 91.92.245.204 THEZONEBG Bulgaria 75->151 189 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 75->189 95 OpenWith.exe 75->95         started        153 192.168.2.5, 443, 49705, 49706 unknown unknown 79->153 155 239.255.255.250 unknown Reserved 79->155 191 Suspicious execution chain found 79->191 98 chrome.exe 79->98         started        101 chrome.exe 79->101         started        103 chrome.exe 6 79->103         started        105 chrome.exe 81->105         started        107 chrome.exe 83->107         started        signatures18 process19 dnsIp20 231 Found many strings related to Crypto-Wallets (likely being stolen) 95->231 233 Tries to harvest and steal browser information (history, passwords, etc) 95->233 145 142.250.113.100 GOOGLEUS United States 98->145 147 play.google.com 142.250.113.102 GOOGLEUS United States 98->147 149 26 other IPs or domains 98->149 signatures21
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0bc90706defe0f5defbc5be90ea4d4c14ec01ad3b85ac35baa4db1b9906bcad6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0bc90706defe0f5defbc5be90ea4d4c14ec01ad3b85ac35baa4db1b9906bcad6/
Threat name:
Win32.Trojan.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2024-01-05 06:06:07 UTC
File Type:
PE (Exe)
Extracted files:
140
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bpeqobw67yhv3354lpuq5jguyfhmagwtxbnmgw5kjwy3tedlzlla._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/240105-gtqvpsedgr/
Behaviour
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
AutoIT Executable
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
a3d567a1958906e75aa85e0cbbe4aea5380aa9bba36cc5069241608d67ee8956
MD5 hash:
725ea7ffc4f29b13afdad0556d5f5f6b
SHA1 hash:
72ce38f591b78fe68c8c79439551165b9f138ef8
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/92e05f22-71c0-4afc-9aee-d9424d79de38/
SH256 hash:
0bc90706defe0f5defbc5be90ea4d4c14ec01ad3b85ac35baa4db1b9906bcad6
MD5 hash:
328fd7982434a7461238a8d884c3cf4c
SHA1 hash:
56dd9e9f55888f4b866c5f72dac7693c4c43a922
Link:
https://www.unpac.me/results/92e05f22-71c0-4afc-9aee-d9424d79de38/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0bc90706defe0f5defbc5be90ea4d4c14ec01ad3b85ac35baa4db1b9906bcad6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/edad2d56-3e5c-4be9-8c24-ae6248d0532c
Cape
Cape
https://www.capesandbox.com/analysis/469567/

Comments