MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cdec19adb735aca908f217797e20640983530d126d56beb20fde22886234cf2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RiseProStealer


Vendor detections: 5

SHA256 hash: 0cdec19adb735aca908f217797e20640983530d126d56beb20fde22886234cf2
SHA3-384 hash: a89e56ec6616c06e72ae3dff1e3b1d1bac3d5b7c6edc61a8306c896f32c0fbee1835839dd038d79a1b5cf051e1676dc7
SHA1 hash: e35af824924047ada641cc7a2a99b189273291e3
MD5 hash: 95e77bdf04b7031650d6c6db30407cbd
humanhash: pluto-lion-enemy-aspen
File name: path32466.rar
Signature: RiseProStealer
File size: 8'577'262 bytes
First seen: 2025-04-10 10:47:37 UTC
Last seen: Never
File type: rar
MIME type: application/x-rar
Note: This file is a password protected archive. The password is: 1234
ssdeep: 196608:B0r0FPd7F7LlvUb5Ljz7993RREblHkt3bd3bJyEBqsMsQ0l7yw0:B02lIvz7bBREblEv3lyEY2RV0
TLSH: T1458633E857A00534F660D4EFDBAC18478E30B439D98559CFC73E6CAEA0C773B5962A60
TrID: 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
      38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika: rar
Reporter: aachum
Tags: AutoIT file-pumped pw-1234 rar RiseProStealer sst-my


iamaachum
https://sst.my/server/fold4rio24.rar (password 1234)

RisePro C2:
193.233.232.86

Intelligence


File Origin
# of uploads: 1
# of downloads: 99
Origin country: ES
File Archive Information

This file archive contains 4 file(s), sorted by their relevance:

File name: nvopencl64.dll
File size: 10'710'664 bytes
SHA256 hash: cf10a54ba11815b597436f064619d034a8b498ba09c02ad0b55bf02037e7f424
MD5 hash: d42782c28535e4c714b2b5d412210b80
MIME type: application/x-dosexec
Signature: RiseProStealer

File name: AppFile.exe
Pumped file: This file is pumped. MalwareBazaar has de-pumped it.
File size: 738'197'504 bytes
SHA256 hash: c18cfe3c266f22c3ffe14b3ef378086a6a43c75ed39311ce9df14800b077e422
MD5 hash: 4391bf1f2f9d1931e05d1c4bda867d2b
De-pumped file size: 338'432 bytes (vs. original size of 738'197'504 bytes)
De-pumped SHA256 hash: ca75167306f9d392428aa49d07d2e3996502f1fc89185aefad1a37b22499bf87
De-pumped MD5 hash: 7a5e3dffa39575d876da23f538c7ecf9
MIME type: application/x-dosexec
Signature: RiseProStealer

File name: NvFBC64.dll
File size: 2'168'352 bytes
SHA256 hash: 13dad6eeb16f0ab99ff9d1933e5a09465115ce5a1816cb9a62f18d04b882ec0a
MD5 hash: d3c8b4321e0ff16607d3789a0056fb16
MIME type: application/x-dosexec
Signature: RiseProStealer

File name: NvFBC.dll
File size: 1'621'616 bytes
SHA256 hash: 62d9de1c56e7f71fead4b520252ed656fd22b1640d218a85f91653e3eb3d48b0
MD5 hash: a92382996045119ffdb2dea19e1484c2
MIME type: application/x-dosexec
Signature: RiseProStealer
Vendor Threat Intelligence
Verdict: Malicious
Score: 90.2%
Tags: autoit emotet
Result
Malware family: risepro
Score: 10/10
Tags: family:risepro discovery stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Network Share Discovery
Checks computer location settings
Executes dropped EXE
RisePro
Risepro family
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction: 193.233.232.86
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RiseProStealer
Sample: rar 0cdec19adb735aca908f217797e20640983530d126d56beb20fde22886234cf2 (this sample)
