MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e1f89b121df17eae4916d33f4d5bf13de8a95bb0344e42a5b8204e1fff2b82f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e1f89b121df17eae4916d33f4d5bf13de8a95bb0344e42a5b8204e1fff2b82f
SHA3-384 hash: 159b8c50c96217b548357341c69293985a0f98d7db4b71b808b749b5718c6a914c733b14e03bc7dfc788f4c7366f5bb6
SHA1 hash: b5f98a7e028d272e82a77fc56678eeb9eec81db4
MD5 hash: fe9d5f33dabac2b6601cd86f4519f5bc
humanhash: colorado-oranges-whiskey-oranges
File name:fe9d5f33dabac2b6601cd86f4519f5bc
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:3'368'448 bytes
First seen:2023-12-15 09:22:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 49152:/0zbiri3BqEz6807hQCkTTMo4/HtrmqWrLnbpQUbRLxXab:/+bWL8eIThKlmfbppbRLYb
Threatray 3 similar samples on MalwareBazaar
TLSH T16EF5282024C82647FD7ADFBC96DC72914F7AB5913722FB699B5209ED0ED1B48C803993
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
371
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/467533/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Creating a file
Creating a file in the %temp% subdirectories
Running batch commands
Reading critical registry keys
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed replace setupapi
Link:
https://www.filescan.io/uploads/657c1af7b4e856b7281ab33b/reports/bd468dc7-7c8a-4e14-9d14-cc32acf1b9e0/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0e1f89b121df17eae4916d33f4d5bf13de8a95bb0344e42a5b8204e1fff2b82f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bc554607-9d3a-4def-a0c4-9da19c6c59a9
Result
Threat name:
RisePro Stealer, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1362572
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RisePro Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1362572 Sample: sWKQ4er8xH.exe Startdate: 15/12/2023 Architecture: WINDOWS Score: 100 60 transfer.sh 2->60 62 ipinfo.io 2->62 70 Snort IDS alert for network traffic 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 Yara detected RisePro Stealer 2->74 76 6 other signatures 2->76 10 sWKQ4er8xH.exe 15 3 2->10         started        14 OfficeTrackerNMP131.exe 2 2->14         started        16 OfficeTrackerNMP131.exe 1 2->16         started        18 3 other processes 2->18 signatures3 process4 dnsIp5 68 transfer.sh 144.76.136.153, 443, 49734 HETZNER-ASDE Germany 10->68 88 Found many strings related to Crypto-Wallets (likely being stolen) 10->88 90 Writes to foreign memory regions 10->90 92 Allocates memory in foreign processes 10->92 94 Injects a PE file into a foreign processes 10->94 20 RegAsm.exe 15 68 10->20         started        25 conhost.exe 14->25         started        27 conhost.exe 16->27         started        29 conhost.exe 18->29         started        31 conhost.exe 18->31         started        33 conhost.exe 18->33         started        signatures6 process7 dnsIp8 64 91.92.249.253, 49735, 50500 THEZONEBG Bulgaria 20->64 66 ipinfo.io 34.117.59.81, 443, 49736 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 20->66 52 C:\...\YK3qkDp6TG9RE6sb99HGIH3GdIfgAPlZ.zip, Zip 20->52 dropped 54 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 20->54 dropped 56 C:\Users\user\AppData\...\FANBooster131.exe, PE32 20->56 dropped 58 2 other files (none is malicious) 20->58 dropped 80 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->80 82 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 20->82 84 Found many strings related to Crypto-Wallets (likely being stolen) 20->84 86 3 other signatures 20->86 35 cmd.exe 1 20->35         started        38 cmd.exe 1 20->38         started        40 WerFault.exe 20->40         started        file9 signatures10 process11 signatures12 78 Uses schtasks.exe or at.exe to add and modify task schedules 35->78 42 conhost.exe 35->42         started        44 schtasks.exe 1 35->44         started        46 schtasks.exe 1 38->46         started        48 conhost.exe 38->48         started        process13 process14 50 WerFault.exe 46->50         started       
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0e1f89b121df17eae4916d33f4d5bf13de8a95bb0344e42a5b8204e1fff2b82f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e1f89b121df17eae4916d33f4d5bf13de8a95bb0344e42a5b8204e1fff2b82f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-12-15 07:11:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
13 of 23 (56.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bypytmjb34l6vzernuz7jvn7cppivfn3ancoiks3qicod77sxaxq._file
Verdict:
unknown
Similar samples:
0e1f89b121df17eae4916d33f4d5bf13de8a95bb0344e42a5b8204e1fff2b82f
RiseProStealer
139b12dd41cbd5265eb479b207e18bf881ebc1f26787be435067b7b1ffd717b4
RiseProStealer
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection discovery persistence spyware stealer
Link:
https://tria.ge/reports/231215-lcfqmabgdl/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Unpacked files
SH256 hash:
592bfcb11a0ec07b7b0b7690fd791304d37fc3fe95c3a6fc0281f5d003128daf
MD5 hash:
568e05f23a1c49126b408887e101c267
SHA1 hash:
5cb4288cf5e313355c0f64c5877677bc15ed25fa
Link:
https://www.unpac.me/results/13838c42-b7f4-4ee4-9d06-b688102eb28f/
SH256 hash:
0e1f89b121df17eae4916d33f4d5bf13de8a95bb0344e42a5b8204e1fff2b82f
MD5 hash:
fe9d5f33dabac2b6601cd86f4519f5bc
SHA1 hash:
b5f98a7e028d272e82a77fc56678eeb9eec81db4
Detections:
INDICATOR_SUSPICIOUS_EXE_TransferSh_URL
Create hunting rule
Link:
https://www.unpac.me/results/13838c42-b7f4-4ee4-9d06-b688102eb28f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.77
Link:
https://yomi.yoroi.company/submissions/0e1f89b121df17eae4916d33f4d5bf13de8a95bb0344e42a5b8204e1fff2b82f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 0e1f89b121df17eae4916d33f4d5bf13de8a95bb0344e42a5b8204e1fff2b82f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2741066/
Cape
Cape
https://www.capesandbox.com/analysis/467533/

Comments


Avatar
zbet commented on 2023-12-15 09:22:45 UTC

url : hxxp://109.107.182.3/dote/film.exe