MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e5159fa0db346e48ccbb3398a7e83a9e5257c3dd8ff0e4239d2ca602b77d70f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e5159fa0db346e48ccbb3398a7e83a9e5257c3dd8ff0e4239d2ca602b77d70f
SHA3-384 hash: 3fc20e42d04bb3930b8ccd5c9b0c41588812b9cbdcb262371519d8a4a3a1ec70ce0cc2772d78b78e16500c97d756f319
SHA1 hash: b6049ede02e71b33a31aa656e6b0d541bd043744
MD5 hash: 8ff72b28f884e621996adfb787ae9fbb
humanhash: timing-beer-vegan-sierra
File name:8ff72b28f884e621996adfb787ae9fbb
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'400'256 bytes
First seen:2024-02-09 11:49:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:+wFh0yf4702eWE6kjzB21+QW7j0+SOkilsGvDq9s5:+yA7AWizMXW7j0+SAtDq9s
Threatray 2 similar samples on MalwareBazaar
TLSH T1FFB523CDBC40A447CAC4A53088E2FAF9123FEC95A94290DA7CED7F977676A150523D2C
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon e0d4e8e8e8f0d4c8 (58 x RiseProStealer, 3 x Worm.Ramnit)
Reporter zbetcheckin
Tags:32 exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
547
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/475567/
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65c6116ca1fd0c3a5945c9e1/reports/448f07c7-c27c-480a-9776-ca7984df79c3/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/0e5159fa0db346e48ccbb3398a7e83a9e5257c3dd8ff0e4239d2ca602b77d70f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/08660d8e-ddac-4c25-8085-a927dd380e3f
Result
Threat name:
Amadey, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1389707
Signature
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1389707 Sample: 6l2HJTG7zd.exe Startdate: 09/02/2024 Architecture: WINDOWS Score: 100 124 Antivirus detection for URL or domain 2->124 126 Multi AV Scanner detection for submitted file 2->126 128 Yara detected RisePro Stealer 2->128 130 4 other signatures 2->130 8 6l2HJTG7zd.exe 2 117 2->8         started        13 MPGPH131.exe 105 2->13         started        15 MPGPH131.exe 107 2->15         started        17 7 other processes 2->17 process3 dnsIp4 98 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->98 100 193.233.132.167 FREE-NET-ASFREEnetEU Russian Federation 8->100 102 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 8->102 80 C:\Users\user\...\v3b1OsZ5aN3Jo9dcREaB.exe, PE32 8->80 dropped 82 C:\Users\user\...\jPKMCtd9jdaSaSEhdJma.exe, PE32 8->82 dropped 84 C:\Users\user\...\W8k5iJ_BsAkCZwZNGLXq.exe, PE32 8->84 dropped 92 12 other malicious files 8->92 dropped 154 Detected unpacking (changes PE section rights) 8->154 156 Binary is likely a compiled AutoIt script file 8->156 158 Tries to steal Mail credentials (via file / registry access) 8->158 176 4 other signatures 8->176 19 SBmOnJUpUOjJzfxbiJ0N.exe 8->19         started        22 v3b1OsZ5aN3Jo9dcREaB.exe 8->22         started        24 Sl3vWramtcO_MYlnhOPV.exe 8->24         started        34 4 other processes 8->34 86 C:\Users\user\...\uakcHToCEuKsCBwumL61.exe, PE32 13->86 dropped 88 C:\Users\user\...\q6L6ErzJ8DRHy33Hu45J.exe, PE32 13->88 dropped 90 C:\Users\user\...\h3OSVKsf7Y6p0oOrIP1O.exe, PE32 13->90 dropped 94 8 other malicious files 13->94 dropped 160 Multi AV Scanner detection for dropped file 13->160 162 Machine Learning detection for dropped file 13->162 164 Found many strings related to Crypto-Wallets (likely being stolen) 13->164 96 7 other malicious files 15->96 dropped 166 Tries to harvest and steal browser information (history, passwords, etc) 15->166 168 Hides threads from debuggers 15->168 170 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->170 172 Tries to evade debugger and weak emulator (self modifying code) 17->172 174 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 17->174 27 firefox.exe 17->27         started        30 firefox.exe 17->30         started        32 msedge.exe 17->32         started        36 9 other processes 17->36 file5 signatures6 process7 dnsIp8 132 Detected unpacking (changes PE section rights) 19->132 134 Modifies windows update settings 19->134 136 Disables Windows Defender Tamper protection 19->136 152 2 other signatures 19->152 138 Tries to detect sandboxes and other dynamic analysis tools (window names) 22->138 140 Tries to evade debugger and weak emulator (self modifying code) 22->140 142 Hides threads from debuggers 22->142 70 C:\Users\user\AppData\Local\...\explorgu.exe, PE32 24->70 dropped 144 Tries to detect sandboxes / dynamic malware analysis system (registry check) 24->144 146 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 24->146 112 18.160.60.125 MIT-GATEWAYSUS United States 27->112 114 18.160.60.75 MIT-GATEWAYSUS United States 27->114 120 26 other IPs or domains 27->120 72 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 27->72 dropped 74 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 27->74 dropped 76 FE1F5B94E735CF25E43C634E82ECB06C772BE012, COM 27->76 dropped 78 C:\Users\user\AppData\...\places.sqlite, SQLite 27->78 dropped 38 firefox.exe 27->38         started        148 Found many strings related to Crypto-Wallets (likely being stolen) 30->148 40 firefox.exe 30->40         started        116 13.107.21.200 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 32->116 118 13.107.22.239 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 32->118 122 25 other IPs or domains 32->122 150 Binary is likely a compiled AutoIt script file 34->150 42 chrome.exe 34->42         started        45 chrome.exe 34->45         started        47 chrome.exe 34->47         started        53 12 other processes 34->53 49 chrome.exe 36->49         started        51 chrome.exe 36->51         started        55 2 other processes 36->55 file9 signatures10 process11 dnsIp12 110 239.255.255.250 unknown Reserved 42->110 57 chrome.exe 42->57         started        60 chrome.exe 45->60         started        62 chrome.exe 47->62         started        64 chrome.exe 53->64         started        66 msedge.exe 53->66         started        68 msedge.exe 53->68         started        process13 dnsIp14 104 13.107.213.41 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 57->104 106 13.107.42.14 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 57->106 108 35 other IPs or domains 57->108
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0e5159fa0db346e48ccbb3398a7e83a9e5257c3dd8ff0e4239d2ca602b77d70f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e5159fa0db346e48ccbb3398a7e83a9e5257c3dd8ff0e4239d2ca602b77d70f/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-02-09 11:50:07 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bzivt6qnwndojdglwm4yu7udvhssk7b53d7q4qrz2lfgak3x24hq._file
Verdict:
unknown
Similar samples:
8dd705797446f23b722e233efc84bd43c0ccf39a81fcd2c441351a2f3117b63c
RiseProStealer
f3cf23ba078950da05d1083572898338a9a8cb7dbf149dd89cea0d6f52e8849d
RiseProStealer
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer
Link:
https://tria.ge/reports/240209-nzlaqsag71/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.62
Unpacked files
SH256 hash:
e648f3284026cc6f81c4671dbb4b62300180f5a62c9536ded0d04b818304016d
MD5 hash:
58d9520a47d18cd1e2fb217f21b80660
SHA1 hash:
bbb686f69e810f018a4048ac9466155d5dfaa916
Link:
https://www.unpac.me/results/3ad0bfdc-9e99-4e45-af71-c549a4805fc1/
SH256 hash:
0e5159fa0db346e48ccbb3398a7e83a9e5257c3dd8ff0e4239d2ca602b77d70f
MD5 hash:
8ff72b28f884e621996adfb787ae9fbb
SHA1 hash:
b6049ede02e71b33a31aa656e6b0d541bd043744
Link:
https://www.unpac.me/results/3ad0bfdc-9e99-4e45-af71-c549a4805fc1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0e5159fa0db3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0e5159fa0db346e48ccbb3398a7e83a9e5257c3dd8ff0e4239d2ca602b77d70f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 0e5159fa0db346e48ccbb3398a7e83a9e5257c3dd8ff0e4239d2ca602b77d70f

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/475567/
  
URLhaus
https://urlhaus.abuse.ch/url/2758782/

Comments


Avatar
zbet commented on 2024-02-09 11:49:31 UTC

url : hxxp://109.107.182.38/dalas/hunta.exe