MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f88ea51a56da966d12311a4b20ea3a6c44315e00747a589f19cf535f90ced77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f88ea51a56da966d12311a4b20ea3a6c44315e00747a589f19cf535f90ced77
SHA3-384 hash: a257ff6e6207b046821db2fef31ea0e0a0249d42f70d5f7d1b49da321aebc96f3cd1a33b13b0716173ad6e57eeb7a814
SHA1 hash: d8bdfdb717b64ee4cd7a892bbddd293f7eaf915c
MD5 hash: 97768ab0a4837757b74de2ae892badab
humanhash: eight-zebra-california-seven
File name:97768ab0a4837757b74de2ae892badab
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:1'854'464 bytes
First seen:2024-07-01 07:15:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bea8657593f34831fef16a15915f462d (2 x LummaStealer, 1 x RiseProStealer)
ssdeep 49152:Ktx9fJc02euDyRs7NNvZpFW3wrqirfHWZjlavwpX:Ktx9fe02beG5Nv+w+irHWZjlavwpX
TLSH T1D085232174D58072E423103609F5DB74CABDBAB44B512ECFA7E48FBE4B312C2AB75256
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter zbetcheckin
Tags:32 exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
367
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
Document Mod Malware.zip
Verdict:
Malicious activity
Analysis date:
2024-07-01 21:37:34 UTC
Tags:
hausbomber dcrat loader opendir bdaejec stealer redline metastealer gcleaner upx netreactor aspack trojan lokibot evasion exfiltration pastebin lumma risepro xworm antivm
Link:
https://app.any.run/tasks/25155eb6-6332-40f7-8188-1486b658240e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Keylogger.Lazy-10031941-0
Create hunting rule

Win.Packed.Zusy-10032583-0
Create hunting rule

Win.Packed.Zusy-10032584-0
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=668257d74aef5fb03e2ec739win10vpnfull_triage
Tags:
Stealerc
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc fingerprint microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/66825777eae3878d8f3c45d4/reports/969c45d5-f13e-495d-820c-5bce0ad9ff57/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0f88ea51a56da966d12311a4b20ea3a6c44315e00747a589f19cf535f90ced77
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2e2d8b71-5d4f-4729-8054-3570a033cc02
Result
Threat name:
LummaC, PureLog Stealer, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1465070
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates multiple autostart registry keys
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected RisePro Stealer
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1465070 Sample: zyJWi2vy29.exe Startdate: 01/07/2024 Architecture: WINDOWS Score: 100 87 t.me 2->87 89 potterryisiw.shop 2->89 91 2 other IPs or domains 2->91 109 Snort IDS alert for network traffic 2->109 111 Multi AV Scanner detection for domain / URL 2->111 113 Found malware configuration 2->113 115 17 other signatures 2->115 9 zyJWi2vy29.exe 1 2->9         started        12 MSIUpdaterV168.exe 1 2->12         started        14 MSIUpdaterV168.exe 2->14         started        16 6 other processes 2->16 signatures3 process4 signatures5 143 Contains functionality to inject code into remote processes 9->143 145 Writes to foreign memory regions 9->145 147 Allocates memory in foreign processes 9->147 18 RegAsm.exe 4 95 9->18         started        23 RegAsm.exe 9->23         started        25 WerFault.exe 21 16 9->25         started        27 conhost.exe 9->27         started        149 Antivirus detection for dropped file 12->149 151 Multi AV Scanner detection for dropped file 12->151 153 Machine Learning detection for dropped file 12->153 29 conhost.exe 12->29         started        155 Injects a PE file into a foreign processes 14->155 157 LummaC encrypted strings found 14->157 31 conhost.exe 14->31         started        33 RegAsm.exe 14->33         started        159 Found many strings related to Crypto-Wallets (likely being stolen) 16->159 161 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 16->161 35 conhost.exe 16->35         started        37 5 other processes 16->37 process6 dnsIp7 93 77.105.132.27, 49747, 49752, 49756 PLUSTELECOM-ASRU Russian Federation 18->93 95 ipinfo.io 34.117.186.192, 443, 49748, 49762 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 18->95 97 db-ip.com 104.26.4.15, 443, 49749, 49765 CLOUDFLARENETUS United States 18->97 69 C:\Users\user\...\8x9h3ctqkpfTu0sNF0X2.exe, PE32 18->69 dropped 71 C:\Users\user\...\8jZLXI789L2zXDjlm7Fx.exe, PE32 18->71 dropped 73 C:\Users\user\...\6p7a7injLZJojhETBNhL.exe, PE32 18->73 dropped 77 14 other malicious files 18->77 dropped 117 Tries to steal Mail credentials (via file / registry access) 18->117 119 Creates multiple autostart registry keys 18->119 121 Tries to harvest and steal browser information (history, passwords, etc) 18->121 39 3f61nAONpe1PsLC0oJHy.exe 18->39         started        42 8x9h3ctqkpfTu0sNF0X2.exe 18->42         started        44 6p7a7injLZJojhETBNhL.exe 1 18->44         started        46 10 other processes 18->46 123 Found stalling execution ending in API Sleep call 23->123 125 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 23->125 127 Found API chain indicative of sandbox detection 23->127 129 3 other signatures 23->129 75 C:\ProgramData\Microsoft\...\Report.wer, Unicode 25->75 dropped file8 signatures9 process10 signatures11 131 Antivirus detection for dropped file 39->131 133 Multi AV Scanner detection for dropped file 39->133 135 Machine Learning detection for dropped file 39->135 48 RegAsm.exe 39->48         started        65 2 other processes 39->65 137 Writes to foreign memory regions 42->137 139 Allocates memory in foreign processes 42->139 141 Injects a PE file into a foreign processes 42->141 52 RegAsm.exe 42->52         started        55 WerFault.exe 42->55         started        57 RegAsm.exe 2 44->57         started        59 conhost.exe 44->59         started        61 WerFault.exe 44->61         started        63 conhost.exe 46->63         started        67 8 other processes 46->67 process12 dnsIp13 81 potterryisiw.shop 188.114.97.3, 443, 49759, 49761 CLOUDFLARENETUS European Union 48->81 99 Query firmware table information (likely to detect VMs) 48->99 101 Found many strings related to Crypto-Wallets (likely being stolen) 48->101 103 Tries to harvest and steal ftp login credentials 48->103 105 Tries to steal Crypto Currency Wallets 48->105 83 t.me 149.154.167.99, 443, 49760 TELEGRAMRU United Kingdom 52->83 85 195.201.251.214, 49764, 49767, 49769 HETZNER-ASDE Germany 52->85 79 C:\Users\user\AppData\Local\...\sqlt[1].dll, PE32 52->79 dropped 107 Tries to harvest and steal browser information (history, passwords, etc) 52->107 file14 signatures15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0f88ea51a56da966d12311a4b20ea3a6c44315e00747a589f19cf535f90ced77
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f88ea51a56da966d12311a4b20ea3a6c44315e00747a589f19cf535f90ced77/
Threat name:
Win32.Trojan.Convagent
Create hunting rule
Status:
Malicious
First seen:
2024-06-30 10:53:41 UTC
File Type:
PE (Exe)
AV detection:
23 of 23 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b6eouunfnwuwnujdcgsledvdu3cegfpaa5d2lcprtt2tl6im5v3q._file
Verdict:
malicious
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro stealer
Link:
https://tria.ge/reports/240701-h27zmasdkk/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
RisePro
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/511feea4-ee89-4056-9227-c2155a71b8af
Unpacked files
SH256 hash:
cb5b33b2c4d8e2e7307db022ffff080d9de6eb805d5029d31a2939c0c6be2eef
MD5 hash:
adee075bfbdc088591cab3c88586f0ee
SHA1 hash:
1c409e9d1165473fc3a6264209edb42187a86ab8
Link:
https://www.unpac.me/results/36e51e42-4c5c-42b3-957a-80ac7e92e4dc/
SH256 hash:
0f88ea51a56da966d12311a4b20ea3a6c44315e00747a589f19cf535f90ced77
MD5 hash:
97768ab0a4837757b74de2ae892badab
SHA1 hash:
d8bdfdb717b64ee4cd7a892bbddd293f7eaf915c
Link:
https://www.unpac.me/results/36e51e42-4c5c-42b3-957a-80ac7e92e4dc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0f88ea51a56d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0f88ea51a56da966d12311a4b20ea3a6c44315e00747a589f19cf535f90ced77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 0f88ea51a56da966d12311a4b20ea3a6c44315e00747a589f19cf535f90ced77

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2915800/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleWindow
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments


Avatar
zbet commented on 2024-07-01 07:15:01 UTC

url : hxxp://77.105.132.27/rise2806.exe