MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 124d756a655a6c4338f61ec8f43551dce23078e04d51ca4c03ca34f5df66af27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 21 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 124d756a655a6c4338f61ec8f43551dce23078e04d51ca4c03ca34f5df66af27
SHA3-384 hash: 04686724645d17d0b9e36381523fd17a89d98c1d4d34dbfda858b70399b018f1a9adab3eb4c58e9ef1d75392f31d9389
SHA1 hash: b2c6961b3f7e3c5fe0fe86743a3360633ab2c200
MD5 hash: e4a94d95c0af5a7082f90904e577ab04
humanhash: friend-glucose-spaghetti-echo
File name:124d756a655a6c4338f61ec8f43551dce23078e04d51ca4c03ca34f5df66af27.exe
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'604'544 bytes
First seen:2024-01-02 18:58:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:hAcs6KxDps2x208AjgcbniYA5Ml2CgUBe+82POGAPmtnDguqFfzBk:OdtstrAjgcbiYx2rAZWJ4Uuq9+
Threatray 647 similar samples on MalwareBazaar
TLSH T15AC5334266915031CAE017709CFB47C716397EB3BAB8A71F2980E6C548F35A1B63673D
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter adm1n_usa32
Tags:exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
286
Origin country :
RO RO
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

Win.Downloader.Crifi-10009289-0
Create hunting rule

Win.Packed.Stealerc-10017072-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Сreating synchronization primitives
Searching for the browser window
DNS request
Sending a custom TCP request
Reading critical registry keys
Blocking the Windows Defender launch
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
89%
Tags:
advpack anti-vm CAB control explorer installer installer lolbin packed risepro rundll32 setupapi sfx shell32 xpack
Link:
https://www.filescan.io/uploads/65945d187d4bdb7f8b037e1d/reports/4aed146e-3101-47a4-b3e1-2fb2e743aab4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/124d756a655a6c4338f61ec8f43551dce23078e04d51ca4c03ca34f5df66af27
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/476d78db-f71b-4460-bfb4-3a752ffc1614
Result
Threat name:
RisePro Stealer, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1368947
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Contains functionality to modify clipboard data
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
PE file has nameless sections
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Suspicious execution chain found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected RisePro Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1368947 Sample: M9r5phxwIj.exe Startdate: 02/01/2024 Architecture: WINDOWS Score: 100 133 www.google.com 2->133 135 ipinfo.io 2->135 137 2 other IPs or domains 2->137 163 Snort IDS alert for network traffic 2->163 165 Antivirus detection for URL or domain 2->165 167 Antivirus detection for dropped file 2->167 169 11 other signatures 2->169 11 M9r5phxwIj.exe 1 4 2->11         started        14 FANBooster131.exe 2->14         started        17 MaxLoonaFest131.exe 2->17         started        19 6 other processes 2->19 signatures3 process4 file5 109 C:\Users\user\AppData\Local\...\oI7UZ69.exe, PE32 11->109 dropped 111 C:\Users\user\AppData\Local\...\7SO0vB82.exe, PE32 11->111 dropped 21 oI7UZ69.exe 1 4 11->21         started        113 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 14->113 dropped 115 C:\...\ld9S7WfxsGctaMEr3JqUZcteoNCGuw6L.zip, Zip 14->115 dropped 201 Antivirus detection for dropped file 14->201 203 Multi AV Scanner detection for dropped file 14->203 205 Detected unpacking (changes PE section rights) 14->205 221 4 other signatures 14->221 25 WerFault.exe 14->25         started        27 WerFault.exe 14->27         started        117 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 17->117 dropped 119 C:\...\4gEbmOvrDFP6YY1uyfoLPLHvYkjctn2V.zip, Zip 17->119 dropped 207 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->207 209 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 17->209 211 Tries to steal Mail credentials (via file / registry access) 17->211 29 WerFault.exe 17->29         started        31 WerFault.exe 17->31         started        121 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 19->121 dropped 123 C:\...\sx8rVM6gO5zoPgi0rzc3QGlXuk7QwJUe.zip, Zip 19->123 dropped 213 Detected unpacking (overwrites its own PE header) 19->213 215 Machine Learning detection for dropped file 19->215 217 Found many strings related to Crypto-Wallets (likely being stolen) 19->217 219 Modifies Windows Defender protection settings 19->219 33 powershell.exe 19->33         started        35 powershell.exe 19->35         started        37 powershell.exe 19->37         started        39 22 other processes 19->39 signatures6 process7 file8 101 C:\Users\user\AppData\Local\...101P7ET53.exe, PE32 21->101 dropped 103 C:\Users\user\AppData\Local\...\6Qm8xN5.exe, PE32 21->103 dropped 171 Antivirus detection for dropped file 21->171 173 Multi AV Scanner detection for dropped file 21->173 175 Machine Learning detection for dropped file 21->175 41 NP7ET53.exe 1 4 21->41         started        45 conhost.exe 33->45         started        47 conhost.exe 35->47         started        49 conhost.exe 37->49         started        51 conhost.exe 39->51         started        53 conhost.exe 39->53         started        55 conhost.exe 39->55         started        57 18 other processes 39->57 signatures9 process10 file11 105 C:\Users\user\AppData\Local\...\5al0xM9.exe, PE32 41->105 dropped 107 C:\Users\user\AppData\Local\...\2KA3418.exe, PE32 41->107 dropped 177 Antivirus detection for dropped file 41->177 179 Multi AV Scanner detection for dropped file 41->179 181 Binary is likely a compiled AutoIt script file 41->181 183 Machine Learning detection for dropped file 41->183 59 5al0xM9.exe 21 41 41->59         started        64 2KA3418.exe 12 41->64         started        signatures12 process13 dnsIp14 151 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 59->151 153 ipinfo.io 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 59->153 125 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 59->125 dropped 127 C:\Users\user\AppData\...\FANBooster131.exe, PE32 59->127 dropped 129 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 59->129 dropped 131 2 other malicious files 59->131 dropped 185 Antivirus detection for dropped file 59->185 187 Multi AV Scanner detection for dropped file 59->187 189 Detected unpacking (changes PE section rights) 59->189 199 9 other signatures 59->199 66 cmd.exe 59->66         started        69 powershell.exe 59->69         started        71 cmd.exe 59->71         started        80 13 other processes 59->80 191 Binary is likely a compiled AutoIt script file 64->191 193 Machine Learning detection for dropped file 64->193 195 Found API chain indicative of sandbox detection 64->195 197 Contains functionality to modify clipboard data 64->197 73 chrome.exe 9 64->73         started        76 chrome.exe 64->76         started        78 chrome.exe 64->78         started        file15 signatures16 process17 dnsIp18 155 Uses schtasks.exe or at.exe to add and modify task schedules 66->155 95 2 other processes 66->95 157 Found many strings related to Crypto-Wallets (likely being stolen) 69->157 82 conhost.exe 69->82         started        97 2 other processes 71->97 145 192.168.2.9 unknown unknown 73->145 147 192.168.2.4 unknown unknown 73->147 149 2 other IPs or domains 73->149 159 Modifies Windows Defender protection settings 73->159 84 chrome.exe 73->84         started        87 chrome.exe 73->87         started        89 chrome.exe 73->89         started        161 Suspicious execution chain found 76->161 91 chrome.exe 76->91         started        93 chrome.exe 78->93         started        99 11 other processes 80->99 signatures19 process20 dnsIp21 139 i1.ytimg.com 142.250.113.101 GOOGLEUS United States 84->139 141 www.google.com 142.250.113.103 GOOGLEUS United States 84->141 143 54 other IPs or domains 84->143
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/124d756a655a6c4338f61ec8f43551dce23078e04d51ca4c03ca34f5df66af27
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/124d756a655a6c4338f61ec8f43551dce23078e04d51ca4c03ca34f5df66af27/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2024-01-02 04:35:35 UTC
File Type:
PE (Exe)
Extracted files:
202
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cjgxk2tfljwegohwd3epinkr3trda6hajvi4utadzi2plx3gv4tq._file
Verdict:
malicious
Similar samples:
13735fe34c4fb1fc5efca9336215af08efaeca20859c61409f9fb7c7afc82332
RiseProStealer
460be9287a7336de0f0996ef9f6bcedcfb72b693d5d7e8ad38057e64a8ae4f69
RiseProStealer
46ac37f4635f315ac0e174392855fa549410746e8826b2d3b066d2352b1d6ca4
RiseProStealer
46daf94d7a9c2eafa685ff553c11a89b3af75671cbbebbe61bfaca9be6adc815
RiseProStealer
66694f7dcb467cd242471f76c58bc236c458761d22bcb4682a07605e0d7bd384
RiseProStealer
7324e9649a54a5f6767cf58fcec138770627780486cbb709f751a684be7a0b1a
RiseProStealer
94627d8117da7cccd8c34a1d8ad88d988a26ec6337d0d66559ee6943f2c2a233
RiseProStealer
ab59e6fbbb2bf296da4b96f6ff46c39a71a7829e3c1e9400ab7d3e6ffe7834e9
RiseProStealer
c7c312035f6694f1941a1fc437a68c9c3e1aabdae242d1e3fd557dda53bdfcb0
RiseProStealer
+ 637 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:smokeloader backdoor evasion persistence stealer trojan
Link:
https://tria.ge/reports/240102-231fqabfcp/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Runs net.exe
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Adds Run key to start application
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Modifies Windows Firewall
Detect Lumma Stealer payload V4
Lumma Stealer
SmokeLoader
Malware Config
C2 Extraction:
http://185.215.113.68/fks/index.php
Unpacked files
SH256 hash:
816c4023e1fe6544b80a0abfd33ed78cd18203461e989a513f4af858085bfc38
MD5 hash:
a95af31546f72a8b7a5dc92fbb8e332a
SHA1 hash:
feaf3074785595ddf1e46a36bba4c2b9c8f672b7
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/df1b46c2-74db-425b-9746-606ffffc2b98/
SH256 hash:
124d756a655a6c4338f61ec8f43551dce23078e04d51ca4c03ca34f5df66af27
MD5 hash:
e4a94d95c0af5a7082f90904e577ab04
SHA1 hash:
b2c6961b3f7e3c5fe0fe86743a3360633ab2c200
Link:
https://www.unpac.me/results/df1b46c2-74db-425b-9746-606ffffc2b98/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/124d756a655a6c4338f61ec8f43551dce23078e04d51ca4c03ca34f5df66af27

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 124d756a655a6c4338f61ec8f43551dce23078e04d51ca4c03ca34f5df66af27

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2744391/
  
Delivery method
Distributed via web download

Comments