MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 155e65ea8e6ecf962ae78503325472bb78dd787d043245cc31ef821b14370ac9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RiseProStealer


Vendor detections: 13



SHA256 hash: 155e65ea8e6ecf962ae78503325472bb78dd787d043245cc31ef821b14370ac9
SHA3-384 hash: 0ad613b11cb568165e97c5da6b255fe83208e6763b81b1cbb591d4316feb3b2a7264fb17056112d632f21076361b2c13
SHA1 hash: 36dc7b7e24a75dbbbf025adc74cea9bdfa14e66f
MD5 hash: 8b51bcee6a4f5325e66cdc5fb547937f
humanhash: louisiana-two-carbon-oregon
File name: 155e65ea8e6ecf962ae78503325472bb78dd787d043245cc31ef821b14370ac9.exe
Signature RiseProStealer
File size: 2'312'192 bytes
First seen: 2024-01-07 23:02:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:MHTU7hl7v7n5J+KrnJgkWPrjF2bIToFCMgtCO2vez+FP:77hp75MKrJjWPwdFCltCO2v5
Threatray 986 similar samples on MalwareBazaar
TLSH T10AB5331691AC9236DA6C5FB068F71367067978C2DD3582B933961CCA7CB22B0E275337
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter adm1n_usa32
Tags: exe RiseProStealer WEXTRACT

Intelligence


File Origin
# of uploads:
1
# of downloads:
289
Origin country:
RO
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Behavior that indicates a threat
Searching for the browser window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
10/10
Confidence:
89%
Tags:
advpack anti-vm CAB control explorer installer lolbin obfuscated packed risepro rundll32 setupapi sfx shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RisePro Stealer
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Contains functionality to modify clipboard data
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
[Behavior graph rendering not reproduced. Behavior Graph ID: 1370969; Sample: aPaYYYDKms.exe; Startdate: 08/01/2024; Architecture: WINDOWS; Score: 100]
Threat name:
Win32.Trojan.Crifi
Status:
Malicious
First seen:
2024-01-06 15:11:34 UTC
File Type:
PE (Exe)
Extracted files:
102
AV detection:
16 of 23 (69.57%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
7/10
Tags:
persistence
Behaviour
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
AutoIT Executable
Adds Run key to start application
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash:
e11c1eeedac3077319b35b398c4e3003a731c41610a234908d4e53d72eb0400c
MD5 hash:
9c65b94f52f8adda57123ec51db08dc9
SHA1 hash:
bb3c6c8324e79147fc5af296838fc4fa4987a3c4
Detections:
INDICATOR_EXE_Packed_ConfuserEx
SHA256 hash:
d821c20d4af258334724c99addfbda8c4a1ee7a70765c5ee54a4ccbc59916ff0
MD5 hash:
2f5d1a0361ea3317e0edf59bf1ce0676
SHA1 hash:
8c8800b2235032aa0c8381fd38dc8b469725f2fe
Detections:
AutoIT_Compiled
SHA256 hash:
155e65ea8e6ecf962ae78503325472bb78dd787d043245cc31ef821b14370ac9
MD5 hash:
8b51bcee6a4f5325e66cdc5fb547937f
SHA1 hash:
36dc7b7e24a75dbbbf025adc74cea9bdfa14e66f
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Amadey
Author: kevoreilly
Description: Amadey Payload
Rule name: Borland
Author: malware-lu
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__RemoteAPI
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: detect_Redline_Stealer
Author: Varp0s
Rule name: EnigmaStub
Author: @bartblaze
Description: Identifies Enigma packer stub.
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: NET
Author: malware-lu
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques
Rule name: win_amadey_a9f4
Author: Johannes Bader
Description: matches unpacked Amadey samples
Rule name: win_amadey_bytecodes_oct_2023
Author: Matthew @ Embee_Research
Rule name: win_redline_wextract_hunting_oct_2023
Author: Matthew @ Embee_Research
Description: Detects wextract archives related to redline/amadey

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments