MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28e6bbc4ef21d8617ddf8c417b8b9eb722974bb0f18147725beed574a87ce2d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28e6bbc4ef21d8617ddf8c417b8b9eb722974bb0f18147725beed574a87ce2d6
SHA3-384 hash: e13da0228b183c416de4b7765c1a3ce105cd7f193dbcde9ad30ad7b481aaef81074166fca5170d20a6206865510c436f
SHA1 hash: 794b7e3f3c22f55038b85f21636a1d701f49b81c
MD5 hash: 0a4b84a8d0915c93c9735aa095c573b7
humanhash: single-queen-asparagus-white
File name:0a4b84a8d0915c93c9735aa095c573b7
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'253'824 bytes
First seen:2024-02-02 13:22:48 UTC
Last seen:2024-02-02 15:23:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 49152:i0CiVVuUugafDcp1cAnAAAxcinIvj+m+vdqK+eV5IGxkp:Qiqop1BnAxxd0+m+VzVI
Threatray 3 similar samples on MalwareBazaar
TLSH T127A533E02DB727AAD927473F22447509A2935C83E94EF190AA49F5D2937F9B30617F03
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4505/5/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon cc31e8cccce833cc (116 x RiseProStealer, 1 x Amadey)
Reporter zbetcheckin
Tags:32 exe RiseProStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
396
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
28e6bbc4ef21d8617ddf8c417b8b9eb722974bb0f18147725beed574a87ce2d6.zip
Verdict:
Malicious activity
Analysis date:
2024-02-02 15:33:01 UTC
Tags:
risepro stealer evasion loader
Link:
https://app.any.run/tasks/6bf03604-81cc-4514-bfb0-cba3d893017a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/474197/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.9102.20377.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed themidawinlicense
Link:
https://www.filescan.io/uploads/65bcecbe4f733f8cc1bd6e9d/reports/7be56cd9-5190-4014-8279-f77edde1ba61/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/28e6bbc4ef21d8617ddf8c417b8b9eb722974bb0f18147725beed574a87ce2d6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8a7dd7a0-c5c2-4112-80b4-577d1b9421f0
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1385599
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Downloads suspicious files via Chrome
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1385599 Sample: vyAZOo1jhA.exe Startdate: 02/02/2024 Architecture: WINDOWS Score: 100 97 youtube-ui.l.google.com 2->97 99 www.youtube.com 2->99 101 33 other IPs or domains 2->101 133 Snort IDS alert for network traffic 2->133 135 Multi AV Scanner detection for domain / URL 2->135 137 Antivirus detection for URL or domain 2->137 139 9 other signatures 2->139 9 vyAZOo1jhA.exe 2 122 2->9         started        14 MPGPH131.exe 109 2->14         started        16 MPGPH131.exe 24 2->16         started        18 8 other processes 2->18 signatures3 process4 dnsIp5 109 185.215.113.68 WHOLESALECONNECTIONSNL Portugal 9->109 111 109.107.182.3 TELEPORT-TV-ASRU Russian Federation 9->111 113 2 other IPs or domains 9->113 75 C:\Users\user\...\vfJZ2qAPvOa3Oa6adFzw.exe, PE32 9->75 dropped 77 C:\Users\user\...\vVRT2HgT9Tim8SaIonEx.exe, PE32 9->77 dropped 79 C:\Users\user\...\mmDCAq_zbB4r6ulVssRs.exe, PE32 9->79 dropped 87 13 other malicious files 9->87 dropped 163 Detected unpacking (changes PE section rights) 9->163 165 Binary is likely a compiled AutoIt script file 9->165 167 Tries to steal Mail credentials (via file / registry access) 9->167 185 5 other signatures 9->185 20 DFlxSHnQ3XUfuEVBTCdU.exe 9->20         started        23 mmDCAq_zbB4r6ulVssRs.exe 9->23         started        25 HTFqglQHLliJBCQjv1BB.exe 9->25         started        37 5 other processes 9->37 81 C:\Users\user\...\zvbH87AMDB7pTjQ3UJFK.exe, PE32 14->81 dropped 83 C:\Users\user\...\gOtABMa9vs04qzenaSqq.exe, PE32 14->83 dropped 85 C:\Users\user\...\eSa3sQPtCl53hesSH0gY.exe, PE32 14->85 dropped 89 8 other malicious files 14->89 dropped 169 Tries to harvest and steal browser information (history, passwords, etc) 14->169 171 Hides threads from debuggers 14->171 173 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->173 175 Antivirus detection for dropped file 16->175 177 Multi AV Scanner detection for dropped file 16->177 179 Machine Learning detection for dropped file 16->179 91 5 other malicious files 18->91 dropped 181 Tries to evade debugger and weak emulator (self modifying code) 18->181 183 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->183 27 firefox.exe 18->27         started        31 msedge.exe 18->31         started        33 firefox.exe 18->33         started        35 firefox.exe 18->35         started        file6 signatures7 process8 dnsIp9 141 Detected unpacking (changes PE section rights) 20->141 143 Detected unpacking (overwrites its own PE header) 20->143 145 Modifies windows update settings 20->145 159 3 other signatures 20->159 147 Multi AV Scanner detection for dropped file 23->147 149 Tries to detect sandboxes and other dynamic analysis tools (window names) 23->149 151 Tries to evade debugger and weak emulator (self modifying code) 23->151 161 2 other signatures 23->161 153 Binary is likely a compiled AutoIt script file 25->153 39 chrome.exe 25->39         started        42 chrome.exe 25->42         started        44 chrome.exe 25->44         started        54 9 other processes 25->54 121 108.177.122.84 GOOGLEUS United States 27->121 123 142.251.15.91 GOOGLEUS United States 27->123 129 9 other IPs or domains 27->129 93 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 27->93 dropped 95 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 27->95 dropped 155 Found many strings related to Crypto-Wallets (likely being stolen) 27->155 56 2 other processes 27->56 125 13.107.21.239 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 31->125 127 13.107.213.41 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 31->127 131 26 other IPs or domains 31->131 157 Hides threads from debuggers 37->157 46 conhost.exe 37->46         started        48 conhost.exe 37->48         started        50 conhost.exe 37->50         started        52 conhost.exe 37->52         started        file10 signatures11 process12 dnsIp13 103 192.168.2.5 unknown unknown 39->103 105 192.168.2.16 unknown unknown 39->105 107 2 other IPs or domains 39->107 58 chrome.exe 39->58         started        61 chrome.exe 39->61         started        63 chrome.exe 39->63         started        65 chrome.exe 42->65         started        67 chrome.exe 44->67         started        69 msedge.exe 54->69         started        71 msedge.exe 54->71         started        73 msedge.exe 54->73         started        process14 dnsIp15 115 172.217.215.101 GOOGLEUS United States 58->115 117 youtube-ui.l.google.com 172.217.215.136 GOOGLEUS United States 58->117 119 20 other IPs or domains 58->119
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/28e6bbc4ef21d8617ddf8c417b8b9eb722974bb0f18147725beed574a87ce2d6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/28e6bbc4ef21d8617ddf8c417b8b9eb722974bb0f18147725beed574a87ce2d6/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2024-02-02 13:23:08 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fdtlxrhpehmgc7o7rraxxc46w4rjos5q6gauo4s353kxjkd44lla._file
Verdict:
malicious
Similar samples:
4627c39174d9e902993cadc68aaa3a9feb7addabc77277eee6d88cd989b5472f
RiseProStealer
5239eb589ac4d96a633db9d7031f4e04b3d07268aa42822a228a0eaa6d94c1bf
RiseProStealer
fd2d44b495e61093c56a17a825de9891dc5672ba633226fab04878693c95ecea
RiseProStealer
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer
Link:
https://tria.ge/reports/240202-qmsv6afaf9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.62:50500
Unpacked files
SH256 hash:
d304dd8a33636130f505370105d20d268ab54e29895987709b758a38c056b1a4
MD5 hash:
7527915007af865128f0cac1540a4df6
SHA1 hash:
bf594edabcbd02826636e0b63039f5e76176a904
Link:
https://www.unpac.me/results/4fc039f7-e9cd-4528-bc3c-0c7fd5d8c9ba/
SH256 hash:
28e6bbc4ef21d8617ddf8c417b8b9eb722974bb0f18147725beed574a87ce2d6
MD5 hash:
0a4b84a8d0915c93c9735aa095c573b7
SHA1 hash:
794b7e3f3c22f55038b85f21636a1d701f49b81c
Link:
https://www.unpac.me/results/4fc039f7-e9cd-4528-bc3c-0c7fd5d8c9ba/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/28e6bbc4ef21/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/28e6bbc4ef21d8617ddf8c417b8b9eb722974bb0f18147725beed574a87ce2d6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 28e6bbc4ef21d8617ddf8c417b8b9eb722974bb0f18147725beed574a87ce2d6

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2755484/
Cape
Cape
https://www.capesandbox.com/analysis/474197/

Comments


Avatar
zbet commented on 2024-02-02 13:22:50 UTC

url : hxxp://109.107.182.3/cost/ladas.exe