MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c1c344c0b0ba8c38994c6dbc5d35000e83bd5e6719116144216b76071c365fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RiseProStealer

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	2c1c344c0b0ba8c38994c6dbc5d35000e83bd5e6719116144216b76071c365fc
SHA3-384 hash:	a100e5504514083860fab6bc83a76f58539c20ccb0937443c82ab34d48fef41cdc54c38b6435bccd58430a3a93ac0869
SHA1 hash:	7868d82a2595f0a24503b157f5102a15c29d7447
MD5 hash:	31a5378db5ce5c35d1f2f7b29bf8fdb5
humanhash:	cat-fish-alanine-oscar
File name:	31a5378db5ce5c35d1f2f7b29bf8fdb5.exe
Download:	download sample
Signature	RiseProStealer Create hunting rule
File size:	821'248 bytes
First seen:	2023-12-15 11:05:23 UTC
Last seen:	2023-12-15 12:25:08 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'659 x Formbook, 12'250 x SnakeKeylogger)
ssdeep	12288:vKtrEjLmF/l8oBimvYPD1FlsAYtLJp3tPBU3QEQWJ9Ts4HaSv4MehIPViF2cMFqe:ytruAl8oBi
Threatray	31 similar samples on MalwareBazaar
TLSH	T1D905999D765071DFC86BC972CEA82C64FA6074BB931B9207901315EDAE0D99BDF180F2
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	abuse_ch
Tags:	exe RiseProStealer

abuse_ch

RiseProStealer C2:
91.92.249.253:50500

Intelligence

File Origin

# of uploads :

# of downloads :

318

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/467542/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.28779.14782.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a file in the %temp% subdirectories

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Using the Windows Management Instrumentation requests

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

confuserex crypto lolbin lolbin packed replace setupapi

Link:

https://www.filescan.io/uploads/657c33197d4bdb7f8bf486f0/reports/a5d1919f-6632-4632-8784-73f542e34e29/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/2c1c344c0b0ba8c38994c6dbc5d35000e83bd5e6719116144216b76071c365fc

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bd284676-0a08-47c4-9f36-7285a8a1cec0

Result

Threat name:

RisePro Stealer, Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1362608

Signature

.NET source code contains very large array initializations

C2 URLs / IPs found in malware configuration

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected RisePro Stealer

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2c1c344c0b0ba8c38994c6dbc5d35000e83bd5e6719116144216b76071c365fc

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2c1c344c0b0ba8c38994c6dbc5d35000e83bd5e6719116144216b76071c365fc/

Threat name:

ByteCode-MSIL.Trojan.RiseProStealer

Status:

Malicious

First seen:

2023-12-15 11:06:04 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

14 of 23 (60.87%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fqoditalboumhcmuy3n4lu2qadudxvpgogirmfccc23wa4odmx6a._file

Verdict:

malicious

RiseProStealer

139b12dd41cbd5265eb479b207e18bf881ebc1f26787be435067b7b1ffd717b4

RiseProStealer

2f67f590cabb9c79257d27b578d8bf9d1a278afa96b205ad2b4704e7b9a87ca7

RiseProStealer

ba7f4474a334d79dd16cfb8a082987000764ff24c8a882c696e4c214b0e5e9cf

RiseProStealer

e687e7e2cb7285131d5f0165e7ab0c41db677adadb8773190c9d1a5d69141c13

RiseProStealer

+ 21 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

collection discovery spyware stealer

Link:

https://tria.ge/reports/231215-m7d1yscbhq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Program crash

Accesses Microsoft Outlook profiles

Checks installed software on the system

Looks up external IP address via web service

Loads dropped DLL

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

2c1c344c0b0ba8c38994c6dbc5d35000e83bd5e6719116144216b76071c365fc

MD5 hash:

31a5378db5ce5c35d1f2f7b29bf8fdb5

SHA1 hash:

7868d82a2595f0a24503b157f5102a15c29d7447

Detections:

INDICATOR_EXE_Packed_ConfuserEx

Link:

https://www.unpac.me/results/0203a531-46b3-4767-ac57-3e67b815e0fa/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2c1c344c0b0ba8c38994c6dbc5d35000e83bd5e6719116144216b76071c365fc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/467542/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample