MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31cc77ac0f64f6aa552757bdb58f3bac1e6f3686aa984b2afa28d2f1f08f4d76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RiseProStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 5 File information Comments 1

SHA256 hash:	31cc77ac0f64f6aa552757bdb58f3bac1e6f3686aa984b2afa28d2f1f08f4d76
SHA3-384 hash:	a70fa494251afd67f44be374eff63cbde81da2295beac5fc16fe246202e27244e5ef198a4214474e9613c961c8e2d72c
SHA1 hash:	da691b351bc7f986adf63d6107e3b90d9225462b
MD5 hash:	d5bbf22862dc13f2e55369d2940591e8
humanhash:	bakerloo-double-montana-quebec
File name:	d5bbf22862dc13f2e55369d2940591e8
Download:	download sample
Signature	RiseProStealer Create hunting rule
File size:	2'075'648 bytes
First seen:	2024-04-02 09:24:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep	49152:1aR2wtFNbcdc16urgEPUZJ+Y9e6WvkUjsd3jrtk8TTxINr3DjdG:1aRjO+XrgZsY7WMUm3jZk8/Wz
TLSH	T154A5336A4D61FBABDFA9633208F1D8596CF8760380A1F60E06447DBBB58F74E8306D45
TrID	32.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 28.9% (.EXE) Win32 Executable (generic) (4504/4/1) 13.0% (.EXE) OS/2 Executable (generic) (2029/13) 12.8% (.EXE) Generic Win/DOS Executable (2002/3) 12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	86696ddce4f4d269 (91 x RiseProStealer)
Reporter	zbetcheckin
Tags:	32 exe RiseProStealer

Intelligence

File Origin

# of uploads :

# of downloads :

406

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

31cc77ac0f64f6aa552757bdb58f3bac1e6f3686aa984b2afa28d2f1f08f4d76.exe

Verdict:

Malicious activity

Analysis date:

2024-04-02 09:27:05 UTC

Tags:

risepro

Link:

https://app.any.run/tasks/8267cdf8-b150-4f8f-a0c2-70244726a265

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file

Launching a process

Creating a file in the %temp% directory

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Сreating synchronization primitives

Moving a file to the Program Files subdirectory

Replacing files

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Connection attempt to an infection source

Sending a TCP request to an infection source

Enabling autorun by creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm packed stealer

Link:

https://www.filescan.io/uploads/660bcef3391c61c479131437/reports/3f276a35-1cf2-4cab-bd0d-3f127b14ad74/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/31cc77ac0f64f6aa552757bdb58f3bac1e6f3686aa984b2afa28d2f1f08f4d76

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/96d69d20-4d92-4eda-ab5d-c1b95a68d05e

Result

Threat name:

RisePro Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1418623

Signature

Antivirus detection for URL or domain

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Found API chain indicative of sandbox detection

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Snort IDS alert for network traffic

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected RisePro Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/31cc77ac0f64f6aa552757bdb58f3bac1e6f3686aa984b2afa28d2f1f08f4d76

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/31cc77ac0f64f6aa552757bdb58f3bac1e6f3686aa984b2afa28d2f1f08f4d76/

Threat name:

Win32.Trojan.RisePro

Status:

Malicious

First seen:

2024-04-02 09:25:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ghghplapmt3kuvjhk663ldz3vqpg6nugvkmewkx2fdjpd4epjv3a._file

Verdict:

malicious

Result

Malware family:

risepro

Score:

10/10

Tags:

family:risepro evasion stealer

Link:

https://tria.ge/reports/240402-ldlm9scg3x/

Behaviour

Checks BIOS information in registry

Identifies Wine through registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

RisePro

Unpacked files

SH256 hash:

a2105b5dda1dc1fb3dc73639c77c0989d272217cf5a1734bc729d46969f9344a

MD5 hash:

234b5d3308e50da73046eff7cffa57b7

SHA1 hash:

981bbcc09a2bd01f7ce92bae81842d882cbd54c4

Link:

https://www.unpac.me/results/82f6996b-5418-476f-9021-f4033b936ba2/

SH256 hash:

9865a0b00d3afa7b060eac6685ed36f1d2214cbf904ff451ec63b223bf6b1410

MD5 hash:

d0edea8daf8db93725c715e1b42ad082

SHA1 hash:

fecfc468a311b79253b35e1d7316b9d8a6e0f205

Link:

https://www.unpac.me/results/82f6996b-5418-476f-9021-f4033b936ba2/

SH256 hash:

4bf1109d02442e73198138d0f9d0fccd52caaccf5ee5bbc89c4c583b505e8dbf

MD5 hash:

3f459b435d74cbc77fcae6c1971e2f2e

SHA1 hash:

73b48dc81d87c7d29b9fc15a8c47e755e7dafdc4

Link:

https://www.unpac.me/results/82f6996b-5418-476f-9021-f4033b936ba2/

SH256 hash:

e728b893d5d782a215849e63fec8d5754cc4bffff527f87f4ba46f5e4e7e471b

MD5 hash:

2ca0a72401db99067e4e7bf64b200403

SHA1 hash:

be70b62af8b97f6ad4526cd7625aaba89b88e370

Link:

https://www.unpac.me/results/82f6996b-5418-476f-9021-f4033b936ba2/

SH256 hash:

a458b34708268b75f732a3e6b503d0b43bf08912cc8aa97ff39719ee127d8a0f

MD5 hash:

8108aeeb051e627200f1fbd9a78f3b13

SHA1 hash:

78017bb93238440182fb33b7b942a4a4b2ca3687

Link:

https://www.unpac.me/results/82f6996b-5418-476f-9021-f4033b936ba2/

SH256 hash:

e2e72158be4fe0f92e93bc4fcc37d0a78d22fe9ce1a3e18be16d0a66174e883c

MD5 hash:

1e208c453f8acf0c017bc8707223e839

SHA1 hash:

8f9c136dd5381e2a5884f410ace8d508b4593c88

Link:

https://www.unpac.me/results/82f6996b-5418-476f-9021-f4033b936ba2/

SH256 hash:

4b4cfadba5b24c26ed8ae139cfabbbc25e0642d09a8e246966bee47c1196d09f

MD5 hash:

04e62d738a99157c9525dc139a05d122

SHA1 hash:

1d742255caaed8a689eb908c5004ba2fe933d872

Link:

https://www.unpac.me/results/82f6996b-5418-476f-9021-f4033b936ba2/

SH256 hash:

cdd77e8076e417b03c95c47a40b4c5abc8f18191adb484bba2adf6eb5429ccd6

MD5 hash:

e6ffd65598afd32a04c1d81ede95477f

SHA1 hash:

93944801c51e32983361c34a8b0259dd803b1545

Link:

https://www.unpac.me/results/82f6996b-5418-476f-9021-f4033b936ba2/

SH256 hash:

31cc77ac0f64f6aa552757bdb58f3bac1e6f3686aa984b2afa28d2f1f08f4d76

MD5 hash:

d5bbf22862dc13f2e55369d2940591e8

SHA1 hash:

da691b351bc7f986adf63d6107e3b90d9225462b

Link:

https://www.unpac.me/results/82f6996b-5418-476f-9021-f4033b936ba2/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/31cc77ac0f64/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/31cc77ac0f64f6aa552757bdb58f3bac1e6f3686aa984b2afa28d2f1f08f4d76

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

exe 31cc77ac0f64f6aa552757bdb58f3bac1e6f3686aa984b2afa28d2f1f08f4d76

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2790064/

URLhaus

https://urlhaus.abuse.ch/url/2798685/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2024-04-02 09:24:43 UTC

url : hxxp://185.215.113.46/cost/sarra.exe