MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 342c5af8d77498b4e29e236891d8b0265a25f1212bd58457e8cbf6ab20c23c39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 342c5af8d77498b4e29e236891d8b0265a25f1212bd58457e8cbf6ab20c23c39
SHA3-384 hash: ea02257f538b1729c5d1f979c73f9bb6fb80569fe280c81b2eee1b94b33737d375d7729d638845e9b4914b280ff723e2
SHA1 hash: ef7729ea96589b7ef5df4eedb9a51bae18712734
MD5 hash: 47abef561c78932606d35c88d542a1db
humanhash: double-uranus-mango-network
File name:47abef561c78932606d35c88d542a1db.exe
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'419'200 bytes
First seen:2024-05-07 18:15:22 UTC
Last seen:2024-05-07 19:23:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:RTs9zpYo556eURBCnmK2OJxYud8/puGtMDJ3oLsZYO8J/zpiTB:R49SoqrRBCn1P7Zd8ttMN3oLIYXoTB
Threatray 808 similar samples on MalwareBazaar
TLSH T179B5330BF379D9B1D8AD047B914696851325BD246521CB13A04FBB2B71AB3FCDF61B20
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 6261e422c8c8788d (63 x RiseProStealer, 1 x Loki, 1 x N-W0rm)
Reporter abuse_ch
Tags:exe RiseProStealer


Avatar
abuse_ch
RiseProStealer C2:
147.45.47.126:58709

Intelligence

File Origin
# of uploads :
2
# of downloads :
354
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
342c5af8d77498b4e29e236891d8b0265a25f1212bd58457e8cbf6ab20c23c39.exe
Verdict:
Malicious activity
Analysis date:
2024-05-07 18:15:53 UTC
Tags:
risepro
Link:
https://app.any.run/tasks/a83ed635-4876-4350-b332-86538ee77360

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.RisePro.143.32337.2823.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for analyzing tools
Creating a file
Launching a process
Creating a file in the %temp% directory
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Sending a TCP request to an infection source
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/663a6fe311114a9ab5e1bf6f/reports/7dd194c4-09ba-4c25-ba76-61778e9c339d/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/342c5af8d77498b4e29e236891d8b0265a25f1212bd58457e8cbf6ab20c23c39
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/bea3e54a-bc67-4039-a095-c4c2c8896ae7
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1437696
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1437696 Sample: 7B8hQcSm5O.exe Startdate: 07/05/2024 Architecture: WINDOWS Score: 100 37 ipinfo.io 2->37 39 db-ip.com 2->39 47 Snort IDS alert for network traffic 2->47 49 Antivirus / Scanner detection for submitted sample 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 4 other signatures 2->53 8 7B8hQcSm5O.exe 1 63 2->8         started        13 MPGPH131.exe 55 2->13         started        15 RageMP131.exe 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 41 147.45.47.126, 49699, 49700, 49701 FREE-NET-ASFREEnetEU Russian Federation 8->41 43 ipinfo.io 34.117.186.192, 443, 49702, 49703 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->43 27 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 8->27 dropped 29 C:\ProgramData\MPGPH131\MPGPH131.exe, PE32 8->29 dropped 31 C:\Users\user\...\fLZHU15TnLK2bDLBLBTztxI.zip, Zip 8->31 dropped 55 Detected unpacking (changes PE section rights) 8->55 57 Tries to steal Mail credentials (via file / registry access) 8->57 59 Found many strings related to Crypto-Wallets (likely being stolen) 8->59 79 3 other signatures 8->79 19 schtasks.exe 1 8->19         started        21 schtasks.exe 1 8->21         started        45 db-ip.com 104.26.4.15, 443, 49705, 49706 CLOUDFLARENETUS United States 13->45 33 C:\Users\user\...\9AgqPmLfcuChGGBiLrs8LtN.zip, Zip 13->33 dropped 61 Antivirus detection for dropped file 13->61 63 Multi AV Scanner detection for dropped file 13->63 65 Machine Learning detection for dropped file 13->65 67 Potentially malicious time measurement code found 13->67 35 C:\Users\user\...\KT6NkQ5FQi5iz5tbDwvHyid.zip, Zip 15->35 dropped 69 Tries to detect sandboxes and other dynamic analysis tools (window names) 15->69 71 Tries to harvest and steal browser information (history, passwords, etc) 15->71 73 Tries to evade debugger and weak emulator (self modifying code) 15->73 75 Hides threads from debuggers 17->75 77 Tries to detect sandboxes / dynamic malware analysis system (registry check) 17->77 file6 signatures7 process8 process9 23 conhost.exe 19->23         started        25 conhost.exe 21->25         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/342c5af8d77498b4e29e236891d8b0265a25f1212bd58457e8cbf6ab20c23c39
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/342c5af8d77498b4e29e236891d8b0265a25f1212bd58457e8cbf6ab20c23c39/
Threat name:
Win32.Trojan.RisePro
Create hunting rule
Status:
Malicious
First seen:
2024-05-07 18:16:05 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gqwfv6gxosmljyu6enujdwfqezncl4jbfpkyiv7izp3kwigchq4q._file
Verdict:
malicious
Similar samples:
01d63645f4c648e12fa693ecc9a926eda29ca031c5d067c687ee65cab67e74e3
RiseProStealer
0e153cb1e3a6011a6c8c812ed24d0af683db1edfb9a1c3edf501732b00453095
RiseProStealer
2a92b3f6761a6202524f0f45241c9f449dfc9282364c9a726bce5beb5245bdd1
RiseProStealer
3ad4e957e9982149de9dcab1a4f6c657a60997b70ac4f7b9714f214c61fb0b4a
RiseProStealer
5cb9acbd4d0bfa2ae8a094291a44580bbcfb576042fe2328aa437d40c90f6e1c
RiseProStealer
6a845dde74086e4e06ad25bcb08d3fbd66c7e5f6db3bf83ed3290a3a5583eb5c
RiseProStealer
84176781043f8f95306328477f7b28fa721f44b1767fe740cbd207233c2a47c6
RiseProStealer
bbad6ec8a097e4194d258bde65582ed6ee0c3d0698bb0312f455eacffa8e0d69
RiseProStealer
bf550e571ef0bf5b24387f59769ba89e05c0b5ad42e23f01f0bae341517c6e73
RiseProStealer
+ 798 additional samples on MalwareBazaar
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer
Link:
https://tria.ge/reports/240507-wwfj3shc9t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
147.45.47.126:58709
Unpacked files
SH256 hash:
19cc253b55ba2375b1bf530c05dcea4b048d41c32d0d16982496c2601d16209c
MD5 hash:
6c6c9dd1d3ceb02932a00f1b163205b8
SHA1 hash:
13a73dcc7828af5ec4895917b9363625f6c8a282
Link:
https://www.unpac.me/results/77584a1e-09f0-42a3-915f-e2e9ca42e49f/
SH256 hash:
342c5af8d77498b4e29e236891d8b0265a25f1212bd58457e8cbf6ab20c23c39
MD5 hash:
47abef561c78932606d35c88d542a1db
SHA1 hash:
ef7729ea96589b7ef5df4eedb9a51bae18712734
Link:
https://www.unpac.me/results/77584a1e-09f0-42a3-915f-e2e9ca42e49f/
Malware family:
RisePro
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/342c5af8d774/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/342c5af8d77498b4e29e236891d8b0265a25f1212bd58457e8cbf6ab20c23c39

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 342c5af8d77498b4e29e236891d8b0265a25f1212bd58457e8cbf6ab20c23c39

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2835115/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments