MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 342db20b878cad669904cae39476c93baba80c4c82a270d49e0a6977e1b87d6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 342db20b878cad669904cae39476c93baba80c4c82a270d49e0a6977e1b87d6a
SHA3-384 hash: d5057e84e3f65d40658f48bc3e67f4dc405d792d0d6bf59f29c7fae504ebe0a96723c5c3ae499493f8552ec4a4d973d0
SHA1 hash: 3b0204fe92c357f8738af14a9ec1704a4307d255
MD5 hash: 095d74a4b9592ee8f9463ada962aa7e7
humanhash: hydrogen-one-sink-shade
File name:SecuriteInfo.com.Win32.TrojanX-gen.995.31569
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'334'720 bytes
First seen:2024-02-03 00:43:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 49152:BNSxJ3kK57s6MROrDJUYuHAAemHnLr3PQMO/7:BNsr3M4GAADPKz
TLSH T1D1B533E826360452E0137FFD9EA3A75508A39D13D6AC61391278FB254BFC8B3815CE76
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4505/5/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon cc31e8cccce833cc (116 x RiseProStealer, 1 x Amadey)
Reporter SecuriteInfoCom
Tags:exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/474261/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.995.31569.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed themidawinlicense
Link:
https://www.filescan.io/uploads/65bd8c544f733f8cc1bdb492/reports/c845fc7c-84c5-4526-b6ed-f3a5474d3c09/overview
Verdict:
Malicious
Labled as:
Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/342db20b878cad669904cae39476c93baba80c4c82a270d49e0a6977e1b87d6a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1f58c257-2f82-4f57-ae2d-fc110ccf7eb3
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1385930
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Contains functionality to detect sleep reduction / modifications
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1385930 Sample: SecuriteInfo.com.Win32.Troj... Startdate: 03/02/2024 Architecture: WINDOWS Score: 100 91 youtube-ui.l.google.com 2->91 93 www3.l.google.com 2->93 95 48 other IPs or domains 2->95 129 Snort IDS alert for network traffic 2->129 131 Multi AV Scanner detection for domain / URL 2->131 133 Antivirus detection for URL or domain 2->133 135 8 other signatures 2->135 9 SecuriteInfo.com.Win32.TrojanX-gen.995.31569.exe 2 123 2->9         started        14 MPGPH131.exe 107 2->14         started        16 MPGPH131.exe 108 2->16         started        18 8 other processes 2->18 signatures3 process4 dnsIp5 103 185.215.113.68 WHOLESALECONNECTIONSNL Portugal 9->103 105 109.107.182.3 TELEPORT-TV-ASRU Russian Federation 9->105 109 2 other IPs or domains 9->109 83 16 other malicious files 9->83 dropped 157 Detected unpacking (changes PE section rights) 9->157 159 Binary is likely a compiled AutoIt script file 9->159 161 Tries to steal Mail credentials (via file / registry access) 9->161 181 5 other signatures 9->181 20 x4NU3X2coe5tahBhUAqN.exe 9->20         started        23 UlbxGMIs7tCbN5OB2htM.exe 9->23         started        25 K1kpVjrxieH0XtsrMEWb.exe 9->25         started        35 5 other processes 9->35 107 mitmdetection.services.mozilla.com 14->107 71 C:\Users\user\...\nMhYy3gE0KQxg4gFFRPC.exe, PE32 14->71 dropped 73 C:\Users\user\...\VZZUm8SwifICh7LlOYeP.exe, PE32 14->73 dropped 75 C:\Users\user\...\TWi41jAKKauJiXhMrjkX.exe, PE32 14->75 dropped 85 8 other malicious files 14->85 dropped 163 Antivirus detection for dropped file 14->163 165 Multi AV Scanner detection for dropped file 14->165 167 Machine Learning detection for dropped file 14->167 77 C:\Users\user\...\_KGqK7Xx2z7eW6Oh0Y4Z.exe, PE32 16->77 dropped 79 C:\Users\user\...\V1fQWiMhoOWdtBdkL7yS.exe, PE32 16->79 dropped 81 C:\Users\user\...\ONPuH1j1QZFg8_ILkHPK.exe, PE32 16->81 dropped 87 7 other malicious files 16->87 dropped 169 Found many strings related to Crypto-Wallets (likely being stolen) 16->169 171 Tries to harvest and steal browser information (history, passwords, etc) 16->171 173 Hides threads from debuggers 16->173 175 Tries to evade debugger and weak emulator (self modifying code) 18->175 177 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 18->177 179 Tries to detect sandboxes / dynamic malware analysis system (registry check) 18->179 27 firefox.exe 18->27         started        31 msedge.exe 18->31         started        33 chrome.exe 18->33         started        37 5 other processes 18->37 file6 signatures7 process8 dnsIp9 137 Detected unpacking (changes PE section rights) 20->137 139 Detected unpacking (overwrites its own PE header) 20->139 141 Disables Windows Defender Tamper protection 20->141 153 3 other signatures 20->153 143 Multi AV Scanner detection for dropped file 23->143 145 Tries to detect sandboxes and other dynamic analysis tools (window names) 23->145 147 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 23->147 155 2 other signatures 23->155 149 Binary is likely a compiled AutoIt script file 25->149 39 chrome.exe 25->39         started        42 chrome.exe 25->42         started        44 chrome.exe 25->44         started        56 9 other processes 25->56 117 172.253.124.106 GOOGLEUS United States 27->117 119 173.194.219.136 GOOGLEUS United States 27->119 125 14 other IPs or domains 27->125 89 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 27->89 dropped 46 firefox.exe 27->46         started        121 13.107.22.239 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 31->121 123 13.107.246.41 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 31->123 127 25 other IPs or domains 31->127 151 Hides threads from debuggers 35->151 48 conhost.exe 35->48         started        50 conhost.exe 35->50         started        52 conhost.exe 35->52         started        54 conhost.exe 35->54         started        file10 signatures11 process12 dnsIp13 97 192.168.2.6 unknown unknown 39->97 99 192.168.2.7 unknown unknown 39->99 101 239.255.255.250 unknown Reserved 39->101 58 chrome.exe 39->58         started        61 chrome.exe 42->61         started        63 chrome.exe 44->63         started        65 msedge.exe 56->65         started        67 msedge.exe 56->67         started        69 msedge.exe 56->69         started        process14 dnsIp15 111 clients.l.google.com 142.250.105.139 GOOGLEUS United States 58->111 113 142.250.105.84 GOOGLEUS United States 58->113 115 17 other IPs or domains 58->115
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/342db20b878cad669904cae39476c93baba80c4c82a270d49e0a6977e1b87d6a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/342db20b878cad669904cae39476c93baba80c4c82a270d49e0a6977e1b87d6a/
Threat name:
Win32.Spyware.Risepro
Create hunting rule
Status:
Malicious
First seen:
2024-02-02 22:28:39 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
21 of 24 (87.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gqw3ec4hrswwngiezlrzi5wjhov2qdcmqkrhbve6bjuxpynypvva._file
Verdict:
malicious
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer
Link:
https://tria.ge/reports/240203-a3g6lachh2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.62:50500
Unpacked files
SH256 hash:
aae773a3db3ff7521eb1df7aa0844c39a4a120ece4f79d9a5b49a8b092ca3c1c
MD5 hash:
770c19176931c8e1ba4a969325f270ee
SHA1 hash:
8d8c7b35d0df9f4ad939999aac84f2fdb7787192
Link:
https://www.unpac.me/results/677744f7-7401-43a7-83ca-b6e6a73fed18/
SH256 hash:
342db20b878cad669904cae39476c93baba80c4c82a270d49e0a6977e1b87d6a
MD5 hash:
095d74a4b9592ee8f9463ada962aa7e7
SHA1 hash:
3b0204fe92c357f8738af14a9ec1704a4307d255
Link:
https://www.unpac.me/results/677744f7-7401-43a7-83ca-b6e6a73fed18/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/342db20b878c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/342db20b878cad669904cae39476c93baba80c4c82a270d49e0a6977e1b87d6a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 342db20b878cad669904cae39476c93baba80c4c82a270d49e0a6977e1b87d6a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2755484/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/474261/

Comments