MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 351330cfc7cf6223642437bec912c438aa704f20afc8142251fb647a95eb31b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 351330cfc7cf6223642437bec912c438aa704f20afc8142251fb647a95eb31b6
SHA3-384 hash: e79712e8fbd7d4a329e696be59d9889be4f38284343eac50d69560e8d2b3baac0536628034aa3ba2e1787f11fc4ad1a3
SHA1 hash: 542aa409b7a39d221c81f80a08249467adc7ed7c
MD5 hash: 596b5f00ef8e33cce3b908005d899d17
humanhash: mockingbird-video-two-fourteen
File name:596b5f00ef8e33cce3b908005d899d17
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:3'072'000 bytes
First seen:2024-03-13 08:29:02 UTC
Last seen:2024-03-13 10:28:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 49152:ng94f4cds5c2ENUsnOd4qpxv9/yEq8E8zIDl:nLI5lEN3nOKqpxtyu5IDl
Threatray 207 similar samples on MalwareBazaar
TLSH T1F5E57B92A509F1CFD49E177C9427CD827A2E82FC479048D3B8AC787A7D67DC212B5D28
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon b3b2b3b2cceee7b2 (146 x RiseProStealer, 7 x CoinMiner, 1 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe RiseProStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
435
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
351330cfc7cf6223642437bec912c438aa704f20afc8142251fb647a95eb31b6.exe
Verdict:
Malicious activity
Analysis date:
2024-03-13 08:34:24 UTC
Tags:
risepro
Link:
https://app.any.run/tasks/0fbb689d-5085-4854-a395-b30b0bea2ea7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/478865/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.23976.6069.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Launching a process
Creating a file in the %temp% directory
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Сreating synchronization primitives
Reading critical registry keys
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin msbuild packed packed themidawinlicense
Link:
https://www.filescan.io/uploads/65f163db5cd908a33db0d37f/reports/724b279b-20fb-4ae9-afcb-5ff92c17e5b9/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/351330cfc7cf6223642437bec912c438aa704f20afc8142251fb647a95eb31b6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6c8b3676-7924-49ec-8758-e18af5fd0ae6
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1408048
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1408048 Sample: UTCy4CLqRJ.exe Startdate: 13/03/2024 Architecture: WINDOWS Score: 100 68 ipinfo.io 2->68 70 db-ip.com 2->70 80 Snort IDS alert for network traffic 2->80 82 Malicious sample detected (through community Yara rule) 2->82 84 Antivirus detection for URL or domain 2->84 86 6 other signatures 2->86 8 RageMP131.exe 2->8         started        12 MPGPH131.exe 73 2->12         started        15 MPGPH131.exe 1 75 2->15         started        17 7 other processes 2->17 signatures3 process4 dnsIp5 50 C:\Users\user\...\VOPC9BcsU1q30BKGijJ5.exe, PE32 8->50 dropped 52 C:\Users\user\...\RNfJjD_GBZYAOqC4h5pr.exe, PE32 8->52 dropped 60 6 other malicious files 8->60 dropped 98 Multi AV Scanner detection for dropped file 8->98 100 Detected unpacking (changes PE section rights) 8->100 102 Tries to steal Mail credentials (via file / registry access) 8->102 120 2 other signatures 8->120 19 RNfJjD_GBZYAOqC4h5pr.exe 8->19         started        22 schtasks.exe 8->22         started        24 schtasks.exe 8->24         started        72 ipinfo.io 34.117.186.192, 443, 49732, 49733 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 12->72 54 C:\Users\user\...\lUBEESpI5QnhBKDdfd1y.exe, PE32 12->54 dropped 62 3 other malicious files 12->62 dropped 104 Machine Learning detection for dropped file 12->104 106 Found many strings related to Crypto-Wallets (likely being stolen) 12->106 108 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 12->108 110 Found API chain indicative of sandbox detection 12->110 26 lUBEESpI5QnhBKDdfd1y.exe 12->26         started        28 schtasks.exe 12->28         started        30 schtasks.exe 12->30         started        74 193.233.132.167, 49736, 49737, 49762 FREE-NET-ASFREEnetEU Russian Federation 15->74 76 db-ip.com 104.26.4.15, 443, 49734, 49735 CLOUDFLARENETUS United States 15->76 56 C:\Users\user\...\1tJs08p6_iYQpwPpReQe.exe, PE32 15->56 dropped 58 C:\Users\user\AppData\Local\...dgeMS131.exe, PE32 15->58 dropped 64 3 other malicious files 15->64 dropped 112 Creates multiple autostart registry keys 15->112 114 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->114 32 1tJs08p6_iYQpwPpReQe.exe 15->32         started        78 193.233.132.62, 49730, 49731, 49738 FREE-NET-ASFREEnetEU Russian Federation 17->78 66 2 other malicious files 17->66 dropped 116 Antivirus detection for dropped file 17->116 118 Found stalling execution ending in API Sleep call 17->118 122 2 other signatures 17->122 34 schtasks.exe 1 17->34         started        36 schtasks.exe 1 17->36         started        file6 signatures7 process8 signatures9 38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        88 Tries to evade debugger and weak emulator (self modifying code) 26->88 90 Tries to detect sandboxes / dynamic malware analysis system (registry check) 26->90 42 conhost.exe 28->42         started        44 conhost.exe 30->44         started        92 Antivirus detection for dropped file 32->92 94 Detected unpacking (changes PE section rights) 32->94 96 Machine Learning detection for dropped file 32->96 46 conhost.exe 34->46         started        48 conhost.exe 36->48         started        process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/351330cfc7cf6223642437bec912c438aa704f20afc8142251fb647a95eb31b6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/351330cfc7cf6223642437bec912c438aa704f20afc8142251fb647a95eb31b6/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2024-03-13 08:30:06 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gujtbt6hz5rcgzbeg67msewehcvhatzav7ebiisr7nshvfplgg3a._file
Verdict:
malicious
Similar samples:
127320b6f35c9014ba3fd5f97ba6e8317c444fb0d907c8cc5b2fad053d9fa51a
RiseProStealer
1bbf4caf546512e09ca6c0dc5778857fc4ad629cd7dd856fe243cc99d05b25d0
RiseProStealer
5008e2d6e04d5619881f6007c3526c39e89d5c826a4a3e8f7fb2d22a5c0186f7
RiseProStealer
7eda96196aba8ede36cfb15ac508debe75927d0b2997ef9c494d0223fb478dd3
RiseProStealer
97efe91fe5eff3dcdcb055f037f1df01c1409e6bd38a8f07170ea53a0ff265ef
RiseProStealer
c24d184cdbdeff2bd7bd14e7bd5e3c6853570959fdd3b357696674cc589b188a
RiseProStealer
c596382cb0d70ffc611e7e49f9dc6c85269c98e92b76b23d6d54655609416d2c
RiseProStealer
cb9c4d1d3bdec4066ee2ab596cbbe4846a28130e42ffae0b0a336b26e29a8a37
RiseProStealer
d30c694d7f1f9caf7d46268371607364bb25199b0e2c5559e8bd73bd6b9993fb
RiseProStealer
e6152cc4702000546accc8d72aed7cb2a17381fbfed6b2dae32a336e15440549
RiseProStealer
+ 197 additional samples on MalwareBazaar
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer
Link:
https://tria.ge/reports/240313-kdkkjagg6x/
Behaviour
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.62
Unpacked files
SH256 hash:
a115cd30b2892fc81c2fb9462e067a8d468110e9f67f5f55e1d9370340c2e5c5
MD5 hash:
a2a9cdbb05bddba669f4ab20db187fcd
SHA1 hash:
cfadcca19856fe5dee22e8e265b3f4c0ad08906f
Link:
https://www.unpac.me/results/ce18cf02-6cf1-4e74-b086-406766470a88/
SH256 hash:
3157fcd721bdf4adfc156327fc314639f906a4171d7f1a100fe0dd766f4ef363
MD5 hash:
24ae399a5d08ab7714f65d4ae53bf2b8
SHA1 hash:
c0276b13e2b383665e70e70728f0afc2be9b80cd
Link:
https://www.unpac.me/results/ce18cf02-6cf1-4e74-b086-406766470a88/
SH256 hash:
351330cfc7cf6223642437bec912c438aa704f20afc8142251fb647a95eb31b6
MD5 hash:
596b5f00ef8e33cce3b908005d899d17
SHA1 hash:
542aa409b7a39d221c81f80a08249467adc7ed7c
Link:
https://www.unpac.me/results/ce18cf02-6cf1-4e74-b086-406766470a88/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/351330cfc7cf6223642437bec912c438aa704f20afc8142251fb647a95eb31b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_e5f4703f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 351330cfc7cf6223642437bec912c438aa704f20afc8142251fb647a95eb31b6

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2781842/
  
URLhaus
https://urlhaus.abuse.ch/url/2775398/
Cape
Cape
https://www.capesandbox.com/analysis/478865/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments


Avatar
zbet commented on 2024-03-13 08:29:03 UTC

url : hxxp://193.233.132.167/cost/lenin.exe