MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3726fd2adc46647baeedba9144d1fa6e0634c08f55f183fcf4c5e67c763b446a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3726fd2adc46647baeedba9144d1fa6e0634c08f55f183fcf4c5e67c763b446a
SHA3-384 hash: b093fa4ea9f7c548990283e09ce2ddd9c57635e303ec92f2d84d882f4d7903fcd0c774b275843c34280a571e2075d11a
SHA1 hash: 699038b57cb6442818325a8138fa83d0e05ea4ef
MD5 hash: 0e7c3afcce5e1afbdcc07e76fcac2411
humanhash: fifteen-jersey-oranges-six
File name:0e7c3afcce5e1afbdcc07e76fcac2411
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:1'950'720 bytes
First seen:2024-01-04 21:30:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:Bm0qroo2q2hNg2kSoeu+JL5wRHD5pasPskF:Y0joWjg2k6GtmmskF
TLSH T1E59533839AF491B3E57507B008F7429B1E32BDB0BEB8405E2251CE9659B3A585D3273F
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
471
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/469539/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

Win.Downloader.Crifi-10009288-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Searching for the browser window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Launching cmd.exe command interpreter
Running batch commands
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer greyware installer lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/65972397314dbc3b9b5b7acf/reports/a9ea44fa-50cb-407d-b4d5-ee29e93c2318/overview
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/3726fd2adc46647baeedba9144d1fa6e0634c08f55f183fcf4c5e67c763b446a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/de335d84-42ce-44ae-92f8-4fd32801eafc
Result
Threat name:
Amadey, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1370027
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Phishing site detected (based on logo match)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1370027 Sample: bQAztKaOuq.exe Startdate: 04/01/2024 Architecture: WINDOWS Score: 100 125 185.215.113.68 WHOLESALECONNECTIONSNL Portugal 2->125 127 ipinfo.io 2->127 129 2 other IPs or domains 2->129 147 Snort IDS alert for network traffic 2->147 149 Found malware configuration 2->149 151 Antivirus detection for dropped file 2->151 153 17 other signatures 2->153 13 bQAztKaOuq.exe 1 4 2->13         started        16 wscript.exe 2->16         started        19 rundll32.exe 2->19         started        21 rundll32.exe 2->21         started        signatures3 process4 file5 111 C:\Users\user\AppData\Local\...\Qv3ac95.exe, PE32 13->111 dropped 113 C:\Users\user\AppData\Local\...\7Um7OF20.exe, PE32 13->113 dropped 23 Qv3ac95.exe 1 4 13->23         started        145 Windows Scripting host queries suspicious COM object (likely to drop second stage) 16->145 27 QuantumFlow.pif 16->27         started        signatures6 process7 file8 99 C:\Users\user\AppData\Local\...\2OP8223.exe, PE32 23->99 dropped 101 C:\Users\user\AppData\Local\...\1hs68Hq1.exe, PE32 23->101 dropped 163 Binary is likely a compiled AutoIt script file 23->163 165 Machine Learning detection for dropped file 23->165 29 2OP8223.exe 14 23->29         started        33 1hs68Hq1.exe 12 23->33         started        103 C:\Users\user\AppData\Local\...\jsc.exe, PE32 27->103 dropped 167 Writes to foreign memory regions 27->167 169 Injects a PE file into a foreign processes 27->169 35 jsc.exe 27->35         started        signatures9 process10 dnsIp11 115 C:\Users\user\AppData\Local\Temp\...\Compound, PE32 29->115 dropped 181 Contains functionality to register a low level keyboard hook 29->181 38 cmd.exe 1 29->38         started        41 conhost.exe 29->41         started        183 Binary is likely a compiled AutoIt script file 33->183 185 Machine Learning detection for dropped file 33->185 187 Found API chain indicative of sandbox detection 33->187 189 Contains functionality to modify clipboard data 33->189 43 chrome.exe 1 33->43         started        46 chrome.exe 33->46         started        48 chrome.exe 33->48         started        131 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 35->131 133 ipinfo.io 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 35->133 117 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 35->117 dropped 119 C:\Users\user\AppData\...\FANBooster131.exe, PE32 35->119 dropped 121 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 35->121 dropped 123 C:\ProgramData\...\OfficeTrackerNMP131.exe, PE32 35->123 dropped 50 cmd.exe 35->50         started        52 cmd.exe 35->52         started        54 conhost.exe 35->54         started        file12 signatures13 process14 dnsIp15 155 Uses ping.exe to sleep 38->155 157 Drops PE files with a suspicious file extension 38->157 159 Uses schtasks.exe or at.exe to add and modify task schedules 38->159 161 Uses ping.exe to check the status of other devices and networks 38->161 56 cmd.exe 1 38->56         started        59 conhost.exe 38->59         started        135 192.168.2.4 unknown unknown 43->135 137 239.255.255.250 unknown Reserved 43->137 61 chrome.exe 43->61         started        64 chrome.exe 43->64         started        66 chrome.exe 6 43->66         started        68 chrome.exe 46->68         started        70 chrome.exe 48->70         started        72 schtasks.exe 50->72         started        74 schtasks.exe 52->74         started        signatures16 process17 dnsIp18 171 Uses ping.exe to sleep 56->171 76 Ground.pif 5 56->76         started        80 cmd.exe 2 56->80         started        82 cmd.exe 2 56->82         started        84 6 other processes 56->84 139 i1.ytimg.com 142.251.111.101 GOOGLEUS United States 61->139 141 www3.l.google.com 142.251.16.101 GOOGLEUS United States 61->141 143 44 other IPs or domains 61->143 signatures19 process20 file21 105 C:\Users\user\AppData\...\QuantumFlow.pif, PE32 76->105 dropped 107 C:\Users\user\AppData\Local\Temp\...\jsc.exe, PE32 76->107 dropped 173 Found API chain indicative of debugger detection 76->173 175 Found API chain indicative of sandbox detection 76->175 177 Drops PE files with a suspicious file extension 76->177 179 3 other signatures 76->179 86 cmd.exe 76->86         started        89 jsc.exe 76->89         started        109 C:\Users\user\AppData\Local\...behaviorgraphround.pif, PE32 80->109 dropped signatures22 process23 file24 97 C:\Users\user\AppData\...\QuantumFlow.url, MS 86->97 dropped 91 conhost.exe 86->91         started        93 conhost.exe 89->93         started        95 WerFault.exe 89->95         started        process25
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3726fd2adc46647baeedba9144d1fa6e0634c08f55f183fcf4c5e67c763b446a
Detection:
stealc
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3726fd2adc46647baeedba9144d1fa6e0634c08f55f183fcf4c5e67c763b446a/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2024-01-04 21:31:06 UTC
File Type:
PE (Exe)
Extracted files:
120
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g4tp2kw4izshxlxnxkiujup2nyddjqepkxyyh7huyxthy5r3irva._file
Verdict:
malicious
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline family:zgrat botnet:@pixelive botnet:legaa botnet:livetrafic brand:google evasion infostealer persistence phishing rat trojan
Link:
https://tria.ge/reports/240104-1c14wscge6/
Behaviour
Creates scheduled task(s)
Enumerates processes with tasklist
Enumerates system info in registry
Modifies Internet Explorer settings
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
AutoIT Executable
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
Amadey
Detect ZGRat V1
Detected google phishing page
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
ZGRat
Malware Config
C2 Extraction:
http://185.215.113.68
20.79.30.95:13856
195.20.16.103:20440
185.172.128.33:38294
Unpacked files
SH256 hash:
49f726559690aee6d88cfb1e775bbcbb53686d5655cb127f334e2bd51e596a54
MD5 hash:
d040e6b89d3e9b6c792c9b4a89549801
SHA1 hash:
995a51ac061716ef7dc327653a90c14c40fb3fc8
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/9352427b-7bad-4424-b1d4-4b0f7b0ce89b/
Parent samples :
e7f0e5b269709e0c1038f76d1073bf614308dfc5cac8beb1c2c39d6704eb804d
cdf64a111349a82f90434e360e6312f107a45a6dafa24f8fcddb497e1584ee79
9e56bc168efc43001c19a1720891c88fa4cefb2057b0b38b8c0effaab170e190
cf0c7d8987626b0d2f0115ca56a525762382a4e453365ea740caf733fd8a908e
da928ea0a7b11461c0e4e77880b48723a1138e68c7948a153c17f5e9da624209
e8e307f94d9319f62b20920b93bec8ad8fad2341a3fa1d072a0cd8257295d881
3726fd2adc46647baeedba9144d1fa6e0634c08f55f183fcf4c5e67c763b446a
f6503af4165e558f39c767f7df0c1b28adcd8149d64b5ac810687e1ba53daffb
828cda2143a5d51706f89716c96c8714cdadac696df62a806e566ecead0ed4ce
9120ce3b64b1eea0eccc343744f4e8ff3bdc88b8a79743e07a975c6c313789ee
3830e8249b95e86065288cb7a00ee9139d9e2fd918ff9c7e427e8684c1481579
17eb1a2f794ad5e02a0d96fcbd42fcfe328eb4a10bdda74d8e5cb1dfc46e4fa6
cbb21348582932ab0b31c23529c0cf675ba8b40f85f373d9a33b2853aedd1c16
9410861cbe8204310017cdec72056d49f8effbe26961cc6cb73fee37c731e0a0
267ea6b4497e79e884e06a78dbadb0ac85e7da70987a6230d299b1a3aae2edd1
c97aa2240452b4c1db4ccfbfc783c95d6b47309d5bd389675864d0fc3541b93a
fdb1515e4b51131fe289ea794f76acacb9939416b0905ed9e9e44f0ca60fc805
9bccd2dc8f14b92f591fab90b458da775598de51f9c56dca13ed0561e33eea24
SH256 hash:
66f1f56f51a966ee82ea2845551761246e6a72cadac0747b9fbf10c61df95a4d
MD5 hash:
0a9bf459a75b4e6932b5dc5e2ec360f7
SHA1 hash:
50566ae1205ea1e5c1e2798ce48245cce38a5957
Link:
https://www.unpac.me/results/9352427b-7bad-4424-b1d4-4b0f7b0ce89b/
SH256 hash:
1ec9440df98e7b65880eddf1dbf0cd98efd137314f4b1320140ab23351b69c5f
MD5 hash:
4bbcfd6f8689d4e5d65475b4c18ab90e
SHA1 hash:
c75e2c3c729b0edfc6dda488ffa0f4976d54e100
Detections:
win_amadey_auto
Create hunting rule
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/9352427b-7bad-4424-b1d4-4b0f7b0ce89b/
SH256 hash:
3726fd2adc46647baeedba9144d1fa6e0634c08f55f183fcf4c5e67c763b446a
MD5 hash:
0e7c3afcce5e1afbdcc07e76fcac2411
SHA1 hash:
699038b57cb6442818325a8138fa83d0e05ea4ef
Link:
https://www.unpac.me/results/9352427b-7bad-4424-b1d4-4b0f7b0ce89b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3726fd2adc46647baeedba9144d1fa6e0634c08f55f183fcf4c5e67c763b446a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 3726fd2adc46647baeedba9144d1fa6e0634c08f55f183fcf4c5e67c763b446a

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/469539/

Comments


Avatar
zbet commented on 2024-01-04 21:30:43 UTC

url : hxxp://109.107.182.3/love/bongo.exe