MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a649fa91a13523a86b7bd178fb4ccf28970d1627bfb4ece042a42f020262697. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a649fa91a13523a86b7bd178fb4ccf28970d1627bfb4ece042a42f020262697
SHA3-384 hash: 6e3b062d4d9bb1097701f7297f1ffb0016fe9bbc2888dd5fe9f12259edf7819a1da4de7bd7c85c931cbc8380616d48d8
SHA1 hash: 5021f26c951626d2e3e4473c221886b0eb9b5fdd
MD5 hash: d6a339754292a9feebfd3660fbac3a55
humanhash: arkansas-north-florida-comet
File name:SecuriteInfo.com.Win32.TrojanX-gen.27020.26387
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'302'464 bytes
First seen:2024-01-31 22:30:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 49152:vOEiPsx7rouKqmsX0Zf89lOOmCvS0+NgIynZ7KDNMrDuExSzWf6:vOEUsxNKqmsX+k7P+NzyKDirDh0Wf
Threatray 17 similar samples on MalwareBazaar
TLSH T128B533F073F68840E0AB0775852BAAA364A7FC8B471284F47906F339277D7369716E61
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4505/5/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon cc31e8cccce833cc (116 x RiseProStealer, 1 x Amadey)
Reporter SecuriteInfoCom
Tags:exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
327
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/473868/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.27020.26387.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed packed themidawinlicense
Link:
https://www.filescan.io/uploads/65baca27096abd9a02745151/reports/d2342dbf-1cab-4c2f-adfc-ee791b23e815/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/3a649fa91a13523a86b7bd178fb4ccf28970d1627bfb4ece042a42f020262697
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4697f780-0f0f-4f5e-bae4-2b18c2f38977
Result
Threat name:
PureLog Stealer, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1384407
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Downloads suspicious files via Chrome
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected PureLog Stealer
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1384407 Sample: SecuriteInfo.com.Win32.Troj... Startdate: 31/01/2024 Architecture: WINDOWS Score: 100 86 youtube-ui.l.google.com 2->86 88 www.youtube.com 2->88 90 32 other IPs or domains 2->90 116 Snort IDS alert for network traffic 2->116 118 Antivirus detection for URL or domain 2->118 120 Antivirus / Scanner detection for submitted sample 2->120 122 8 other signatures 2->122 9 SecuriteInfo.com.Win32.TrojanX-gen.27020.26387.exe 1 103 2->9         started        14 MPGPH131.exe 96 2->14         started        16 MPGPH131.exe 10 2->16         started        18 6 other processes 2->18 signatures3 process4 dnsIp5 98 185.215.113.68 WHOLESALECONNECTIONSNL Portugal 9->98 100 109.107.182.3 TELEPORT-TV-ASRU Russian Federation 9->100 106 2 other IPs or domains 9->106 62 C:\Users\user\...\zoRJxki3yuNyyVpGck8v.exe, PE32 9->62 dropped 74 12 other malicious files 9->74 dropped 144 Detected unpacking (changes PE section rights) 9->144 146 Binary is likely a compiled AutoIt script file 9->146 148 Tries to steal Mail credentials (via file / registry access) 9->148 168 4 other signatures 9->168 20 2aaVTcqKXB6rLPViLsw_.exe 9->20         started        23 zoRJxki3yuNyyVpGck8v.exe 9->23         started        25 YKfJEDteQ52TxyKiWT1a.exe 9->25         started        34 3 other processes 9->34 64 C:\Users\user\...\zCsw45b1OfgD78HqPnnd.exe, PE32 14->64 dropped 66 C:\Users\user\...\vCOSU_GMrs_46UPsBSK8.exe, PE32 14->66 dropped 68 C:\Users\user\...\jCjnFCOXOpGEI8EjVMTQ.exe, PE32 14->68 dropped 76 8 other malicious files 14->76 dropped 150 Antivirus detection for dropped file 14->150 152 Multi AV Scanner detection for dropped file 14->152 154 Machine Learning detection for dropped file 14->154 156 Found many strings related to Crypto-Wallets (likely being stolen) 16->156 158 Tries to harvest and steal browser information (history, passwords, etc) 16->158 160 Hides threads from debuggers 16->160 102 142.250.9.136 GOOGLEUS United States 18->102 104 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 18->104 108 11 other IPs or domains 18->108 70 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 18->70 dropped 72 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 18->72 dropped 78 5 other malicious files 18->78 dropped 162 Tries to evade debugger and weak emulator (self modifying code) 18->162 164 Tries to detect sandboxes / dynamic malware analysis system (registry check) 18->164 166 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->166 27 msedge.exe 18->27         started        30 firefox.exe 18->30         started        32 firefox.exe 18->32         started        file6 signatures7 process8 dnsIp9 124 Detected unpacking (changes PE section rights) 20->124 126 Tries to detect sandboxes and other dynamic analysis tools (window names) 20->126 128 Tries to evade debugger and weak emulator (self modifying code) 20->128 142 2 other signatures 20->142 130 Modifies windows update settings 23->130 132 Disables Windows Defender Tamper protection 23->132 134 Disable Windows Defender notifications (registry) 23->134 136 Disable Windows Defender real time protection (registry) 23->136 138 Binary is likely a compiled AutoIt script file 25->138 36 chrome.exe 25->36         started        39 chrome.exe 25->39         started        41 chrome.exe 25->41         started        47 9 other processes 25->47 110 104.97.85.37 TWC-7843-BBUS United States 27->110 112 23.222.4.135 TISCALI-IT United States 27->112 114 26 other IPs or domains 27->114 140 Hides threads from debuggers 34->140 43 conhost.exe 34->43         started        45 conhost.exe 34->45         started        signatures10 process11 dnsIp12 92 192.168.2.7 unknown unknown 36->92 94 192.168.2.16 unknown unknown 36->94 96 239.255.255.250 unknown Reserved 36->96 49 chrome.exe 36->49         started        52 chrome.exe 39->52         started        54 chrome.exe 41->54         started        56 msedge.exe 47->56         started        58 msedge.exe 47->58         started        60 msedge.exe 47->60         started        process13 dnsIp14 80 accounts.google.com 142.250.105.84 GOOGLEUS United States 49->80 82 www3.l.google.com 142.250.9.101 GOOGLEUS United States 49->82 84 20 other IPs or domains 49->84
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3a649fa91a13523a86b7bd178fb4ccf28970d1627bfb4ece042a42f020262697
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3a649fa91a13523a86b7bd178fb4ccf28970d1627bfb4ece042a42f020262697/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-01-31 22:31:06 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hjsj7ki2cnjdvbvxxuly7ngm6kexbulcpp5u5tqefjbpaibge2lq._file
Verdict:
malicious
Similar samples:
00e518ee9b4fe5909e432f9671b8f46f74f79a4f60fe882529cc068b8b50cdf8
RiseProStealer
06ccb8e6100fd654b89367b2c6ea6be48dfc91c404656b4020516fcf1350179f
RiseProStealer
2f7f23610e8e0633ef0b03d602a02734bdcadab3fdc8c15d0f6d93a0a454fa6f
RiseProStealer
9351da4f7387db729e9c8f5aa3c746197449922c6f1dafa59b02941bbe5615d2
RiseProStealer
9e0fdb12f3c1424fc1835a3f2fa330c876299cc072ada7a7ab265ac7207cccab
RiseProStealer
d0147494ca9687e1035bb977a4d3dd8381358603bcafa4adfb98b629e060bf32
RiseProStealer
fbeb0e418fb3c16c3ff0a654969998ab3c2237abd3d840066731df8f212c95bc
RiseProStealer
+ 7 additional samples on MalwareBazaar
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer
Link:
https://tria.ge/reports/240131-2fcq5sdfb7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.62:50500
Unpacked files
SH256 hash:
5f0ac52e9609cfdd54a7aecd5b613146db658119ce472fff3b6be10d4b0e88fc
MD5 hash:
20a426ca3d97c039c3b9f00e4f301f40
SHA1 hash:
3f4ea8bf5d8fb8329e9777c4910cc7cd9da898b5
Link:
https://www.unpac.me/results/db75bf3e-291d-4f0b-9128-2faaa04aec6b/
SH256 hash:
3a649fa91a13523a86b7bd178fb4ccf28970d1627bfb4ece042a42f020262697
MD5 hash:
d6a339754292a9feebfd3660fbac3a55
SHA1 hash:
5021f26c951626d2e3e4473c221886b0eb9b5fdd
Link:
https://www.unpac.me/results/db75bf3e-291d-4f0b-9128-2faaa04aec6b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3a649fa91a13/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3a649fa91a13523a86b7bd178fb4ccf28970d1627bfb4ece042a42f020262697

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 3a649fa91a13523a86b7bd178fb4ccf28970d1627bfb4ece042a42f020262697

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2754196/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/473868/

Comments