MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3aec2bcb76da203ec5e6c59b712a69a048b0b1da14d4234bf0ba700cf6c2ba0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3aec2bcb76da203ec5e6c59b712a69a048b0b1da14d4234bf0ba700cf6c2ba0a
SHA3-384 hash: 2f8731b4035977db934f35ec827dba54c399105c76c31aa100206491be0e0d7b173eb7e6dcf883cd840d94444ee6d4f8
SHA1 hash: 957fe870a6ab1afe50a92b290936935847519016
MD5 hash: 739edbbab87a6cad0eb66d08be2696af
humanhash: mars-violet-eight-potato
File name:739edbbab87a6cad0eb66d08be2696af
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'362'880 bytes
First seen:2024-02-12 05:31:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:NJfOUhQenQZiiQrOrBg1qNGv0MsfshzejgkNVypVmm:7WIznQZiTrN1aMswkXy/mm
TLSH T1B9B533E9BD739579E21B87B9A81A4401CF0BFD9B1274036C6088F8A257BF934D469D38
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon cc31e8cccce833cc (116 x RiseProStealer, 1 x Amadey)
Reporter zbetcheckin
Tags:32 exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
310
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/475776/
Detection(s):
Win.Packed.Trojanx-10020211-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Launching a process
Creating a file in the %temp% directory
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Creating a process from a recently created file
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed risepro
Link:
https://www.filescan.io/uploads/65c9ad55bef28d0c6fb59a6e/reports/fc7db151-4cc3-448d-8986-9cc33f33096e/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/3aec2bcb76da203ec5e6c59b712a69a048b0b1da14d4234bf0ba700cf6c2ba0a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/87b33ae9-c0a2-446b-97ae-63577d9dc03e
Result
Threat name:
Amadey, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1390514
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1390514 Sample: osvpYbj9SC.exe Startdate: 12/02/2024 Architecture: WINDOWS Score: 100 117 Multi AV Scanner detection for domain / URL 2->117 119 Antivirus detection for URL or domain 2->119 121 Antivirus / Scanner detection for submitted sample 2->121 123 7 other signatures 2->123 8 osvpYbj9SC.exe 2 116 2->8         started        13 MPGPH131.exe 103 2->13         started        15 MSIUpdaterV131.exe 2->15         started        17 8 other processes 2->17 process3 dnsIp4 99 185.215.113.46 WHOLESALECONNECTIONSNL Portugal 8->99 101 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->101 103 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 8->103 69 C:\Users\user\...\Y3LioifhBKCjHppsamEX.exe, PE32 8->69 dropped 71 C:\Users\user\...\UsG4XxpJdyfes55pJM0i.exe, PE32 8->71 dropped 83 16 other malicious files 8->83 dropped 143 Detected unpacking (changes PE section rights) 8->143 145 Binary is likely a compiled AutoIt script file 8->145 147 Tries to steal Mail credentials (via file / registry access) 8->147 167 4 other signatures 8->167 19 NCKXbrxGtHGdaGvPyFZu.exe 8->19         started        22 IxfvgRVbbWkIsOAXsSA1.exe 8->22         started        24 Y3LioifhBKCjHppsamEX.exe 8->24         started        33 4 other processes 8->33 73 C:\Users\user\...\sAup6wpzvvxKJQdsiUM9.exe, PE32 13->73 dropped 75 C:\Users\user\...\oepkJ78I0gXihO2LQnAh.exe, PE32 13->75 dropped 77 C:\Users\user\...\ZPRxJpr5f_p3STdN5HSS.exe, PE32 13->77 dropped 85 10 other malicious files 13->85 dropped 149 Antivirus detection for dropped file 13->149 151 Multi AV Scanner detection for dropped file 13->151 153 Machine Learning detection for dropped file 13->153 155 Tries to evade debugger and weak emulator (self modifying code) 15->155 157 Hides threads from debuggers 15->157 159 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->159 105 108.177.122.84 GOOGLEUS United States 17->105 107 142.250.9.93 GOOGLEUS United States 17->107 109 19 other IPs or domains 17->109 79 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 17->79 dropped 81 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 17->81 dropped 161 Found many strings related to Crypto-Wallets (likely being stolen) 17->161 163 Creates multiple autostart registry keys 17->163 165 Tries to harvest and steal browser information (history, passwords, etc) 17->165 26 firefox.exe 17->26         started        28 msedge.exe 17->28         started        31 msedge.exe 17->31         started        35 4 other processes 17->35 file5 signatures6 process7 dnsIp8 125 Detected unpacking (changes PE section rights) 19->125 127 Tries to detect sandboxes and other dynamic analysis tools (window names) 19->127 129 Modifies windows update settings 19->129 141 5 other signatures 19->141 131 Multi AV Scanner detection for dropped file 22->131 133 Tries to evade debugger and weak emulator (self modifying code) 22->133 135 Hides threads from debuggers 22->135 137 Binary is likely a compiled AutoIt script file 24->137 37 chrome.exe 24->37         started        40 chrome.exe 24->40         started        42 chrome.exe 24->42         started        52 10 other processes 24->52 139 Found many strings related to Crypto-Wallets (likely being stolen) 26->139 111 23.34.82.12 SAUDINETSTC-ASSA United States 28->111 113 13.107.21.239 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 28->113 115 25 other IPs or domains 28->115 44 conhost.exe 33->44         started        46 conhost.exe 33->46         started        48 conhost.exe 33->48         started        50 conhost.exe 33->50         started        signatures9 process10 dnsIp11 87 192.168.2.4 unknown unknown 37->87 89 192.168.2.5 unknown unknown 37->89 91 239.255.255.250 unknown Reserved 37->91 54 chrome.exe 37->54         started        57 chrome.exe 40->57         started        59 chrome.exe 42->59         started        61 chrome.exe 52->61         started        63 msedge.exe 52->63         started        65 msedge.exe 52->65         started        67 msedge.exe 52->67         started        process12 dnsIp13 93 13.107.42.14 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 54->93 95 144.2.9.1 LINKEDINUS Netherlands 54->95 97 44 other IPs or domains 54->97
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3aec2bcb76da203ec5e6c59b712a69a048b0b1da14d4234bf0ba700cf6c2ba0a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3aec2bcb76da203ec5e6c59b712a69a048b0b1da14d4234bf0ba700cf6c2ba0a/
Threat name:
Win32.Spyware.Risepro
Create hunting rule
Status:
Malicious
First seen:
2024-02-12 05:32:07 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
22 of 24 (91.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hlwcxs3w3iqd5rpgywnxcktjubelbmo2ctkcgs7qxjyaz5wcxifa._file
Verdict:
malicious
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer
Link:
https://tria.ge/reports/240212-f8aatsde81/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.62:50500
Unpacked files
SH256 hash:
f5725ecda0420d3613ef628bc1635d90d451393e0863aa463c3d00b5514b87a7
MD5 hash:
cd6229cf20b5ff4746d9c880b2210b6b
SHA1 hash:
4a2fc48fed47d93824b175378d57468bb4b6f2e8
Link:
https://www.unpac.me/results/ced63012-c702-4168-9cd9-dda73f520402/
SH256 hash:
3aec2bcb76da203ec5e6c59b712a69a048b0b1da14d4234bf0ba700cf6c2ba0a
MD5 hash:
739edbbab87a6cad0eb66d08be2696af
SHA1 hash:
957fe870a6ab1afe50a92b290936935847519016
Link:
https://www.unpac.me/results/ced63012-c702-4168-9cd9-dda73f520402/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3aec2bcb76da/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3aec2bcb76da203ec5e6c59b712a69a048b0b1da14d4234bf0ba700cf6c2ba0a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 3aec2bcb76da203ec5e6c59b712a69a048b0b1da14d4234bf0ba700cf6c2ba0a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2758175/
  
URLhaus
https://urlhaus.abuse.ch/url/2759950/
Cape
Cape
https://www.capesandbox.com/analysis/475776/

Comments


Avatar
zbet commented on 2024-02-12 05:31:58 UTC

url : hxxp://185.215.113.46/cost/ladas.exe