MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4673e26a480f6687f1401d09d30ec74629f2075d0c4ef036aed088ec5592e5d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4673e26a480f6687f1401d09d30ec74629f2075d0c4ef036aed088ec5592e5d0
SHA3-384 hash: 052aab34e98e6d81f062e8bb8a5b58d424c00a0ef81e0919bfba44855bb98a152cbc41585042632424982a1f36616d5c
SHA1 hash: b77f1cd319b84f846382507c82d941c733d01fa2
MD5 hash: d87cea33c84c896ba288ed045548ece9
humanhash: bulldog-wolfram-angel-uranus
File name:SecuriteInfo.com.Win32.TrojanX-gen.19516.30614
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'319'360 bytes
First seen:2024-02-03 00:43:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 49152:nlpN5tVF+G3ckhqtJesUC+VcDloq7xU7Scm2OSwEaqxJCxKY0NEbkZfnnoa1IOL:lppL+GMkwJ9UC+ad7xU2JfUxJWKY0q4h
TLSH T15AB533EA65368106C15B4FB4DC15597AE7638FF318851EF828EAF9169B3E03DCC0AC91
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4505/5/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon cc31e8cccce833cc (116 x RiseProStealer, 1 x Amadey)
Reporter SecuriteInfoCom
Tags:exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
320
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4673e26a480f6687f1401d09d30ec74629f2075d0c4ef036aed088ec5592e5d0.zip
Verdict:
Malicious activity
Analysis date:
2024-02-03 01:21:21 UTC
Tags:
risepro stealer evasion loader
Link:
https://app.any.run/tasks/b0136dd2-eb9d-4d7a-9cbb-90ae2619c7ab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/474262/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.19516.30614.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm packed packed themidawinlicense
Link:
https://www.filescan.io/uploads/65bd8c5619fc3809141cc5b4/reports/af1fd82b-9597-4c05-8a81-547af2569eca/overview
Verdict:
Malicious
Labled as:
Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/4673e26a480f6687f1401d09d30ec74629f2075d0c4ef036aed088ec5592e5d0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NtHack
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d0b1e183-7514-410e-aec8-af9bb62834b7
Result
Threat name:
Amadey, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1385929
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1385929 Sample: SecuriteInfo.com.Win32.Troj... Startdate: 03/02/2024 Architecture: WINDOWS Score: 100 95 youtube-ui.l.google.com 2->95 97 www.youtube.com 2->97 99 29 other IPs or domains 2->99 133 Snort IDS alert for network traffic 2->133 135 Antivirus detection for URL or domain 2->135 137 Antivirus / Scanner detection for submitted sample 2->137 139 9 other signatures 2->139 9 SecuriteInfo.com.Win32.TrojanX-gen.19516.30614.exe 2 112 2->9         started        14 MPGPH131.exe 95 2->14         started        16 MPGPH131.exe 13 2->16         started        18 7 other processes 2->18 signatures3 process4 dnsIp5 115 185.215.113.68 WHOLESALECONNECTIONSNL Portugal 9->115 117 109.107.182.3 TELEPORT-TV-ASRU Russian Federation 9->117 119 2 other IPs or domains 9->119 79 C:\Users\user\...\yUlbxGMIs7tCbN5OB2ht.exe, PE32 9->79 dropped 81 C:\Users\user\...\bx4NU3X2coe5tahBhUAq.exe, PE32 9->81 dropped 83 C:\Users\user\...83QN8GUyoPyocNxuyfVDc.exe, PE32 9->83 dropped 91 13 other malicious files 9->91 dropped 165 Detected unpacking (changes PE section rights) 9->165 167 Binary is likely a compiled AutoIt script file 9->167 169 Tries to steal Mail credentials (via file / registry access) 9->169 189 3 other signatures 9->189 20 bx4NU3X2coe5tahBhUAq.exe 9->20         started        23 M09nzqNfzQEYBvBr2nsd.exe 9->23         started        26 yUlbxGMIs7tCbN5OB2ht.exe 9->26         started        37 6 other processes 9->37 85 C:\Users\user\...\ZONPuH1j1QZFg8_ILkHP.exe, PE32 14->85 dropped 87 C:\Users\user\...\SIbRetbUh8CoAHMo6M1r.exe, PE32 14->87 dropped 89 C:\Users\user\...\RV1fQWiMhoOWdtBdkL7y.exe, PE32 14->89 dropped 93 8 other malicious files 14->93 dropped 171 Tries to harvest and steal browser information (history, passwords, etc) 14->171 173 Hides threads from debuggers 14->173 175 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->175 177 Antivirus detection for dropped file 16->177 179 Multi AV Scanner detection for dropped file 16->179 181 Machine Learning detection for dropped file 16->181 183 Potentially malicious time measurement code found 16->183 185 Tries to evade debugger and weak emulator (self modifying code) 18->185 187 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->187 28 msedge.exe 18->28         started        31 firefox.exe 18->31         started        33 firefox.exe 18->33         started        35 chrome.exe 18->35         started        file6 signatures7 process8 dnsIp9 141 Detected unpacking (changes PE section rights) 20->141 143 Detected unpacking (overwrites its own PE header) 20->143 145 Modifies windows update settings 20->145 155 3 other signatures 20->155 69 C:\Users\user\AppData\Local\...\explorhe.exe, PE32 23->69 dropped 39 explorhe.exe 23->39         started        147 Tries to detect sandboxes and other dynamic analysis tools (window names) 26->147 149 Tries to evade debugger and weak emulator (self modifying code) 26->149 151 Hides threads from debuggers 26->151 157 2 other signatures 26->157 127 23.96.180.189 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 28->127 129 ssl.bingadsedgeextension-prod-eastus.azurewebsites.net 40.71.99.188 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 28->129 131 22 other IPs or domains 28->131 153 Binary is likely a compiled AutoIt script file 37->153 44 firefox.exe 37->44         started        46 chrome.exe 37->46         started        48 chrome.exe 37->48         started        50 13 other processes 37->50 file10 signatures11 process12 dnsIp13 101 detectportal.firefox.com 39->101 71 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 39->71 dropped 73 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 39->73 dropped 159 Detected unpacking (changes PE section rights) 39->159 161 Creates an undocumented autostart registry key 39->161 163 Hides threads from debuggers 39->163 103 142.250.9.84 GOOGLEUS United States 44->103 105 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 44->105 113 8 other IPs or domains 44->113 75 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 44->75 dropped 77 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 44->77 dropped 52 firefox.exe 44->52         started        54 firefox.exe 44->54         started        56 firefox.exe 44->56         started        107 192.168.2.5 unknown unknown 46->107 109 192.168.2.7 unknown unknown 46->109 111 239.255.255.250 unknown Reserved 46->111 58 chrome.exe 46->58         started        61 chrome.exe 48->61         started        63 chrome.exe 50->63         started        65 msedge.exe 50->65         started        67 msedge.exe 50->67         started        file14 signatures15 process16 dnsIp17 121 142.250.105.139 GOOGLEUS United States 58->121 123 142.250.9.100 GOOGLEUS United States 58->123 125 25 other IPs or domains 58->125
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4673e26a480f6687f1401d09d30ec74629f2075d0c4ef036aed088ec5592e5d0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4673e26a480f6687f1401d09d30ec74629f2075d0c4ef036aed088ec5592e5d0/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-02-03 00:44:07 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=izz6e2sib5tip4kadue5gdwhiyu7eb25brhpanvo2ceoyvms4xia._file
Verdict:
malicious
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer
Link:
https://tria.ge/reports/240203-a3hgcschh3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.62:50500
Unpacked files
SH256 hash:
c6abb30c6a6351137006328ea400cb6504e4464c6d80a2409205c77002aa7130
MD5 hash:
9f4d70f0aebcff15fac81630d800534c
SHA1 hash:
b06a841e382554b96dd404ae98f60bba6847d29d
Link:
https://www.unpac.me/results/66acdabd-4f85-4201-8130-0d0fb3406d92/
SH256 hash:
4673e26a480f6687f1401d09d30ec74629f2075d0c4ef036aed088ec5592e5d0
MD5 hash:
d87cea33c84c896ba288ed045548ece9
SHA1 hash:
b77f1cd319b84f846382507c82d941c733d01fa2
Link:
https://www.unpac.me/results/66acdabd-4f85-4201-8130-0d0fb3406d92/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4673e26a480f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4673e26a480f6687f1401d09d30ec74629f2075d0c4ef036aed088ec5592e5d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_e5f4703f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 4673e26a480f6687f1401d09d30ec74629f2075d0c4ef036aed088ec5592e5d0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2755571/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/474262/

Comments