MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 469981acf9f08fe587adf5bf98ec0a68628bd55fb1041a2e348bfc5e7d12d33d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RisePro

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	469981acf9f08fe587adf5bf98ec0a68628bd55fb1041a2e348bfc5e7d12d33d
SHA3-384 hash:	ff9c5b8f61e730dbf0e8fc3a678b1df526e5eebfbe0662d3a2119c029a80f90443159a1cdee5f415a662dcc3aff1630f
SHA1 hash:	11c0a0d1bcb6cdc60fe8570b505e1fb9566396f2
MD5 hash:	bcf91be0d8ff593ab085fcd7f14bbc3b
humanhash:	monkey-lamp-twelve-nineteen
File name:	file
Download:	download sample
Signature	RisePro Create hunting rule
File size:	1'343'488 bytes
First seen:	2023-10-18 16:21:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d0a056364cb56fcba1362a2948fd000d (2 x RiseProStealer, 1 x RisePro)
ssdeep	24576:R6kGQinz+EqbUuGe/Ncfy8YtKu28CNSsbQJWdBaFkxLfylTeBGlZaCx8tmrc9jc:f3qqEJUQFWCjbQJW3aFkxL6lTTlZaCxn
Threatray	29 similar samples on MalwareBazaar
TLSH	T129559D71B402D037E1A101F5A67E9BA611A9BA3017AB08D7B7C05E7D94F1DC36236F2B
TrID	40.3% (.EXE) Win64 Executable (generic) (10523/12/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4505/5/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	jstrosch
Tags:	exe RisePro

Intelligence

File Origin

# of uploads :

# of downloads :

326

Origin country :

Vendor Threat Intelligence

Detection(s):

Win.Trojan.Sality-1023

Win.Malware.Doina-10010822-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Sending a custom TCP request

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control crypto fingerprint greyware lolbin obfuscated packed setupapi shell32

Link:

https://www.filescan.io/uploads/653005f131e7dae3d7a764fa/reports/7c8c7505-ac5c-4c47-9b3c-ddc637856f9c/overview

Verdict:

Malicious

Labled as:

Virus.Sality

Link:

https://www.hybrid-analysis.com/sample/469981acf9f08fe587adf5bf98ec0a68628bd55fb1041a2e348bfc5e7d12d33d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4c0deac1-b38b-4733-bada-7b3ded4818f8

Result

Threat name:

PrivateLoader

Detection:

malicious

Classification:

n/a

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1328194

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to inject threads in other processes

Machine Learning detection for sample

PE file has a writeable .text section

Yara detected PrivateLoader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/469981acf9f08fe587adf5bf98ec0a68628bd55fb1041a2e348bfc5e7d12d33d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/469981acf9f08fe587adf5bf98ec0a68628bd55fb1041a2e348bfc5e7d12d33d/

Threat name:

Win32.Virus.Sality

Status:

Malicious

First seen:

2023-10-18 17:05:10 UTC

AV detection:

23 of 23 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=i2mydlhz6ch6lb5n6w7zr3aknbrixvk7wecbulrurp6f47is2m6q._file

Verdict:

unknown

RisePro

5a5a5ebdbcaac1a77e3b8aa6f439b37080c17076934930121601bb4e78b6dc8a

RisePro

8a323c15d9371a15cedf914b75c2887a399d7372e0a0ed7107cec899b41472ee

RisePro

a45b0a2c9b50d058ed9b1fac56eca9d3fc92cf6a16b37d96a3284e127e7313ee

RisePro

f085d02e9963e01c80fec62d35da0b433db957333a0d4bae4d7fe38d4ba41992

RisePro

f0f4648624a7d35c58bc4d6b67792744727fdf8c1fdc149df0dcfe3b1eed2a27

RisePro

ff2177c078dfed4b10a0214acefabf09b691a831479b06866e1d35e1a144cb3e

RisePro

+ 19 additional samples on MalwareBazaar

Result

Malware family:

risepro

Score:

10/10

Tags:

family:privateloader family:risepro loader stealer

Link:

https://tria.ge/reports/231018-ttnrkahe86/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

PrivateLoader

RisePro

Unpacked files

SH256 hash:

469981acf9f08fe587adf5bf98ec0a68628bd55fb1041a2e348bfc5e7d12d33d

MD5 hash:

bcf91be0d8ff593ab085fcd7f14bbc3b

SHA1 hash:

11c0a0d1bcb6cdc60fe8570b505e1fb9566396f2

Link:

https://www.unpac.me/results/4a19949d-bd8c-42da-b631-0849276b751f/

Malware family:

PrivateLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/469981acf9f0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/469981acf9f08fe587adf5bf98ec0a68628bd55fb1041a2e348bfc5e7d12d33d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RisePro

exe 469981acf9f08fe587adf5bf98ec0a68628bd55fb1041a2e348bfc5e7d12d33d

(this sample)

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample