MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4875a5a5dd058961caad327b2b718e01fbf2821e4873f13b85e790a09c371209. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RiseProStealer


Vendor detections: 13

SHA256 hash: 4875a5a5dd058961caad327b2b718e01fbf2821e4873f13b85e790a09c371209
SHA3-384 hash: 62f7cf8679736bd95acc40a455fb89c3c877e561a7baa90e0911afc6dcad374e5ede1b17de0aa40064ac3f56241f0a96
SHA1 hash: 9b56cea1c6622139ec63a33175e7db8f35e44a53
MD5 hash: 046ca0cee23915bf236e53d0aa03b66f
humanhash: august-xray-indigo-twelve
File name: 046ca0cee23915bf236e53d0aa03b66f.exe
Signature: RiseProStealer
File size: 7'140'544 bytes
First seen: 2023-08-07 07:30:26 UTC
Last seen: 2023-08-07 09:04:46 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 713f2679b25b10e65da54bb5dd0f93c8 (2 x RedLineStealer, 1 x CoinMiner, 1 x RiseProStealer)
ssdeep: 196608:QAKok6DFOo0xNRu1CeGMRQndQDIF4f/Qi:Q7J6DEo0xNO9QGDU
TLSH: T1137623B87758339EC429C1B99923EC47F2B7951F22E4A59A73CB7A407B96330D702B05
TrID: 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE): PE icon
dhash icon: f4e4e4e4c8c4f0e0 (1 x RiseProStealer)
Reporter: abuse_ch
Tags: exe RiseProStealer


abuse_ch
RiseProStealer C2:
185.225.73.32:14387

Intelligence


File Origin
# of uploads :
2
# of downloads :
283
Origin country :
NL
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
046ca0cee23915bf236e53d0aa03b66f.exe
Verdict:
Malicious activity
Analysis date:
2023-08-07 07:31:59 UTC
Tags:
privateloader evasion opendir risepro stealer lumma fabookie arkei vidar rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Modifying a system file
Creating synchronization primitives
DNS request
Sending a custom TCP request
Replacing files
Sending an HTTP GET request
Launching a service
Launching a process
Reading critical registry keys
Creating a file
Connecting to a non-recommended domain
Sending a UDP request
Forced system process termination
Searching for synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Creating a window
Blocking the Windows Defender launch
Query of malicious DNS domain
Sending a TCP request to an infection source
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
control greyware lolbin overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Amadey, Fabookie, PrivateLoader, RedLine
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Detected VMProtect packer
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Fabookie
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph: Behavior Graph ID 1286902, Sample: OnBVJLAX6e.exe, Startdate: 07/08/2023, Architecture: WINDOWS, Score: 100 (graph rendering not captured on this page)
Threat name:
Win32.Trojan.Generic
Status:
Malicious
First seen:
2023-08-02 23:07:55 UTC
File Type:
PE+ (Exe)
Extracted files:
6
AV detection:
13 of 38 (34.21%)
Threat level:
2/5
Result
Malware family:
privateloader
Score:
10/10
Tags:
family:privateloader loader spyware stealer
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Drops file in System32 directory
Looks up external IP address via web service
Reads user/profile data of web browsers
PrivateLoader
Unpacked files
SHA256 hash:
4875a5a5dd058961caad327b2b718e01fbf2821e4873f13b85e790a09c371209
MD5 hash:
046ca0cee23915bf236e53d0aa03b66f
SHA1 hash:
9b56cea1c6622139ec63a33175e7db8f35e44a53
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Author:albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments