MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 498fb5d3430b064a7ce4dbdf5934cde9a584838cc676e7c5270734c1b59d8f51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RiseProStealer

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	498fb5d3430b064a7ce4dbdf5934cde9a584838cc676e7c5270734c1b59d8f51
SHA3-384 hash:	e5e5fb6bb222eca989aa815bb861a63c375f83a82b02c6253abaadc0dac65f150bffce158f59e9c2181f7363cdfca911
SHA1 hash:	4c30223f4b0b6f5de590abb5bfa69f7fa7f9efb5
MD5 hash:	589d8f48e989f5c5bdf5398c1afe13a7
humanhash:	one-stream-romeo-cat
File name:	589d8f48e989f5c5bdf5398c1afe13a7.exe
Download:	download sample
Signature	RiseProStealer Create hunting rule
File size:	1'033'728 bytes
First seen:	2023-12-18 06:14:45 UTC
Last seen:	2023-12-18 08:17:08 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	25c5b39875f5a4f6c67ff13501770773 (3 x Smoke Loader, 1 x LummaStealer, 1 x RiseProStealer)
ssdeep	24576:NBGAF3LrdCTOjjeU91SRWz52Mzyp3TG4Rx:XGIvlneUmRwij
TLSH	T17F25121133D045B2EA3396329A6EC7B5265EB0669F6229DF2BC419BF0F351D2D73130A
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	1e65656565a58558 (2 x RedLineStealer, 2 x RiseProStealer, 1 x Mercurial)
Reporter	abuse_ch
Tags:	exe RiseProStealer

Intelligence

File Origin

# of uploads :

# of downloads :

306

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/468222/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Steam.36962.19272.6830.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

DNS request

Sending an HTTP GET request

Сreating synchronization primitives

Reading critical registry keys

Creating a file in the %temp% subdirectories

Creating a window

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control lolbin packed xpack

Link:

https://www.filescan.io/uploads/657fe369a6bc59352f2b4b26/reports/77a9887d-17aa-47fe-b305-b404693cc19d/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/498fb5d3430b064a7ce4dbdf5934cde9a584838cc676e7c5270734c1b59d8f51

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RisePro Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f78706f3-1263-4af0-a581-4cd4094f186e

Result

Threat name:

PrivateLoader, RisePro Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1363779

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to inject threads in other processes

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected PrivateLoader

Yara detected RisePro Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/498fb5d3430b064a7ce4dbdf5934cde9a584838cc676e7c5270734c1b59d8f51

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/498fb5d3430b064a7ce4dbdf5934cde9a584838cc676e7c5270734c1b59d8f51/

Threat name:

Win32.Ransomware.Stopcrypt

Status:

Malicious

First seen:

2023-12-18 00:35:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 23 (95.65%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jgh3lu2dbmdeu7he3ppvsngn5gsyja4myz3oprjha42mdnm5r5iq._file

Verdict:

malicious

Result

Malware family:

risepro

Score:

10/10

Tags:

family:privateloader family:risepro collection discovery loader spyware stealer

Link:

https://tria.ge/reports/231218-gzwyxahbhn/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

outlook_office_path

outlook_win_path

Program crash

Accesses Microsoft Outlook profiles

Checks installed software on the system

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

PrivateLoader

RisePro

Malware Config

C2 Extraction:

91.92.253.38

Unpacked files

SH256 hash:

46fdd9e0c1cde9c5efa8b263797cff2f61635e8a41548196ad9c1ffff4c1d8d3

MD5 hash:

eecb6554f3343358c9b75aba4d50910d

SHA1 hash:

b643a211f03f00a28c5a72e58c0c6c089f734058

Link:

https://www.unpac.me/results/c3c3892c-c4d7-4f0a-8619-5af4a62de24e/

SH256 hash:

498fb5d3430b064a7ce4dbdf5934cde9a584838cc676e7c5270734c1b59d8f51

MD5 hash:

589d8f48e989f5c5bdf5398c1afe13a7

SHA1 hash:

4c30223f4b0b6f5de590abb5bfa69f7fa7f9efb5

Link:

https://www.unpac.me/results/c3c3892c-c4d7-4f0a-8619-5af4a62de24e/

Malware family:

PrivateLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/498fb5d3430b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/498fb5d3430b064a7ce4dbdf5934cde9a584838cc676e7c5270734c1b59d8f51

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/468222/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample