MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c5609ce8dd9b57e711e6c032032ec2fdadf0a3eb89a044847e3e6f85a603e30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RiseProStealer

Vendor detections: 16

SHA256 hash: 4c5609ce8dd9b57e711e6c032032ec2fdadf0a3eb89a044847e3e6f85a603e30
SHA3-384 hash: 8c0e886cef3c1a9cbd7b48196c923cbfef77f638a9fa2f63ec89eb50931c28930e728a8eb4ebe686bbe30c4efa5b4182
SHA1 hash: 4a6e56ac02d5ecbfb19bed02a60948027884be7c
MD5 hash: 70f2e5816767b8a308a399a8a3fa85a1
humanhash: fanta-speaker-hotel-missouri
File name: 70f2e5816767b8a308a399a8a3fa85a1.exe
Signature RiseProStealer
File size: 2'383'360 bytes
First seen: 2023-12-15 14:05:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:tdOzsGwNJp72gr0XQZ/8VM+giH+pmGj1DrGpc85Rwxh:qfwnEg4hVvNCm6GpR5Rw
TLSH T176B52327A2D8C472E8E4A3717DF40386273738E118B9C66B6761748FD872AD9A531373
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags: exe RiseProStealer


abuse_ch
RiseProStealer C2:
91.92.249.253:50500

Intelligence

File Origin
# of uploads: 1
# of downloads: 321
Origin country: NL
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Sending a custom TCP request
Creating synchronization primitives
Creating a file
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Gathering data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: advpack anti-vm CAB control explorer installer lolbin lolbin packed replace rundll32 setupapi sfx shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Glupteba, LummaC Stealer, RedLine, RiseP
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking computer name)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
UAC bypass detected (Fodhelper)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph: ID 1362669, sample k1bB5WGzI3.exe, start date 15/12/2023, architecture WINDOWS, score 100 (the rendered process graph is not reproduced here)
Threat name: Win32.Trojan.SmokeLoader
Status: Malicious
First seen: 2023-12-15 14:06:06 UTC
File Type: PE (Exe)
Extracted files: 40
AV detection: 17 of 22 (77.27%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: smokeloader
Score: 10/10
Tags: family:lumma family:redline family:smokeloader botnet:@oleh_ps backdoor collection discovery infostealer persistence spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Detect Lumma Stealer payload V4
Lumma Stealer
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
http://185.215.113.68/fks/index.php
176.123.7.190:32927
Unpacked files
SHA256 hash: 849b0856c18fca682189263808788a6c529cee7ba873a6ca280854bc9d190a3f
MD5 hash: 6e3595a2c9e4f2f50535e83547be7c15
SHA1 hash: 514130d86ecdbcda3c39e882922cea5441c23643
SHA256 hash: 95cfcfc65e61665fc55362d725ab55f3360e818dbd6403f10d098aea6e6bf99f
MD5 hash: c237b265f5c01975e19b68464bbb47d4
SHA1 hash: 1eee87dde72aa22d3949ef845095b6dd1f8d0f5c
Detections: SmokeLoaderStage2 win_smokeloader_a2
SHA256 hash: 4c5609ce8dd9b57e711e6c032032ec2fdadf0a3eb89a044847e3e6f85a603e30
MD5 hash: 70f2e5816767b8a308a399a8a3fa85a1
SHA1 hash: 4a6e56ac02d5ecbfb19bed02a60948027884be7c
Detections: win_redline_wextract_hunting_oct_2023
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RiseProStealer
File type: Executable exe
SHA256 hash: 4c5609ce8dd9b57e711e6c032032ec2fdadf0a3eb89a044847e3e6f85a603e30 (this sample)

Comments