MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5056ba5567b664efedda9c48d380f84eeeafc0aafa4ff723d897368972763ce0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5056ba5567b664efedda9c48d380f84eeeafc0aafa4ff723d897368972763ce0
SHA3-384 hash: 18cecc65ff2c1a31b056e0255c289bb3d2774f020652dc55b29eea60edccf8504d6f8a40018a1770cd8978af25291b10
SHA1 hash: 8dfae47dd19f92f9af53d952f6334e3cbe02ec24
MD5 hash: d3cebcd37fdc54f842ab9804fe489333
humanhash: princess-apart-florida-cola
File name:d3cebcd37fdc54f842ab9804fe489333.exe
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'383'360 bytes
First seen:2023-12-15 15:20:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:xKOzsGwNJp72gr0XQZ/8VM+giH+pmGj1DrGpc85Rwxh:ffwnEg4hVvNCm6GpR5Rw
TLSH T1BCB5232792D8C472E8E4A3717DF40386273738E218B9C66B2761748F9872AD9E531773
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RiseProStealer


Avatar
abuse_ch
RiseProStealer C2:
91.92.249.253:50500

Intelligence

File Origin
# of uploads :
1
# of downloads :
326
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/467564/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Сreating synchronization primitives
Creating a file
Unauthorized injection to a recently created process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer lolbin lolbin packed replace rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/657c6edea6bc59352f29ce91/reports/a2666260-e090-44fb-b6f3-24053b9a56aa/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/5056ba5567b664efedda9c48d380f84eeeafc0aafa4ff723d897368972763ce0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/23c5d922-acfb-4407-8995-4c8a5c56e385
Result
Threat name:
Glupteba, LummaC Stealer, RedLine, RiseP
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1362726
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking computer name)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
UAC bypass detected (Fodhelper)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1362726 Sample: 2KqWKAbcSA.exe Startdate: 15/12/2023 Architecture: WINDOWS Score: 100 127 reviveincapablewew.pw 2->127 129 ratefacilityframw.fun 2->129 131 14 other IPs or domains 2->131 209 Found malware configuration 2->209 211 Malicious sample detected (through community Yara rule) 2->211 213 Antivirus detection for URL or domain 2->213 215 20 other signatures 2->215 10 2KqWKAbcSA.exe 1 4 2->10         started        13 svchost.exe 2->13         started        15 OfficeTrackerNMP131.exe 1 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 111 C:\Users\user\AppData\Local\...\5fW0Ax9.exe, PE32 10->111 dropped 113 C:\Users\user\AppData\Local\...\2lW7454.exe, PE32 10->113 dropped 20 5fW0Ax9.exe 10->20         started        23 2lW7454.exe 15 3 10->23         started        26 WerFault.exe 13->26         started        28 WerFault.exe 13->28         started        30 WerFault.exe 13->30         started        32 conhost.exe 15->32         started        125 127.0.0.1 unknown unknown 17->125 34 conhost.exe 17->34         started        file6 process7 dnsIp8 217 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 20->217 219 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->219 221 Maps a DLL or memory area into another process 20->221 225 2 other signatures 20->225 36 explorer.exe 20->36 injected 41 conhost.exe 20->41         started        43 WerFault.exe 20->43         started        161 77.91.124.172, 49714, 80 ECOTEL-ASRU Russian Federation 23->161 223 Found many strings related to Crypto-Wallets (likely being stolen) 23->223 45 RegAsm.exe 15 69 23->45         started        signatures9 process10 dnsIp11 141 185.215.113.68, 49726, 80 WHOLESALECONNECTIONSNL Portugal 36->141 143 5.42.65.125, 49737, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 36->143 149 2 other IPs or domains 36->149 95 C:\Users\user\AppData\Local\Temp\AFBD.exe, PE32 36->95 dropped 97 C:\Users\user\AppData\Local\Temp\9435.exe, PE32 36->97 dropped 99 C:\Users\user\AppData\Local\Temp\7523.exe, PE32 36->99 dropped 107 4 other malicious files 36->107 dropped 227 System process connects to network (likely due to code injection or exploit) 36->227 229 Benign windows process drops PE files 36->229 47 9435.exe 36->47         started        51 7523.exe 36->51         started        53 4F67.exe 36->53         started        62 6 other processes 36->62 145 91.92.249.253, 49716, 50500 THEZONEBG Bulgaria 45->145 147 ipinfo.io 34.117.186.192, 443, 49722 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 45->147 101 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 45->101 dropped 103 C:\...\Ca81ZFpv4RcBZMbFvqq8pZrQmDlqMKBJ.zip, Zip 45->103 dropped 105 C:\Users\user\AppData\...\FANBooster131.exe, PE32 45->105 dropped 109 2 other files (none is malicious) 45->109 dropped 231 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 45->231 233 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 45->233 235 Found many strings related to Crypto-Wallets (likely being stolen) 45->235 237 3 other signatures 45->237 56 cmd.exe 1 45->56         started        58 cmd.exe 1 45->58         started        60 WerFault.exe 45->60         started        file12 signatures13 process14 dnsIp15 115 C:\Users\user\AppData\Local\Temp\tuc3.exe, PE32 47->115 dropped 117 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 47->117 dropped 119 C:\Users\user\AppData\...\InstallSetup9.exe, PE32 47->119 dropped 121 C:\...\31839b57a4f11171d6abc8bbc4451ee4.exe, PE32 47->121 dropped 163 Multi AV Scanner detection for dropped file 47->163 64 31839b57a4f11171d6abc8bbc4451ee4.exe 47->64         started        67 InstallSetup9.exe 47->67         started        71 toolspub2.exe 47->71         started        77 2 other processes 47->77 123 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 51->123 dropped 165 Writes to foreign memory regions 51->165 167 Allocates memory in foreign processes 51->167 185 2 other signatures 51->185 73 RegSvcs.exe 51->73         started        151 dayfarrichjwclik.fun 104.21.80.57, 49728, 80 CLOUDFLARENETUS United States 53->151 153 neighborhoodfeelsa.fun 172.67.143.130, 49730, 80 CLOUDFLARENETUS United States 53->153 159 3 other IPs or domains 53->159 169 Antivirus detection for dropped file 53->169 171 Detected unpacking (changes PE section rights) 53->171 173 Detected unpacking (overwrites its own PE header) 53->173 175 Found evasive API chain (may stop execution after checking computer name) 53->175 75 WerFault.exe 53->75         started        177 Uses schtasks.exe or at.exe to add and modify task schedules 56->177 79 2 other processes 56->79 81 2 other processes 58->81 155 77.105.132.161 PLUSTELECOM-ASRU Russian Federation 62->155 157 176.123.7.190, 32927, 49729 ALEXHOSTMD Moldova Republic of 62->157 179 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 62->179 181 Machine Learning detection for dropped file 62->181 183 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 62->183 187 2 other signatures 62->187 83 2 other processes 62->83 file16 signatures17 process18 dnsIp19 189 Antivirus detection for dropped file 64->189 191 Multi AV Scanner detection for dropped file 64->191 193 Detected unpacking (changes PE section rights) 64->193 207 5 other signatures 64->207 133 api4.ipify.org 173.231.16.77 WEBNXUS United States 67->133 135 91.92.254.7 THEZONEBG Bulgaria 67->135 137 5.42.64.35 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 67->137 85 C:\Users\user\AppData\...\nsjC342.tmp.exe, PE32 67->85 dropped 87 C:\Users\user\AppData\Local\Temp\...\Math.dll, PE32 67->87 dropped 89 C:\Users\user\AppData\Local\...\INetC.dll, PE32 67->89 dropped 93 2 other malicious files 67->93 dropped 195 Sample uses process hollowing technique 71->195 197 Injects a PE file into a foreign processes 71->197 139 195.20.16.103, 18305, 49739 EITADAT-ASFI Finland 73->139 199 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 73->199 201 Found many strings related to Crypto-Wallets (likely being stolen) 73->201 203 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 73->203 205 Tries to harvest and steal browser information (history, passwords, etc) 73->205 91 C:\Users\user\AppData\Local\Temp\...\tuc3.tmp, PE32 77->91 dropped file20 signatures21
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5056ba5567b664efedda9c48d380f84eeeafc0aafa4ff723d897368972763ce0
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5056ba5567b664efedda9c48d380f84eeeafc0aafa4ff723d897368972763ce0/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-12-15 15:21:06 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
14 of 37 (37.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kblluvlhwzso73o2trenhahyj3xk7qfk7jh7oi6ys43is4twhtqa._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:redline family:smokeloader botnet:@oleh_ps backdoor collection discovery infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/231215-sra71sfbd2/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Detect Lumma Stealer payload V4
Lumma Stealer
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
http://185.215.113.68/fks/index.php
176.123.7.190:32927
Unpacked files
SH256 hash:
ba371d9e60e85e6c91e7fd9b3d39cfa4c9059de88453abb3fea9a4d77f3a2fd2
MD5 hash:
e78ecb791f6a541e31bc519d875fdb42
SHA1 hash:
90b3dee1fd89ec9c334fecc3dcdea7ee28b58710
Link:
https://www.unpac.me/results/ca74561a-6eab-4a14-8333-6c40283f537c/
SH256 hash:
5c0897a7221e2b2a6b5ae739c87a1e8749cc117e4e1d3eb24f658bb1e726c21a
MD5 hash:
658f51a7ebe4719ee978f8f67d968983
SHA1 hash:
e68a19a57037053989385bbccfce7ae61bb0a8b6
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/ca74561a-6eab-4a14-8333-6c40283f537c/
SH256 hash:
5056ba5567b664efedda9c48d380f84eeeafc0aafa4ff723d897368972763ce0
MD5 hash:
d3cebcd37fdc54f842ab9804fe489333
SHA1 hash:
8dfae47dd19f92f9af53d952f6334e3cbe02ec24
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/ca74561a-6eab-4a14-8333-6c40283f537c/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5056ba5567b6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5056ba5567b664efedda9c48d380f84eeeafc0aafa4ff723d897368972763ce0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 5056ba5567b664efedda9c48d380f84eeeafc0aafa4ff723d897368972763ce0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2738241/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/467564/

Comments