MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52922dcb9601d9f91aa5a94d9e3a12d931502e80b9bee7da2daf9f851ad72fd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 16 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52922dcb9601d9f91aa5a94d9e3a12d931502e80b9bee7da2daf9f851ad72fd4
SHA3-384 hash: f5669c8b8630383ffed3d13dcfc957754fff7c22c739ede4a98c16a275a93d3c82e05d6ca45b0ed6b8ef252556ef430b
SHA1 hash: 3e867e45fc92483bb7cbbdfe8e4dd4a447ed5ecd
MD5 hash: 62c131dbeb291bc1c2fe5e43d3d3ef2a
humanhash: monkey-don-william-pennsylvania
File name:62c131dbeb291bc1c2fe5e43d3d3ef2a
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:1'199'616 bytes
First seen:2024-02-08 03:13:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5ab723dc8d5af21b79dc301ed6a56a64 (49 x RiseProStealer, 1 x Amadey)
ssdeep 24576:9Md/R2FuhEnxB6gHfMLzyb2xwQORHW/nSkcLEdX5g94C:e9QgKnxB6g0LSClOR2/SkXf64
Threatray 263 similar samples on MalwareBazaar
TLSH T1FB453374426CC6D0CF217CF981110AE4CD9DBB5B27154A22609F27F60EB6AAF63E7187
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:32 exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
450
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
52922dcb9601d9f91aa5a94d9e3a12d931502e80b9bee7da2daf9f851ad72fd4.exe
Verdict:
Malicious activity
Analysis date:
2024-02-08 18:52:47 UTC
Tags:
risepro
Link:
https://app.any.run/tasks/50eb89ae-796d-460b-8238-2ff81512ce13

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/475268/
Detection(s):
PUA.Win.Packer.EnigmaProtector-5
Create hunting rule

PUA.Win.Packer.EnigmaProtector-12
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Win.Trojan.Scar-6903585-0
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
crypto enigma lolbin obfuscated packed packed setupapi shell32
Link:
https://www.filescan.io/uploads/65c446fb2cb3f19023f528f0/reports/2e436e75-8080-4f35-b437-70b71af00c62/overview
Verdict:
Malicious
Labled as:
Ser.Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/52922dcb9601d9f91aa5a94d9e3a12d931502e80b9bee7da2daf9f851ad72fd4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b412132c-a69e-4a7c-8a94-4f27311fc820
Result
Threat name:
Amadey, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1388792
Signature
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Contains functionality to check for running processes (XOR)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject threads in other processes
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1388792 Sample: 5Jrztt780M.exe Startdate: 08/02/2024 Architecture: WINDOWS Score: 100 122 Multi AV Scanner detection for domain / URL 2->122 124 Antivirus detection for URL or domain 2->124 126 Multi AV Scanner detection for dropped file 2->126 128 6 other signatures 2->128 8 5Jrztt780M.exe 3 122 2->8         started        13 MPGPH131.exe 103 2->13         started        15 MPGPH131.exe 106 2->15         started        17 7 other processes 2->17 process3 dnsIp4 94 193.233.132.167 FREE-NET-ASFREEnetEU Russian Federation 8->94 96 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 8->96 88 15 other malicious files 8->88 dropped 148 Detected unpacking (changes PE section rights) 8->148 150 Contains functionality to check for running processes (XOR) 8->150 152 Binary is likely a compiled AutoIt script file 8->152 168 2 other signatures 8->168 19 hSpFimdhSoim7HTD1SV7.exe 8->19         started        23 teouTawrElKNMaOwx1Mx.exe 8->23         started        25 xFiOLvAYxOzbrei_3YV_.exe 8->25         started        36 2 other processes 8->36 76 C:\Users\user\...\x9Gk9xbEn2kJUh2LvFPR.exe, PE32 13->76 dropped 90 10 other malicious files 13->90 dropped 154 Multi AV Scanner detection for dropped file 13->154 156 Tries to steal Mail credentials (via file / registry access) 13->156 158 Machine Learning detection for dropped file 13->158 27 YVAiA9QrvQGr_WXDnIC6.exe 13->27         started        98 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 15->98 78 C:\Users\user\...\XPDHhb2tJlsH4pKbcKpu.exe, PE32 15->78 dropped 80 C:\Users\user\...\X6KSmj9Tzd1zaUOwPfzg.exe, PE32 15->80 dropped 82 C:\Users\user\...\DdQfQpNsrMp83L7RGxj9.exe, PE32 15->82 dropped 92 5 other malicious files 15->92 dropped 160 Tries to harvest and steal browser information (history, passwords, etc) 15->160 162 Hides threads from debuggers 15->162 100 108.177.122.95 GOOGLEUS United States 17->100 102 172.217.215.84 GOOGLEUS United States 17->102 104 15 other IPs or domains 17->104 84 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 17->84 dropped 86 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 17->86 dropped 164 Contains functionality to inject threads in other processes 17->164 166 Contains functionality to detect sleep reduction / modifications 17->166 29 msedge.exe 17->29         started        32 chrome.exe 17->32         started        34 chrome.exe 17->34         started        38 13 other processes 17->38 file5 signatures6 process7 dnsIp8 74 C:\Users\user\AppData\Local\...\explorgu.exe, PE32 19->74 dropped 130 Detected unpacking (changes PE section rights) 19->130 132 Tries to detect sandboxes and other dynamic analysis tools (window names) 19->132 134 Tries to evade debugger and weak emulator (self modifying code) 19->134 144 4 other signatures 19->144 136 Detected unpacking (overwrites its own PE header) 23->136 138 Modifies windows update settings 23->138 140 Disables Windows Defender Tamper protection 23->140 146 2 other signatures 23->146 142 Binary is likely a compiled AutoIt script file 25->142 40 chrome.exe 25->40         started        43 chrome.exe 25->43         started        45 chrome.exe 25->45         started        51 11 other processes 25->51 53 2 other processes 27->53 116 13.107.213.41 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 29->116 118 13.107.22.239 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 29->118 120 35 other IPs or domains 29->120 47 chrome.exe 32->47         started        49 chrome.exe 34->49         started        55 2 other processes 36->55 57 3 other processes 38->57 file9 signatures10 process11 dnsIp12 106 192.168.2.4 unknown unknown 40->106 108 239.255.255.250 unknown Reserved 40->108 59 chrome.exe 40->59         started        62 chrome.exe 43->62         started        64 chrome.exe 45->64         started        66 chrome.exe 51->66         started        68 chrome.exe 51->68         started        70 msedge.exe 51->70         started        72 msedge.exe 51->72         started        process13 dnsIp14 110 13.107.42.14 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 59->110 112 144.2.9.1 LINKEDINUS Netherlands 59->112 114 39 other IPs or domains 59->114
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/52922dcb9601d9f91aa5a94d9e3a12d931502e80b9bee7da2daf9f851ad72fd4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/52922dcb9601d9f91aa5a94d9e3a12d931502e80b9bee7da2daf9f851ad72fd4/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2024-02-08 03:14:09 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kkjc3s4wahm7sgvfvfgz4oqs3eyvaluaxg7opwrnv6pykgwxf7ka._file
Verdict:
malicious
Similar samples:
1f5bdeca95e56f530d84301ac656c0516996e991a61002b22ed3e56d324659c3
RiseProStealer
3028c4efec4d494f0d1fb0420f268c896185cab6906212b5bda7de849bb9db30
RiseProStealer
4cb4e4ea3f66b2199b83623e6d1e7f5ebd8608ce11b30c895d899ec434f4c81b
RiseProStealer
5fa3dea08fd0d0f579b15febf23f25c63e5b40d39a1ee5d06e0efb81cf0519ca
RiseProStealer
987cacc42e60a851e0071c101e376af43a43b227f824555a4b6f6dec54cadd0c
RiseProStealer
c23c8f619cc9823416ff187bb44420c6543c8b00037066c3d4192bdacb17968d
RiseProStealer
eeed7ff69fd813b5d177f9d15863c8b4de68b4f818fec0eb9f8a9c771fe436f2
RiseProStealer
f5e9fbd5e21af911631990625f0f1abf0b7d8cd0ea7ae635767bfa069ad60123
RiseProStealer
fea21c72ee724e5bbfc7578f1165be0262f9f4be470d72e48461195a947911f3
RiseProStealer
+ 253 additional samples on MalwareBazaar
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro stealer
Link:
https://tria.ge/reports/240208-dra5paag8x/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
RisePro
Malware Config
C2 Extraction:
193.233.132.62:50500
Unpacked files
SH256 hash:
52922dcb9601d9f91aa5a94d9e3a12d931502e80b9bee7da2daf9f851ad72fd4
MD5 hash:
62c131dbeb291bc1c2fe5e43d3d3ef2a
SHA1 hash:
3e867e45fc92483bb7cbbdfe8e4dd4a447ed5ecd
Detections:
SUSP_XORed_URL_In_EXE
Create hunting rule
Link:
https://www.unpac.me/results/5b9caabf-9b0d-466b-843d-a420f186ce15/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/52922dcb9601d9f91aa5a94d9e3a12d931502e80b9bee7da2daf9f851ad72fd4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:EnigmaProtector1XSukhovVladimirSergeNMarkin
Create hunting rule
Author:malware-lu
Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_e5f4703f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 52922dcb9601d9f91aa5a94d9e3a12d931502e80b9bee7da2daf9f851ad72fd4

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2758128/
Cape
Cape
https://www.capesandbox.com/analysis/475268/

Comments


Avatar
zbet commented on 2024-02-08 03:13:46 UTC

url : hxxp://109.107.182.3/mine/plaza.exe