MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a5a5ebdbcaac1a77e3b8aa6f439b37080c17076934930121601bb4e78b6dc8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RiseProStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 12 File information Comments

SHA256 hash:	5a5a5ebdbcaac1a77e3b8aa6f439b37080c17076934930121601bb4e78b6dc8a
SHA3-384 hash:	11f25e2616e86229b6281f721e3093a9185f00bd500ba23217dd854be7a99f59d4d63fe953272e22637af918bc8847b9
SHA1 hash:	51621600acfd50cdfa029d4a71f60bd1d84f89a7
MD5 hash:	a4ae0ede0423659b0e0fa54bb7a72dff
humanhash:	moon-island-salami-lion
File name:	file
Download:	download sample
Signature	RiseProStealer Create hunting rule
File size:	5'743'616 bytes
First seen:	2023-10-10 09:24:36 UTC
Last seen:	2023-10-11 08:22:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	8b609662a1bb2ab7e471e49c70dcc22f (3 x Vidar, 1 x Amadey, 1 x RiseProStealer)
ssdeep	49152:fpi8VPYwNW/Fg1mJyRXL68HID3higFPt+6wODn24bd/WbISiAtA7VN56k136hRh5:Qu9iDwanRp/Wb7I7fd6R/RYlNS3
Threatray	3 similar samples on MalwareBazaar
TLSH	T1A846AE05BBE519E5E42BC630CA2ED332D7B2B8550B31979F0815D34E2E736D18FAB621
TrID	51.7% (.EXE) InstallShield setup (43053/19/16) 19.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 12.6% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 2.4% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	andretavare5
Tags:	exe RiseProStealer

andretavare5

Sample downloaded from https://vk.com/doc52355237_666772349?hash=hYVRMj3VXZEN6TuoRIyuNJBsp1uaaX2imFKbcIG1Vfg&dl=9cyMlTApKcbHG0TjdzdQvAAFPBW96Jc1btF9S5guV48&api=1&no_preview=1#rise

Intelligence

File Origin

# of uploads :

# of downloads :

306

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/452836/

Detection(s):

SecuriteInfo.com.Win64.MalwareX-gen.30690.29632.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a file in the %temp% directory

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Forced shutdown of a system process

Sending a TCP request to an infection source

Unauthorized injection to a system process

Gathering data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug control greyware lolbin packed

Link:

https://www.filescan.io/uploads/652518701e07d7e1e9bcaf4c/reports/2c14dc82-8ec7-4ca9-b8b2-f60d48b4d385/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/5a5a5ebdbcaac1a77e3b8aa6f439b37080c17076934930121601bb4e78b6dc8a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/55094b19-e95e-4153-9164-2719aac5d24b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5a5a5ebdbcaac1a77e3b8aa6f439b37080c17076934930121601bb4e78b6dc8a/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2023-10-10 10:04:22 UTC

AV detection:

11 of 23 (47.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ljnf5pn4vla2o7r3rktpiontocamc4dwsnetaeqwag5u46fw3sfa._file

Verdict:

malicious

RiseProStealer

e4972f23b390d71961d55dcea84503fdfb26a8c285858fe66937bf54aac55a88

RiseProStealer

fc05a007f7b6a6e4a69f15f1a31822957f3aae14a81e01e7c6eb9ceac0835a3b

RiseProStealer

Result

Malware family:

risepro

Score:

10/10

Tags:

family:privateloader family:risepro collection loader stealer

Link:

https://tria.ge/reports/231010-ldl9sscd9x/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

PrivateLoader

RisePro

Malware Config

C2 Extraction:

194.169.175.128

Unpacked files

SH256 hash:

5a5a5ebdbcaac1a77e3b8aa6f439b37080c17076934930121601bb4e78b6dc8a

MD5 hash:

a4ae0ede0423659b0e0fa54bb7a72dff

SHA1 hash:

51621600acfd50cdfa029d4a71f60bd1d84f89a7

Link:

https://www.unpac.me/results/f28fa819-1ec2-43db-abfd-071ca12a44d8/

Malware family:

PrivateLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5a5a5ebdbcaa/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5a5a5ebdbcaac1a77e3b8aa6f439b37080c17076934930121601bb4e78b6dc8a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/452836/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample