MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ff913c9def6f766cfdff7c65d82a684e5dec29b65f24574c4e80c5655d0dc95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ff913c9def6f766cfdff7c65d82a684e5dec29b65f24574c4e80c5655d0dc95
SHA3-384 hash: da3e254da876f24011d9e610e0354f9adb2c763641611a8d0a5dcc3ac3a2bc5a5785ac54be43c6282fe2041cf133b1a8
SHA1 hash: 072f761709ec6fceec17187e7caae058d3955e94
MD5 hash: 61f68a3fe16a68260f185579bcf6d7ab
humanhash: sierra-tennis-shade-robert
File name:61f68a3fe16a68260f185579bcf6d7ab.exe
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:6'632'960 bytes
First seen:2024-04-04 09:15:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7649bdb702869dd598eb0596dc791dc2 (9 x RiseProStealer)
ssdeep 196608:FTX0QyhZKEv000yJFFY9/HBI9gVIxOsW1OLugGjlhXWkVhw3q:pe6hhI9QWVieMm3
TLSH T15A66330945D25DCADCDDA9331F91B6BCF7B61DB603D25C2A108027EBDAF64B42632782
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RiseProStealer


Avatar
abuse_ch
RiseProStealer C2:
193.233.132.253:50500

Intelligence

File Origin
# of uploads :
1
# of downloads :
317
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5ff913c9def6f766cfdff7c65d82a684e5dec29b65f24574c4e80c5655d0dc95.exe
Verdict:
Malicious activity
Analysis date:
2024-04-04 09:16:32 UTC
Tags:
risepro
Link:
https://app.any.run/tasks/2f284f31-6a44-40de-a804-93be18420954

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Сreating synchronization primitives
Reading critical registry keys
Creating a file in the %temp% subdirectories
Creating a window
Creating a file
Sending an HTTP GET request to an infection source
Launching the default Windows debugger (dwwin.exe)
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
crypto lolbin packed setupapi shell32
Link:
https://www.filescan.io/uploads/660e6fdfeda31927461c3e27/reports/e9c5d68c-7f17-4889-8309-835ece4f5970/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/5ff913c9def6f766cfdff7c65d82a684e5dec29b65f24574c4e80c5655d0dc95
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6cf9d14c-ed5e-463b-bd98-8d2bebda2c85
Result
Threat name:
LummaC, PureLog Stealer, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1420043
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected LummaC Stealer
Yara detected PureLog Stealer
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1420043 Sample: bX5uIt2kh3.exe Startdate: 04/04/2024 Architecture: WINDOWS Score: 100 59 speedparticipatewo.shop 2->59 61 birdpenallitysydw.shop 2->61 63 2 other IPs or domains 2->63 75 Snort IDS alert for network traffic 2->75 77 Multi AV Scanner detection for domain / URL 2->77 79 Found malware configuration 2->79 81 11 other signatures 2->81 8 bX5uIt2kh3.exe 1 77 2->8         started        13 MSIUpdaterV202.exe 1 2->13         started        15 AdobeUpdaterV202.exe 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 67 193.233.132.253, 49711, 49724, 50500 FREE-NET-ASFREEnetEU Russian Federation 8->67 69 ipinfo.io 34.117.186.192, 443, 49712 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->69 71 db-ip.com 104.26.5.15, 443, 49713 CLOUDFLARENETUS United States 8->71 51 C:\Users\user\...\yIdNg2RtPiy5VV494dx9.exe, PE32 8->51 dropped 53 C:\Users\user\AppData\Local\...\lumma3[1].exe, PE32 8->53 dropped 55 C:\Users\user\...\AdobeUpdaterV202.exe, PE32 8->55 dropped 57 2 other malicious files 8->57 dropped 107 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->107 109 Tries to steal Mail credentials (via file / registry access) 8->109 111 Found many strings related to Crypto-Wallets (likely being stolen) 8->111 123 2 other signatures 8->123 19 yIdNg2RtPiy5VV494dx9.exe 1 8->19         started        31 2 other processes 8->31 113 Multi AV Scanner detection for dropped file 13->113 115 Machine Learning detection for dropped file 13->115 117 Writes to foreign memory regions 13->117 22 RegAsm.exe 13->22         started        33 2 other processes 13->33 119 Allocates memory in foreign processes 15->119 121 Injects a PE file into a foreign processes 15->121 24 RegAsm.exe 15->24         started        35 2 other processes 15->35 27 RegAsm.exe 17->27         started        29 RegAsm.exe 17->29         started        37 6 other processes 17->37 file6 signatures7 process8 dnsIp9 83 Multi AV Scanner detection for dropped file 19->83 85 Machine Learning detection for dropped file 19->85 87 Contains functionality to inject code into remote processes 19->87 97 3 other signatures 19->97 39 RegAsm.exe 19->39         started        43 WerFault.exe 22 16 19->43         started        45 conhost.exe 19->45         started        89 Query firmware table information (likely to detect VMs) 22->89 91 Found many strings related to Crypto-Wallets (likely being stolen) 22->91 93 Tries to steal Crypto Currency Wallets 22->93 73 speedparticipatewo.shop 172.67.136.26, 443, 49756, 49758 CLOUDFLARENETUS United States 24->73 95 Tries to harvest and steal browser information (history, passwords, etc) 27->95 47 conhost.exe 31->47         started        49 conhost.exe 31->49         started        signatures10 process11 dnsIp12 65 birdpenallitysydw.shop 172.67.182.200, 443, 49726, 49728 CLOUDFLARENETUS United States 39->65 99 Query firmware table information (likely to detect VMs) 39->99 101 Found many strings related to Crypto-Wallets (likely being stolen) 39->101 103 Tries to steal Crypto Currency Wallets 39->103 105 LummaC encrypted strings found 39->105 signatures13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5ff913c9def6f766cfdff7c65d82a684e5dec29b65f24574c4e80c5655d0dc95
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ff913c9def6f766cfdff7c65d82a684e5dec29b65f24574c4e80c5655d0dc95/
Threat name:
Win32.Trojan.RiseProStealer
Create hunting rule
Status:
Malicious
First seen:
2024-04-04 09:16:13 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l74rhso6633wnt6767df3avgqts55qu3mxzek5ge5agfmvoq3skq._file
Verdict:
suspicious
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro stealer
Link:
https://tria.ge/reports/240404-k8ggcsbb7s/
Behaviour
Suspicious behavior: EnumeratesProcesses
RisePro
Unpacked files
SH256 hash:
ca331c576eab42ad6a7c7e1476cd74842776af285f9fee2a324d45fc2ea07f1f
MD5 hash:
467c7eb40d1809adf447b88ecd34f41c
SHA1 hash:
1e04179fe18cf579f249acbebedfa5d58ba432e6
Link:
https://www.unpac.me/results/e6487dd3-95a1-4b66-9fd3-1052bf8c0a49/
SH256 hash:
5ff913c9def6f766cfdff7c65d82a684e5dec29b65f24574c4e80c5655d0dc95
MD5 hash:
61f68a3fe16a68260f185579bcf6d7ab
SHA1 hash:
072f761709ec6fceec17187e7caae058d3955e94
Link:
https://www.unpac.me/results/e6487dd3-95a1-4b66-9fd3-1052bf8c0a49/
Malware family:
RisePro
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5ff913c9def6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5ff913c9def6f766cfdff7c65d82a684e5dec29b65f24574c4e80c5655d0dc95

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 5ff913c9def6f766cfdff7c65d82a684e5dec29b65f24574c4e80c5655d0dc95

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2799183/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
DP_APIUses DP APICRYPT32.dll::CryptUnprotectData
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdipGetImageEncoders
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA

Comments