MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61405d360b3edf9d4a3c97d9fc49d0e86b4d869668e6eac3b2f3b98d3c45f325. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61405d360b3edf9d4a3c97d9fc49d0e86b4d869668e6eac3b2f3b98d3c45f325
SHA3-384 hash: 9408f0bd044f112778468e0b23434b0069688bbda9419acbb46334b9909122a0be3b968bdaf5fec5b155a2433327f91c
SHA1 hash: 8d8f0aca05ce5da734ec885dc83ac40e5ac3e535
MD5 hash: 9e41d216f039340136103e18849aec2d
humanhash: eleven-quebec-monkey-ten
File name:file
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:3'960'320 bytes
First seen:2024-02-06 13:53:45 UTC
Last seen:2024-02-06 17:27:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3c169e238fdee28d9a75c998872df312 (2 x RiseProStealer)
ssdeep 98304:UaMWZN23Yi+HEiQOn2eOynwk8K0jezS8Z:3HP0uWOfNnwRO
TLSH T16C06D044B7459168C414D8358F4D0EF9ACE22EFED8C128153A6DB7EA7CBB420D06E5BB
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon fafabafa988aecec (2 x RiseProStealer, 1 x Amadey)
Reporter Bitsight
Tags:exe RiseProStealer


Avatar
Bitsight
Sample downloaded from https://vk.com/doc481075715_673472556?hash=SrRLdZtzhaAlR83c884k1YeThsIoAGCxPzFQPiYLBED&dl=TZ9pCvWvCJ1ctUZlnyGBCUsybp4gFjHJ02hrxDh7KuP&api=1&no_preview=1#retailer_rise

Intelligence

File Origin
# of uploads :
3
# of downloads :
315
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/474877/
Detection(s):
SecuriteInfo.com.BScope.TrojanSpy.LClipper.19735.2087.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypto lolbin packed risepro setupapi shell32
Link:
https://www.filescan.io/uploads/65c239fb4f733f8cc1c1c60b/reports/eb6bfda9-d06b-49c9-90c5-225ffeec51f9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/61405d360b3edf9d4a3c97d9fc49d0e86b4d869668e6eac3b2f3b98d3c45f325
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/dab1809b-61a6-418f-b073-8ed168634fc8
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1387544
Signature
Antivirus detection for URL or domain
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1387544 Sample: file.exe Startdate: 06/02/2024 Architecture: WINDOWS Score: 100 38 ipinfo.io 2->38 46 Snort IDS alert for network traffic 2->46 48 Multi AV Scanner detection for domain / URL 2->48 50 Antivirus detection for URL or domain 2->50 52 5 other signatures 2->52 8 file.exe 1 78 2->8         started        13 MSIUpdaterV1.exe 2 2->13         started        15 AdobeUpdaterV1.exe 2 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 40 193.233.132.67, 49729, 49732, 49734 FREE-NET-ASFREEnetEU Russian Federation 8->40 42 ipinfo.io 34.117.186.192, 443, 49730, 49736 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->42 44 195.20.16.46, 49731, 80 EITADAT-ASFI Finland 8->44 30 C:\Users\user\...\pygVOpaJ27YQCTHHSwqP.exe, PE32 8->30 dropped 32 C:\Users\user\AppData\...\RetailerRise[1].exe, PE32 8->32 dropped 34 C:\Users\user\AppData\...\AdobeUpdaterV1.exe, PE32 8->34 dropped 36 2 other malicious files 8->36 dropped 60 Tries to steal Mail credentials (via file / registry access) 8->60 62 Found stalling execution ending in API Sleep call 8->62 64 Uses schtasks.exe or at.exe to add and modify task schedules 8->64 66 Tries to harvest and steal browser information (history, passwords, etc) 8->66 19 pygVOpaJ27YQCTHHSwqP.exe 2 8->19         started        22 schtasks.exe 1 8->22         started        24 schtasks.exe 1 8->24         started        68 Multi AV Scanner detection for dropped file 13->68 70 Machine Learning detection for dropped file 13->70 file6 signatures7 process8 signatures9 54 Multi AV Scanner detection for dropped file 19->54 56 Machine Learning detection for dropped file 19->56 58 Found stalling execution ending in API Sleep call 19->58 26 conhost.exe 22->26         started        28 conhost.exe 24->28         started        process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/61405d360b3edf9d4a3c97d9fc49d0e86b4d869668e6eac3b2f3b98d3c45f325
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/61405d360b3edf9d4a3c97d9fc49d0e86b4d869668e6eac3b2f3b98d3c45f325/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-02-06 13:54:05 UTC
File Type:
PE (Exe)
Extracted files:
64
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mfaf2nqlh3pz2sr4s7m7ysoq5bvu3buwndtovq5s6o4y2pcf6msq._file
Verdict:
unknown
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro stealer
Link:
https://tria.ge/reports/240206-q7h7fsacfn/
Behaviour
RisePro
Malware Config
C2 Extraction:
193.233.132.67:50500
Unpacked files
SH256 hash:
ee3c1f3868057f2a9bcb18910735e38e772328bb97f4f624c13acc6edb3178cc
MD5 hash:
53a1a45c7ea31ef256810ce041deadbc
SHA1 hash:
2e57b46f6a18d1efe0ad38e7735da848ac39ef78
Link:
https://www.unpac.me/results/380d41c6-2d3b-4040-89b8-521a3bcaf47e/
SH256 hash:
61405d360b3edf9d4a3c97d9fc49d0e86b4d869668e6eac3b2f3b98d3c45f325
MD5 hash:
9e41d216f039340136103e18849aec2d
SHA1 hash:
8d8f0aca05ce5da734ec885dc83ac40e5ac3e535
Link:
https://www.unpac.me/results/380d41c6-2d3b-4040-89b8-521a3bcaf47e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/61405d360b3e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/61405d360b3edf9d4a3c97d9fc49d0e86b4d869668e6eac3b2f3b98d3c45f325

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2757109/
Cape
Cape
https://www.capesandbox.com/analysis/474877/

Comments