MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63883d488acc679cb4e281d5d9221b8f5551900c72be3f3b77d01749bb824612. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RiseProStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 8 File information Comments

SHA256 hash:	63883d488acc679cb4e281d5d9221b8f5551900c72be3f3b77d01749bb824612
SHA3-384 hash:	c52904b80528f02e4908832f629f03d247ad00e09a43cfa7c18ce84e049b0290dd22ecf6ad5ce50424728148cc429471
SHA1 hash:	3666c6724a45785b32b9251890b4af7d037e29ab
MD5 hash:	86b1cd3ca4d7447fef5a150df443d097
humanhash:	cat-july-friend-mountain
File name:	file
Download:	download sample
Signature	RiseProStealer Create hunting rule
File size:	2'732'544 bytes
First seen:	2023-11-30 20:42:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fe9e3404bebf8b23e1a17d6558da6aa8 (14 x RiseProStealer, 2 x RedLineStealer, 1 x DarkCloud)
ssdeep	24576:5J7izyqs209KX01q96a15RtGFM3rPgm8LuSvLMPJMWmQOK5/kZsMluX0m+OsbrpM:Jqs209UCRmRtG0MRLuaMe8k803TbCke
TLSH	T12EC59C21EC69F0A9DFF2597993FCA72B8589A4E41F1B31CF411C5ED628601E19A3DBC0
TrID	56.8% (.EXE) InstallShield setup (43053/19/16) 13.8% (.EXE) Win64 Executable (generic) (10523/12/4) 8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe RiseProStealer

andretavare5

Sample downloaded from http://109.107.182.45/trend/home.exe

Intelligence

File Origin

# of uploads :

# of downloads :

202

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/461509/

Detection(s):

Win.Packed.Pwsx-10012424-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file in the Windows subdirectories

Сreating synchronization primitives

Modifying a system file

Creating a file

Creating a file in the %temp% subdirectories

Replacing files

Launching a service

Sending a UDP request

Forced system process termination

Blocking the Windows Defender launch

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Adding exclusions to Windows Defender

Enabling autorun by creating a file

Gathering data

Verdict:

Malicious

Labled as:

Jaik.Generic

Link:

https://www.hybrid-analysis.com/sample/63883d488acc679cb4e281d5d9221b8f5551900c72be3f3b77d01749bb824612

Result

Verdict:

MALICIOUS

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/c334c69b-4c6b-4c67-abd4-07e0c9a362c9

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/63883d488acc679cb4e281d5d9221b8f5551900c72be3f3b77d01749bb824612

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/63883d488acc679cb4e281d5d9221b8f5551900c72be3f3b77d01749bb824612/

Threat name:

Win32.Trojan.InjectorX

Status:

Malicious

First seen:

2023-11-30 20:43:23 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

14 of 37 (37.84%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=moed2sekzrtzznhcqhk5siq3r5kvdeamok7d6o3x2aluto4ciyja._file

Verdict:

unknown

Result

Malware family:

risepro

Score:

10/10

Tags:

family:privateloader family:risepro loader persistence stealer

Link:

https://tria.ge/reports/231130-zhmb9ahg9s/

Behaviour

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Drops file in System32 directory

Suspicious use of SetThreadContext

Adds Run key to start application

Drops startup file

RisePro

PrivateLoader

Malware Config

C2 Extraction:

194.49.94.152

Unpacked files

SH256 hash:

b43761ce35b1253b4b9dda987d6d58f0a68b1be30cc4d575e752a6712ae3723d

MD5 hash:

39eed45a2a1b6d6b7e0de271a9480942

SHA1 hash:

353e8d977e5c85c00102d2bd9573b4122c2c7d8c

Link:

https://www.unpac.me/results/f4e85b9f-7168-4f65-bf9e-64809df470de/

SH256 hash:

63883d488acc679cb4e281d5d9221b8f5551900c72be3f3b77d01749bb824612

MD5 hash:

86b1cd3ca4d7447fef5a150df443d097

SHA1 hash:

3666c6724a45785b32b9251890b4af7d037e29ab

Link:

https://www.unpac.me/results/f4e85b9f-7168-4f65-bf9e-64809df470de/

Malware family:

PrivateLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/63883d488acc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/63883d488acc679cb4e281d5d9221b8f5551900c72be3f3b77d01749bb824612

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AppLaunch Create hunting rule
Author:	iam-py-test
Description:	Detect files referencing .Net AppLaunch.exe

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2735202/

Cape

https://www.capesandbox.com/analysis/461509/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample