MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66694f7dcb467cd242471f76c58bc236c458761d22bcb4682a07605e0d7bd384. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 21 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 66694f7dcb467cd242471f76c58bc236c458761d22bcb4682a07605e0d7bd384
SHA3-384 hash: 5e1cecdcfc7dc350e5b492035ff69b794d4f1cf39f653b512dfda467e69b0a5c6c1ad950508ab35a0e94f958fc910f45
SHA1 hash: 672e1c2b35cd863c6bcc281604893ec78f168cc5
MD5 hash: f4e12ccaabddc9024adda74dacadb681
humanhash: california-summer-quebec-delta
File name:66694f7dcb467cd242471f76c58bc236c458761d22bcb4682a07605e0d7bd384.exe
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'476'544 bytes
First seen:2024-01-02 18:56:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:xLuYoz262V1lcg/2aRdbDwvDoo/LaKsc8hwwefPmynPnWiy2wf:Uz+blcg/2+dsjPq3g3P/y2s
Threatray 629 similar samples on MalwareBazaar
TLSH T108B533C357E29571C9E12770A4FB02C71935BEA3AA24571F3E80EA9408B35E1F53A739
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter adm1n_usa32
Tags:exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
RO RO
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

Win.Packed.Stealerc-10017072-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Searching for the browser window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Sending an HTTP GET request
Blocking the Windows Defender launch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
91%
Tags:
advpack anti-vm azorult CAB control explorer installer lolbin packed risepro rundll32 setupapi sfx shell32 smokeloader
Link:
https://www.filescan.io/uploads/65945c99b855eb36930d585b/reports/885d8e5e-4976-4da7-b80c-955a74f829b4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/66694f7dcb467cd242471f76c58bc236c458761d22bcb4682a07605e0d7bd384
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4351718d-42e9-4518-949c-1dd472bdeaab
Result
Threat name:
RisePro Stealer, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1368931
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found API chain indicative of sandbox detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected RisePro Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1368931 Sample: KJt7XZL1vm.exe Startdate: 02/01/2024 Architecture: WINDOWS Score: 100 133 youtube-ui.l.google.com 2->133 135 www.youtube.com 2->135 137 2 other IPs or domains 2->137 151 Snort IDS alert for network traffic 2->151 153 Found malware configuration 2->153 155 Antivirus detection for URL or domain 2->155 157 12 other signatures 2->157 10 KJt7XZL1vm.exe 1 4 2->10         started        13 OfficeTrackerNMP131.exe 2->13         started        16 FANBooster131.exe 2->16         started        18 6 other processes 2->18 signatures3 process4 dnsIp5 115 2 other malicious files 10->115 dropped 21 Cp9iY02.exe 1 4 10->21         started        101 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 13->101 dropped 103 C:\...\1VtIcWaSWXsPLMzozfmyyjk7zkvHMXIN.zip, Zip 13->103 dropped 183 Antivirus detection for dropped file 13->183 185 Multi AV Scanner detection for dropped file 13->185 187 Detected unpacking (changes PE section rights) 13->187 203 3 other signatures 13->203 25 powershell.exe 13->25         started        27 powershell.exe 13->27         started        29 powershell.exe 13->29         started        37 9 other processes 13->37 105 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 16->105 dropped 107 C:\...\BlgoC6gBLGsk7hOy1GQfKv3OhxcwGGoc.zip, Zip 16->107 dropped 189 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->189 191 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 16->191 193 Tries to steal Mail credentials (via file / registry access) 16->193 195 Tries to harvest and steal browser information (history, passwords, etc) 16->195 31 WerFault.exe 16->31         started        139 127.0.0.1 unknown unknown 18->139 109 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 18->109 dropped 111 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 18->111 dropped 113 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 18->113 dropped 117 3 other malicious files 18->117 dropped 197 Machine Learning detection for dropped file 18->197 199 Modifies Windows Defender protection settings 18->199 201 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 18->201 33 powershell.exe 18->33         started        35 powershell.exe 18->35         started        39 13 other processes 18->39 file6 signatures7 process8 file9 97 C:\Users\user\AppData\Local\...\5VV5Ym9.exe, PE32 21->97 dropped 99 C:\Users\user\AppData\Local\...\2so0154.exe, PE32 21->99 dropped 159 Antivirus detection for dropped file 21->159 161 Multi AV Scanner detection for dropped file 21->161 163 Binary is likely a compiled AutoIt script file 21->163 165 Machine Learning detection for dropped file 21->165 41 5VV5Ym9.exe 21 70 21->41         started        46 2so0154.exe 12 21->46         started        48 conhost.exe 25->48         started        50 conhost.exe 27->50         started        52 conhost.exe 29->52         started        54 conhost.exe 33->54         started        56 conhost.exe 35->56         started        58 9 other processes 37->58 60 10 other processes 39->60 signatures10 process11 dnsIp12 147 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 41->147 149 ipinfo.io 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 41->149 119 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 41->119 dropped 121 C:\Users\user\AppData\...\FANBooster131.exe, PE32 41->121 dropped 123 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 41->123 dropped 125 2 other malicious files 41->125 dropped 167 Antivirus detection for dropped file 41->167 169 Multi AV Scanner detection for dropped file 41->169 171 Detected unpacking (changes PE section rights) 41->171 181 9 other signatures 41->181 62 cmd.exe 41->62         started        65 powershell.exe 41->65         started        67 cmd.exe 41->67         started        76 12 other processes 41->76 173 Binary is likely a compiled AutoIt script file 46->173 175 Machine Learning detection for dropped file 46->175 177 Found API chain indicative of sandbox detection 46->177 179 Contains functionality to modify clipboard data 46->179 69 chrome.exe 1 46->69         started        72 chrome.exe 46->72         started        74 chrome.exe 46->74         started        file13 signatures14 process15 dnsIp16 205 Uses schtasks.exe or at.exe to add and modify task schedules 62->205 89 2 other processes 62->89 207 Found many strings related to Crypto-Wallets (likely being stolen) 65->207 78 conhost.exe 65->78         started        91 2 other processes 67->91 141 192.168.2.7 unknown unknown 69->141 143 192.168.2.10 unknown unknown 69->143 145 3 other IPs or domains 69->145 80 chrome.exe 69->80         started        93 2 other processes 69->93 83 chrome.exe 72->83         started        85 chrome.exe 74->85         started        87 conhost.exe 76->87         started        95 10 other processes 76->95 signatures17 process18 dnsIp19 127 142.250.113.119 GOOGLEUS United States 80->127 129 142.250.113.132 GOOGLEUS United States 80->129 131 33 other IPs or domains 80->131
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/66694f7dcb467cd242471f76c58bc236c458761d22bcb4682a07605e0d7bd384
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/66694f7dcb467cd242471f76c58bc236c458761d22bcb4682a07605e0d7bd384/
Threat name:
Win32.Trojan.GenSHCode
Create hunting rule
Status:
Malicious
First seen:
2024-01-02 09:26:38 UTC
File Type:
PE (Exe)
Extracted files:
165
AV detection:
17 of 22 (77.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mzuu67oliz6neqshd53mlc6cg3cfq5q5ek6li2bka5qf4dl32oca._file
Verdict:
malicious
Similar samples:
1c0008391ca8fa90f4609c97b81dddfa7b0d9587c5a480b836040f4ad796bc11
RiseProStealer
44d85e7e0e05ce06956da634a3f19633f1393bf7f82f1faef84e2c4e9d57af5a
RiseProStealer
46ac37f4635f315ac0e174392855fa549410746e8826b2d3b066d2352b1d6ca4
RiseProStealer
46daf94d7a9c2eafa685ff553c11a89b3af75671cbbebbe61bfaca9be6adc815
RiseProStealer
4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1
RiseProStealer
ab59e6fbbb2bf296da4b96f6ff46c39a71a7829e3c1e9400ab7d3e6ffe7834e9
RiseProStealer
b1fb72a02b7436b470e38efe26e869bf133c9d5fbea1b8f346847fea69cbfafd
RiseProStealer
b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a
RiseProStealer
e676efee6430e704781265aaa9f98be910d8a0897ad2b4dc2cc93d8461c2851b
RiseProStealer
+ 619 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
brand:google collection discovery evasion persistence phishing spyware stealer trojan
Link:
https://tria.ge/reports/240102-23y8naecf3/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Detected google phishing page
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
7487b34dd8e64a330b0329dda3b7a9a8f1089ca5ddc27b4f8d395a1fa946e478
MD5 hash:
c7047b44e757445c9882f7ccba9ab329
SHA1 hash:
4ef3201b4c9c8b597f3cae656c489801566bb2ae
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/5fa4fe2c-8c3f-4aba-ac5e-3d03365fc12d/
SH256 hash:
66694f7dcb467cd242471f76c58bc236c458761d22bcb4682a07605e0d7bd384
MD5 hash:
f4e12ccaabddc9024adda74dacadb681
SHA1 hash:
672e1c2b35cd863c6bcc281604893ec78f168cc5
Link:
https://www.unpac.me/results/5fa4fe2c-8c3f-4aba-ac5e-3d03365fc12d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/66694f7dcb467cd242471f76c58bc236c458761d22bcb4682a07605e0d7bd384

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments