MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 682801ba03f285dc2e97378ca30161e1c91e7ca1b939ec837c75d0e9606c9133. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 682801ba03f285dc2e97378ca30161e1c91e7ca1b939ec837c75d0e9606c9133
SHA3-384 hash: d1db97ffcb17b1631a2bf3927c85a099072203a458d12f6da93456f57d3880e1bc70f65a2270b07f211b55cc94e116ef
SHA1 hash: 3d3dfb6b69a1977002ec8e9f3a508dd8a9ed1e37
MD5 hash: a52e6a83c5770c4790a775be0b3c49e9
humanhash: georgia-cardinal-uncle-north
File name:SecuriteInfo.com.Win32.TrojanX-gen.26765.5950
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:3'152'896 bytes
First seen:2024-03-11 00:25:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 98304:TFiSBuQ30LQ8hm6D+yAkojJv1pLVXQkv58:3BuQERk
Threatray 132 similar samples on MalwareBazaar
TLSH T17CE56CA2B90872CFD58E1778942BCE815C5D42F94B6489D3A87CB47E7E6BCC111B6C38
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon b3b2b3b2cceee7b2 (146 x RiseProStealer, 7 x CoinMiner, 1 x AgentTesla)
Reporter SecuriteInfoCom
Tags:exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
319
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
682801ba03f285dc2e97378ca30161e1c91e7ca1b939ec837c75d0e9606c9133.exe
Verdict:
Malicious activity
Analysis date:
2024-03-11 00:31:51 UTC
Tags:
risepro
Link:
https://app.any.run/tasks/2f6ed445-5607-48d2-8d06-2ad6ed083754

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/478447/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.26765.5950.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Launching a process
Creating a file in the %temp% directory
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Сreating synchronization primitives
Reading critical registry keys
Creating a process from a recently created file
Searching for analyzing tools
Searching for the window
Moving a file to the Program Files subdirectory
Replacing files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm lolbin masquerade msbuild packed packed themidawinlicense
Link:
https://www.filescan.io/uploads/65ee4f9b757c624818a9b74c/reports/b04319dd-bc0e-41ec-accb-0930f1bb858b/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/682801ba03f285dc2e97378ca30161e1c91e7ca1b939ec837c75d0e9606c9133
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6eed9341-0873-4266-9d32-006089bbe3ac
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1406266
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1406266 Sample: SecuriteInfo.com.Win32.Troj... Startdate: 11/03/2024 Architecture: WINDOWS Score: 100 64 ipinfo.io 2->64 66 db-ip.com 2->66 74 Snort IDS alert for network traffic 2->74 76 Antivirus detection for URL or domain 2->76 78 Antivirus detection for dropped file 2->78 80 7 other signatures 2->80 8 SecuriteInfo.com.Win32.TrojanX-gen.26765.5950.exe 3 95 2->8         started        13 MPGPH131.exe 78 2->13         started        15 MPGPH131.exe 2->15         started        17 9 other processes 2->17 signatures3 process4 dnsIp5 68 193.233.132.62, 49705, 49706, 49711 FREE-NET-ASFREEnetEU Russian Federation 8->68 70 ipinfo.io 34.117.186.192, 443, 49707, 49708 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->70 72 2 other IPs or domains 8->72 58 15 other malicious files 8->58 dropped 96 Detected unpacking (changes PE section rights) 8->96 98 Tries to steal Mail credentials (via file / registry access) 8->98 100 Found many strings related to Crypto-Wallets (likely being stolen) 8->100 118 4 other signatures 8->118 19 gweq9sja95YPq3tuYf6L.exe 8->19         started        22 VT77FgN29Hg2ltOC3YXD.exe 8->22         started        24 schtasks.exe 1 8->24         started        34 5 other processes 8->34 46 C:\Users\user\...\w7632gwmgJqph6htKu5r.exe, PE32 13->46 dropped 48 C:\Users\user\...\mHxerCQ8Mg05oeCRfocO.exe, PE32 13->48 dropped 50 C:\Users\user\...\ZybV4wDdi7CmB2ODphP4.exe, PE32 13->50 dropped 60 4 other malicious files 13->60 dropped 102 Multi AV Scanner detection for dropped file 13->102 104 Machine Learning detection for dropped file 13->104 106 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 13->106 26 w7632gwmgJqph6htKu5r.exe 13->26         started        28 mHxerCQ8Mg05oeCRfocO.exe 13->28         started        52 C:\Users\user\...\FQldtt6hraSVbWyiyw_S.exe, PE32 15->52 dropped 54 C:\Users\user\...\F1VVlni3y0RSaHjZ3auD.exe, PE32 15->54 dropped 56 C:\Users\user\...\9epaa9HYbx7eanYqkXvT.exe, PE32 15->56 dropped 62 4 other malicious files 15->62 dropped 108 Tries to harvest and steal browser information (history, passwords, etc) 15->108 110 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->110 30 9epaa9HYbx7eanYqkXvT.exe 15->30         started        32 F1VVlni3y0RSaHjZ3auD.exe 15->32         started        112 Tries to detect sandboxes and other dynamic analysis tools (window names) 17->112 114 Tries to evade debugger and weak emulator (self modifying code) 17->114 116 Tries to detect virtualization through RDTSC time measurements 17->116 120 2 other signatures 17->120 file6 signatures7 process8 signatures9 82 Antivirus detection for dropped file 19->82 84 Detected unpacking (changes PE section rights) 19->84 86 Machine Learning detection for dropped file 19->86 36 conhost.exe 24->36         started        88 Tries to evade debugger and weak emulator (self modifying code) 26->88 90 Hides threads from debuggers 26->90 92 Tries to detect sandboxes / dynamic malware analysis system (registry check) 26->92 94 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 30->94 38 conhost.exe 34->38         started        40 conhost.exe 34->40         started        42 conhost.exe 34->42         started        44 2 other processes 34->44 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/682801ba03f285dc2e97378ca30161e1c91e7ca1b939ec837c75d0e9606c9133
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/682801ba03f285dc2e97378ca30161e1c91e7ca1b939ec837c75d0e9606c9133/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-03-11 00:26:11 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nauadoqd6kc5yluxg6gkgalb4her47fbxe46za34oxiosydmsezq._file
Verdict:
malicious
Similar samples:
0e5159fa0db346e48ccbb3398a7e83a9e5257c3dd8ff0e4239d2ca602b77d70f
RiseProStealer
4673e26a480f6687f1401d09d30ec74629f2075d0c4ef036aed088ec5592e5d0
RiseProStealer
7d55d937d0f24157dcc0df03bc1f42b90ad31f483d40b7aeb4b6e4c01bed70cc
RiseProStealer
ed5853637c726919aca5628b78d11c214983b93bf267337a3b485db5efd92270
RiseProStealer
eeed7ff69fd813b5d177f9d15863c8b4de68b4f818fec0eb9f8a9c771fe436f2
RiseProStealer
fb63180c0436a686cb9a2b9049f408b5ee666be00ee2af296b014dd1c1ff0900
RiseProStealer
+ 122 additional samples on MalwareBazaar
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer
Link:
https://tria.ge/reports/240311-aq69ysff3t/
Behaviour
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.62
Unpacked files
SH256 hash:
240cccaa55703d8236927e9f5bac11d1b54ec3ca17fac7499a1ed0d175de786e
MD5 hash:
92bf9b308117451df454dcd2892d27cd
SHA1 hash:
234adffa83e274840491e7a571d868351aa200ad
Link:
https://www.unpac.me/results/21f49e72-727a-498b-8870-5bf965f08306/
SH256 hash:
51431de9b26944ffc92a880aac84224b145dad2aeb62f056408b3ec41a8b8dff
MD5 hash:
9adc221e529b76fd4d56658f8cd565ff
SHA1 hash:
c6e6017ceced8e236808963651803a81462bd94d
Link:
https://www.unpac.me/results/21f49e72-727a-498b-8870-5bf965f08306/
SH256 hash:
e282833c7afc3271098c42b85be5b343f9f6faa2c22433ef25180929c4e3d155
MD5 hash:
4c903faa35477f687f3d025735fe8d81
SHA1 hash:
2d2f98c27412d1b5a3749737ab9a4ebfbbdd94e8
Link:
https://www.unpac.me/results/21f49e72-727a-498b-8870-5bf965f08306/
SH256 hash:
682801ba03f285dc2e97378ca30161e1c91e7ca1b939ec837c75d0e9606c9133
MD5 hash:
a52e6a83c5770c4790a775be0b3c49e9
SHA1 hash:
3d3dfb6b69a1977002ec8e9f3a508dd8a9ed1e37
Link:
https://www.unpac.me/results/21f49e72-727a-498b-8870-5bf965f08306/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/682801ba03f2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/682801ba03f285dc2e97378ca30161e1c91e7ca1b939ec837c75d0e9606c9133

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_e5f4703f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 682801ba03f285dc2e97378ca30161e1c91e7ca1b939ec837c75d0e9606c9133

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2779180/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2773532/
Cape
Cape
https://www.capesandbox.com/analysis/478447/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments