MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69302432014571ce6d454639fc471fcecd731d6f20de26c0e150a929f43adb2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69302432014571ce6d454639fc471fcecd731d6f20de26c0e150a929f43adb2a
SHA3-384 hash: 0ba2db14dd15c8e6012f0efc83082c972abb7c22f3d4befad2a39ec89145e0b9cf39e6e87cdcf367e74176c080b949ea
SHA1 hash: e0153e5871f1a67e244332de4c952dd5978d760d
MD5 hash: ce865cc1b78bc4fa16532168c74c5ea2
humanhash: purple-eleven-steak-autumn
File name:ce865cc1b78bc4fa16532168c74c5ea2
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:3'102'720 bytes
First seen:2024-03-30 10:48:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 49152:fVQcncWFPwlR9FVb8SwHbttqGKguuLMvgWCfBrLBei2:9QccWFMR9FVbbq3qzWzV
TLSH T117E55CA2BC4872CFD8DE2BB4941FDE86695D0BB5872008CB98AC657F7D63CC115B6C24
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 86696ddce4f4d269 (91 x RiseProStealer)
Reporter zbetcheckin
Tags:32 exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
454
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
69302432014571ce6d454639fc471fcecd731d6f20de26c0e150a929f43adb2a.exe
Verdict:
Malicious activity
Analysis date:
2024-03-30 10:51:03 UTC
Tags:
risepro
Link:
https://app.any.run/tasks/1265714a-879f-4f21-9d90-d06c822cc03c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Launching a process
Creating a file in the %temp% directory
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Сreating synchronization primitives
Reading critical registry keys
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed stealer themidawinlicense
Link:
https://www.filescan.io/uploads/6607ee1eeda31927461352aa/reports/e245ea0f-d040-4903-9977-6ab8225400af/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/69302432014571ce6d454639fc471fcecd731d6f20de26c0e150a929f43adb2a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e19a2858-caf7-4edd-93ce-ed60878f6215
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1417770
Signature
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Country aware sample found (crashes after keyboard check)
Detected unpacking (changes PE section rights)
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1417770 Sample: LHSwqldJkd.exe Startdate: 30/03/2024 Architecture: WINDOWS Score: 100 47 ipinfo.io 2->47 49 db-ip.com 2->49 57 Snort IDS alert for network traffic 2->57 59 Multi AV Scanner detection for domain / URL 2->59 61 Antivirus detection for URL or domain 2->61 63 6 other signatures 2->63 8 LHSwqldJkd.exe 1 63 2->8         started        13 MPGPH131.exe 56 2->13         started        15 RageMP131.exe 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 51 193.233.132.74, 49704, 49705, 49706 FREE-NET-ASFREEnetEU Russian Federation 8->51 53 ipinfo.io 34.117.186.192, 443, 49708, 49710 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->53 55 db-ip.com 104.26.5.15, 443, 49709, 49712 CLOUDFLARENETUS United States 8->55 35 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 8->35 dropped 37 C:\ProgramData\MPGPH131\MPGPH131.exe, PE32 8->37 dropped 39 C:\Users\user\...\sroOzmQAGjxz3WLyYVLN4f3.zip, Zip 8->39 dropped 65 Detected unpacking (changes PE section rights) 8->65 67 Tries to steal Mail credentials (via file / registry access) 8->67 69 Found many strings related to Crypto-Wallets (likely being stolen) 8->69 85 2 other signatures 8->85 19 schtasks.exe 1 8->19         started        21 schtasks.exe 1 8->21         started        23 WerFault.exe 8->23         started        41 C:\Users\user\...\5yct367IYWFJR80CRee4k5z.zip, Zip 13->41 dropped 71 Multi AV Scanner detection for dropped file 13->71 73 Machine Learning detection for dropped file 13->73 75 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 13->75 25 WerFault.exe 13->25         started        43 C:\Users\user\...\22eBkabPHVNjZsWRxgAcMib.zip, Zip 15->43 dropped 77 Tries to harvest and steal browser information (history, passwords, etc) 15->77 79 Tries to evade debugger and weak emulator (self modifying code) 15->79 81 Tries to detect virtualization through RDTSC time measurements 15->81 27 WerFault.exe 15->27         started        45 C:\Users\user\...\6ZHjIOLe1RC3Gc1x4FEnWHc.zip, Zip 17->45 dropped 83 Tries to detect sandboxes / dynamic malware analysis system (registry check) 17->83 29 WerFault.exe 17->29         started        file6 signatures7 process8 process9 31 conhost.exe 19->31         started        33 conhost.exe 21->33         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/69302432014571ce6d454639fc471fcecd731d6f20de26c0e150a929f43adb2a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/69302432014571ce6d454639fc471fcecd731d6f20de26c0e150a929f43adb2a/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2024-03-30 10:49:05 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=neycimqbivy443kfiy47yry7z3gxghlpedpcnqhbkcust5b23mva._file
Verdict:
malicious
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer
Link:
https://tria.ge/reports/240330-mwnq1sdf21/
Behaviour
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Unpacked files
SH256 hash:
87abba174ef104e778dc9d9f77074e1078e5c151e99194721dbdafbc418517f1
MD5 hash:
51cbf96c20937feaa34253e6c91f6d4f
SHA1 hash:
9c2a0b9df498b8283f3dab02d5766a326872ff10
Link:
https://www.unpac.me/results/13c56c81-e578-4515-95c6-0cc9f93e4e1b/
SH256 hash:
13105825bef0f19c76af3c9eebb596e4593fd582f798738b801d9fbf7cb1a6b8
MD5 hash:
46d1eb9983dd5cf4d46a46a89ed2acb5
SHA1 hash:
4066b53498ea7975e0fe550537d18c986557ece0
Link:
https://www.unpac.me/results/13c56c81-e578-4515-95c6-0cc9f93e4e1b/
SH256 hash:
69302432014571ce6d454639fc471fcecd731d6f20de26c0e150a929f43adb2a
MD5 hash:
ce865cc1b78bc4fa16532168c74c5ea2
SHA1 hash:
e0153e5871f1a67e244332de4c952dd5978d760d
Link:
https://www.unpac.me/results/13c56c81-e578-4515-95c6-0cc9f93e4e1b/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 69302432014571ce6d454639fc471fcecd731d6f20de26c0e150a929f43adb2a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2775398/
  
URLhaus
https://urlhaus.abuse.ch/url/2781842/
  
URLhaus
https://urlhaus.abuse.ch/url/2787746/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments


Avatar
zbet commented on 2024-03-30 10:48:54 UTC

url : hxxp://193.233.132.167/cost/lenin.exe