MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69e0255466741a6bdea3fbe4c2c83cd6af4fd274fa1f2646efcd91211f0d45d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69e0255466741a6bdea3fbe4c2c83cd6af4fd274fa1f2646efcd91211f0d45d4
SHA3-384 hash: 008dcd95b4a5c1253d1d98ea809ccc9340ac6e8010e65a8a362066ff1f7af61393b5caf700d6acaed9779e580f59e573
SHA1 hash: 2c40b588362fdaf13d60c3581e54591bf1777afb
MD5 hash: 8471d656e237482c2011472da91e9c2a
humanhash: nine-mango-seventeen-bakerloo
File name:8471d656e237482c2011472da91e9c2a
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'309'120 bytes
First seen:2024-01-31 15:23:40 UTC
Last seen:2024-01-31 17:30:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 49152:JDdVW5iFUCZ8zezcNPLzHIEtaku21GiEDrWfyRQ44x9FGZYL8V+DUikX/LK6:ldRWNfbaTsBE/WfyK/xSYe+UikDx
Threatray 132 similar samples on MalwareBazaar
TLSH T15BB533EA2D77D1B3F89BA7BE969702860717AC0F0B3112183064F96A537EA70579CF50
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4505/5/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon cc31e8cccce833cc (116 x RiseProStealer, 1 x Amadey)
Reporter zbetcheckin
Tags:32 exe RiseProStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
380
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/473834/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.21924.23626.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed themidawinlicense
Link:
https://www.filescan.io/uploads/65ba6624814c2aeb14865b86/reports/be18bf10-f009-4a54-abbf-c9f5733ce516/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/69e0255466741a6bdea3fbe4c2c83cd6af4fd274fa1f2646efcd91211f0d45d4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1a9dd395-ac0d-4e50-b62b-ff6db3a1fa11
Result
Threat name:
Amadey, PureLog Stealer, RedLine, RisePr
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1384185
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Contains functionality to check for running processes (XOR)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject threads in other processes
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1384185 Sample: hgYZHV20UZ.exe Startdate: 31/01/2024 Architecture: WINDOWS Score: 100 79 www.google.com 2->79 81 prod.detectportal.prod.cloudops.mozgcp.net 2->81 83 10 other IPs or domains 2->83 109 Antivirus detection for URL or domain 2->109 111 Antivirus / Scanner detection for submitted sample 2->111 113 Multi AV Scanner detection for submitted file 2->113 115 9 other signatures 2->115 9 hgYZHV20UZ.exe 1 109 2->9         started        14 MPGPH131.exe 22 2->14         started        16 RageMP131.exe 2->16         started        18 7 other processes 2->18 signatures3 process4 dnsIp5 91 185.215.113.68 WHOLESALECONNECTIONSNL Portugal 9->91 93 109.107.182.3, 49711, 80 TELEPORT-TV-ASRU Russian Federation 9->93 97 2 other IPs or domains 9->97 71 C:\Users\user\...\lt5ncVNvEoaNhwQZ1Aib.exe, PE32 9->71 dropped 73 C:\Users\user\...\WER36w0ypT61UZX9ceSR.exe, PE32 9->73 dropped 75 C:\Users\user\...75LAe2TExV5L4H_ORyYJ8.exe, PE32 9->75 dropped 77 10 other malicious files 9->77 dropped 143 Detected unpacking (changes PE section rights) 9->143 145 Binary is likely a compiled AutoIt script file 9->145 147 Tries to steal Mail credentials (via file / registry access) 9->147 167 3 other signatures 9->167 20 WER36w0ypT61UZX9ceSR.exe 9->20         started        23 lt5ncVNvEoaNhwQZ1Aib.exe 9->23         started        25 MogRIYZdYyCVGwdYDJHR.exe 9->25         started        36 4 other processes 9->36 149 Antivirus detection for dropped file 14->149 151 Multi AV Scanner detection for dropped file 14->151 153 Machine Learning detection for dropped file 14->153 155 Tries to detect sandboxes and other dynamic analysis tools (window names) 16->155 157 Tries to evade debugger and weak emulator (self modifying code) 16->157 159 Hides threads from debuggers 16->159 95 127.0.0.1 unknown unknown 18->95 161 Tries to harvest and steal browser information (history, passwords, etc) 18->161 163 Tries to detect sandboxes / dynamic malware analysis system (registry check) 18->163 165 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->165 27 firefox.exe 18->27         started        30 msedge.exe 18->30         started        32 firefox.exe 18->32         started        34 firefox.exe 18->34         started        file6 signatures7 process8 dnsIp9 117 Detected unpacking (changes PE section rights) 20->117 119 Contains functionality to check for running processes (XOR) 20->119 121 Contains functionality to inject threads in other processes 20->121 123 Contains functionality to detect sleep reduction / modifications 20->123 125 Tries to evade debugger and weak emulator (self modifying code) 23->125 127 Hides threads from debuggers 23->127 129 Tries to detect sandboxes / dynamic malware analysis system (registry check) 23->129 131 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 23->131 133 Modifies windows update settings 25->133 135 Disables Windows Defender Tamper protection 25->135 137 Disable Windows Defender notifications (registry) 25->137 139 Disable Windows Defender real time protection (registry) 25->139 99 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 27->99 39 firefox.exe 27->39         started        41 firefox.exe 27->41         started        43 firefox.exe 27->43         started        52 3 other processes 27->52 101 20.96.153.111 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 30->101 103 ssl.bingadsedgeextension-prod-eastus.azurewebsites.net 40.71.99.188 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 30->103 105 16 other IPs or domains 30->105 69 C:\Users\user\AppData\Local\...\explorhe.exe, PE32 36->69 dropped 141 Binary is likely a compiled AutoIt script file 36->141 45 chrome.exe 36->45         started        48 chrome.exe 36->48         started        50 chrome.exe 36->50         started        54 11 other processes 36->54 file10 signatures11 process12 dnsIp13 107 239.255.255.250 unknown Reserved 45->107 56 chrome.exe 45->56         started        59 chrome.exe 48->59         started        61 chrome.exe 50->61         started        63 msedge.exe 54->63         started        65 msedge.exe 54->65         started        67 msedge.exe 54->67         started        process14 dnsIp15 85 www3.l.google.com 142.250.9.100 GOOGLEUS United States 56->85 87 accounts.google.com 142.250.9.84, 443, 49715, 49717 GOOGLEUS United States 56->87 89 13 other IPs or domains 56->89
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/69e0255466741a6bdea3fbe4c2c83cd6af4fd274fa1f2646efcd91211f0d45d4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/69e0255466741a6bdea3fbe4c2c83cd6af4fd274fa1f2646efcd91211f0d45d4/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-01-31 15:24:07 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nhqckvdgoqngxxvd7psmfsb422xu7utu7ipsmrxpzwischynixka._file
Verdict:
malicious
Similar samples:
127320b6f35c9014ba3fd5f97ba6e8317c444fb0d907c8cc5b2fad053d9fa51a
RiseProStealer
2d26c9addd870990575938be5423a5f5ba6b67a63f90f8af322f848808a96142
RiseProStealer
36ddaa76140991a7ac1a8b0400715d8d1f4f17598722097d3f859a7843b8810b
RiseProStealer
4627c39174d9e902993cadc68aaa3a9feb7addabc77277eee6d88cd989b5472f
RiseProStealer
5239eb589ac4d96a633db9d7031f4e04b3d07268aa42822a228a0eaa6d94c1bf
RiseProStealer
5cf41546232059b45ae02f5aacccf38e7efd99e122414dbeceea2a85b16a38c1
RiseProStealer
98d57e3ac4cde0cc27eb00b7fa1be7d1a826f1fb94d9f99da5460ed486c979c5
RiseProStealer
9bf2c1249f73920b734b831350d0310ccedbea5f926e4a582067a7621701aa08
RiseProStealer
cb9c4d1d3bdec4066ee2ab596cbbe4846a28130e42ffae0b0a336b26e29a8a37
RiseProStealer
+ 122 additional samples on MalwareBazaar
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer
Link:
https://tria.ge/reports/240131-ss2flafad4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.62:50500
Unpacked files
SH256 hash:
4a3cc3bacf553f428d0b6847ed730155b3db3463067665f49f6afe8695bf2d6c
MD5 hash:
c6404eb04b738aa3352a8babd78438f1
SHA1 hash:
5fa0b838e97768f19c9e28a7a5a6f29ecb4c9c66
Link:
https://www.unpac.me/results/ea97bada-8b7c-42b0-bd58-dd599305a962/
SH256 hash:
69e0255466741a6bdea3fbe4c2c83cd6af4fd274fa1f2646efcd91211f0d45d4
MD5 hash:
8471d656e237482c2011472da91e9c2a
SHA1 hash:
2c40b588362fdaf13d60c3581e54591bf1777afb
Link:
https://www.unpac.me/results/ea97bada-8b7c-42b0-bd58-dd599305a962/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/69e025546674/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/69e0255466741a6bdea3fbe4c2c83cd6af4fd274fa1f2646efcd91211f0d45d4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 69e0255466741a6bdea3fbe4c2c83cd6af4fd274fa1f2646efcd91211f0d45d4

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2754196/
Cape
Cape
https://www.capesandbox.com/analysis/473834/

Comments


Avatar
zbet commented on 2024-01-31 15:23:41 UTC

url : hxxp://109.107.182.38/vape/hram.exe