MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a1a4a9562aea2b5214499156a68e0128d34688b76e541bd30940f873a4323ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a1a4a9562aea2b5214499156a68e0128d34688b76e541bd30940f873a4323ec
SHA3-384 hash: ef1d8dc7cca77105d93a145842926269a9d31780f3689b91db8cb5ab4ad4d1739a4c9e586c3a5451914b37a6525259c6
SHA1 hash: 84e30f5a488ce3be3d87e645bddd6378e96ebc67
MD5 hash: ffe137503d32dd02e50dd192f02f1329
humanhash: lactose-bluebird-double-nevada
File name:SecuriteInfo.com.Win32.TrojanX-gen.304.20057
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:3'117'056 bytes
First seen:2024-02-20 08:25:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 59aeb10eab81e92b5597d86d6e338bce (10 x RiseProStealer, 1 x Worm.Ramnit)
ssdeep 49152:qUs74IdmeJORDYcKML8Zo0tXIU4pexeaW19Gh2+b/4an5GUMJ8nrYee91LoLIzFY:Y74+gldSowIU4p2WQFb7n5RMJkrY/noJ
Threatray 150 similar samples on MalwareBazaar
TLSH T10DE533DD4C064553E7443B7125C2FABD401FECA1EE9990CD6CFCBB5BB136A294A224AC
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon e0d4e8e8e8f0d4c8 (58 x RiseProStealer, 3 x Worm.Ramnit)
Reporter SecuriteInfoCom
Tags:exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
299
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/476985/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.304.20057.UNOFFICIAL
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file
Launching a process
Creating a file in the %temp% directory
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Creating a process from a recently created file
Creating a window
Searching for synchronization primitives
Searching for analyzing tools
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
crypto enigma lolbin packed packed setupapi shell32
Link:
https://www.filescan.io/uploads/65d4622f26f1ddc579a1ae87/reports/8143c655-d287-4a41-9228-09ede9a53f34/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/6a1a4a9562aea2b5214499156a68e0128d34688b76e541bd30940f873a4323ec
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/82704fa1-3f9a-4478-8d97-a92cc8ce947d
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1395105
Signature
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Contains functionality to check for running processes (XOR)
Contains functionality to inject threads in other processes
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies windows update settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1395105 Sample: SecuriteInfo.com.Win32.Troj... Startdate: 20/02/2024 Architecture: WINDOWS Score: 100 110 Multi AV Scanner detection for domain / URL 2->110 112 Malicious sample detected (through community Yara rule) 2->112 114 Antivirus detection for URL or domain 2->114 116 6 other signatures 2->116 8 SecuriteInfo.com.Win32.TrojanX-gen.304.20057.exe 1 111 2->8         started        13 MPGPH131.exe 1 110 2->13         started        15 MPGPH131.exe 2->15         started        17 7 other processes 2->17 process3 dnsIp4 98 185.215.113.46 WHOLESALECONNECTIONSNL Portugal 8->98 100 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->100 102 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 8->102 76 C:\Users\user\...\voxes5B7vgtrZlJz3q7Q.exe, PE32 8->76 dropped 78 C:\Users\user\...\exfrfCmTHNzRAeSpgWgW.exe, PE32 8->78 dropped 80 C:\Users\user\...\esoGab0x4hE5xMx8sw1s.exe, PE32 8->80 dropped 88 10 other malicious files 8->88 dropped 140 Detected unpacking (changes PE section rights) 8->140 142 Contains functionality to check for running processes (XOR) 8->142 144 Binary is likely a compiled AutoIt script file 8->144 158 4 other signatures 8->158 19 esoGab0x4hE5xMx8sw1s.exe 8->19         started        22 Pi6PtVA5bgtyPn9rlMyT.exe 8->22         started        24 L_QMbF21slPPE10WqfXx.exe 8->24         started        32 3 other processes 8->32 82 C:\Users\user\...\irR2RgKVtIkvzXMBlRvV.exe, PE32 13->82 dropped 84 C:\Users\user\...\WMoor8qhHMPWi5H1jK9G.exe, PE32 13->84 dropped 86 C:\Users\user\...\VghwrLaTUn9Qe__WNXHk.exe, PE32 13->86 dropped 90 11 other malicious files 13->90 dropped 146 Multi AV Scanner detection for dropped file 13->146 148 Tries to steal Mail credentials (via file / registry access) 13->148 150 Machine Learning detection for dropped file 13->150 152 Found stalling execution ending in API Sleep call 13->152 26 WMoor8qhHMPWi5H1jK9G.exe 13->26         started        34 3 other processes 13->34 92 11 other malicious files 15->92 dropped 154 Tries to harvest and steal browser information (history, passwords, etc) 15->154 156 Hides threads from debuggers 15->156 28 sxNC37gaFlCtfdN9MTtw.exe 15->28         started        30 sUAh2zZrT2rL6MDvDBrC.exe 15->30         started        36 24 other processes 17->36 file5 signatures6 process7 dnsIp8 118 Detected unpacking (changes PE section rights) 19->118 120 Modifies windows update settings 19->120 122 Disables Windows Defender Tamper protection 19->122 138 2 other signatures 19->138 124 Binary is likely a compiled AutoIt script file 24->124 39 chrome.exe 24->39         started        48 7 other processes 24->48 126 Tries to evade debugger and weak emulator (self modifying code) 26->126 128 Tries to detect virtualization through RDTSC time measurements 26->128 130 Hides threads from debuggers 26->130 132 Tries to detect sandboxes and other dynamic analysis tools (window names) 28->132 134 Tries to detect sandboxes / dynamic malware analysis system (registry check) 28->134 136 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 28->136 41 chrome.exe 30->41         started        50 3 other processes 30->50 52 2 other processes 32->52 43 chrome.exe 34->43         started        54 6 other processes 34->54 94 192.168.2.4 unknown unknown 36->94 96 239.255.255.250 unknown Reserved 36->96 45 chrome.exe 36->45         started        56 14 other processes 36->56 signatures9 process10 dnsIp11 58 chrome.exe 39->58         started        60 chrome.exe 41->60         started        62 chrome.exe 43->62         started        104 13.107.246.40 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 45->104 106 13.107.42.14 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 45->106 108 32 other IPs or domains 45->108 64 chrome.exe 48->64         started        70 4 other processes 48->70 66 chrome.exe 50->66         started        72 2 other processes 50->72 68 chrome.exe 54->68         started        74 2 other processes 54->74 process12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6a1a4a9562aea2b5214499156a68e0128d34688b76e541bd30940f873a4323ec
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6a1a4a9562aea2b5214499156a68e0128d34688b76e541bd30940f873a4323ec/
Threat name:
Win32.Trojan.Bulta
Create hunting rule
Status:
Malicious
First seen:
2024-02-20 06:17:55 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ninevflcv2rlkiketekwu2hackgti2elo3sudpjqsqhyoosdepwa._file
Verdict:
malicious
Similar samples:
05cee19e393591f4e1ccd40c525a5a6032d8eebbb44fd6da28f2e28e5e1df733
RiseProStealer
3ce192ad0c7beb490b91094507f1a1a4d36c3ec3f3fe02d5fb76b173e955958f
RiseProStealer
4d6892357278591e0365c59ea6482d4155a2e3c38814ff868c539a8e9dda5157
RiseProStealer
9d06a37de434378a4fee4162ff4fff0df03aef0ba732788ad6966dd1d4090ae6
RiseProStealer
a155d022a79c1de510108b2d58984f70678a80c665709538bb64b3411791b2d0
RiseProStealer
a4d80f65f20be99a10c993c142707560c140269c676c02ee34e62235b3531466
RiseProStealer
b8c8754edec5d5802f505cc4fc3bd42c76571e6a8b1c6190df6cdcd6dbaacbc4
RiseProStealer
bbfb393c5f06bc1dc6a74d098c06c88409c361b6041bc9553f7efd28122f4f36
RiseProStealer
d9bd09c0cd6d38d20bc8a56d920b9c8cde800fe079837b11e953b5c6a3823208
RiseProStealer
+ 140 additional samples on MalwareBazaar
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro stealer
Link:
https://tria.ge/reports/240220-kbyz5sed82/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
RisePro
Malware Config
C2 Extraction:
193.233.132.62
Unpacked files
SH256 hash:
6a1a4a9562aea2b5214499156a68e0128d34688b76e541bd30940f873a4323ec
MD5 hash:
ffe137503d32dd02e50dd192f02f1329
SHA1 hash:
84e30f5a488ce3be3d87e645bddd6378e96ebc67
Link:
https://www.unpac.me/results/8bc26624-fbf9-4506-b52e-db239e3353cc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6a1a4a9562ae/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6a1a4a9562aea2b5214499156a68e0128d34688b76e541bd30940f873a4323ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_e5f4703f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 6a1a4a9562aea2b5214499156a68e0128d34688b76e541bd30940f873a4323ec

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2757384/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2760920/
Cape
Cape
https://www.capesandbox.com/analysis/476985/

Comments