MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e18c0aac85e435eced23988b5c0365e52840f244f91b0aba4520d0a3c42ea64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e18c0aac85e435eced23988b5c0365e52840f244f91b0aba4520d0a3c42ea64
SHA3-384 hash: 5ab023b1fba8aa80c2af10e26357fbb2d9dadf774870ff0498fe0fca372eed6302a5e2921c1ceffd5202b2b625f0ccbb
SHA1 hash: 5330b8d4851b737c08dc30fb9cf7bcb2f20ca667
MD5 hash: a80ab2bb015e85a9f481b4fcff487428
humanhash: nebraska-pizza-east-alabama
File name:a80ab2bb015e85a9f481b4fcff487428
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:1'389'056 bytes
First seen:2023-12-25 11:07:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:oyTGjA6WzX3g4+HOe5J5fN4iFoVh+en1qo6wivzxeyNrXyYh6t0k:vTG3WLQVuej5fNFFoVwenp6Rz4yNbyDt
Threatray 807 similar samples on MalwareBazaar
TLSH T152552353A3E89036E8B6A7B058F6129722317CB1DD70835F27642D5A08B35C5BE317BB
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
382
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
RisePro
Create hunting rule
Link:
https://www.capesandbox.com/analysis/469302/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

Win.Packed.Stealerc-10017072-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Behavior that indicates a threat
Searching for the browser window
DNS request
Sending a custom TCP request
Searching for the window
Creating a file
Running batch commands
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer installer lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/65896295439457868c07e04b/reports/7ff3ac02-83d6-4945-807e-710a58a73eb4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6e18c0aac85e435eced23988b5c0365e52840f244f91b0aba4520d0a3c42ea64
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8f03b5b0-58bd-4e20-9c08-96c7f01ba327
Result
Threat name:
RisePro Stealer, SmokeLoader, Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1366868
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Connects to many IPs within the same subnet mask (likely port scanning)
Contains functionality to modify clipboard data
Found API chain indicative of sandbox detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Phishing site detected (based on logo match)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1366868 Sample: 07sNmeo9iZ.exe Startdate: 25/12/2023 Architecture: WINDOWS Score: 100 123 stun.l.google.com 2->123 125 ipinfo.io 2->125 135 Snort IDS alert for network traffic 2->135 137 Found malware configuration 2->137 139 Antivirus detection for dropped file 2->139 141 14 other signatures 2->141 11 07sNmeo9iZ.exe 1 4 2->11         started        14 FANBooster131.exe 2->14         started        17 MaxLoonaFest131.exe 2->17         started        19 7 other processes 2->19 signatures3 process4 file5 113 2 other malicious files 11->113 dropped 21 gA3dq63.exe 1 4 11->21         started        99 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 14->99 dropped 101 C:\...\JHxHHr8jL7MNNU7dCzqKWu6IKNHi8JX6.zip, Zip 14->101 dropped 167 Multi AV Scanner detection for dropped file 14->167 169 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->169 171 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 14->171 173 Tries to harvest and steal browser information (history, passwords, etc) 14->173 25 WerFault.exe 14->25         started        103 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 17->103 dropped 105 C:\...\gU6TzyM5mVsHfoW3dikQi17gpj2Fu7lo.zip, Zip 17->105 dropped 175 Tries to steal Mail credentials (via file / registry access) 17->175 177 Machine Learning detection for dropped file 17->177 179 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 17->179 27 WerFault.exe 17->27         started        107 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 19->107 dropped 109 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 19->109 dropped 111 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 19->111 dropped 115 2 other malicious files 19->115 dropped 181 Found many strings related to Crypto-Wallets (likely being stolen) 19->181 183 Queries memory information (via WMI often done to detect virtual machines) 19->183 29 WerFault.exe 19->29         started        31 WerFault.exe 19->31         started        33 WerFault.exe 19->33         started        35 chrome.exe 19->35         started        signatures6 process7 file8 83 C:\Users\user\AppData\Local\...\Ro5gH06.exe, PE32 21->83 dropped 85 C:\Users\user\AppData\Local\...\6Xn6SA8.exe, PE32 21->85 dropped 143 Antivirus detection for dropped file 21->143 145 Multi AV Scanner detection for dropped file 21->145 147 Machine Learning detection for dropped file 21->147 37 Ro5gH06.exe 1 4 21->37         started        signatures9 process10 file11 87 C:\Users\user\AppData\Local\...\4DF871ov.exe, PE32 37->87 dropped 89 C:\Users\user\AppData\Local\...\1Uh68te3.exe, PE32 37->89 dropped 149 Multi AV Scanner detection for dropped file 37->149 151 Binary is likely a compiled AutoIt script file 37->151 153 Machine Learning detection for dropped file 37->153 41 4DF871ov.exe 16 29 37->41         started        46 1Uh68te3.exe 12 37->46         started        signatures12 process13 dnsIp14 129 193.233.132.74 FREE-NET-ASFREEnetEU Russian Federation 41->129 131 ipinfo.io 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 41->131 91 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 41->91 dropped 93 C:\Users\user\AppData\...\FANBooster131.exe, PE32 41->93 dropped 95 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 41->95 dropped 97 C:\ProgramData\...\OfficeTrackerNMP131.exe, PE32 41->97 dropped 155 Multi AV Scanner detection for dropped file 41->155 157 Machine Learning detection for dropped file 41->157 159 Found many strings related to Crypto-Wallets (likely being stolen) 41->159 48 cmd.exe 41->48         started        51 cmd.exe 41->51         started        53 WerFault.exe 41->53         started        161 Binary is likely a compiled AutoIt script file 46->161 163 Found API chain indicative of sandbox detection 46->163 165 Contains functionality to modify clipboard data 46->165 55 chrome.exe 1 46->55         started        58 chrome.exe 46->58         started        60 chrome.exe 46->60         started        62 6 other processes 46->62 file15 signatures16 process17 dnsIp18 133 Uses schtasks.exe or at.exe to add and modify task schedules 48->133 75 2 other processes 48->75 77 2 other processes 51->77 127 239.255.255.250 unknown Reserved 55->127 64 chrome.exe 55->64         started        79 2 other processes 55->79 67 chrome.exe 58->67         started        69 chrome.exe 60->69         started        71 chrome.exe 62->71         started        73 chrome.exe 62->73         started        81 4 other processes 62->81 signatures19 process20 dnsIp21 117 192.168.2.4 unknown unknown 64->117 119 tpop-api.twitter.com 104.244.42.130 TWITTERUS United States 64->119 121 121 other IPs or domains 64->121
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6e18c0aac85e435eced23988b5c0365e52840f244f91b0aba4520d0a3c42ea64
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6e18c0aac85e435eced23988b5c0365e52840f244f91b0aba4520d0a3c42ea64/
Threat name:
ByteCode-MSIL.Trojan.RiseProStealer
Create hunting rule
Status:
Malicious
First seen:
2023-12-25 11:08:07 UTC
File Type:
PE (Exe)
Extracted files:
202
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nymmbkwilzbv5twshgellqbwlzjiidzej6i3bk5ekigqupcc5jsa._file
Verdict:
malicious
Similar samples:
42d5c8af3500e1d4979045b84efe4fe7f901e8b5bcdb46a0a8ef9e2fcb7320ef
RiseProStealer
5a7aedf2a49e497fbf101d56d931e996f4145deb73a0d9a398a8c5e96556b2fc
RiseProStealer
70d432aaae6f900cb7d7e8cc0d4b78551d905d1ac9e208d4c73c4ead3b4f97a4
RiseProStealer
93bb322e419ca964ae2a6340febd60d216ce342706ca4efe9c6df1fec38d238e
RiseProStealer
949edc5ede31cf9316dedc155d8d4ca93f8da0464d2ef0d8bff52dfddcac8e41
RiseProStealer
aa6109131f311c7ec4cbd993ac6fb997dda5beefee5863895e36608288fcac8a
RiseProStealer
b3193fd6b06a6a466c077456ba004201be106d617aae73498c3f518b3f7f57f2
RiseProStealer
be71f36ddea88c4ba342394e20352d60fa7cd61cba70454eba270f9f4996b293
RiseProStealer
d9ad55fb79af764ef60e3508973f162266bc8a2db17155612c6b5b7155e12c1d
RiseProStealer
f977db2d43fc46345f2711d8f6ade913ad807ab9b1f0988e2fd01fc45406faa0
RiseProStealer
+ 797 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:redline family:smokeloader family:zgrat botnet:666 botnet:livetraffic botnet:up3 backdoor brand:google collection discovery evasion infostealer persistence phishing rat spyware stealer trojan
Link:
https://tria.ge/reports/231225-m8jmtscca7/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
NSIS installer
Enumerates physical storage devices
Program crash
AutoIT Executable
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Modifies Windows Firewall
Detect Lumma Stealer payload V4
Detect ZGRat V1
Detected google phishing page
Lumma Stealer
RedLine
RedLine payload
SmokeLoader
ZGRat
Malware Config
C2 Extraction:
http://185.215.113.68/fks/index.php
77.105.132.87:22221
195.20.16.103:18305
http://host-file-host6.com/
http://host-host-file8.com/
http://soupinterestoe.fun/api
Unpacked files
SH256 hash:
e3c83ad6d2ac42df511537e24d406c3af4102c0c112b81809b92b21cd3b88b07
MD5 hash:
6abc9edfd742d10429c6a6ba5bb73232
SHA1 hash:
e6f06c33a82687d71f1f807cdfcc1c53e82ae60b
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/0817c089-4193-4d71-9de2-ae8697aae9e6/
Parent samples :
059b4c4f4e698f682bddbaecb0c94ac2b856d65a2c5c7943a3869c507c08d556
c21cfe990b2202b1d2cc45e60ad7c5085513f5c7b44c8c267759b056771d5765
44ae5bcd4f1efbb30cf46e88b8fe6ff722c38d7101aeb2cb381b9f108312978c
6e18c0aac85e435eced23988b5c0365e52840f244f91b0aba4520d0a3c42ea64
b87531a1fbc40e8ada603a797fde0ce06ba4d86e984cd9c7fb03a2635dfd6803
233fdd885db94f2bf61ecf71049c5bce72378edcec5e65f824422052922f394c
b9f69c03f5d2f0190f98375d442160b4bf00071f5f4845a1152299c0430f8744
2fe1c7f6fd2a372cbee37cea22872936df4fe02d94cbf75f0115167b2ee14982
fb85a6a090bdb61fd8f3c13faf205ac39fd66f9ec01025c855058b9a88b4318a
9d5a3aba415f4bbdf2490d85a206125ab9ff69b1d0898e852dae701d02138815
SH256 hash:
1b37f2e968b48b389787b3743ae7b720e68f631f602f43aafa672dfd1b436116
MD5 hash:
b31b6a35e0c99aa27ad556449b7d6e2e
SHA1 hash:
604c138aebc1f0d4333a5217a03ec3cd9d15043d
Detections:
INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Link:
https://www.unpac.me/results/0817c089-4193-4d71-9de2-ae8697aae9e6/
SH256 hash:
888e84dd89dfc4ba5e494a719fdf858ba8260aa03c5fef69401bbc2d7e8e1e51
MD5 hash:
8113767d6fa0f2f8a67a7999b17f2026
SHA1 hash:
dd2b2086e2d4f824af3d09fd26533dfe9abe5852
Link:
https://www.unpac.me/results/0817c089-4193-4d71-9de2-ae8697aae9e6/
SH256 hash:
ff848d40e679744e4fe284b0e5466c60e5a7198d5098fc23c235fe88b67013d5
MD5 hash:
b1f4c636d98decfbb3b442f86359ed94
SHA1 hash:
6bcf58148f3b2afcbf23dc41580f27fe4c67972d
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/0817c089-4193-4d71-9de2-ae8697aae9e6/
SH256 hash:
6e18c0aac85e435eced23988b5c0365e52840f244f91b0aba4520d0a3c42ea64
MD5 hash:
a80ab2bb015e85a9f481b4fcff487428
SHA1 hash:
5330b8d4851b737c08dc30fb9cf7bcb2f20ca667
Link:
https://www.unpac.me/results/0817c089-4193-4d71-9de2-ae8697aae9e6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6e18c0aac85e435eced23988b5c0365e52840f244f91b0aba4520d0a3c42ea64

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 6e18c0aac85e435eced23988b5c0365e52840f244f91b0aba4520d0a3c42ea64

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2744342/
Cape
Cape
https://www.capesandbox.com/analysis/469302/

Comments


Avatar
zbet commented on 2023-12-25 11:07:53 UTC

url : hxxp://77.91.68.21/red/line.exe