MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72bdfcbf6f43df60ce7f69fd246ce880f6e825f563226c7228ce172395ab1ef2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RiseProStealer


Vendor detections: 14



SHA256 hash: 72bdfcbf6f43df60ce7f69fd246ce880f6e825f563226c7228ce172395ab1ef2
SHA3-384 hash: 05edfd048a862630aa4c2be79ad51237f85430e5f26604e73624b5e2bfdae74d0d340ab05d647f5c145f06cb93362c76
SHA1 hash: c8328ddd69dec8072c4fbfbacfcde0a174824202
MD5 hash: 7b91afefb37ecb337669d23e0cbad138
humanhash: carbon-angel-monkey-ack
File name: 7b91afefb37ecb337669d23e0cbad138
Download: download sample
Signature RiseProStealer
File size: 1'302'016 bytes
First seen: 2024-03-20 15:28:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 25bd1649e75855dcadd9e9ac5c5a14b7 (1 x RiseProStealer)
ssdeep 24576:9wvqRG67Mok0jQOtKl5yUHgbRruHYPtzZTznOl/mG:JG6RxHtuctzZTal/mG
Threatray 529 similar samples on MalwareBazaar
TLSH T185558C71A652C075D1C102F1726E6FE046ACBA3157A18CCBB3C01E79A9B11E3757AF2B
TrID 68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.5% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE): PE icon
dhash icon 0fd6b2b29abbb90f (26 x RiseProStealer)
Reporter zbetcheckin
Tags:32 exe RiseProStealer

Intelligence


File Origin
# of uploads :
1
# of downloads :
341
Origin country :
FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
72bdfcbf6f43df60ce7f69fd246ce880f6e825f563226c7228ce172395ab1ef2.exe
Verdict:
Malicious activity
Analysis date:
2024-03-20 15:31:43 UTC
Tags:
risepro

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypto fingerprint fingerprint lolbin setupapi shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
Amadey, RisePro Stealer
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check for running processes (XOR)
Contains functionality to inject threads in other processes
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1412559
Sample: BRqa0fbGK2.exe
Start date: 20/03/2024
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Antivirus detection for dropped file; 7 other signatures
DNS lookups: ipinfo.io; db-ip.com
Processes started from the root: BRqa0fbGK2.exe; MPGPH131.exe; AdobeUpdaterV131.exe; 12 other processes

BRqa0fbGK2.exe
  Network: 193.233.132.62 (ports 49714, 49725, 49726) FREE-NET-AS FREEnet EU, Russian Federation; 193.233.132.74 (ports 49704, 49707, 49711) FREE-NET-AS FREEnet EU, Russian Federation; 3 other IPs or domains
  Dropped: C:\Users\user\...\w03Eetg2_aEqrvJk3mLy.exe (PE32); C:\Users\user\...\OZ_h6omoy744rDUBYnYT.exe (PE32); C:\Users\user\AppData\Local\...dgeMS131.exe (PE32); 10 other malicious files
  Signatures: Contains functionality to check for running processes (XOR); Tries to steal Mail credentials (via file / registry access); Found stalling execution ending in API Sleep call; 4 other signatures
  Started: w03Eetg2_aEqrvJk3mLy.exe; OZ_h6omoy744rDUBYnYT.exe; schtasks.exe (which started conhost.exe); 5 other processes (which started three conhost.exe instances and 2 other processes)

MPGPH131.exe
  Dropped: C:\Users\user\...\s7Reqifh6a2pj2D21soB.exe (PE32); C:\Users\user\...YFimVpBbUayal05kYfp.exe (PE32); C:\Users\user\AppData\Local\...\amadka[1].exe (PE32); 2 other malicious files
  Signatures: Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Found API chain indicative of sandbox detection
  Started: s7Reqifh6a2pj2D21soB.exe; EYFimVpBbUayal05kYfp.exe

AdobeUpdaterV131.exe
  Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (window names); 3 other signatures
  Started: explorha.exe (Tries to detect process monitoring tools (Task Manager, Process Explorer etc.))

12 other processes
  Signatures: Machine Learning detection for dropped file; 2 other signatures

w03Eetg2_aEqrvJk3mLy.exe
  Dropped: C:\Users\user\AppData\Local\...\explorha.exe (PE32)
  Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file
  Started: explorha.exe (Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; 4 other signatures)

OZ_h6omoy744rDUBYnYT.exe
  Signatures: Tries to detect virtualization through RDTSC time measurements

s7Reqifh6a2pj2D21soB.exe
  Signatures: Tries to evade debugger and weak emulator (self modifying code); Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
Threat name:
Win32.Trojan.Casdet
Status:
Malicious
First seen:
2024-03-19 23:04:27 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Result
Malware family:
risepro
Score:
  10/10
Tags:
family:risepro
Malware Config
C2 Extraction:
193.233.132.74:58709
Unpacked files
SHA256 hash:
72bdfcbf6f43df60ce7f69fd246ce880f6e825f563226c7228ce172395ab1ef2
MD5 hash:
7b91afefb37ecb337669d23e0cbad138
SHA1 hash:
c8328ddd69dec8072c4fbfbacfcde0a174824202
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:Windows_Generic_Threat_e5f4703f
Author:Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)

RiseProStealer
Executable exe 72bdfcbf6f43df60ce7f69fd246ce880f6e825f563226c7228ce172395ab1ef2 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                                    Severity
CHECK_AUTHENTICODE         Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high
CHECK_NX                   Missing Non-Executable Memory Protection                 critical
Reviews
ID                   Capabilities                              Evidence
COM_BASE_API         Can Download & Execute components         ole32.dll::CoCreateInstance
DP_API               Uses DP API                               CRYPT32.dll::CryptUnprotectData
GDI_PLUS_API         Interfaces with Graphics                  gdiplus.dll::GdiplusStartup
                                                               gdiplus.dll::GdiplusShutdown
                                                               gdiplus.dll::GdipGetImageEncoders
                                                               gdiplus.dll::GdipGetImageEncodersSize
SHELL_API            Manipulates System Shell                  SHELL32.dll::ShellExecuteA
WIN32_PROCESS_API    Can Create Process and Threads            KERNEL32.dll::CreateRemoteThread
                                                               KERNEL32.dll::OpenProcess
                                                               KERNEL32.dll::VirtualAllocEx
                                                               KERNEL32.dll::WriteProcessMemory
                                                               KERNEL32.dll::CloseHandle
                                                               KERNEL32.dll::CreateThread
WIN_BASE_API         Uses Win Base API                         KERNEL32.dll::TerminateProcess
                                                               KERNEL32.dll::LoadLibraryA
                                                               KERNEL32.dll::LoadLibraryExW
                                                               KERNEL32.dll::GetVolumeInformationA
                                                               KERNEL32.dll::GetSystemInfo
                                                               KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API    Can Execute other programs                KERNEL32.dll::WriteConsoleW
                                                               KERNEL32.dll::ReadConsoleW
                                                               KERNEL32.dll::SetStdHandle
                                                               KERNEL32.dll::GetConsoleOutputCP
                                                               KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API      Can Create Files                          KERNEL32.dll::CopyFileA
                                                               KERNEL32.dll::CreateDirectoryA
                                                               KERNEL32.dll::CreateFileA
                                                               KERNEL32.dll::CreateFileW
                                                               KERNEL32.dll::DeleteFileA
                                                               KERNEL32.dll::DeleteFileW
WIN_BASE_USER_API    Retrieves Account Information             KERNEL32.dll::GetComputerNameA
                                                               ADVAPI32.dll::GetUserNameA
WIN_CRED_API         Can Manipulate Windows Credentials        ADVAPI32.dll::CredEnumerateA
WIN_REG_API          Can Manipulate Windows Registry           ADVAPI32.dll::RegCreateKeyExA
                                                               ADVAPI32.dll::RegGetValueA
                                                               ADVAPI32.dll::RegOpenKeyExA
                                                               ADVAPI32.dll::RegQueryValueExA
                                                               ADVAPI32.dll::RegSetValueExA
WIN_SOCK_API         Uses Network to send and receive data     WS2_32.dll::freeaddrinfo
                                                               WS2_32.dll::getaddrinfo
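The three BLint findings above are derived from two places in the PE header: the DllCharacteristics field of the optional header (NX_COMPAT, HIGH_ENTROPY_VA) and the Certificate Table data directory (Authenticode). The script below is an added example, not BLint's own code and not taken from this page: it parses those fields with the offsets from the PE/COFF specification, evaluates the same three conditions, and builds constructed header-only PE images to exercise them. Two caveats a practitioner should keep in mind: HIGH_ENTROPY_VA only affects 64-bit (PE32+) ASLR, so on a 32-bit image such as this sample the CHECK_DLL_CHARACTERISTICS finding is informational; and a non-empty Certificate Table only means a signature blob is present, it does not verify that signature.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Certificate Table (Authenticode) data directory


def parse_pe_header(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header and pull the
    fields the three BLint findings depend on. Raises ValueError on malformed input."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE\\0\\0 signature")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _sym, _nsym, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at +92, data directories at +96
        pe32plus, rva_count_off, dirs_off = False, 92, 96
    elif magic == 0x20B:      # PE32+: 8-byte ImageBase/stack/heap fields push them to +108/+112
        pe32plus, rva_count_off, dirs_off = True, 108, 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics sits at +70 in both optional header layouts
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    n_dirs = struct.unpack_from("<I", data, opt + rva_count_off)[0]
    cert_off, cert_size = 0, 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        cert_off, cert_size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {"machine": machine, "pe32plus": pe32plus, "dll_characteristics": dll_chars,
            "cert_offset": cert_off, "cert_size": cert_size}


def check_hardening(data: bytes) -> list:
    """Reproduce the three BLint findings shown for this sample, in the same order.
    Returns (finding id, severity) tuples; an empty list means all three checks pass."""
    pe = parse_pe_header(data)
    dc = pe["dll_characteristics"]
    findings = []
    if pe["cert_size"] == 0:                               # no WIN_CERTIFICATE blob at all
        findings.append(("CHECK_AUTHENTICODE", "high"))
    if not dc & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA:  # informational on PE32 images
        findings.append(("CHECK_DLL_CHARACTERISTICS", "high"))
    if not dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT:        # loader may map data pages executable
        findings.append(("CHECK_NX", "critical"))
    return findings


def build_pe_header(dll_chars: int, signed: bool, pe32plus: bool = False) -> bytes:
    """Constructed minimal header-only PE (no sections, no code) used as test input;
    it is not derived from the sample on this page."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    opt_size = 240 if pe32plus else 224                # 16 data directories either way
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, 16)
    if signed:
        # The Certificate Table holds a raw file offset and size of a WIN_CERTIFICATE
        # blob; these values are placeholders, not a real signature.
        sec = (112 if pe32plus else 96) + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", opt, sec, 0x1000, 0x800)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_pe_header(0, signed=False)
    for fid, sev in check_hardening(data) or [("no findings", "-")]:
        print(f"{fid:<28}{sev}")
```

Run it with a path to any PE to print the same three finding ids BLint uses; with no argument it checks the constructed unhardened header, which reproduces exactly the three rows in the Findings table above.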

Comments



zbet commented on 2024-03-20 15:28:45 UTC

url : hxxp://193.233.132.167/cost/ohara.exe
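As an added triage example, not part of the MalwareBazaar entry or of any vendor report on it, the script below sweeps log lines for the indicators this entry publishes: the four file hashes, the C2 socket 193.233.132.74:58709 from the Malware Config section, the IPs from the behaviour graph, and the download URL from the uploader's comment (refanged from hxxp:// to http://). Only the extracted C2 port is used as a socket indicator; bare IP matches are reported separately because they are lower fidelity. The squid-style and netfilter-style log lines and their field layouts are constructed for the example; adapt the regexes to your own log source.

```python
import hashlib
import re

# Indicators as published on this MalwareBazaar entry.
IOC_HASHES = {
    "md5": "7b91afefb37ecb337669d23e0cbad138",
    "sha1": "c8328ddd69dec8072c4fbfbacfcde0a174824202",
    "sha256": "72bdfcbf6f43df60ce7f69fd246ce880f6e825f563226c7228ce172395ab1ef2",
    "sha3_384": "05edfd048a862630aa4c2be79ad51237f85430e5f26604e73624b5e2bfdae74d0d340ab05d647f5c145f06cb93362c76",
}
IOC_C2 = {("193.233.132.74", 58709)}                     # Malware Config: C2 Extraction
IOC_IPS = {"193.233.132.62", "193.233.132.74", "193.233.132.167"}
IOC_URLS = {"http://193.233.132.167/cost/ohara.exe"}    # refanged from the comment above

IPV4 = r"\b(?:\d{1,3}\.){3}\d{1,3}\b"
IP_RE = re.compile(IPV4)
IPPORT_RE = re.compile(rf"({IPV4}):(\d{{1,5}})\b")
IPTABLES_RE = re.compile(rf"DST=({IPV4}).*?DPT=(\d{{1,5}})\b")   # netfilter LOG target format
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def refang(text: str) -> str:
    """Undo common defanging so shared indicators compare against raw log data."""
    return (text.replace("hxxps://", "https://").replace("hxxp://", "http://")
                .replace("[.]", ".").replace("[:]", ":").replace("(.)", "."))


def hash_match(data: bytes) -> set:
    """Return the hash algorithms under which `data` equals the sample on this page."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }
    return {algo for algo, hx in digests.items() if hx == IOC_HASHES[algo]}


def scan_line(line: str) -> set:
    """Return (indicator type, value) hits for one log line; empty set if clean."""
    line = refang(line)
    hits = set()
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;")                          # trailing punctuation from prose logs
        if url in IOC_URLS:
            hits.add(("url", url))
    for ip, port in IPPORT_RE.findall(line) + IPTABLES_RE.findall(line):
        if (ip, int(port)) in IOC_C2:
            hits.add(("c2", f"{ip}:{port}"))
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.add(("ip", ip))
    return hits


def scan_logs(lines) -> list:
    """Return [(line index, hits)] for every line that touched an indicator."""
    out = []
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            out.append((i, hits))
    return out


# Constructed sample log lines (not taken from the sandbox reports on this page).
SAMPLE_LOGS = [
    # squid-style proxy line: fetch of the uploader-reported payload URL
    "1710948524.123 1311 10.0.0.5 TCP_MISS/200 1302016 GET http://193.233.132.167/cost/ohara.exe - HIER_DIRECT/193.233.132.167 application/x-dosexec",
    # netfilter LOG line: outbound connection to the extracted C2 socket
    "kernel: FW_OUT IN= OUT=eth0 SRC=10.0.0.5 DST=193.233.132.74 LEN=60 PROTO=TCP SPT=49704 DPT=58709",
    # unrelated traffic to a documentation-range address; must not match
    "1710948530.001 20 10.0.0.7 TCP_MISS/200 512 GET http://example.com/ - HIER_DIRECT/198.51.100.10 text/html",
    # the same indicator defanged the way analysts usually share it
    "analyst-note: user reported download from hxxp://193[.]233[.]132[.]167/cost/ohara.exe",
]

if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS):
        print(idx, sorted(hits))
```

`hash_match` is there for the file side of the same sweep: feed it the bytes of a quarantined file and it reports which of the entry's four digests match, which is cheaper than an ssdeep or TLSH comparison and avoids relying on MD5 alone.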