MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72ce7e97ea68b817452d8e25f7070623450828230a1c21d640b6f888d3cf29fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 22 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 72ce7e97ea68b817452d8e25f7070623450828230a1c21d640b6f888d3cf29fc
SHA3-384 hash: 08552e39c9e8113ad3f7f1aee95f4939f9d4f2326f438a451b5df007c8e48a4f8f8924f75dde81da13944bea51cfe26d
SHA1 hash: 83628f7bb5b2bd7076353e244d74dee2f2a10005
MD5 hash: 6f0515d79e954d07174ce168dc1a63ed
humanhash: leopard-black-oregon-freddie
File name:72ce7e97ea68b817452d8e25f7070623450828230a1c21d640b6f888d3cf29fc.exe
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'366'976 bytes
First seen:2024-01-08 19:45:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:mh37AYyO5msPJOXZtime3pEjNe+vGOkMtFFmgfWbdX:I7A45DJwixpEjNed3c2OWbdX
Threatray 620 similar samples on MalwareBazaar
TLSH T1A2B533898AF5C836CDE91F7008F61183127ABCE05E39437A2356BDD56C672E067A077B
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter adm1n_usa32
Tags:exe RiseProStealer WEXTRACT

Intelligence

File Origin
# of uploads :
1
# of downloads :
330
Origin country :
RO RO
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/469918/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Behavior that indicates a threat
Searching for the browser window
DNS request
Sending a custom TCP request
Searching for the window
Сreating synchronization primitives
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm autoit CAB control crypto explorer greyware installer keylogger lolbin lolbin obfuscated packed redcap risepro rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/659c50fcfd5068bbc3cbdc99/reports/50d09c7f-6798-4c3c-8d5e-f26f5c9d741c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/72ce7e97ea68b817452d8e25f7070623450828230a1c21d640b6f888d3cf29fc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/17e208bf-18ec-45dc-bc42-c2625b6d0c9c
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1371445
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Contains functionality to check for running processes (XOR)
Contains functionality to inject threads in other processes
Detected unpacking (changes PE section rights)
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1371445 Sample: Mvpb9enyV6.exe Startdate: 08/01/2024 Architecture: WINDOWS Score: 100 88 stun.l.google.com 2->88 90 play.google.com 2->90 92 ipinfo.io 2->92 110 Snort IDS alert for network traffic 2->110 112 Antivirus / Scanner detection for submitted sample 2->112 114 Multi AV Scanner detection for submitted file 2->114 116 4 other signatures 2->116 11 Mvpb9enyV6.exe 1 4 2->11         started        15 RageMP131.exe 2->15         started        17 MPGPH131.exe 2->17         started        19 2 other processes 2->19 signatures3 process4 file5 80 C:\Users\user\AppData\Local\...\2wG0695.exe, PE32 11->80 dropped 82 C:\Users\user\AppData\Local\...\1eh52da7.exe, PE32 11->82 dropped 138 Binary is likely a compiled AutoIt script file 11->138 21 2wG0695.exe 1 76 11->21         started        26 1eh52da7.exe 12 11->26         started        84 C:\...\4HG3_5NY33P3eyIrFbzMWUgdB6xZ2cyL.zip, Zip 15->84 dropped 140 Antivirus detection for dropped file 15->140 142 Multi AV Scanner detection for dropped file 15->142 144 Detected unpacking (changes PE section rights) 15->144 146 Tries to harvest and steal browser information (history, passwords, etc) 15->146 28 WerFault.exe 15->28         started        86 C:\...\bFOalrRc4RTfg5ZGKwTriIorT7MYmWw_.zip, Zip 17->86 dropped 148 Tries to steal Mail credentials (via file / registry access) 17->148 150 Machine Learning detection for dropped file 17->150 152 Hides threads from debuggers 17->152 30 WerFault.exe 17->30         started        signatures6 process7 dnsIp8 100 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 21->100 102 ipinfo.io 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 21->102 74 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 21->74 dropped 76 C:\ProgramData\MPGPH131\MPGPH131.exe, PE32 21->76 dropped 78 C:\...\9DX8LVVg4iY_jCqoO8xTuDw4t9tXWIlq.zip, Zip 21->78 dropped 124 Antivirus detection for dropped file 21->124 126 Multi AV Scanner detection for dropped file 21->126 128 Detected unpacking (changes PE section rights) 21->128 136 7 other signatures 21->136 32 schtasks.exe 21->32         started        34 schtasks.exe 21->34         started        36 WerFault.exe 21->36         started        130 Binary is likely a compiled AutoIt script file 26->130 132 Machine Learning detection for dropped file 26->132 134 Found API chain indicative of sandbox detection 26->134 38 chrome.exe 1 26->38         started        41 chrome.exe 26->41         started        43 chrome.exe 26->43         started        45 7 other processes 26->45 file9 signatures10 process11 dnsIp12 47 conhost.exe 32->47         started        49 conhost.exe 34->49         started        104 192.168.2.6 unknown unknown 38->104 106 192.168.2.7 unknown unknown 38->106 108 2 other IPs or domains 38->108 51 chrome.exe 38->51         started        62 2 other processes 38->62 54 chrome.exe 41->54         started        56 chrome.exe 43->56         started        58 chrome.exe 45->58         started        60 chrome.exe 45->60         started        64 5 other processes 45->64 process13 dnsIp14 66 MPGPH131.exe 47->66         started        94 104.244.42.130 TWITTERUS United States 51->94 96 t.co 104.244.42.197 TWITTERUS United States 51->96 98 111 other IPs or domains 51->98 process15 file16 72 C:\...behaviorgraphluNtuP68BNnAWs0nij7ASkkqA64y8NF.zip, Zip 66->72 dropped 118 Tries to steal Mail credentials (via file / registry access) 66->118 120 Found many strings related to Crypto-Wallets (likely being stolen) 66->120 122 Hides threads from debuggers 66->122 70 WerFault.exe 66->70         started        signatures17 process18
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/72ce7e97ea68b817452d8e25f7070623450828230a1c21d640b6f888d3cf29fc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/72ce7e97ea68b817452d8e25f7070623450828230a1c21d640b6f888d3cf29fc/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-01-08 02:06:12 UTC
File Type:
PE (Exe)
Extracted files:
66
AV detection:
17 of 37 (45.95%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=olhh5f7knc4borjnrys7obygencqqkbdbiocdvsaw34iru6pfh6a._file
Verdict:
unknown
Similar samples:
0bc90706defe0f5defbc5be90ea4d4c14ec01ad3b85ac35baa4db1b9906bcad6
RiseProStealer
1208eb5fcec2b7c18202685bd7d17706583d6b207bc15242c316cb27a2de2691
RiseProStealer
1c0008391ca8fa90f4609c97b81dddfa7b0d9587c5a480b836040f4ad796bc11
RiseProStealer
6b362b2e24b31baf1345b1510806cdd4ac3af1ad704881421ceae5360312eed8
RiseProStealer
6f490f3430e51eabccc5ae73df35e0d2193da083f1760b562fa2ed7309a30490
RiseProStealer
7011baaee0cf94f06cf89fd2672f6d3e0a304abd72324532cc4e871326395391
RiseProStealer
71334cb3df06b322134688d24e5b8620d691a38ac42d72c5c0071b3de563fcb4
RiseProStealer
d4ad4eac1146c73f44b7bf25f3356a78d5764a300998bb8ca8f4cb2df9cbdaba
RiseProStealer
e8ca98e34dd9b89697bdbb1ad24e6d8928d844c431c9cab14ecb3d86551846e3
RiseProStealer
f8e284bd0abd20b927c85a295144921ccdb547701cc0bf724f9ca60fbaea124e
RiseProStealer
+ 610 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/240108-ygyhfsghg3/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Adds Run key to start application
Executes dropped EXE
Unpacked files
SH256 hash:
983abd739e7d020b819c9bc6a3183173a87489eb52abf7a5ace9a4c3c144c628
MD5 hash:
4661fee0bc1a40d30df35df7d0e9e4bb
SHA1 hash:
4826c119e8ad8d699168968a2cba0f13db2d9547
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/11fff4b0-7c41-4515-b247-8836ed1c021c/
SH256 hash:
72ce7e97ea68b817452d8e25f7070623450828230a1c21d640b6f888d3cf29fc
MD5 hash:
6f0515d79e954d07174ce168dc1a63ed
SHA1 hash:
83628f7bb5b2bd7076353e244d74dee2f2a10005
Link:
https://www.unpac.me/results/11fff4b0-7c41-4515-b247-8836ed1c021c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/72ce7e97ea68b817452d8e25f7070623450828230a1c21d640b6f888d3cf29fc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/469918/

Comments