MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7307b42a1e25b3a6e376bbf246916e0b71e27c2c09fdeed14fa7a3c7b677868b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7307b42a1e25b3a6e376bbf246916e0b71e27c2c09fdeed14fa7a3c7b677868b
SHA3-384 hash: 9308e874012f67486692423515a39559db152528d7f04d0a8da35dbe5176ac2047deb77d46b614fdea210bb2e4f5e5a3
SHA1 hash: 7d3b5ee5dcd56676c1ac39c63493e863e6e52d9b
MD5 hash: 611af5f1dbaa7a54dad2be40198d8367
humanhash: shade-jupiter-arizona-equal
File name:file
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:1'099'264 bytes
First seen:2023-08-17 06:04:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3b57adebbc15f3730d2f6b295ed9fe14 (1 x RiseProStealer)
ssdeep 24576:FupljDEVT1nl55RectmTXzv8T1RvMeosrgswbeHo1wYwfJlTSa6P:CDEVT1nl55RectmT+y3dzbeHo2YwfJlQ
Threatray 17 similar samples on MalwareBazaar
TLSH T1EA358C22D3417073E4A31070A34EDBF315B77131AB9A98A7EFC11A6A59B25D0B320F67
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter andretavare5
Tags:exe RiseProStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc647736509_665757324?hash=6DVULZFMlDSIY1xAVVh1H091fi8qtiXtIU8b8tJem0o&dl=1NKKWcRywSmBSxB9ERGkFpjO9tJzsjQEQeEhI25A0DH&api=1&no_preview=1#kisrise

Intelligence

File Origin
# of uploads :
1
# of downloads :
281
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-08-17 06:08:09 UTC
Tags:
evasion risepro stealer
Link:
https://app.any.run/tasks/58bad06c-65bf-4c3c-ada3-d6d1fbee075a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/443144/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.32686.21476.21543.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Sending a TCP request to an infection source
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/103025/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Gathering data
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/7307b42a1e25b3a6e376bbf246916e0b71e27c2c09fdeed14fa7a3c7b677868b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d91de229-07cf-4acd-9df7-f39cc7a5645b
Result
Threat name:
Clipboard Hijacker, PrivateLoader, RiseP
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1292596
Signature
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Yara detected PrivateLoader
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1292596 Sample: file.exe Startdate: 17/08/2023 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for dropped file 2->51 53 6 other signatures 2->53 8 file.exe 37 2->8         started        13 oobeldr.exe 2->13         started        process3 dnsIp4 33 194.169.175.123, 49706, 50500 CLOUDCOMPUTINGDE Germany 8->33 35 ipinfo.io 34.117.59.81, 443, 49707 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->35 37 cdn.discordapp.com 162.159.135.233, 443, 49708, 49709 CLOUDFLARENETUS United States 8->37 27 C:\Users\user\...\h0HQ8GH1DLH39isTU8lR.exe, MS-DOS 8->27 dropped 29 C:\Users\user\AppData\Local\...\KLIPE[1].exe, MS-DOS 8->29 dropped 55 May check the online IP address of the machine 8->55 57 Tries to steal Mail credentials (via file / registry access) 8->57 59 Tries to harvest and steal browser information (history, passwords, etc) 8->59 15 h0HQ8GH1DLH39isTU8lR.exe 1 8->15         started        61 Antivirus detection for dropped file 13->61 63 Multi AV Scanner detection for dropped file 13->63 65 Detected unpacking (changes PE section rights) 13->65 19 schtasks.exe 1 13->19         started        file5 signatures6 process7 file8 31 C:\Users\user\AppData\Roaming\...\oobeldr.exe, MS-DOS 15->31 dropped 39 Antivirus detection for dropped file 15->39 41 Multi AV Scanner detection for dropped file 15->41 43 Detected unpacking (changes PE section rights) 15->43 45 Uses schtasks.exe or at.exe to add and modify task schedules 15->45 21 schtasks.exe 1 15->21         started        23 conhost.exe 19->23         started        signatures9 process10 process11 25 conhost.exe 21->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7307b42a1e25b3a6e376bbf246916e0b71e27c2c09fdeed14fa7a3c7b677868b/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-08-17 06:05:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=omd3ikq6ewz2ny3wxpzenelobny6e7bmbh665ukpu6r4pntxq2fq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
2963d6270648f4b95969eaecae93ae0dc9505dd2e9a99bc80016da6e46cc4b11
RiseProStealer
523563334517ca2addf839752117f30fb0f741ca996e2a1dea48ef719ef2c4ff
RiseProStealer
6eb58443e4186740619e7fb0e391a47517ce63ba4db0bd1fb4ce007c543db2be
RiseProStealer
80f8be7669ca52aec4c9f42385328b94069d6bbee35ce6352aa46216452f0d75
RiseProStealer
9777ac78ef7b256887f447ff395e8c43c04a20aebd290629f18bb4288065cfad
RiseProStealer
b9458e5ccb3e716b7970988b9d2fdd2ecd3c77f57be0bae9e6ec9948f427ece8
RiseProStealer
de37e38d15933b163d7b104af7ac4392af4a5663f500f5567efc40c8c01e9968
RiseProStealer
e2cd080304d92494e731ad88d60f1ba38670ba4a751cd8df1e09d6702345999b
RiseProStealer
f767afef9083aed521760649129fae272dfe30f66c9922ca4529533bb81d0612
RiseProStealer
+ 7 additional samples on MalwareBazaar
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader spyware stealer
Link:
https://tria.ge/reports/230817-gs66asfg75/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Malware Config
C2 Extraction:
1.1.1.1
Unpacked files
SH256 hash:
7307b42a1e25b3a6e376bbf246916e0b71e27c2c09fdeed14fa7a3c7b677868b
MD5 hash:
611af5f1dbaa7a54dad2be40198d8367
SHA1 hash:
7d3b5ee5dcd56676c1ac39c63493e863e6e52d9b
Detections:
RiseProXorStr
Create hunting rule
win_privateloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/026c2fb7-11f2-48bb-afe8-a3d2d9999935/
Parent samples :
6eb58443e4186740619e7fb0e391a47517ce63ba4db0bd1fb4ce007c543db2be
7307b42a1e25b3a6e376bbf246916e0b71e27c2c09fdeed14fa7a3c7b677868b
142aee3c05b5023b306aa9983c67e7168df45509882940470d5fa5d9b0a95eb9
77b840bcbcda735a7e2b67f915fdfeb87ebc5324bff776ee7393a65d1a6ddf76
53c5d36676ffee894793d3d850769635289feb25fe16aeff2bfcf3d8aa510c8b
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7307b42a1e25/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7307b42a1e25b3a6e376bbf246916e0b71e27c2c09fdeed14fa7a3c7b677868b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:privateloader
Create hunting rule
Author:andretavare5
Description:PrivateLoader pay-per-install malware
Rule name:win_privateloader
Create hunting rule
Author:andretavare5
Reference:https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service
Rule name:win_privateloader_w0
Create hunting rule
Author:andretavare5
Reference:https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/443144/

Comments