MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7315021a14a55639cc22757933a92e14928acbf8ea37dc4140786347a7849431. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7315021a14a55639cc22757933a92e14928acbf8ea37dc4140786347a7849431
SHA3-384 hash: aaee7d70525958a89369e452acfee453f5b30392bfc5920dd21a6ff8df3c4bb1487da935e01e5137c669f324eebe855c
SHA1 hash: dbbb153fda08c76d723128634578bc33a3d79eb6
MD5 hash: 128e24d5ef841397092851ed86ac08d6
humanhash: nuts-fanta-johnny-nevada
File name:128e24d5ef841397092851ed86ac08d6
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'400'256 bytes
First seen:2024-02-09 12:34:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:FGYvKD9o0FURImBRWHMU/pOS7m4x1CngcMkO4sewtUR7GliQ:DS9o0FUpRWHnkS7m4zCng94Tw6C
TLSH T186B523CEAE404467EA807A754CD4F6B8026FED44AD9244CD6CCC7A67FE77C192C27868
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon e0d4e8e8e8f0d4c8 (58 x RiseProStealer, 3 x Worm.Ramnit)
Reporter zbetcheckin
Tags:32 exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
311
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
azorult
Create hunting rule
ID:
1
File name:
4363463463464363463463463.bin
Verdict:
Malicious activity
Analysis date:
2024-02-09 12:07:15 UTC
Tags:
opendir hausbomber loader gcleaner rhadamanthys stealer azorult rat njrat bladabindi remote keylogger remcos purplefox backdoor phorpiex trojan kelihos amadey botnet dcrat redline metastealer asyncrat evasion gh0stcringe gh0st arechclient2 stealc
Link:
https://app.any.run/tasks/8a1f7f6a-d75d-4587-8ead-90c97e4c7dde

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/475568/
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65c61bf7dd5f280012674236/reports/7bc23b23-f78d-4758-8f81-03bd2dd485c9/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/7315021a14a55639cc22757933a92e14928acbf8ea37dc4140786347a7849431
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/12ba1ce6-6042-4f59-a54c-4e5e3edd9e29
Result
Threat name:
Amadey, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1389721
Signature
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1389721 Sample: 3uWTnBmPg5.exe Startdate: 09/02/2024 Architecture: WINDOWS Score: 100 99 youtube-ui.l.google.com 2->99 101 www3.l.google.com 2->101 103 39 other IPs or domains 2->103 133 Snort IDS alert for network traffic 2->133 135 Multi AV Scanner detection for domain / URL 2->135 137 Antivirus detection for URL or domain 2->137 139 7 other signatures 2->139 9 3uWTnBmPg5.exe 2 109 2->9         started        14 MPGPH131.exe 107 2->14         started        16 RageMP131.exe 2->16         started        18 7 other processes 2->18 signatures3 process4 dnsIp5 105 193.233.132.167 FREE-NET-ASFREEnetEU Russian Federation 9->105 107 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 9->107 109 ipinfo.io 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 9->109 83 C:\Users\user\...\uBpkGdo34Mx03NDCQ9U4.exe, PE32 9->83 dropped 85 C:\Users\user\...\n220pRoS12Qhzf8WmwX2.exe, PE32 9->85 dropped 87 C:\Users\user\...\j5v44xMUfnq3sLTle2CB.exe, PE32 9->87 dropped 95 12 other malicious files 9->95 dropped 165 Detected unpacking (changes PE section rights) 9->165 167 Binary is likely a compiled AutoIt script file 9->167 169 Tries to steal Mail credentials (via file / registry access) 9->169 187 4 other signatures 9->187 20 uBpkGdo34Mx03NDCQ9U4.exe 9->20         started        23 AugS3aXcB7mH0p8BFgGb.exe 9->23         started        25 n220pRoS12Qhzf8WmwX2.exe 9->25         started        35 4 other processes 9->35 89 C:\Users\user\...\xH196PiAOMyvCliWabcw.exe, PE32 14->89 dropped 91 C:\Users\user\...\lQTtCMowvTURZPXZ20YP.exe, PE32 14->91 dropped 93 C:\Users\user\...\bQ5B03iT6QPvJwqQE4L3.exe, PE32 14->93 dropped 97 8 other malicious files 14->97 dropped 171 Multi AV Scanner detection for dropped file 14->171 173 Machine Learning detection for dropped file 14->173 175 Found many strings related to Crypto-Wallets (likely being stolen) 14->175 177 Found stalling execution ending in API Sleep call 14->177 179 Tries to evade debugger and weak emulator (self modifying code) 16->179 189 2 other signatures 16->189 181 Tries to harvest and steal browser information (history, passwords, etc) 18->181 183 Maps a DLL or memory area into another process 18->183 185 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->185 28 firefox.exe 18->28         started        31 firefox.exe 18->31         started        33 msedge.exe 18->33         started        37 4 other processes 18->37 file6 signatures7 process8 dnsIp9 141 Detected unpacking (changes PE section rights) 20->141 143 Modifies windows update settings 20->143 145 Disables Windows Defender Tamper protection 20->145 163 2 other signatures 20->163 147 Multi AV Scanner detection for dropped file 23->147 149 Tries to detect sandboxes and other dynamic analysis tools (window names) 23->149 151 Tries to evade debugger and weak emulator (self modifying code) 23->151 73 C:\Users\user\AppData\Local\...\explorgu.exe, PE32 25->73 dropped 153 Hides threads from debuggers 25->153 155 Tries to detect sandboxes / dynamic malware analysis system (registry check) 25->155 157 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 25->157 121 mitmdetection.services.mozilla.com 18.160.60.35 MIT-GATEWAYSUS United States 28->121 123 108.177.122.84 GOOGLEUS United States 28->123 129 16 other IPs or domains 28->129 75 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 28->75 dropped 77 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 28->77 dropped 79 FE1F5B94E735CF25E43C634E82ECB06C772BE012, COM 28->79 dropped 81 C:\Users\user\AppData\...\places.sqlite, SQLite 28->81 dropped 39 firefox.exe 28->39         started        52 2 other processes 28->52 159 Found many strings related to Crypto-Wallets (likely being stolen) 31->159 41 firefox.exe 31->41         started        125 bzib.nelreports.net 33->125 127 13.107.21.239 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 33->127 131 33 other IPs or domains 33->131 161 Binary is likely a compiled AutoIt script file 35->161 43 chrome.exe 35->43         started        46 chrome.exe 35->46         started        48 chrome.exe 35->48         started        54 12 other processes 35->54 50 chrome.exe 37->50         started        56 3 other processes 37->56 file10 signatures11 process12 dnsIp13 117 192.168.2.6 unknown unknown 43->117 119 239.255.255.250 unknown Reserved 43->119 58 chrome.exe 43->58         started        61 chrome.exe 46->61         started        63 chrome.exe 48->63         started        65 chrome.exe 54->65         started        67 msedge.exe 54->67         started        69 msedge.exe 54->69         started        71 msedge.exe 54->71         started        process14 dnsIp15 111 www3.l.google.com 142.250.9.102 GOOGLEUS United States 58->111 113 www.google.com 142.250.9.99 GOOGLEUS United States 58->113 115 19 other IPs or domains 58->115
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7315021a14a55639cc22757933a92e14928acbf8ea37dc4140786347a7849431
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7315021a14a55639cc22757933a92e14928acbf8ea37dc4140786347a7849431/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-02-09 12:35:06 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=omkqegquuvldttbcov4thkjocsjivs7y5i35yqkapbrupj4esqyq._file
Verdict:
unknown
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer
Link:
https://tria.ge/reports/240209-psby6aba9x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.62
Unpacked files
SH256 hash:
b8ef4e4c1958b04389b1586ede220bf36741e2314ed97b0fcd733734a4438d9c
MD5 hash:
f098da1e8933ab4c1f8e4ca6e81fe793
SHA1 hash:
3cd67a00d2d7cf4781b7fd031596ff6523aee37a
Link:
https://www.unpac.me/results/fc87b4ab-1865-4914-aba7-3b2e302dd352/
SH256 hash:
7315021a14a55639cc22757933a92e14928acbf8ea37dc4140786347a7849431
MD5 hash:
128e24d5ef841397092851ed86ac08d6
SHA1 hash:
dbbb153fda08c76d723128634578bc33a3d79eb6
Link:
https://www.unpac.me/results/fc87b4ab-1865-4914-aba7-3b2e302dd352/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7315021a14a5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7315021a14a55639cc22757933a92e14928acbf8ea37dc4140786347a7849431

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 7315021a14a55639cc22757933a92e14928acbf8ea37dc4140786347a7849431

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/475568/
  
URLhaus
https://urlhaus.abuse.ch/url/2758782/

Comments


Avatar
zbet commented on 2024-02-09 12:34:06 UTC

url : hxxp://109.107.182.38/dalas/hunta.exe