MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 741cac1fdcce7cbbc1170134d10550d3cea47cb5b7d1053e87c422b0cb28d496. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 741cac1fdcce7cbbc1170134d10550d3cea47cb5b7d1053e87c422b0cb28d496
SHA3-384 hash: ec340786c5a3bfd0eb1a85d03bb9e40afe303bc27748c0765a40c0f3a3c0ef2a134db741b5b25e827db973fe5d594bba
SHA1 hash: d9d86f9ab26ba94bab3e6a177052da3b85cf83eb
MD5 hash: 9ef9fd66d9c8c901da4251f4a6693b81
humanhash: autumn-purple-zebra-kentucky
File name:9ef9fd66d9c8c901da4251f4a6693b81
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'421'248 bytes
First seen:2024-02-15 21:29:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:p9wPLvMONMzLGYBfZv8UeVmpLCA7xohLEoyhAKODFo09k+r:pWPAsMzLdpZOS7QLGfOD6a
Threatray 213 similar samples on MalwareBazaar
TLSH T118B523CEFE4255ABDA547AB460E2F37C062EFC91E94664CD2CCC7B63B7739190212489
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon e0d4e8e8e8f0d4c8 (58 x RiseProStealer, 3 x Worm.Ramnit)
Reporter zbetcheckin
Tags:32 exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
357
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/476386/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file in the Windows subdirectories
Modifying a system file
Creating a file
Launching a process
Using the Windows Management Instrumentation requests
Replacing files
Launching a service
Creating a file in the %temp% directory
DNS request
Connection attempt
Sending a custom TCP request
Sending a UDP request
Sending an HTTP GET request
Reading critical registry keys
Creating a process from a recently created file
Creating a window
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65ce825c03a1c3a7aeee59b7/reports/2c5e6b05-de6c-46c7-9549-6dd9320bc2b7/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/741cac1fdcce7cbbc1170134d10550d3cea47cb5b7d1053e87c422b0cb28d496
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e350329a-8217-4e48-aba4-daad82259a45
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1393126
Signature
Adds extensions / path to Windows Defender exclusion list (Registry)
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Disables Windows Defender Tamper protection
Exclude list of file types from scheduled, custom, and real-time scanning
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies windows update settings
Multi AV Scanner detection for dropped file
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1393126 Sample: SxoBZ4iTXS.exe Startdate: 15/02/2024 Architecture: WINDOWS Score: 100 116 Antivirus detection for URL or domain 2->116 118 Yara detected RisePro Stealer 2->118 120 Machine Learning detection for sample 2->120 122 2 other signatures 2->122 8 SxoBZ4iTXS.exe 11 116 2->8         started        13 MPGPH131.exe 10 109 2->13         started        15 MPGPH131.exe 10 107 2->15         started        17 6 other processes 2->17 process3 dnsIp4 98 185.215.113.46 WHOLESALECONNECTIONSNL Portugal 8->98 100 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->100 102 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 8->102 68 C:\Users\user\...\zvOleXnZOyMK1r07L5lF.exe, PE32 8->68 dropped 70 C:\Users\user\...\wlTzIOBPo5xuHuQZPzg8.exe, PE32 8->70 dropped 72 C:\Users\user\...\uibPRzLxsEXzVItymEMZ.exe, PE32 8->72 dropped 80 11 other malicious files 8->80 dropped 140 Detected unpacking (changes PE section rights) 8->140 142 Binary is likely a compiled AutoIt script file 8->142 144 Tries to steal Mail credentials (via file / registry access) 8->144 164 8 other signatures 8->164 19 9RCOBGY7p8THlL_zv2gU.exe 8->19         started        22 pR0mdShkELJbrGvYh9gO.exe 8->22         started        24 zvOleXnZOyMK1r07L5lF.exe 8->24         started        34 3 other processes 8->34 82 11 other malicious files 13->82 dropped 146 Multi AV Scanner detection for dropped file 13->146 148 Machine Learning detection for dropped file 13->148 150 Disables Windows Defender (deletes autostart) 13->150 74 C:\Users\user\...\oxFJLidYhzjpUFiG1AnE.exe, PE32 15->74 dropped 76 C:\Users\user\...\ia2mwss9rlbq2AdkUssg.exe, PE32 15->76 dropped 78 C:\Users\user\...\drgw2AELSF8zxKssqvif.exe, PE32 15->78 dropped 84 8 other malicious files 15->84 dropped 152 Tries to harvest and steal browser information (history, passwords, etc) 15->152 154 Exclude list of file types from scheduled, custom, and real-time scanning 15->154 156 Adds extensions / path to Windows Defender exclusion list (Registry) 15->156 158 Creates multiple autostart registry keys 17->158 160 Tries to evade debugger and weak emulator (self modifying code) 17->160 162 Maps a DLL or memory area into another process 17->162 26 firefox.exe 17->26         started        30 msedge.exe 17->30         started        32 msedge.exe 17->32         started        36 3 other processes 17->36 file5 signatures6 process7 dnsIp8 124 Detected unpacking (changes PE section rights) 19->124 126 Modifies windows update settings 19->126 128 Disables Windows Defender Tamper protection 19->128 138 4 other signatures 19->138 130 Tries to detect sandboxes and other dynamic analysis tools (window names) 22->130 132 Tries to evade debugger and weak emulator (self modifying code) 22->132 134 Hides threads from debuggers 22->134 136 Binary is likely a compiled AutoIt script file 24->136 38 chrome.exe 24->38         started        41 chrome.exe 24->41         started        43 chrome.exe 24->43         started        51 10 other processes 24->51 104 142.251.167.84 GOOGLEUS United States 26->104 106 34.107.221.82 GOOGLEUS United States 26->106 112 13 other IPs or domains 26->112 86 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 26->86 dropped 88 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 26->88 dropped 45 firefox.exe 26->45         started        108 13.107.21.239 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 30->108 110 13.107.213.40 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 30->110 114 27 other IPs or domains 30->114 47 conhost.exe 34->47         started        49 conhost.exe 34->49         started        file9 signatures10 process11 dnsIp12 96 239.255.255.250 unknown Reserved 38->96 53 chrome.exe 38->53         started        56 chrome.exe 41->56         started        58 chrome.exe 43->58         started        60 chrome.exe 51->60         started        62 msedge.exe 51->62         started        64 msedge.exe 51->64         started        66 msedge.exe 51->66         started        process13 dnsIp14 90 13.107.42.14 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 53->90 92 144.2.9.1 LINKEDINUS Netherlands 53->92 94 46 other IPs or domains 53->94
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/741cac1fdcce7cbbc1170134d10550d3cea47cb5b7d1053e87c422b0cb28d496
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/741cac1fdcce7cbbc1170134d10550d3cea47cb5b7d1053e87c422b0cb28d496/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-02-15 21:30:07 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oqokyh64zz6lxqixae2ncbkq2phki7fvw7iqkpuhyqrlbszi2sla._file
Verdict:
malicious
Similar samples:
127320b6f35c9014ba3fd5f97ba6e8317c444fb0d907c8cc5b2fad053d9fa51a
RiseProStealer
6dea9fc1e5d5095cc57f27cf523e82b518225ca8b3f71cc4afdef9370fed56eb
RiseProStealer
98d57e3ac4cde0cc27eb00b7fa1be7d1a826f1fb94d9f99da5460ed486c979c5
RiseProStealer
b67b70028070fdde4beb0e0f0a45c29201b119c8b126fd7dccdf9f8629eabdc7
RiseProStealer
c3b743cb733580b6e77345601ab6f4a8360be6ee001b89197da764e0c5dd9a06
RiseProStealer
cb9c4d1d3bdec4066ee2ab596cbbe4846a28130e42ffae0b0a336b26e29a8a37
RiseProStealer
e5b544bfecc90168093fca4e129c59d8676ae5f6220d537d3b7c46a2c985a765
RiseProStealer
f3cf23ba078950da05d1083572898338a9a8cb7dbf149dd89cea0d6f52e8849d
RiseProStealer
+ 203 additional samples on MalwareBazaar
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer
Link:
https://tria.ge/reports/240215-1cf4qahf77/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.62
Unpacked files
SH256 hash:
25cbfc9d16e2e3d9dbde15e49a2191f7ff475b01886f33217f8be840344be4fc
MD5 hash:
6246d2dc8c5015640a007b7a6ddaf680
SHA1 hash:
6faf1f632b55afa2f2f118fcefb129c701628563
Link:
https://www.unpac.me/results/88b0280b-d5c9-4e21-9b45-1deeb39e857d/
SH256 hash:
9865a0b00d3afa7b060eac6685ed36f1d2214cbf904ff451ec63b223bf6b1410
MD5 hash:
d0edea8daf8db93725c715e1b42ad082
SHA1 hash:
fecfc468a311b79253b35e1d7316b9d8a6e0f205
Link:
https://www.unpac.me/results/88b0280b-d5c9-4e21-9b45-1deeb39e857d/
SH256 hash:
4bf1109d02442e73198138d0f9d0fccd52caaccf5ee5bbc89c4c583b505e8dbf
MD5 hash:
3f459b435d74cbc77fcae6c1971e2f2e
SHA1 hash:
73b48dc81d87c7d29b9fc15a8c47e755e7dafdc4
Link:
https://www.unpac.me/results/88b0280b-d5c9-4e21-9b45-1deeb39e857d/
SH256 hash:
453407dfab82fb8aa57edfa217f2540429deebb71fcf22711aa8e20087f4f7c6
MD5 hash:
5e1470ac6e1eb2c912b0c1ab177f5f94
SHA1 hash:
3719809784f71b02fbd4c7d749390d4d24dcf0fd
Link:
https://www.unpac.me/results/88b0280b-d5c9-4e21-9b45-1deeb39e857d/
SH256 hash:
741cac1fdcce7cbbc1170134d10550d3cea47cb5b7d1053e87c422b0cb28d496
MD5 hash:
9ef9fd66d9c8c901da4251f4a6693b81
SHA1 hash:
d9d86f9ab26ba94bab3e6a177052da3b85cf83eb
Link:
https://www.unpac.me/results/88b0280b-d5c9-4e21-9b45-1deeb39e857d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/741cac1fdcce/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/741cac1fdcce7cbbc1170134d10550d3cea47cb5b7d1053e87c422b0cb28d496

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_e5f4703f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 741cac1fdcce7cbbc1170134d10550d3cea47cb5b7d1053e87c422b0cb28d496

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/476386/
  
URLhaus
https://urlhaus.abuse.ch/url/2761990/

Comments


Avatar
zbet commented on 2024-02-15 21:29:11 UTC

url : hxxp://147.45.47.93:33758/misha/bugai.exe