MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77b840bcbcda735a7e2b67f915fdfeb87ebc5324bff776ee7393a65d1a6ddf76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RiseProStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 11 File information Comments

SHA256 hash:	77b840bcbcda735a7e2b67f915fdfeb87ebc5324bff776ee7393a65d1a6ddf76
SHA3-384 hash:	ad02008c1966c70c8c9c0aeb4c410570c615113748f5c64b70a022573f93d8be0da26a6388b92520e40340f17a416c3e
SHA1 hash:	aefe40e968786224b8e2d8f2f62947e9305c5f49
MD5 hash:	c37239a418175ad29ccd58d4d24528bd
humanhash:	london-ink-ink-sierra
File name:	file
Download:	download sample
Signature	RiseProStealer Create hunting rule
File size:	2'024'448 bytes
First seen:	2023-08-20 00:28:45 UTC
Last seen:	2023-08-22 00:36:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	49152:X8aWek/UAk1aIKyRYNyHNGyL7AbKB4JZLcln/PHci:MQk/UAa2str94cZci
Threatray	19 similar samples on MalwareBazaar
TLSH	T1199501117BA58600F4E62A33C9FF81280776B9163E52C75F7999335D4D32362EE04BAB
TrID	47.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 20.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 8.4% (.SCR) Windows screen saver (13097/50/3) 6.8% (.EXE) Win64 Executable (generic) (10523/12/4) 4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	e6e6e4e6eeeee4e4 (1 x RiseProStealer)
Reporter	andretavare5
Tags:	exe RiseProStealer

andretavare5

Sample downloaded from https://vk.com/doc647736509_665872016?hash=7059jUQBx2vIqz2YIMjJzojZOtZYjIdWl07LFMMpRo0&dl=DF20U40yvuygHAS6nZzS0sniSFg62oZkieIRQafuiXg&api=1&no_preview=1#kisrise

Intelligence

File Origin

# of uploads :

# of downloads :

305

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-08-20 00:30:14 UTC

Tags:

risepro stealer evasion

Link:

https://app.any.run/tasks/0cbd4518-1f92-4805-bb82-a0e931b7c78a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/443721/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a file

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Forced shutdown of a system process

Sending a TCP request to an infection source

Unauthorized injection to a system process

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/77b840bcbcda735a7e2b67f915fdfeb87ebc5324bff776ee7393a65d1a6ddf76

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b0f5925f-706c-48a8-84bb-c119a7b830be

Result

Threat name:

Clipboard Hijacker, PrivateLoader, RiseP

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1293922

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Allocates memory in foreign processes

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Clipboard Hijacker

Yara detected PrivateLoader

Yara detected RisePro Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/77b840bcbcda735a7e2b67f915fdfeb87ebc5324bff776ee7393a65d1a6ddf76/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=o64ebpf43jzvu7rlm74rl7p6xb7lyuzex73xn3ttsotf2gtn353a._file

Verdict:

malicious

RiseProStealer

7307b42a1e25b3a6e376bbf246916e0b71e27c2c09fdeed14fa7a3c7b677868b

RiseProStealer

80f8be7669ca52aec4c9f42385328b94069d6bbee35ce6352aa46216452f0d75

RiseProStealer

96e49850a66d17e4952c6753db1f3da67f8c49c23a2297891954df55b144d1a8

RiseProStealer

e2cd080304d92494e731ad88d60f1ba38670ba4a751cd8df1e09d6702345999b

RiseProStealer

f327c2b5ab1d98f0382a35cd78f694d487c74a7290f1ff7be53f42e23021e599

RiseProStealer

f767afef9083aed521760649129fae272dfe30f66c9922ca4529533bb81d0612

RiseProStealer

fc9fa1695c11f2c3a8019b64b414137c47d1b2f57b8593f44eda1237e4b3293b

RiseProStealer

+ 9 additional samples on MalwareBazaar

Result

Malware family:

privateloader

Score:

10/10

Tags:

family:privateloader loader

Link:

https://tria.ge/reports/230820-asw7rsed3z/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Executes dropped EXE

Loads dropped DLL

Downloads MZ/PE file

PrivateLoader

Malware Config

C2 Extraction:

1.1.1.1

Unpacked files

SH256 hash:

aee0f09f2e44453f973464551a32973b414dd7549774b63984db93ed3e3b4585

MD5 hash:

4e9fc723d4ffcdaf5b2e2a9188b0f737

SHA1 hash:

d67f4a1e053b23ef14f07df9730d67f3843cbfff

Link:

https://www.unpac.me/results/cf72b78b-bc40-454e-b1c4-23a46ac2d802/

SH256 hash:

7307b42a1e25b3a6e376bbf246916e0b71e27c2c09fdeed14fa7a3c7b677868b

MD5 hash:

611af5f1dbaa7a54dad2be40198d8367

SHA1 hash:

7d3b5ee5dcd56676c1ac39c63493e863e6e52d9b

Detections:

RiseProXorStr

win_privateloader_w0

Link:

https://www.unpac.me/results/cf72b78b-bc40-454e-b1c4-23a46ac2d802/

Parent samples :

6eb58443e4186740619e7fb0e391a47517ce63ba4db0bd1fb4ce007c543db2be
7307b42a1e25b3a6e376bbf246916e0b71e27c2c09fdeed14fa7a3c7b677868b
142aee3c05b5023b306aa9983c67e7168df45509882940470d5fa5d9b0a95eb9
77b840bcbcda735a7e2b67f915fdfeb87ebc5324bff776ee7393a65d1a6ddf76
53c5d36676ffee894793d3d850769635289feb25fe16aeff2bfcf3d8aa510c8b

SH256 hash:

65e47578274d16be1be0f50767bad0af16930df43556dd23d7ad5e4adc2bcbe3

MD5 hash:

848b847cd19805d19235b5acb8ef2bef

SHA1 hash:

38100751a4ae45a143232cbacf9bb441b31fb211

Link:

https://www.unpac.me/results/cf72b78b-bc40-454e-b1c4-23a46ac2d802/

SH256 hash:

77b840bcbcda735a7e2b67f915fdfeb87ebc5324bff776ee7393a65d1a6ddf76

MD5 hash:

c37239a418175ad29ccd58d4d24528bd

SHA1 hash:

aefe40e968786224b8e2d8f2f62947e9305c5f49

Link:

https://www.unpac.me/results/cf72b78b-bc40-454e-b1c4-23a46ac2d802/

Malware family:

PrivateLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/77b840bcbcda/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/77b840bcbcda735a7e2b67f915fdfeb87ebc5324bff776ee7393a65d1a6ddf76

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BAZT_B5_NOCEXInvalidStream Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	privateloader Create hunting rule
Author:	andretavare5
Description:	PrivateLoader pay-per-install malware

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_privateloader Create hunting rule
Author:	andretavare5
Reference:	https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service

Rule name:	win_privateloader_w0 Create hunting rule
Author:	andretavare5
Reference:	https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/443721/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample