MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f921526449963559a911dffeb3fff1cbbfa64dd3189ad36d9b91c495e83446c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 21 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f921526449963559a911dffeb3fff1cbbfa64dd3189ad36d9b91c495e83446c
SHA3-384 hash: c238370c9a0779ac1faa68847d3585d42e3cd38b662a9dda6193460bcda1ea421e12130cdd729e0c70859d379a5a99a9
SHA1 hash: 23c4ea260ab26e5d30422749b048055ddac18405
MD5 hash: eda78f518cd0a5fd88c694c21f2eb473
humanhash: double-thirteen-tennessee-saturn
File name:7f921526449963559a911dffeb3fff1cbbfa64dd3189ad36d9b91c495e83446c.exe
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'040'320 bytes
First seen:2024-01-02 18:56:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:qy5z1o02R2cFNGLoygKtsbEMZV1rvX50VeV4mhQ:jE03yNFRbEMR5cea
TLSH T152952343EEE85131E9F95BB498BD038B17347CA06E3493272B50CB5B0CA39D5686636F
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter adm1n_usa32
Tags:exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
RO RO
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Сreating synchronization primitives
Searching for the browser window
Searching for the window
DNS request
Sending a custom TCP request
Reading critical registry keys
Sending an HTTP GET request
Blocking the Windows Defender launch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm autoit CAB control explorer greyware installer keylogger lolbin lolbin obfuscated packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/65945c98b4e856b72831a927/reports/1d949005-f22f-4e92-a9d1-a9b10ad1938c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7f921526449963559a911dffeb3fff1cbbfa64dd3189ad36d9b91c495e83446c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff632327-6bde-4d25-9c8c-40c55ff9640a
Result
Threat name:
RisePro Stealer, Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1368932
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Contains functionality to modify clipboard data
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Phishing site detected (based on logo match)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected RisePro Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1368932 Sample: Ux9qiar4lG.exe Startdate: 02/01/2024 Architecture: WINDOWS Score: 100 106 ipinfo.io 2->106 124 Snort IDS alert for network traffic 2->124 126 Antivirus detection for URL or domain 2->126 128 Antivirus / Scanner detection for submitted sample 2->128 130 8 other signatures 2->130 9 Ux9qiar4lG.exe 1 4 2->9         started        13 FANBooster131.exe 2->13         started        15 OfficeTrackerNMP131.exe 2->15         started        17 5 other processes 2->17 signatures3 process4 dnsIp5 86 C:\Users\user\AppData\Local\...\5Pu5kI0.exe, PE32 9->86 dropped 88 C:\Users\user\AppData\Local\...\3fi35jj.exe, PE32 9->88 dropped 152 Binary is likely a compiled AutoIt script file 9->152 20 5Pu5kI0.exe 21 40 9->20         started        25 3fi35jj.exe 12 9->25         started        90 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 13->90 dropped 92 C:\...\fovtKvFKwEfENu7e0px5OY9yYRcKylAh.zip, Zip 13->92 dropped 154 Antivirus detection for dropped file 13->154 156 Multi AV Scanner detection for dropped file 13->156 158 Detected unpacking (changes PE section rights) 13->158 172 4 other signatures 13->172 94 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 15->94 dropped 96 C:\...\CXGdgk37BJbt5cVKrpgIH0VDvlB5Zwxg.zip, Zip 15->96 dropped 160 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->160 162 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 15->162 164 Machine Learning detection for dropped file 15->164 27 powershell.exe 15->27         started        29 powershell.exe 15->29         started        31 powershell.exe 15->31         started        37 10 other processes 15->37 104 127.0.0.1 unknown unknown 17->104 98 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 17->98 dropped 100 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 17->100 dropped 102 2 other malicious files 17->102 dropped 166 Tries to steal Mail credentials (via file / registry access) 17->166 168 Modifies Windows Defender protection settings 17->168 170 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 17->170 33 powershell.exe 17->33         started        35 powershell.exe 17->35         started        39 12 other processes 17->39 file6 signatures7 process8 dnsIp9 114 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 20->114 116 ipinfo.io 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 20->116 78 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 20->78 dropped 80 C:\Users\user\AppData\...\FANBooster131.exe, PE32 20->80 dropped 82 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 20->82 dropped 84 2 other malicious files 20->84 dropped 136 Antivirus detection for dropped file 20->136 138 Multi AV Scanner detection for dropped file 20->138 140 Detected unpacking (changes PE section rights) 20->140 150 9 other signatures 20->150 51 15 other processes 20->51 142 Binary is likely a compiled AutoIt script file 25->142 144 Machine Learning detection for dropped file 25->144 146 Found API chain indicative of sandbox detection 25->146 148 Contains functionality to modify clipboard data 25->148 54 3 other processes 25->54 41 conhost.exe 27->41         started        43 conhost.exe 29->43         started        45 conhost.exe 31->45         started        47 conhost.exe 33->47         started        49 conhost.exe 35->49         started        57 9 other processes 37->57 59 10 other processes 39->59 file10 signatures11 process12 dnsIp13 132 Found many strings related to Crypto-Wallets (likely being stolen) 51->132 134 Uses schtasks.exe or at.exe to add and modify task schedules 51->134 61 conhost.exe 51->61         started        63 conhost.exe 51->63         started        65 conhost.exe 51->65         started        74 13 other processes 51->74 118 192.168.2.4 unknown unknown 54->118 120 192.168.2.16 unknown unknown 54->120 122 239.255.255.250 unknown Reserved 54->122 67 chrome.exe 54->67         started        70 chrome.exe 54->70         started        72 chrome.exe 54->72         started        76 2 other processes 54->76 signatures14 process15 dnsIp16 108 play.google.com 142.250.113.102 GOOGLEUS United States 67->108 110 142.250.113.113 GOOGLEUS United States 67->110 112 35 other IPs or domains 67->112
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7f921526449963559a911dffeb3fff1cbbfa64dd3189ad36d9b91c495e83446c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7f921526449963559a911dffeb3fff1cbbfa64dd3189ad36d9b91c495e83446c/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-01-02 08:48:24 UTC
File Type:
PE (Exe)
Extracted files:
64
AV detection:
20 of 36 (55.56%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=p6jbkjsetfrvlgurdx76wp77ds57uzg5gge22nwzxeoesxudirwa._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection discovery evasion persistence spyware stealer trojan
Link:
https://tria.ge/reports/240102-23y8naecf2/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
1f7ce6d65604ed4f41bb8e641a0f006150c06d37ccf5381037526789c4bdc037
MD5 hash:
0b6fa8f02ebfd7b704aae3699233ae93
SHA1 hash:
388faef89a79d16be6e982305a3dbbcc6ffac719
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/7376a98b-142b-4de3-a306-5e70e7936b1a/
SH256 hash:
7f921526449963559a911dffeb3fff1cbbfa64dd3189ad36d9b91c495e83446c
MD5 hash:
eda78f518cd0a5fd88c694c21f2eb473
SHA1 hash:
23c4ea260ab26e5d30422749b048055ddac18405
Link:
https://www.unpac.me/results/7376a98b-142b-4de3-a306-5e70e7936b1a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7f921526449963559a911dffeb3fff1cbbfa64dd3189ad36d9b91c495e83446c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 7f921526449963559a911dffeb3fff1cbbfa64dd3189ad36d9b91c495e83446c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2744566/
  
Delivery method
Distributed via web download

Comments