MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81e84d994a378c0fc9b4a4567e75bfa84ea2fff2299119586ebe982f9c4b013f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81e84d994a378c0fc9b4a4567e75bfa84ea2fff2299119586ebe982f9c4b013f
SHA3-384 hash: e06acd224a3c409e6d6beec874f70ff37a36fc6b64e60a7b35d4630bf32c70df6d2616c25bc891b3068c19aaf2195d3c
SHA1 hash: bf4b0813f248a81a012fb1ddce27fb9027c3192a
MD5 hash: a2ffb2aed259adf22d9132ec0e75b457
humanhash: fifteen-moon-blue-missouri
File name:a2ffb2aed259adf22d9132ec0e75b457.exe
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'330'624 bytes
First seen:2024-02-03 17:13:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 49152:mFTApzz9YJSMOllTbB026/ht3C9YxSApnxmr:yTdJSMoS/H3zpx
TLSH T159B533F29AB13270F347AFBE63354A0562A74F7B055A809C9221F7551FBD078930BE29
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4505/5/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon cc31e8cccce833cc (116 x RiseProStealer, 1 x Amadey)
Reporter abuse_ch
Tags:exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
347
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/474400/
Detection(s):
Win.Packed.Trojanx-10020211-0
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm packed packed themidawinlicense
Link:
https://www.filescan.io/uploads/65be745e1a072d565264d133/reports/1bd03faf-0878-4839-be60-82565e35b0c9/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/81e84d994a378c0fc9b4a4567e75bfa84ea2fff2299119586ebe982f9c4b013f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7482aba7-d693-457f-b39b-6547c2670b40
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1386157
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Downloads suspicious files via Chrome
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1386157 Sample: qKb6v44ZmC.exe Startdate: 03/02/2024 Architecture: WINDOWS Score: 100 86 youtube-ui.l.google.com 2->86 88 www.youtube.com 2->88 90 40 other IPs or domains 2->90 120 Snort IDS alert for network traffic 2->120 122 Multi AV Scanner detection for domain / URL 2->122 124 Antivirus detection for URL or domain 2->124 126 10 other signatures 2->126 9 qKb6v44ZmC.exe 2 123 2->9         started        14 MPGPH131.exe 106 2->14         started        16 MPGPH131.exe 13 2->16         started        18 7 other processes 2->18 signatures3 process4 dnsIp5 102 185.215.113.68 WHOLESALECONNECTIONSNL Portugal 9->102 104 109.107.182.3 TELEPORT-TV-ASRU Russian Federation 9->104 110 2 other IPs or domains 9->110 68 C:\Users\user\...\r7qs4MVhfPP6IXA2Gddu.exe, PE32 9->68 dropped 80 15 other malicious files 9->80 dropped 140 Detected unpacking (changes PE section rights) 9->140 142 Binary is likely a compiled AutoIt script file 9->142 144 Tries to steal Mail credentials (via file / registry access) 9->144 162 3 other signatures 9->162 20 lzn1kItyX3GOthyYfSvC.exe 9->20         started        23 0Uz9PaBT3oqhH1MS9Zcc.exe 9->23         started        25 C9nFVy4x0JvlbD8pQZEr.exe 9->25         started        36 4 other processes 9->36 70 C:\Users\user\...\ljWi51wrz6LA3c5JzD2k.exe, PE32 14->70 dropped 72 C:\Users\user\...\AM2cQhaL1YySdIGT8R4K.exe, PE32 14->72 dropped 74 C:\Users\user\...\83e1OLMOHSWWES0FwNKP.exe, PE32 14->74 dropped 82 8 other malicious files 14->82 dropped 146 Tries to harvest and steal browser information (history, passwords, etc) 14->146 164 2 other signatures 14->164 148 Antivirus detection for dropped file 16->148 150 Multi AV Scanner detection for dropped file 16->150 152 Machine Learning detection for dropped file 16->152 154 Potentially malicious time measurement code found 16->154 106 142.250.9.91 GOOGLEUS United States 18->106 108 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 18->108 112 9 other IPs or domains 18->112 76 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 18->76 dropped 78 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 18->78 dropped 84 6 other malicious files 18->84 dropped 156 Tries to detect sandboxes and other dynamic analysis tools (window names) 18->156 158 Tries to evade debugger and weak emulator (self modifying code) 18->158 160 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->160 27 msedge.exe 18->27         started        30 firefox.exe 18->30         started        32 firefox.exe 18->32         started        34 firefox.exe 18->34         started        file6 signatures7 process8 dnsIp9 128 Multi AV Scanner detection for dropped file 20->128 130 Detected unpacking (changes PE section rights) 20->130 132 Detected unpacking (overwrites its own PE header) 20->132 138 4 other signatures 20->138 134 Binary is likely a compiled AutoIt script file 23->134 38 chrome.exe 23->38         started        41 chrome.exe 23->41         started        43 chrome.exe 23->43         started        53 9 other processes 23->53 136 Hides threads from debuggers 25->136 114 13.107.213.41 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 27->114 116 20.96.153.111 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 27->116 118 25 other IPs or domains 27->118 45 conhost.exe 36->45         started        47 conhost.exe 36->47         started        49 conhost.exe 36->49         started        51 conhost.exe 36->51         started        signatures10 process11 dnsIp12 92 192.168.2.9 unknown unknown 38->92 94 239.255.255.250 unknown Reserved 38->94 55 chrome.exe 38->55         started        58 chrome.exe 41->58         started        60 chrome.exe 43->60         started        62 msedge.exe 53->62         started        64 msedge.exe 53->64         started        66 msedge.exe 53->66         started        process13 dnsIp14 96 accounts.google.com 108.177.122.84 GOOGLEUS United States 55->96 98 142.250.105.100 GOOGLEUS United States 55->98 100 19 other IPs or domains 55->100
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/81e84d994a378c0fc9b4a4567e75bfa84ea2fff2299119586ebe982f9c4b013f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/81e84d994a378c0fc9b4a4567e75bfa84ea2fff2299119586ebe982f9c4b013f/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2024-02-03 14:46:34 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qhue3gkkg6ga7snuurlh45n7vbhkf77sfgirswdox2mc7hclae7q._file
Verdict:
malicious
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer
Link:
https://tria.ge/reports/240203-vrzxgsech3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.62:50500
Unpacked files
SH256 hash:
cd53854390075b1bde53b0f485b7a7f75cfd94ecb4d815b99e7fcfe40bd260da
MD5 hash:
c4a6414c79784ba3e2584df231652ff0
SHA1 hash:
537eb96f0b25daeab930d41d1fe1705ee3e5c810
Link:
https://www.unpac.me/results/42995a76-90f8-4fa1-8bd8-dca596527478/
SH256 hash:
81e84d994a378c0fc9b4a4567e75bfa84ea2fff2299119586ebe982f9c4b013f
MD5 hash:
a2ffb2aed259adf22d9132ec0e75b457
SHA1 hash:
bf4b0813f248a81a012fb1ddce27fb9027c3192a
Link:
https://www.unpac.me/results/42995a76-90f8-4fa1-8bd8-dca596527478/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/81e84d994a37/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/81e84d994a378c0fc9b4a4567e75bfa84ea2fff2299119586ebe982f9c4b013f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_e5f4703f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 81e84d994a378c0fc9b4a4567e75bfa84ea2fff2299119586ebe982f9c4b013f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2752716/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/474400/

Comments