MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b3ee970a1b172952a665247aa5ff590d12d8f4b33c0775573044595df6383c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b3ee970a1b172952a665247aa5ff590d12d8f4b33c0775573044595df6383c9
SHA3-384 hash: 0868a375b1057ebe0bac01b07b823fce342a0aec77a01c8e632c6515bdc2bdc5fa829b3887f1dd647ec60add3f5eec75
SHA1 hash: 3faf87169ec97a6a4500d858ce44b586c85673d6
MD5 hash: 451f4eeaec602b55d2b46166cc9255dc
humanhash: tennessee-sixteen-utah-fruit
File name:8b3ee970a1b172952a665247aa5ff590d12d8f4b33c07.exe
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:4'983'808 bytes
First seen:2024-04-04 13:10:08 UTC
Last seen:2024-04-04 13:24:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 448b6888b26145ced7ce018aab459303 (4 x PrivateLoader, 2 x RiseProStealer, 2 x Stealc)
ssdeep 98304:HG6jwxwlOaz05U+YDKztJsG08079LCEIvBAMV0N869Jo7xDXz:H6wMazb+qK68MLCEVm0G69mFX
TLSH T1BF3623A1B5C799F8C891C77491422CBD72FABF51C8914C3676CA3A041E67E209EF836D
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 98b8b8b8989cd8d0 (1 x RiseProStealer)
Reporter abuse_ch
Tags:exe RiseProStealer


Avatar
abuse_ch
RiseProStealer C2:
193.233.132.253:50500

Intelligence

File Origin
# of uploads :
2
# of downloads :
319
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
glupteba
Create hunting rule
ID:
1
File name:
d0ef5d7c8fa467cca0626b576f96dc86a58293b859aa5ddd4aa0ff1304427d04.exe
Verdict:
Malicious activity
Analysis date:
2024-04-04 13:07:03 UTC
Tags:
loader gcleaner evasion stealer stealc neoreklami adware trojan glupteba privateloader
Link:
https://app.any.run/tasks/b90e334d-f8d5-4e99-8951-d51222eaf091

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Modifying a system file
Using the Windows Management Instrumentation requests
DNS request
Replacing files
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Launching a service
Launching a process
Reading critical registry keys
Creating a file
Sending a UDP request
Forced system process termination
Creating a process from a recently created file
Blocking the Windows Defender launch
Connection attempt to an infection source
Query of malicious DNS domain
Sending a TCP request to an infection source
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin packed shell32
Link:
https://www.filescan.io/uploads/660ea6e8bb285b5db056be30/reports/e7949cb8-6565-4d5f-b22b-a88036ff1e02/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/8b3ee970a1b172952a665247aa5ff590d12d8f4b33c0775573044595df6383c9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b9d51e90-ab81-47d6-8dea-22de62889d5a
Result
Threat name:
GCleaner, Mars Stealer, Meduza Stealer,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1420170
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for dropped file
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Exclude list of file types from scheduled, custom, and real-time scanning
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected GCleaner
Yara detected Mars stealer
Yara detected Meduza Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1420170 Sample: 8b3ee970a1b172952a665247aa5... Startdate: 04/04/2024 Architecture: WINDOWS Score: 100 123 Malicious sample detected (through community Yara rule) 2->123 125 Antivirus detection for dropped file 2->125 127 Multi AV Scanner detection for dropped file 2->127 129 15 other signatures 2->129 8 8b3ee970a1b172952a665247aa5ff590d12d8f4b33c07.exe 11 56 2->8         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        17 2 other processes 2->17 process3 dnsIp4 111 87.240.132.72 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 8->111 113 87.240.190.89 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 8->113 115 23 other IPs or domains 8->115 91 C:\Users\...\tZIYKGxUEqkmc1jQwbKI5hZl.exe, PE32 8->91 dropped 93 C:\Users\...\smQlWWgJX0P9RGnACDIiQRgJ.exe, PE32 8->93 dropped 95 C:\Users\...\rhYXo5HGOMsU2PCuhX9Mg0RX.exe, PE32 8->95 dropped 97 30 other malicious files 8->97 dropped 175 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->175 177 Drops PE files to the document folder of the user 8->177 179 Creates HTML files with .exe extension (expired dropper behavior) 8->179 181 6 other signatures 8->181 19 U9EC9OI444ATDJUcfE6DLO9O.exe 8->19         started        22 20AT1mlIPpE6TV31xHlreaZY.exe 8->22         started        24 44eizmXEiPtL4IDraSM64jMy.exe 1 79 8->24         started        31 15 other processes 8->31 27 WerFault.exe 13->27         started        29 WerFault.exe 13->29         started        file5 signatures6 process7 dnsIp8 131 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 19->131 133 Writes to foreign memory regions 19->133 135 Allocates memory in foreign processes 19->135 34 RegAsm.exe 19->34         started        39 conhost.exe 19->39         started        137 Modifies the context of a thread in another process (thread injection) 22->137 139 Sample uses process hollowing technique 22->139 141 Injects a PE file into a foreign processes 22->141 41 wmplayer.exe 22->41         started        43 conhost.exe 22->43         started        75 C:\Users\user\...\rmXmvIdLggbzzDDhfSZS.exe, PE32 24->75 dropped 77 C:\Users\user\AppData\Local\...\lumma3[2].exe, PE32 24->77 dropped 79 C:\Users\user\...\AdobeUpdaterV202.exe, PE32 24->79 dropped 87 2 other malicious files 24->87 dropped 143 Multi AV Scanner detection for dropped file 24->143 145 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 24->145 147 Tries to steal Mail credentials (via file / registry access) 24->147 117 185.172.128.26 NADYMSS-ASRU Russian Federation 31->117 119 185.172.128.90 NADYMSS-ASRU Russian Federation 31->119 121 4 other IPs or domains 31->121 81 C:\Users\...\tZIYKGxUEqkmc1jQwbKI5hZl.tmp, PE32 31->81 dropped 83 C:\Users\user\...\T6lanuaO60STCOIPkkif.exe, PE32 31->83 dropped 85 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 31->85 dropped 89 25 other files (21 malicious) 31->89 dropped 149 Detected unpacking (changes PE section rights) 31->149 151 Detected unpacking (overwrites its own PE header) 31->151 153 Creates multiple autostart registry keys 31->153 155 10 other signatures 31->155 45 tZIYKGxUEqkmc1jQwbKI5hZl.tmp 31->45         started        47 RegAsm.exe 31->47         started        49 RegAsm.exe 31->49         started        51 9 other processes 31->51 file9 signatures10 process11 dnsIp12 99 95.216.179.73 HETZNER-ASDE Germany 34->99 101 23.194.234.100 AKAMAI-ASUS United States 34->101 59 C:\Users\user\AppData\Local\...\sqln[1].dll, PE32 34->59 dropped 61 C:\Users\user\AppData\...\softokn3[1].dll, PE32 34->61 dropped 63 C:\Users\user\AppData\...\mozglue[1].dll, PE32 34->63 dropped 71 3 other files (2 malicious) 34->71 dropped 157 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 34->157 159 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 34->159 161 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 34->161 163 Tries to harvest and steal ftp login credentials 34->163 103 5.182.86.229 TRIPLEAES Russian Federation 41->103 105 172.67.74.152 CLOUDFLARENETUS United States 41->105 165 Tries to steal Mail credentials (via file / registry access) 41->165 167 Tries to harvest and steal browser information (history, passwords, etc) 41->167 169 Tries to harvest and steal Bitcoin Wallet information 41->169 65 C:\Users\user\AppData\...\whitetigeraudio.exe, PE32 45->65 dropped 67 C:\Users\user\AppData\...\unins000.exe (copy), PE32 45->67 dropped 69 C:\Users\user\AppData\Local\...\is-9OLC5.tmp, PE32 45->69 dropped 73 5 other files (4 malicious) 45->73 dropped 107 5.42.65.0 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 47->107 171 Tries to steal Crypto Currency Wallets 47->171 109 104.208.16.94 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 51->109 173 Installs new ROOT certificates 51->173 53 conhost.exe 51->53         started        55 conhost.exe 51->55         started        57 conhost.exe 51->57         started        file13 signatures14 process15
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8b3ee970a1b172952a665247aa5ff590d12d8f4b33c0775573044595df6383c9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8b3ee970a1b172952a665247aa5ff590d12d8f4b33c0775573044595df6383c9/
Threat name:
Win64.Trojan.Operaloader
Create hunting rule
Status:
Malicious
First seen:
2024-04-04 12:49:48 UTC
File Type:
PE+ (Exe)
Extracted files:
18
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rm7os4fbwfzjkktgkjd2ux7vsdis3d2lgpahovltarczlx3dqpeq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion
Link:
https://tria.ge/reports/240404-qeyfnshd54/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Drops file in System32 directory
Looks up external IP address via web service
Modifies firewall policy service
Unpacked files
SH256 hash:
8b3ee970a1b172952a665247aa5ff590d12d8f4b33c0775573044595df6383c9
MD5 hash:
451f4eeaec602b55d2b46166cc9255dc
SHA1 hash:
3faf87169ec97a6a4500d858ce44b586c85673d6
Link:
https://www.unpac.me/results/31f4cbb6-5729-4cc1-9c14-ae6a1298a24d/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8b3ee970a1b1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b3ee970a1b172952a665247aa5ff590d12d8f4b33c0775573044595df6383c9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments