MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8bc3990f004b22558934ae39d088d52e4359509f5d7be8542dbdc8cc05ee7e78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8bc3990f004b22558934ae39d088d52e4359509f5d7be8542dbdc8cc05ee7e78
SHA3-384 hash: c1c5bd2659c52566df775ba0d049f50e35b72218f5f81e5b00a3ad80b20d40fca71e366daec578c8a591cebdb4791900
SHA1 hash: 39d7168a7d04ee53ea044f7e05602e4cece0e3f3
MD5 hash: a9998579e42978348ad87e473d97484a
humanhash: twelve-michigan-freddie-lima
File name:a9998579e42978348ad87e473d97484a.exe
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:239'616 bytes
First seen:2024-03-08 01:30:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3c019a063cc3cc46e117f4489fdd8fb9 (1 x RiseProStealer)
ssdeep 3072:y7FrVake2Z6XSn9ptBakFtswnmdObkyIyzwhd5XsAPep7FhGZ:gFYO6XYvtxvs8mkAsjp7y
Threatray 2'080 similar samples on MalwareBazaar
TLSH T1F934CF2136A0C0B2D56BC63495A4DAB4ABBBF8725761C14F37581B7ECE307D09A3A313
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.1% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 1024604080a04800 (1 x RiseProStealer)
Reporter abuse_ch
Tags:exe RiseProStealer


Avatar
abuse_ch
RiseProStealer C2:
147.45.47.116:50500

Intelligence

File Origin
# of uploads :
1
# of downloads :
386
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
8bc3990f004b22558934ae39d088d52e4359509f5d7be8542dbdc8cc05ee7e78.exe
Verdict:
Malicious activity
Analysis date:
2024-03-08 01:33:13 UTC
Tags:
loader smoke smokeloader
Link:
https://app.any.run/tasks/d0eb7cfd-83f6-4117-9268-7b8ef8feb028

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Connection attempt to an infection source
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request to an infection source
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Moving a file to the %temp% directory
Launching a process
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint lolbin packed shell32
Link:
https://www.filescan.io/uploads/65ea6a59757c624818a5f139/reports/95cfc959-80ce-485c-b539-0296837456f6/overview
Verdict:
Malicious
Labled as:
Midie.Generic
Link:
https://www.hybrid-analysis.com/sample/8bc3990f004b22558934ae39d088d52e4359509f5d7be8542dbdc8cc05ee7e78
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d0f90a6d-b30e-4fae-b859-e1868b169fe2
Result
Threat name:
LummaC, Babuk, Clipboard Hijacker, Djvu,
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1405199
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Bypass UAC via Fodhelper.exe
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
UAC bypass detected (Fodhelper)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes a notice file (html or txt) to demand a ransom
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Babuk Ransomware
Yara detected Clipboard Hijacker
Yara detected Djvu Ransomware
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected PureLog Stealer
Yara detected SmokeLoader
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1405199 Sample: sgullhIiBr.exe Startdate: 08/03/2024 Architecture: WINDOWS Score: 100 127 valowaves.com 2->127 129 trypokemon.com 2->129 131 12 other IPs or domains 2->131 189 Snort IDS alert for network traffic 2->189 191 Multi AV Scanner detection for domain / URL 2->191 193 Found malware configuration 2->193 195 23 other signatures 2->195 15 sgullhIiBr.exe 2->15         started        18 sidatbu 2->18         started        20 A9DE.exe 2->20         started        22 mstsca.exe 2->22         started        signatures3 process4 signatures5 215 Detected unpacking (changes PE section rights) 15->215 217 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 15->217 219 Maps a DLL or memory area into another process 15->219 221 Creates a thread in another existing process (thread injection) 15->221 24 explorer.exe 37 18 15->24 injected 223 Multi AV Scanner detection for dropped file 18->223 225 Machine Learning detection for dropped file 18->225 227 Checks if the current machine is a virtual machine (disk enumeration) 18->227 229 Detected unpacking (overwrites its own PE header) 20->229 231 Writes a notice file (html or txt) to demand a ransom 20->231 233 Injects a PE file into a foreign processes 20->233 29 A9DE.exe 20->29         started        235 Antivirus detection for dropped file 22->235 31 mstsca.exe 22->31         started        process6 dnsIp7 135 m2reg.ulm.ac.id 103.23.232.80, 49778, 80 UNLAM-AS-IDUniversitasLambungMangkuratID Indonesia 24->135 137 sdfjhuz.com 186.182.55.44, 49745, 49756, 80 TechtelLMDSComunicacionesInteractivasSAAR Argentina 24->137 139 6 other IPs or domains 24->139 101 C:\Users\user\AppData\Roaming\sidatbu, PE32 24->101 dropped 103 C:\Users\user\AppData\Local\Temp\A9DE.exe, PE32 24->103 dropped 105 C:\Users\user\AppData\Local\Temp\A07D.exe, PE32+ 24->105 dropped 111 4 other malicious files 24->111 dropped 197 System process connects to network (likely due to code injection or exploit) 24->197 199 Benign windows process drops PE files 24->199 201 Deletes itself after installation 24->201 203 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->203 33 A9DE.exe 24->33         started        36 4F27.exe 24->36         started        39 625F.exe 24->39         started        43 5 other processes 24->43 107 C:\Users\user\_README.txt, ASCII 29->107 dropped 109 C:\Users\user\AppData\Local\...\_README.txt, ASCII 29->109 dropped 41 schtasks.exe 31->41         started        file8 signatures9 process10 dnsIp11 149 Detected unpacking (changes PE section rights) 33->149 151 Detected unpacking (overwrites its own PE header) 33->151 153 Machine Learning detection for dropped file 33->153 169 3 other signatures 33->169 45 A9DE.exe 1 16 33->45         started        133 resergvearyinitiani.shop 104.21.94.2, 443, 49786, 49790 CLOUDFLARENETUS United States 36->133 155 Multi AV Scanner detection for dropped file 36->155 157 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 36->157 159 Query firmware table information (likely to detect VMs) 36->159 171 5 other signatures 36->171 161 UAC bypass detected (Fodhelper) 39->161 163 Found Tor onion address 39->163 165 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 39->165 49 cmd.exe 39->49         started        51 conhost.exe 41->51         started        167 Antivirus detection for dropped file 43->167 173 3 other signatures 43->173 53 conhost.exe 43->53         started        55 reg.exe 1 1 43->55         started        57 A9DE.exe 43->57         started        59 3 other processes 43->59 signatures12 process13 dnsIp14 147 api.2ip.ua 104.21.65.24, 443, 49747, 49752 CLOUDFLARENETUS United States 45->147 125 C:\Users\user\AppData\Local\...\A9DE.exe, PE32 45->125 dropped 61 A9DE.exe 45->61         started        64 icacls.exe 45->64         started        66 fodhelper.exe 49->66         started        68 conhost.exe 49->68         started        70 fodhelper.exe 49->70         started        72 fodhelper.exe 49->72         started        file15 process16 signatures17 213 Injects a PE file into a foreign processes 61->213 74 A9DE.exe 1 26 61->74         started        79 625F.exe 66->79         started        process18 dnsIp19 145 sajdfue.com 211.119.84.111, 49761, 49762, 49767 LGDACOMLGDACOMCorporationKR Korea Republic of 74->145 117 C:\Users\user\AppData\Local\...\build3[1].exe, PE32 74->117 dropped 119 C:\Users\user\AppData\Local\...\build2[1].exe, PE32 74->119 dropped 121 C:\Users\user\AppData\Local\...\build3.exe, PE32 74->121 dropped 123 7 other malicious files 74->123 dropped 209 Modifies existing user documents (likely ransomware behavior) 74->209 81 build2.exe 74->81         started        84 build3.exe 74->84         started        211 Found Tor onion address 79->211 86 powershell.exe 79->86         started        file20 signatures21 process22 signatures23 175 Antivirus detection for dropped file 81->175 177 Multi AV Scanner detection for dropped file 81->177 179 Detected unpacking (changes PE section rights) 81->179 181 Injects a PE file into a foreign processes 81->181 88 build2.exe 81->88         started        183 Detected unpacking (overwrites its own PE header) 84->183 185 Machine Learning detection for dropped file 84->185 187 Uses schtasks.exe or at.exe to add and modify task schedules 84->187 93 build3.exe 84->93         started        95 conhost.exe 86->95         started        process24 dnsIp25 141 steamcommunity.com 104.119.64.169, 443, 49777 XO-AS15US United States 88->141 143 88.99.127.167, 49779, 49780, 49781 HETZNER-ASDE Germany 88->143 113 C:\Users\user\AppData\Local\...\sqlm[1].dll, PE32 88->113 dropped 205 Found many strings related to Crypto-Wallets (likely being stolen) 88->205 207 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 88->207 115 C:\Users\user\AppData\Roaming\...\mstsca.exe, PE32 93->115 dropped 97 schtasks.exe 93->97         started        file26 signatures27 process28 process29 99 conhost.exe 97->99         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8bc3990f004b22558934ae39d088d52e4359509f5d7be8542dbdc8cc05ee7e78
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8bc3990f004b22558934ae39d088d52e4359509f5d7be8542dbdc8cc05ee7e78/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2024-03-03 19:45:44 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rpbzsdyajmrflcjuvy45bcgvfzbvsue7lv56qvbnxxemybpopz4a._file
Verdict:
malicious
Similar samples:
02eb002f33af51183396e8406bc7518c01c4b2f3b326d227fef6bc7e3c8fd1a6
RiseProStealer
247eb6cc11d0a92ac985fb99c19dcfe4779878f4989764b8ced06727820ff57c
RiseProStealer
50ca2730d4feb93b8d6cf986a86b34912d83c10dd7d7259d3538d415c904af73
RiseProStealer
5c88a340b3b0502c9777fe6159f01d66875341dc739e23a56a21ee18479890f2
RiseProStealer
a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271
RiseProStealer
e629fcf41de2187cafd4c8c38b1e9408a5c521d29459971bb96fae5da26fa9d5
RiseProStealer
f518307808486c2718cd6b83e4e5f012e3531c8d352abd6d51b7311fcfa2c28c
RiseProStealer
f662b3ef913a9bfb62cb970e6f8f8e81ad75b21deaccffc01cbc1390f34e776e
RiseProStealer
f7b3ea13abebeb99ddfd4319457ff2d8a8473b8a46963de047cce295abadd2eb
RiseProStealer
+ 2'070 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:dcrat family:djvu family:smokeloader botnet:tfd5 backdoor discovery infostealer persistence ransomware rat trojan
Link:
https://tria.ge/reports/240308-bxdfwsbe95/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Downloads MZ/PE file
DcRat
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
Malware Config
C2 Extraction:
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
http://sajdfue.com/test1/get.php
Unpacked files
SH256 hash:
8920c744aebda5cd6304ea1aa88b1a051a5e34a3d5d7d2dab182ef9cb0aec361
MD5 hash:
9f6f0abfef1cad87fbdd302b790ab0be
SHA1 hash:
1e93fbaadbd9d880dd0dde3623b6f16233aa7811
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/1eddbffa-157e-4331-afe6-29780171c446/
Parent samples :
f4488ed8da62e7e849070788bcf45eb70f4a2461333918b9b9087f8bbe8d2a22
b8a974ff0066513b4fac4f6a256a39933af90a9df9b03d6234d1a4bf88b7b0e8
a5da18a9350a63a4d2ec54da2d3e49bf4277307209979bfad54538eff856bf9c
078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164
7c94ffaf6d76f18ce6bfc6039f9252a4b71d79e483d822aeab0de9b3189b6d0e
b1f57f9e13e75717674eeca314a042ac3e0816f17e7743c361e0be7f45bf9897
d3dc74a3bca3cc38943b90bd7b33dffd683d0bcf20bd507404185e595909d11f
e2ee33a7a4d96b608f35b98c659f1e65642f4036353140ac2fd0ff5152eb4964
8bc3990f004b22558934ae39d088d52e4359509f5d7be8542dbdc8cc05ee7e78
741a4adf79d60db1ff4d13e84129beffe78d2fd0be9e58b3b076052b121ad1b6
SH256 hash:
8bc3990f004b22558934ae39d088d52e4359509f5d7be8542dbdc8cc05ee7e78
MD5 hash:
a9998579e42978348ad87e473d97484a
SHA1 hash:
39d7168a7d04ee53ea044f7e05602e4cece0e3f3
Link:
https://www.unpac.me/results/1eddbffa-157e-4331-afe6-29780171c446/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8bc3990f004b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8bc3990f004b22558934ae39d088d52e4359509f5d7be8542dbdc8cc05ee7e78

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
MULTIMEDIA_APICan Play MultimediaGDI32.dll::StretchDIBits
SHELL_APIManipulates System ShellSHELL32.dll::FindExecutableA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::FindNextVolumeMountPointW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetVolumeInformationW
KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AddConsoleAliasW
KERNEL32.dll::WriteConsoleA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::ReadConsoleInputW
KERNEL32.dll::SetStdHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileA
KERNEL32.dll::GetWindowsDirectoryW
KERNEL32.dll::RemoveDirectoryA
KERNEL32.dll::GetTempFileNameA
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameA
WIN_HTTP_APIUses HTTP servicesWINHTTP.dll::WinHttpOpen

Comments