MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9033b9abad982d94ad4172788694b6d365c7917cd3a9d5532a7507dc48b2df2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9033b9abad982d94ad4172788694b6d365c7917cd3a9d5532a7507dc48b2df2a
SHA3-384 hash: b98aae32da7c1ec7e46b05152b94d5f26b5eb12de9aadbe0269a9d6eaf52c6b2f49bb177ef5802fc39e2e4021e0c5cd3
SHA1 hash: 86de07d39cab03968bc7ae3655bea3d0720b899c
MD5 hash: eb6d6cef8220b8f9106feb996a5c470d
humanhash: eleven-monkey-princess-minnesota
File name:SecuriteInfo.com.Win32.TrojanX-gen.10044.64
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'328'064 bytes
First seen:2024-02-21 14:21:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:d9BiN4rnEO6qFFUFy6lCAro2Qac0vIyKQOxrWlYDRmMI7tnG:sQEHqwyihOOv98W0RUVG
TLSH T1BEB533A9335A6C0EE6599173214D8693F1B2EDA755F9CA357CC1BF047FA3870E268203
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon b3b2b3b2cceee7b2 (146 x RiseProStealer, 7 x CoinMiner, 1 x AgentTesla)
Reporter SecuriteInfoCom
Tags:exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
358
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/477317/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.10044.64.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Launching a process
Creating a file in the %temp% directory
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Creating a process from a recently created file
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer lolbin masquerade msbuild packed
Link:
https://www.filescan.io/uploads/65d60712c5e1a083fbf3fd2c/reports/62d2c098-37f2-43d8-ab71-0fdc5ded8c96/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/9033b9abad982d94ad4172788694b6d365c7917cd3a9d5532a7507dc48b2df2a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/34268734-469a-4dc6-a39b-2edbfed9fb51
Result
Threat name:
Amadey, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1396221
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Downloads suspicious files via Chrome
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1396221 Sample: SecuriteInfo.com.Win32.Troj... Startdate: 21/02/2024 Architecture: WINDOWS Score: 100 110 Antivirus detection for URL or domain 2->110 112 Antivirus detection for dropped file 2->112 114 Multi AV Scanner detection for submitted file 2->114 116 7 other signatures 2->116 8 SecuriteInfo.com.Win32.TrojanX-gen.10044.64.exe 2 92 2->8         started        13 MPGPH131.exe 80 2->13         started        15 MPGPH131.exe 2->15         started        17 8 other processes 2->17 process3 dnsIp4 86 185.215.113.46 WHOLESALECONNECTIONSNL Portugal 8->86 88 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->88 90 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 8->90 62 C:\Users\user\...\zLiqiyIvvsfG8DbC3geb.exe, PE32 8->62 dropped 64 C:\Users\user\...\_TANU7rh7ajaPgErJbMq.exe, PE32 8->64 dropped 66 C:\Users\user\...\F0Pjh94lqdg8kUTxprjX.exe, PE32 8->66 dropped 72 13 other malicious files 8->72 dropped 138 Detected unpacking (changes PE section rights) 8->138 140 Binary is likely a compiled AutoIt script file 8->140 142 Tries to steal Mail credentials (via file / registry access) 8->142 160 4 other signatures 8->160 19 F0Pjh94lqdg8kUTxprjX.exe 8->19         started        22 DZocx8TzJ7ILa4Fo3SHq.exe 8->22         started        24 zLiqiyIvvsfG8DbC3geb.exe 8->24         started        34 6 other processes 8->34 74 11 other malicious files 13->74 dropped 144 Multi AV Scanner detection for dropped file 13->144 146 Machine Learning detection for dropped file 13->146 148 Found many strings related to Crypto-Wallets (likely being stolen) 13->148 76 10 other malicious files 15->76 dropped 150 Tries to harvest and steal browser information (history, passwords, etc) 15->150 162 2 other signatures 15->162 92 142.251.35.174 GOOGLEUS United States 17->92 94 172.253.122.84 GOOGLEUS United States 17->94 96 14 other IPs or domains 17->96 68 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 17->68 dropped 70 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 17->70 dropped 78 4 other malicious files 17->78 dropped 152 Antivirus detection for dropped file 17->152 154 Creates multiple autostart registry keys 17->154 156 Tries to evade debugger and weak emulator (self modifying code) 17->156 158 Maps a DLL or memory area into another process 17->158 27 msedge.exe 17->27         started        30 firefox.exe 17->30         started        32 firefox.exe 17->32         started        36 3 other processes 17->36 file5 signatures6 process7 dnsIp8 118 Detected unpacking (changes PE section rights) 19->118 120 Modifies windows update settings 19->120 122 Disables Windows Defender Tamper protection 19->122 136 2 other signatures 19->136 124 Tries to detect sandboxes and other dynamic analysis tools (window names) 22->124 126 Tries to evade debugger and weak emulator (self modifying code) 22->126 128 Hides threads from debuggers 22->128 60 C:\Users\user\AppData\Local\...\explorgu.exe, PE32 24->60 dropped 130 Tries to detect sandboxes / dynamic malware analysis system (registry check) 24->130 132 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 24->132 98 13.107.21.200 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 27->98 100 13.107.21.239 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 27->100 102 24 other IPs or domains 27->102 134 Binary is likely a compiled AutoIt script file 34->134 38 chrome.exe 34->38         started        41 chrome.exe 34->41         started        43 chrome.exe 34->43         started        45 14 other processes 34->45 file9 signatures10 process11 dnsIp12 80 192.168.2.16 unknown unknown 38->80 82 192.168.2.17 unknown unknown 38->82 84 2 other IPs or domains 38->84 47 chrome.exe 38->47         started        50 chrome.exe 41->50         started        52 chrome.exe 43->52         started        54 chrome.exe 45->54         started        56 msedge.exe 45->56         started        58 msedge.exe 45->58         started        process13 dnsIp14 104 13.107.42.14 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 47->104 106 144.2.9.1 LINKEDINUS Netherlands 47->106 108 49 other IPs or domains 47->108
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9033b9abad982d94ad4172788694b6d365c7917cd3a9d5532a7507dc48b2df2a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9033b9abad982d94ad4172788694b6d365c7917cd3a9d5532a7507dc48b2df2a/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2024-02-21 14:22:10 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=saz3tk5ntawzjlkboj4inffw2ns4pel42ou5kuzkoud5ysfs34va._file
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer
Link:
https://tria.ge/reports/240221-rpj7gahd82/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.62
Unpacked files
SH256 hash:
eb7d5bedc98b64bc115c4113f5097f92de783a676f7ba5721d0f329d0400396e
MD5 hash:
1ded40354ab8b54c1d5171928069c183
SHA1 hash:
7ff6045b482f6bcd1a748246f693f9a9762f46de
Link:
https://www.unpac.me/results/dacde873-097c-4469-835a-d6c7410a2092/
SH256 hash:
9033b9abad982d94ad4172788694b6d365c7917cd3a9d5532a7507dc48b2df2a
MD5 hash:
eb6d6cef8220b8f9106feb996a5c470d
SHA1 hash:
86de07d39cab03968bc7ae3655bea3d0720b899c
Link:
https://www.unpac.me/results/dacde873-097c-4469-835a-d6c7410a2092/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9033b9abad98/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9033b9abad982d94ad4172788694b6d365c7917cd3a9d5532a7507dc48b2df2a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_e5f4703f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 9033b9abad982d94ad4172788694b6d365c7917cd3a9d5532a7507dc48b2df2a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2766691/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/477317/

Comments