MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9518bc3f3049b98afe86b1d2b349938682cd218c98c3a13d8954794f8f7c0435. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RiseProStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 8 File information Comments

SHA256 hash:	9518bc3f3049b98afe86b1d2b349938682cd218c98c3a13d8954794f8f7c0435
SHA3-384 hash:	e380ca848c7d26b4523b1b0ea2592d72e5ae172edbd5d90ad58154c66ad5be6f56b11a8802186609fc187da5a5a205fd
SHA1 hash:	73c615b3aacf9dc63f558e9c0f9c4259fe7d4e84
MD5 hash:	05777a5356e31ca0261c06d2b6080b2a
humanhash:	fillet-white-charlie-cold
File name:	file
Download:	download sample
Signature	RiseProStealer Create hunting rule
File size:	2'732'032 bytes
First seen:	2023-12-01 01:07:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fe9e3404bebf8b23e1a17d6558da6aa8 (14 x RiseProStealer, 2 x RedLineStealer, 1 x DarkCloud)
ssdeep	24576:H3ryj7++6rsI9of8esr7NgtuOGVT0gPk/rrjjvPTI45IRyxx3LmFRpugljwvAeAf:+++6rsIw8jZgtOIgMjLPLtmFR1jwI/
TLSH	T193C5AD3822E3E860E94BD43595E86633B26E5EF50360A1FB6D4807FD59933D3E1B2163
TrID	56.8% (.EXE) InstallShield setup (43053/19/16) 13.8% (.EXE) Win64 Executable (generic) (10523/12/4) 8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe RiseProStealer

andretavare5

Sample downloaded from http://109.107.182.45/trend/home.exe

Intelligence

File Origin

# of uploads :

# of downloads :

324

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/461535/

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file in the Windows subdirectories

Сreating synchronization primitives

Modifying a system file

Creating a file

Creating a file in the %temp% subdirectories

Replacing files

Launching a service

Sending a UDP request

Forced system process termination

Blocking the Windows Defender launch

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Adding exclusions to Windows Defender

Enabling autorun by creating a file

Gathering data

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/9518bc3f3049b98afe86b1d2b349938682cd218c98c3a13d8954794f8f7c0435

Result

Verdict:

MALICIOUS

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/c9bc87a7-58f3-4da1-8cf8-74ee7931adf9

Result

Threat name:

PrivateLoader, RisePro Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1350998

Behaviour

Behavior Graph:

n/a

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9518bc3f3049b98afe86b1d2b349938682cd218c98c3a13d8954794f8f7c0435

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9518bc3f3049b98afe86b1d2b349938682cd218c98c3a13d8954794f8f7c0435/

Threat name:

Win32.Trojan.InjectorX

Status:

Malicious

First seen:

2023-12-01 01:08:04 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 23 (65.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sumlypzqjg4yv7ugwhjlgsmtq2bm2immtdb2cpmjkr4u7d34aq2q._file

Verdict:

unknown

Result

Malware family:

risepro

Score:

10/10

Tags:

family:privateloader family:risepro loader persistence stealer

Link:

https://tria.ge/reports/231201-bhg6jade6t/

Behaviour

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Drops file in System32 directory

Suspicious use of SetThreadContext

Adds Run key to start application

Drops startup file

PrivateLoader

RisePro

Malware Config

C2 Extraction:

194.49.94.152

Unpacked files

SH256 hash:

b43761ce35b1253b4b9dda987d6d58f0a68b1be30cc4d575e752a6712ae3723d

MD5 hash:

39eed45a2a1b6d6b7e0de271a9480942

SHA1 hash:

353e8d977e5c85c00102d2bd9573b4122c2c7d8c

Link:

https://www.unpac.me/results/5cddac1a-891a-47c4-b538-98d3f8016a4e/

SH256 hash:

9518bc3f3049b98afe86b1d2b349938682cd218c98c3a13d8954794f8f7c0435

MD5 hash:

05777a5356e31ca0261c06d2b6080b2a

SHA1 hash:

73c615b3aacf9dc63f558e9c0f9c4259fe7d4e84

Link:

https://www.unpac.me/results/5cddac1a-891a-47c4-b538-98d3f8016a4e/

Malware family:

PrivateLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9518bc3f3049/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9518bc3f3049b98afe86b1d2b349938682cd218c98c3a13d8954794f8f7c0435

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AppLaunch Create hunting rule
Author:	iam-py-test
Description:	Detect files referencing .Net AppLaunch.exe

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/461535/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample