MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9771ccf8d55d3a22f639d8e3aa72c57b76b6e652e602a6a1ae965c9a80c72bb5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9771ccf8d55d3a22f639d8e3aa72c57b76b6e652e602a6a1ae965c9a80c72bb5
SHA3-384 hash: 8e22a80dd8f00d30f31429abce50d2d9adde94f156243456dbbffcee2a5699686e0b694a08f6bf26c4e047e7c465ed82
SHA1 hash: 014ddad595248016dbbd54a3241257d56f2d43ae
MD5 hash: 633d6469f234818097172f5b9b8ad772
humanhash: fanta-montana-nebraska-coffee
File name:633d6469f234818097172f5b9b8ad772
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'421'248 bytes
First seen:2024-02-15 20:41:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:tjjoOYIlUk3yijDn6OREHvwQ+9QDZSJmrZpGxdn1:tjj1FlUk3XjDn6sE7+2+mZo1
Threatray 82 similar samples on MalwareBazaar
TLSH T145B5238DBD1045A3D3943B7949E2FABE4368FCD47A1650C63CD837AB7673A285A2604C
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon e0d4e8e8e8f0d4c8 (58 x RiseProStealer, 3 x Worm.Ramnit)
Reporter zbetcheckin
Tags:32 exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
445
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/476384/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file in the Windows subdirectories
Modifying a system file
Creating a file
Launching a process
Using the Windows Management Instrumentation requests
Replacing files
Launching a service
Creating a file in the %temp% directory
DNS request
Connection attempt
Sending a custom TCP request
Sending a UDP request
Sending an HTTP GET request
Reading critical registry keys
Forced system process termination
Creating a process from a recently created file
Creating a window
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65ce771bc5e1a083fbed3aed/reports/0a5c8e4e-2df5-4990-a0fa-954cd79dfb3c/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/9771ccf8d55d3a22f639d8e3aa72c57b76b6e652e602a6a1ae965c9a80c72bb5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/914db1e9-5d25-41a9-bc43-e86c149c2fbf
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1393110
Signature
Adds extensions / path to Windows Defender exclusion list (Registry)
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Connects to many IPs within the same subnet mask (likely port scanning)
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Disables Windows Defender Tamper protection
Downloads suspicious files via Chrome
Exclude list of file types from scheduled, custom, and real-time scanning
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1393110 Sample: 5ws86kuyyj.exe Startdate: 15/02/2024 Architecture: WINDOWS Score: 100 93 yt3.ggpht.com 2->93 95 youtube-ui.l.google.com 2->95 97 60 other IPs or domains 2->97 127 Snort IDS alert for network traffic 2->127 129 Malicious sample detected (through community Yara rule) 2->129 131 Antivirus detection for URL or domain 2->131 133 7 other signatures 2->133 9 5ws86kuyyj.exe 11 116 2->9         started        14 MPGPH131.exe 10 102 2->14         started        16 MPGPH131.exe 2->16         started        18 6 other processes 2->18 signatures3 process4 dnsIp5 109 185.215.113.46 WHOLESALECONNECTIONSNL Portugal 9->109 111 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 9->111 113 ipinfo.io 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 9->113 71 C:\Users\user\...\xwERuoTARGX5q0h8SV5V.exe, PE32 9->71 dropped 73 C:\Users\user\...\rpkkQNdREE65MORaBFLN.exe, PE32 9->73 dropped 81 12 other malicious files 9->81 dropped 151 Detected unpacking (changes PE section rights) 9->151 153 Binary is likely a compiled AutoIt script file 9->153 155 Tries to steal Mail credentials (via file / registry access) 9->155 175 7 other signatures 9->175 20 xwERuoTARGX5q0h8SV5V.exe 9->20         started        23 0D5wyRVYAbXcskqRbBEm.exe 9->23         started        25 eElzBpf7uvX_i62PyFDb.exe 9->25         started        37 3 other processes 9->37 75 C:\Users\user\...\qO72YNJnbClF1aUtmv56.exe, PE32 14->75 dropped 77 C:\Users\user\...\lrRnSWAA7uf6NzpF83zM.exe, PE32 14->77 dropped 79 C:\Users\user\...\aQVHs7tNHkdHKkZbrBEP.exe, PE32 14->79 dropped 83 8 other malicious files 14->83 dropped 157 Multi AV Scanner detection for dropped file 14->157 159 Machine Learning detection for dropped file 14->159 161 Found stalling execution ending in API Sleep call 14->161 85 8 other malicious files 16->85 dropped 163 Disables Windows Defender (deletes autostart) 16->163 165 Tries to harvest and steal browser information (history, passwords, etc) 16->165 167 Exclude list of file types from scheduled, custom, and real-time scanning 16->167 87 4 other malicious files 18->87 dropped 169 Tries to evade debugger and weak emulator (self modifying code) 18->169 171 Hides threads from debuggers 18->171 173 Tries to detect sandboxes / dynamic malware analysis system (registry check) 18->173 27 firefox.exe 18->27         started        31 msedge.exe 18->31         started        33 firefox.exe 18->33         started        35 firefox.exe 18->35         started        file6 signatures7 process8 dnsIp9 135 Detected unpacking (changes PE section rights) 20->135 137 Modifies windows update settings 20->137 139 Disables Windows Defender Tamper protection 20->139 149 4 other signatures 20->149 141 Tries to detect sandboxes and other dynamic analysis tools (window names) 23->141 143 Tries to evade debugger and weak emulator (self modifying code) 23->143 145 Hides threads from debuggers 23->145 147 Binary is likely a compiled AutoIt script file 25->147 39 chrome.exe 25->39         started        42 chrome.exe 25->42         started        44 chrome.exe 25->44         started        54 10 other processes 25->54 115 142.250.31.84 GOOGLEUS United States 27->115 117 172.217.165.142 GOOGLEUS United States 27->117 123 15 other IPs or domains 27->123 89 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 27->89 dropped 91 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 27->91 dropped 46 firefox.exe 27->46         started        48 firefox.exe 27->48         started        119 13.107.21.200 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 31->119 121 13.107.246.40 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 31->121 125 32 other IPs or domains 31->125 50 conhost.exe 37->50         started        52 conhost.exe 37->52         started        file10 signatures11 process12 dnsIp13 99 192.168.2.4 unknown unknown 39->99 101 239.255.255.250 unknown Reserved 39->101 56 chrome.exe 39->56         started        59 chrome.exe 42->59         started        61 chrome.exe 44->61         started        63 chrome.exe 54->63         started        65 msedge.exe 54->65         started        67 msedge.exe 54->67         started        69 msedge.exe 54->69         started        process14 dnsIp15 103 192.168.2.5 unknown unknown 56->103 105 i.ytimg.com 142.250.64.86 GOOGLEUS United States 56->105 107 25 other IPs or domains 56->107
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9771ccf8d55d3a22f639d8e3aa72c57b76b6e652e602a6a1ae965c9a80c72bb5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9771ccf8d55d3a22f639d8e3aa72c57b76b6e652e602a6a1ae965c9a80c72bb5/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2024-02-15 20:42:06 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s5y4z6gvlu5cf5rz3dr2u4wfpn3lnzss4ybkninoszojvaghfo2q._file
Verdict:
malicious
Similar samples:
244f83eb73141f35b9b4e44d10cc285a66af6f06ecac378e446ed3f6f3ad9ba1
RiseProStealer
4673e26a480f6687f1401d09d30ec74629f2075d0c4ef036aed088ec5592e5d0
RiseProStealer
7d55d937d0f24157dcc0df03bc1f42b90ad31f483d40b7aeb4b6e4c01bed70cc
RiseProStealer
c4d4e753b728a7a677b76270cd1a8c16e47fcc7fbf69575185e1c4e288ea43a3
RiseProStealer
c714577cc08df82a0894aa58aa968fa3b9761c198581bd99fce150fa488248e3
RiseProStealer
e41a64823764cf4bd61d4925f6c11fd939803c30f3c9d9b117ae63fc67b7c3e4
RiseProStealer
eeed7ff69fd813b5d177f9d15863c8b4de68b4f818fec0eb9f8a9c771fe436f2
RiseProStealer
+ 72 additional samples on MalwareBazaar
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer
Link:
https://tria.ge/reports/240215-zgzwysgf67/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.62
Unpacked files
SH256 hash:
a88fa8309cf07dc95be8d2d5bbe56059aae8b58460ec528f831687fd413e8596
MD5 hash:
c504025434ba04efb73d71c86ac64a78
SHA1 hash:
923d66556a5b772197bd288c05d8ce34ad228e05
Link:
https://www.unpac.me/results/a71f7d1e-bca1-4cac-b60a-a78f02515148/
SH256 hash:
9865a0b00d3afa7b060eac6685ed36f1d2214cbf904ff451ec63b223bf6b1410
MD5 hash:
d0edea8daf8db93725c715e1b42ad082
SHA1 hash:
fecfc468a311b79253b35e1d7316b9d8a6e0f205
Link:
https://www.unpac.me/results/a71f7d1e-bca1-4cac-b60a-a78f02515148/
SH256 hash:
4bf1109d02442e73198138d0f9d0fccd52caaccf5ee5bbc89c4c583b505e8dbf
MD5 hash:
3f459b435d74cbc77fcae6c1971e2f2e
SHA1 hash:
73b48dc81d87c7d29b9fc15a8c47e755e7dafdc4
Link:
https://www.unpac.me/results/a71f7d1e-bca1-4cac-b60a-a78f02515148/
SH256 hash:
751d11b066d4cf8c9aff45bb9e295453a46e26e6e667113f9ddfc1eb7ea30305
MD5 hash:
a5a2bbbaf983c2091b699cb625908d96
SHA1 hash:
96d25e769ca68bcef8cf5239c6da260e4510a6e0
Link:
https://www.unpac.me/results/a71f7d1e-bca1-4cac-b60a-a78f02515148/
SH256 hash:
9771ccf8d55d3a22f639d8e3aa72c57b76b6e652e602a6a1ae965c9a80c72bb5
MD5 hash:
633d6469f234818097172f5b9b8ad772
SHA1 hash:
014ddad595248016dbbd54a3241257d56f2d43ae
Link:
https://www.unpac.me/results/a71f7d1e-bca1-4cac-b60a-a78f02515148/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9771ccf8d55d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9771ccf8d55d3a22f639d8e3aa72c57b76b6e652e602a6a1ae965c9a80c72bb5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_e5f4703f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 9771ccf8d55d3a22f639d8e3aa72c57b76b6e652e602a6a1ae965c9a80c72bb5

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2761990/
Cape
Cape
https://www.capesandbox.com/analysis/476384/

Comments


Avatar
zbet commented on 2024-02-15 20:41:50 UTC

url : hxxp://147.45.47.93:33758/misha/bugai.exe