MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b115d4d9d27cca513836b8222f9cddd3697ca71ec2456645bab03a788cf30e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b115d4d9d27cca513836b8222f9cddd3697ca71ec2456645bab03a788cf30e2
SHA3-384 hash: 96153365fcf70e7515d961266367bb378252edf7b4b6e04d4e09420b994f50b6e43b25ec50f6464772f4e692d89f3fd8
SHA1 hash: f2aad6da13ea96d84d7761341af18c7582bf9497
MD5 hash: 9fa5ded8ca4719acf565b75133e10224
humanhash: floor-potato-timing-september
File name:9fa5ded8ca4719acf565b75133e10224.exe
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:462'848 bytes
First seen:2023-12-15 13:10:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 6144:Kxy+bnr+Up0yN90QEncmZVyKalT4/wye6Kzmba5hYpKy1+EylETFM42BdUEUKVHb:TMrcy90nwPMw5msL/42BpUKVc2
Threatray 33 similar samples on MalwareBazaar
TLSH T172A4025B62E89473D8B51BB05CFB13D30B367C816978836F6784994E0CB39A4A93533B
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RiseProStealer


Avatar
abuse_ch
RiseProStealer C2:
91.92.249.253:50500

Intelligence

File Origin
# of uploads :
1
# of downloads :
336
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/467547/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file
Running batch commands
Launching a process
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun by creating a file
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB confuserex control explorer installer lolbin lolbin packed packed replace rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/657c5067439457868c03e3f6/reports/5f906d17-d81c-455d-be9f-753514b92422/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/9b115d4d9d27cca513836b8222f9cddd3697ca71ec2456645bab03a788cf30e2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a2d90ce8-544c-4a0a-b5c5-b89cfeb0026f
Result
Threat name:
LummaC Stealer, RedLine, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1362643
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected LummaC Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1362643 Sample: loFrHbSmwp.exe Startdate: 15/12/2023 Architecture: WINDOWS Score: 100 128 soupinterestoe.fun 2->128 130 reviveincapablewew.pw 2->130 132 13 other IPs or domains 2->132 156 Snort IDS alert for network traffic 2->156 158 Multi AV Scanner detection for domain / URL 2->158 160 Found malware configuration 2->160 162 18 other signatures 2->162 10 loFrHbSmwp.exe 1 4 2->10         started        13 MaxLoonaFest131.exe 2->13         started        17 OfficeTrackerNMP131.exe 60 2->17         started        19 4 other processes 2->19 signatures3 process4 dnsIp5 114 C:\Users\user\AppData\Local\...\5fw4Xa5.exe, PE32 10->114 dropped 116 C:\Users\user\AppData\Local\...\2Pj3669.exe, PE32 10->116 dropped 21 5fw4Xa5.exe 10->21         started        24 2Pj3669.exe 16 69 10->24         started        154 34.117.186.192, 443, 49723, 49724 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 13->154 118 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 13->118 dropped 120 C:\...\d4eCZmj3pCaEtdE6FSJgZ4EGmf5aHP7I.zip, Zip 13->120 dropped 212 Multi AV Scanner detection for dropped file 13->212 214 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->214 216 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 13->216 28 WerFault.exe 13->28         started        122 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 17->122 dropped 124 C:\...\JBdfkW27BmjVt1zOfORJVUJXNnP5G2Z3.zip, Zip 17->124 dropped 218 Tries to steal Mail credentials (via file / registry access) 17->218 220 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 17->220 222 Queries memory information (via WMI often done to detect virtual machines) 17->222 30 WerFault.exe 17->30         started        126 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 19->126 dropped 32 WerFault.exe 19->32         started        34 WerFault.exe 19->34         started        36 WerFault.exe 19->36         started        38 6 other processes 19->38 file6 signatures7 process8 dnsIp9 184 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->184 186 Maps a DLL or memory area into another process 21->186 188 Checks if the current machine is a virtual machine (disk enumeration) 21->188 190 Creates a thread in another existing process (thread injection) 21->190 40 explorer.exe 21->40 injected 136 91.92.249.253, 49704, 49705, 49706 THEZONEBG Bulgaria 24->136 138 ipinfo.io 34.117.59.81, 443, 49707, 49708 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 24->138 98 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 24->98 dropped 100 C:\Users\user\AppData\...\FANBooster131.exe, PE32 24->100 dropped 102 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 24->102 dropped 104 2 other malicious files 24->104 dropped 192 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->192 194 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 24->194 196 Found many strings related to Crypto-Wallets (likely being stolen) 24->196 198 2 other signatures 24->198 45 cmd.exe 1 24->45         started        47 cmd.exe 1 24->47         started        49 WerFault.exe 24->49         started        file10 signatures11 process12 dnsIp13 140 185.215.113.68, 49729, 80 WHOLESALECONNECTIONSNL Portugal 40->140 142 5.42.65.125, 49742, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 40->142 144 2 other IPs or domains 40->144 106 C:\Users\user\AppData\Local\Temp\84B9.exe, PE32 40->106 dropped 108 C:\Users\user\AppData\Local\Temp\5423.exe, PE32 40->108 dropped 110 C:\Users\user\AppData\Local\Temp\431A.exe, PE32 40->110 dropped 112 4 other malicious files 40->112 dropped 206 System process connects to network (likely due to code injection or exploit) 40->206 208 Benign windows process drops PE files 40->208 51 5423.exe 40->51         started        55 FANBooster131.exe 40->55         started        57 3731.exe 40->57         started        68 5 other processes 40->68 210 Uses schtasks.exe or at.exe to add and modify task schedules 45->210 60 conhost.exe 45->60         started        62 schtasks.exe 1 45->62         started        64 conhost.exe 47->64         started        66 schtasks.exe 1 47->66         started        file14 signatures15 process16 dnsIp17 84 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 51->84 dropped 164 Multi AV Scanner detection for dropped file 51->164 166 Found many strings related to Crypto-Wallets (likely being stolen) 51->166 168 Sample uses process hollowing technique 51->168 70 RegSvcs.exe 51->70         started        86 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 55->86 dropped 88 C:\...\l9K7tcMQao5wNvle20gHyiTRwyMsdx0N.zip, Zip 55->88 dropped 170 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 55->170 172 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 55->172 174 Tries to steal Mail credentials (via file / registry access) 55->174 182 3 other signatures 55->182 74 WerFault.exe 55->74         started        146 176.123.7.190, 32927, 49733 ALEXHOSTMD Moldova Republic of 57->146 176 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 57->176 148 ratefacilityframw.fun 104.21.74.182, 49736, 80 CLOUDFLARENETUS United States 68->148 150 neighborhoodfeelsa.fun 104.21.87.137, 49734, 80 CLOUDFLARENETUS United States 68->150 152 4 other IPs or domains 68->152 90 C:\Users\user\AppData\Local\Temp\tuc3.exe, PE32 68->90 dropped 92 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 68->92 dropped 94 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 68->94 dropped 96 3 other malicious files 68->96 dropped 178 Detected unpacking (changes PE section rights) 68->178 180 Detected unpacking (overwrites its own PE header) 68->180 76 WerFault.exe 68->76         started        78 conhost.exe 68->78         started        80 WerFault.exe 68->80         started        82 WerFault.exe 68->82         started        file18 signatures19 process20 dnsIp21 134 195.20.16.103, 18305 EITADAT-ASFI Finland 70->134 200 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 70->200 202 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 70->202 204 Tries to harvest and steal browser information (history, passwords, etc) 70->204 signatures22
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9b115d4d9d27cca513836b8222f9cddd3697ca71ec2456645bab03a788cf30e2
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9b115d4d9d27cca513836b8222f9cddd3697ca71ec2456645bab03a788cf30e2/
Threat name:
Win32.Trojan.RiseProStealer
Create hunting rule
Status:
Malicious
First seen:
2023-12-15 13:11:06 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tmiv2tm5e7gkke4dnobcf6on3u3jpstr5qsfmzc3vmb2pcgpgdra._file
Verdict:
malicious
Similar samples:
0e1f89b121df17eae4916d33f4d5bf13de8a95bb0344e42a5b8204e1fff2b82f
RiseProStealer
139b12dd41cbd5265eb479b207e18bf881ebc1f26787be435067b7b1ffd717b4
RiseProStealer
2c1c344c0b0ba8c38994c6dbc5d35000e83bd5e6719116144216b76071c365fc
RiseProStealer
4e39fb3fcbcd2a8c6063cd905142601cba90d7b657fe9cfce55641ffad87cb5c
RiseProStealer
77957c241a2dad6130911d48593a27519dac01f3064825ace25662026ee308de
RiseProStealer
ba7f4474a334d79dd16cfb8a082987000764ff24c8a882c696e4c214b0e5e9cf
RiseProStealer
e687e7e2cb7285131d5f0165e7ab0c41db677adadb8773190c9d1a5d69141c13
RiseProStealer
+ 23 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:redline family:smokeloader botnet:@oleh_ps backdoor collection discovery infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/231215-qex5xaebb8/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Detect Lumma Stealer payload V4
Lumma Stealer
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
http://185.215.113.68/fks/index.php
176.123.7.190:32927
Unpacked files
SH256 hash:
ef78c319265a84eb1a18be4f48b71f17f1384bff6e87f2ad78359ab4d4e261f3
MD5 hash:
0bdc10efc294e5ec071226b7a88b2298
SHA1 hash:
2ab7545e592533991d5195a23e853fedae33a3b8
Detections:
INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Link:
https://www.unpac.me/results/67f19195-2667-4bac-9eb1-87797fba136d/
SH256 hash:
eae829fa646f084afe6691ebcefa1e02722a2cd358f85d7190d93d25475e6a36
MD5 hash:
0d65161f24b94c692c1dcfd789b20405
SHA1 hash:
2039c83c852861e0d8c310a028fa79a3218cf054
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/67f19195-2667-4bac-9eb1-87797fba136d/
Parent samples :
9b115d4d9d27cca513836b8222f9cddd3697ca71ec2456645bab03a788cf30e2
678850b820d703f0827a3e25e75003e742318f6b4722190686f541e23fc61a70
38b996babe91a3ea4fac1e349e0723d40621107dfd34f14bd2d4764fbb695b31
ada55b3992eec712e70558797f967f29de65052612874b3455b9230d847ed219
SH256 hash:
9b115d4d9d27cca513836b8222f9cddd3697ca71ec2456645bab03a788cf30e2
MD5 hash:
9fa5ded8ca4719acf565b75133e10224
SHA1 hash:
f2aad6da13ea96d84d7761341af18c7582bf9497
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/67f19195-2667-4bac-9eb1-87797fba136d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9b115d4d9d27cca513836b8222f9cddd3697ca71ec2456645bab03a788cf30e2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 9b115d4d9d27cca513836b8222f9cddd3697ca71ec2456645bab03a788cf30e2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2738241/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/467547/

Comments