MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ba89a594158dcad47219d1fffc94d54ceab08aa934dfaf80a9880fefd3e3070. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ba89a594158dcad47219d1fffc94d54ceab08aa934dfaf80a9880fefd3e3070
SHA3-384 hash: 0757bcc5839b0b331117af2d0b8a710cf761738882d773ad46da6e75eb5a3828f393a1eb808dca54b91993dc038a11a7
SHA1 hash: b9ec12b977b9ee6ecdcb74c7e718ad4018755625
MD5 hash: a815d2d73a30dfcab21000b326b29c13
humanhash: neptune-snake-bulldog-kansas
File name:file
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:952'832 bytes
First seen:2024-04-20 18:03:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash deee2f3ec985195fc99175dfed532c7c (2 x LummaStealer, 1 x RiseProStealer)
ssdeep 24576:3IwoFmXsR3sf1viW1V6T/uKWZUtH6z1o:YuosfYWH6zuKd6z
Threatray 32 similar samples on MalwareBazaar
TLSH T17A15E00372E1BC64E66607329FAE95EC772EF8324E16BB2B32046E1F14B51B1C627751
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0802145090320000 (1 x RiseProStealer)
Reporter Bitsight
Tags:exe RiseProStealer


Avatar
Bitsight
url: http://193.233.132.139/talka/linda.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
522
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9ba89a594158dcad47219d1fffc94d54ceab08aa934dfaf80a9880fefd3e3070.exe
Verdict:
Malicious activity
Analysis date:
2024-04-20 18:05:57 UTC
Tags:
risepro
Link:
https://app.any.run/tasks/62c690b2-4e1a-4651-bc17-86dea037a2cf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Launching a process
Creating a file in the %temp% directory
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Sending a TCP request to an infection source
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint packed
Link:
https://www.filescan.io/uploads/6624039354bafb7d21d582b6/reports/a271e42c-0e8f-440e-b9fb-31006cbe7315/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/9ba89a594158dcad47219d1fffc94d54ceab08aa934dfaf80a9880fefd3e3070
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/541741b9-7823-470a-9afe-2645f2b215ff
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1429092
Signature
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check for running processes (XOR)
Contains functionality to inject threads in other processes
Country aware sample found (crashes after keyboard check)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1429092 Sample: file.exe Startdate: 20/04/2024 Architecture: WINDOWS Score: 100 49 ipinfo.io 2->49 51 db-ip.com 2->51 59 Snort IDS alert for network traffic 2->59 61 Multi AV Scanner detection for domain / URL 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 6 other signatures 2->65 8 MPGPH131.exe 55 2->8         started        12 file.exe 1 62 2->12         started        15 MPGPH131.exe 2->15         started        signatures3 process4 dnsIp5 39 C:\Users\user\...\rTXApvaKL9yw6N5oqHITZ9U.zip, Zip 8->39 dropped 67 Multi AV Scanner detection for dropped file 8->67 69 Detected unpacking (changes PE section rights) 8->69 71 Detected unpacking (overwrites its own PE header) 8->71 83 6 other signatures 8->83 17 WerFault.exe 8->17         started        19 WerFault.exe 8->19         started        29 3 other processes 8->29 53 147.45.47.93, 49730, 49731, 49732 FREE-NET-ASFREEnetEU Russian Federation 12->53 55 ipinfo.io 34.117.186.192, 443, 49733, 49735 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 12->55 57 db-ip.com 104.26.4.15, 443, 49734, 49737 CLOUDFLARENETUS United States 12->57 41 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 12->41 dropped 43 C:\ProgramData\MPGPH131\MPGPH131.exe, PE32 12->43 dropped 45 C:\Users\user\...\HZqMYfpyMfdfHfQja15Vpq6.zip, Zip 12->45 dropped 73 Found evasive API chain (may stop execution after checking mutex) 12->73 75 Tries to steal Mail credentials (via file / registry access) 12->75 77 Found many strings related to Crypto-Wallets (likely being stolen) 12->77 79 Uses schtasks.exe or at.exe to add and modify task schedules 12->79 21 schtasks.exe 1 12->21         started        23 schtasks.exe 1 12->23         started        25 WerFault.exe 19 16 12->25         started        31 6 other processes 12->31 47 C:\Users\user\...\ax62Lo_zBXq90uwBqgwbr3X.zip, Zip 15->47 dropped 81 Tries to harvest and steal browser information (history, passwords, etc) 15->81 27 WerFault.exe 15->27         started        33 4 other processes 15->33 file6 signatures7 process8 process9 35 conhost.exe 21->35         started        37 conhost.exe 23->37         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9ba89a594158dcad47219d1fffc94d54ceab08aa934dfaf80a9880fefd3e3070
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9ba89a594158dcad47219d1fffc94d54ceab08aa934dfaf80a9880fefd3e3070/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-04-20 18:04:06 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=toujuwkbldok2rzbtup77sknkthkwcfksng7v6aktcap57j6gbya._file
Verdict:
malicious
Similar samples:
09c9e09ef1371e9bc9292abce47d8bd0fdae9cb9fecc42ccfd51f983f43e2bdf
RiseProStealer
205524412abf2bbaeb37cdb73e6f70e59e74fdaa45f2eb68653a78c0f1098fb5
RiseProStealer
baf757d4426a783292c3d0e78885969d6dde83fbe6334865c888895a6d10023b
RiseProStealer
d74a5f1212ec46a6dda8e0330cdd3f6b9e642b33e6280c715eb2ca92b02b0ca6
RiseProStealer
dd597382fa2346db39334557fd3eb8adba3abde583ce12d6ee496be7fd8774ef
RiseProStealer
fcc22a367ed0a8d8de94f5159ab12c32606f97326b832eb47327b7707ba457a6
RiseProStealer
fcd465bfb29ad1ee9c3344c27035fe6721f7c634ae714db808454b2d14e6ecd3
RiseProStealer
+ 22 additional samples on MalwareBazaar
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro stealer
Link:
https://tria.ge/reports/240420-wnkttseb93/
Behaviour
Program crash
RisePro
Malware Config
C2 Extraction:
147.45.47.93:58709
Unpacked files
SH256 hash:
0a6628d1fbc52fece48c67e6ae4e04b77c7d3635c7d95dbd1c0c0c50fdd2ffae
MD5 hash:
42cb764e6408ac38ea34622398ffcc7b
SHA1 hash:
17ac7c72ff5dfd4cc4532648266ff8644c1de8f0
Link:
https://www.unpac.me/results/e867c991-5954-4df9-a00b-1c8ea72b5151/
SH256 hash:
9ba89a594158dcad47219d1fffc94d54ceab08aa934dfaf80a9880fefd3e3070
MD5 hash:
a815d2d73a30dfcab21000b326b29c13
SHA1 hash:
b9ec12b977b9ee6ecdcb74c7e718ad4018755625
Link:
https://www.unpac.me/results/e867c991-5954-4df9-a00b-1c8ea72b5151/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:EXE_Stealer_StealC_Feb2024
Create hunting rule
Author:Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Trojan_Generic_2993e5a5
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 9ba89a594158dcad47219d1fffc94d54ceab08aa934dfaf80a9880fefd3e3070

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2819722/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AddConsoleAliasW
KERNEL32.dll::AddConsoleAliasA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::WriteConsoleA
KERNEL32.dll::ReadConsoleInputA
KERNEL32.dll::SetStdHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateHardLinkA
KERNEL32.dll::CreateFileW
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::RemoveDirectoryW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameA
WIN_HTTP_APIUses HTTP servicesWINHTTP.dll::WinHttpConnect

Comments