MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d12457378d6e1429b48c215965868b1721584a0468e9cdfe6c796eb1989b4ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d12457378d6e1429b48c215965868b1721584a0468e9cdfe6c796eb1989b4ec
SHA3-384 hash: a74bcb3e304dbf7d3e648c3acc33c328cb70427438a8af3b8f90194ccc75b13bdca9bc5557964b9e83a5e6c979e806e4
SHA1 hash: 704a278e894f72b43656b4b0ba96fa07d9d7f1bb
MD5 hash: d17fb27e92939b026b4320f741429cb5
humanhash: purple-beer-six-mountain
File name:SecuriteInfo.com.Win32.TrojanX-gen.6275.15915
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'360'832 bytes
First seen:2024-02-02 20:29:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 49152:XQy3jZHFmQT5Cu1mRmNa7MM9TG0aCaSlIMV4LSwPnpp:X3zZlrT5C1g4n9T6S3iSwz
Threatray 25 similar samples on MalwareBazaar
TLSH T19EB533E69FB09E8FD14B4BF69126374205777CEB821251BA9B24FE55DBBE1304A42C80
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4505/5/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon cc31e8cccce833cc (116 x RiseProStealer, 1 x Amadey)
Reporter SecuriteInfoCom
Tags:exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
292
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/474240/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.6275.15915.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
packed packed themidawinlicense
Link:
https://www.filescan.io/uploads/65bd50cf1a072d5652642817/reports/1b2a6745-0eb8-4ddd-a2cb-d27c0e3a7328/overview
Verdict:
Malicious
Labled as:
Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/9d12457378d6e1429b48c215965868b1721584a0468e9cdfe6c796eb1989b4ec
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c20450fc-beec-493b-8cc9-affc0284824b
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1385831
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1385831 Sample: SecuriteInfo.com.Win32.Troj... Startdate: 02/02/2024 Architecture: WINDOWS Score: 100 82 youtube-ui.l.google.com 2->82 84 www.youtube.com 2->84 86 33 other IPs or domains 2->86 116 Snort IDS alert for network traffic 2->116 118 Antivirus detection for URL or domain 2->118 120 Antivirus / Scanner detection for submitted sample 2->120 122 5 other signatures 2->122 9 SecuriteInfo.com.Win32.TrojanX-gen.6275.15915.exe 2 124 2->9         started        14 MPGPH131.exe 12 2->14         started        16 RageMP131.exe 2->16         started        18 10 other processes 2->18 signatures3 process4 dnsIp5 98 185.215.113.68 WHOLESALECONNECTIONSNL Portugal 9->98 100 109.107.182.3 TELEPORT-TV-ASRU Russian Federation 9->100 106 2 other IPs or domains 9->106 68 C:\Users\user\...\XD2G3JtF1QVVVT2v0pm2.exe, PE32 9->68 dropped 70 C:\Users\user\...\R0r9P07E7BFCUNJc7sXX.exe, PE32 9->70 dropped 72 C:\Users\user\...72AKgcW3Js6YWi9re8FVW.exe, PE32 9->72 dropped 80 13 other malicious files 9->80 dropped 142 Detected unpacking (changes PE section rights) 9->142 144 Binary is likely a compiled AutoIt script file 9->144 146 Tries to steal Mail credentials (via file / registry access) 9->146 164 4 other signatures 9->164 20 R0r9P07E7BFCUNJc7sXX.exe 9->20         started        23 NAKgcW3Js6YWi9re8FVW.exe 9->23         started        25 8xqnLOUrgCWeSCeSzXCs.exe 9->25         started        34 5 other processes 9->34 148 Antivirus detection for dropped file 14->148 150 Multi AV Scanner detection for dropped file 14->150 152 Machine Learning detection for dropped file 14->152 154 Tries to evade debugger and weak emulator (self modifying code) 16->154 156 Hides threads from debuggers 16->156 158 Tries to detect sandboxes / dynamic malware analysis system (registry check) 16->158 102 mitmdetection.services.mozilla.com 18.160.60.75 MIT-GATEWAYSUS United States 18->102 104 172.217.215.93 GOOGLEUS United States 18->104 108 10 other IPs or domains 18->108 74 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 18->74 dropped 76 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 18->76 dropped 78 97AE667565B6120DDEBF42730CC21468FE5AC36E, DOS 18->78 dropped 160 Tries to harvest and steal browser information (history, passwords, etc) 18->160 162 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->162 27 msedge.exe 18->27         started        30 firefox.exe 18->30         started        32 msedge.exe 18->32         started        36 3 other processes 18->36 file6 signatures7 process8 dnsIp9 124 Detected unpacking (changes PE section rights) 20->124 126 Detected unpacking (overwrites its own PE header) 20->126 128 Modifies windows update settings 20->128 138 3 other signatures 20->138 130 Tries to detect sandboxes and other dynamic analysis tools (window names) 23->130 132 Tries to evade debugger and weak emulator (self modifying code) 23->132 134 Hides threads from debuggers 23->134 140 2 other signatures 23->140 136 Binary is likely a compiled AutoIt script file 25->136 38 chrome.exe 25->38         started        41 chrome.exe 25->41         started        43 chrome.exe 25->43         started        53 9 other processes 25->53 110 13.107.213.41 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 27->110 112 20.96.153.111 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 27->112 114 21 other IPs or domains 27->114 45 conhost.exe 34->45         started        47 conhost.exe 34->47         started        49 conhost.exe 34->49         started        51 conhost.exe 34->51         started        signatures10 process11 dnsIp12 88 192.168.2.5 unknown unknown 38->88 90 239.255.255.250 unknown Reserved 38->90 55 chrome.exe 38->55         started        58 chrome.exe 41->58         started        60 chrome.exe 43->60         started        62 msedge.exe 53->62         started        64 msedge.exe 53->64         started        66 msedge.exe 53->66         started        process13 dnsIp14 92 www.google.com 142.251.15.147 GOOGLEUS United States 55->92 94 play.google.com 172.217.215.100 GOOGLEUS United States 55->94 96 15 other IPs or domains 55->96
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9d12457378d6e1429b48c215965868b1721584a0468e9cdfe6c796eb1989b4ec
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d12457378d6e1429b48c215965868b1721584a0468e9cdfe6c796eb1989b4ec/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2024-02-02 18:23:54 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tujek43y23qufg2iyikzmwdiwfzblbfai2hjzx7gy6lowgmjwtwa._file
Verdict:
malicious
Similar samples:
06ccb8e6100fd654b89367b2c6ea6be48dfc91c404656b4020516fcf1350179f
RiseProStealer
3a649fa91a13523a86b7bd178fb4ccf28970d1627bfb4ece042a42f020262697
RiseProStealer
9e0fdb12f3c1424fc1835a3f2fa330c876299cc072ada7a7ab265ac7207cccab
RiseProStealer
d0147494ca9687e1035bb977a4d3dd8381358603bcafa4adfb98b629e060bf32
RiseProStealer
ed5853637c726919aca5628b78d11c214983b93bf267337a3b485db5efd92270
RiseProStealer
ff974573fdd859395f3e9fd808105a38390d1f99d4bb7655771c8ba7f8de3288
RiseProStealer
+ 15 additional samples on MalwareBazaar
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer
Link:
https://tria.ge/reports/240202-y95r8segh4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.62:50500
Unpacked files
SH256 hash:
22f297ff6660800d2a6fe403175a600d057a8986881cec388ede5c960d25c1a8
MD5 hash:
a20e64e0e46343185b9c55b55d1511fb
SHA1 hash:
87c462f88522338ff61313e9c11bfbc90afc9631
Link:
https://www.unpac.me/results/19bb3977-36c4-499a-b201-c7168425e537/
SH256 hash:
9d12457378d6e1429b48c215965868b1721584a0468e9cdfe6c796eb1989b4ec
MD5 hash:
d17fb27e92939b026b4320f741429cb5
SHA1 hash:
704a278e894f72b43656b4b0ba96fa07d9d7f1bb
Link:
https://www.unpac.me/results/19bb3977-36c4-499a-b201-c7168425e537/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9d12457378d6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9d12457378d6e1429b48c215965868b1721584a0468e9cdfe6c796eb1989b4ec

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 9d12457378d6e1429b48c215965868b1721584a0468e9cdfe6c796eb1989b4ec

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/474240/
  
URLhaus
https://urlhaus.abuse.ch/url/2755484/
  
Delivery method
Distributed via web download

Comments