Threat name: Amadey, Glupteba, PureLog Stealer, RedLi
Alert
Classification: troj.spyw.evad.mine
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behavior Graph
ID: 1386110
Sample: aXv0VxfPWu.exe
Startdate: 03/02/2024
Architecture: WINDOWS
Score: 100

Sample-level network contacts and signatures:
  network: secretionsuitcasenioise.shop
  network: mealroomrallpassiveer.shop
  network: 5 other IPs or domains
  signature: Snort IDS alert for network traffic
  signature: Multi AV Scanner detection for domain / URL
  signature: Found malware configuration
  signature: 24 other signatures

Process tree (dropped files, signatures and network contacts listed under the process that produced them):

aXv0VxfPWu.exe
  dropped: C:\Users\user\AppData\Local\...\explorhe.exe, PE32
  signature: Detected unpacking (changes PE section rights)
  signature: Contains functionality to detect sleep reduction / modifications
  started: explorhe.exe
    network: 185.215.113.68 (ports 49729, 49730, 49732), WHOLESALECONNECTIONSNL, Portugal
    network: 109.107.182.3 (ports 49731, 49734, 49737), TELEPORT-TV-ASRU, Russian Federation
    network: 185.172.128.19 (ports 49742, 80), NADYMSS-ASRU, Russian Federation
    dropped: C:\Users\user\AppData\Roaming\...\clip64.dll, PE32
    dropped: C:\Users\user\AppData\Local\...\crypted.exe, PE32
    dropped: C:\Users\user\AppData\Local\Temp\...\alex.exe, PE32
    dropped: 17 other malicious files
    signature: Multi AV Scanner detection for dropped file
    signature: Detected unpacking (changes PE section rights)
    signature: Creates an undocumented autostart registry key
    signature: 4 other signatures
    started: dayroc.exe
      dropped: C:\Users\user\AppData\Local\...\toolspub1.exe, PE32
      dropped: C:\...\d21cbe21e38b385a41a68c5e6dd32f4c.exe, PE32
      dropped: C:\Users\user\AppData\...\InstallSetup9.exe, PE32
      signature: Multi AV Scanner detection for dropped file
      started: InstallSetup9.exe
        network: 185.172.128.90, NADYMSS-ASRU, Russian Federation
        network: 185.172.128.127, NADYMSS-ASRU, Russian Federation
        dropped: C:\Users\user\AppData\Local\...\nst36EF.tmp, PE32
        dropped: C:\Users\user\AppData\Local\...\INetC.dll, PE32
        dropped: C:\Users\user\AppData\...\BroomSetup.exe, PE32
        dropped: C:\Users\user\AppData\...\syncUpd[1].exe, PE32
        signature: Multi AV Scanner detection for dropped file
        started: nst36EF.tmp
          network: 185.172.128.79, NADYMSS-ASRU, Russian Federation
          dropped: C:\Users\user\AppData\...\softokn3[1].dll, PE32
          dropped: C:\Users\user\AppData\Local\...\nss3[1].dll, PE32
          dropped: C:\Users\user\AppData\...\mozglue[1].dll, PE32
          dropped: 9 other files (5 malicious)
          signature: Detected unpacking (changes PE section rights)
          signature: Detected unpacking (overwrites its own PE header)
          signature: Tries to steal Mail credentials (via file / registry access)
          signature: 2 other signatures
        started: BroomSetup.exe
          signature: Multi AV Scanner detection for dropped file
          started: cmd.exe
            started: conhost.exe
            started: chcp.com
      started: toolspub1.exe
        signature: Detected unpacking (changes PE section rights)
        signature: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
        signature: Maps a DLL or memory area into another process
        signature: 2 other signatures
      started: d21cbe21e38b385a41a68c5e6dd32f4c.exe
        signature: Detected unpacking (overwrites its own PE header)
    started: goldklassd.exe
      signature: Writes to foreign memory regions
      signature: Allocates memory in foreign processes
      signature: Injects a PE file into a foreign processes
      started: RegAsm.exe
        network: 20.79.30.95 (ports 33223, 49740), MICROSOFT-CORP-MSN-AS-BLOCKUS, United States
        signature: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
        signature: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
      started: conhost.exe
    started: crypted.exe
      started: RegAsm.exe
        network: 144.76.1.85, HETZNER-ASDE, Germany
        dropped: C:\Users\user\AppData\Local\...\qemu-ga.exe, PE32
        signature: Tries to harvest and steal browser information (history, passwords, etc)
    started: 8 other processes
      network: 80.79.4.61, SISTEMEMD, Moldova Republic of
      network: 45.15.156.209, RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation
      dropped: C:\ProgramData\...\uwgxswmtctao.exe, PE32+
      dropped: C:\ProgramData\...\iojmibhyhiws.exe, PE32+
      signature: System process connects to network (likely due to code injection or exploit)
      signature: Detected unpacking (changes PE section rights)
      signature: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
      signature: 2 other signatures
      started: RegAsm.exe
        dropped: C:\Users\user\AppData\Roaming\...\olehps.exe, PE32
        dropped: C:\Users\user\AppData\Roaming\...\Logs.exe, PE32
      started: RegAsm.exe
        network: secretionsuitcasenioise.shop (104.21.16.152), CLOUDFLARENETUS, United States
        network: mealroomrallpassiveer.shop (104.21.47.178), CLOUDFLARENETUS, United States
        network: 3 other IPs or domains
      started: 11 other processes
        started: conhost.exe
        started: conhost.exe
        started: conhost.exe
        started: 6 other processes
iojmibhyhiws.exe
  dropped: C:\Windows\Temp\zamrbllfjgdb.sys, PE32+
  signature: Antivirus detection for dropped file
  signature: Multi AV Scanner detection for dropped file
  signature: Modifies the context of a thread in another process (thread injection)
  signature: Tries to evade debugger and weak emulator (self modifying code)
  started: conhost.exe
    signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  started: conhost.exe
uwgxswmtctao.exe
  dropped: C:\Windows\Temp\rljxappkaarw.sys, PE32+
  signature: Injects code into the Windows Explorer (explorer.exe)
  signature: Sample is not signed and drops a device driver
  started: explorer.exe
    network: 142.202.242.45 (ports 49735, 80), 1GSERVERSUS, Reserved
    signature: System process connects to network (likely due to code injection or exploit)
    signature: Query firmware table information (likely to detect VMs)
2 other processes
  started: conhost.exe