MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a411f79466c5b91feae82cddf2cff3cd20130cec9955bf5003f0ce1febd5143f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 12 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a411f79466c5b91feae82cddf2cff3cd20130cec9955bf5003f0ce1febd5143f
SHA3-384 hash: 6bd146c729476d3ee12cf7b6e7ea9938db5b8ce334af62509ac27f2e3feb0635556b6707cf1b7040f11476eafbf6b8e4
SHA1 hash: 51a936428711d9bd1307ffd3e75436a0e4568eb2
MD5 hash: c49a9a589af8da0d09c69670b2579ab9
humanhash: stairway-virginia-virginia-earth
File name:c49a9a589af8da0d09c69670b2579ab9
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:8'976'008 bytes
First seen:2024-04-26 03:42:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2f93cd80e5dfeca07d7e8b0f35545fb5 (7 x RiseProStealer)
ssdeep 196608:aOVNWi1IoE6S5MBjgluihHc4+oueCxQ/sfA84JmQGOVDm2:aOVwim8S5MykihHcYueCxQIA84JfLDm2
Threatray 9 similar samples on MalwareBazaar
TLSH T12A9633CF2143B631C627D1F65721C64D3A348912BC9436F9300CED69BFAAE76A5E22C5
TrID 52.9% (.EXE) Win32 Executable (generic) (4504/4/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon b4b4b09c8c84c4c4 (1 x RiseProStealer)
Reporter zbetcheckin
Tags:32 exe RiseProStealer signed

Code Signing Certificate

Organisation:SIMENS FINLAND
Issuer:SIMENS FINLAND
Algorithm:sha512WithRSAEncryption
Valid from:2024-04-24T10:45:57Z
Valid to:2027-06-16T00:00:00Z
Serial number: 46dbeb2987ecf44a9608bda808ccf164
Thumbprint Algorithm:SHA256
Thumbprint: 38481c37ee46ccbdc1a689ff78dd71bca0a504e9511f7281f257a0060eb488aa
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
561
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a411f79466c5b91feae82cddf2cff3cd20130cec9955bf5003f0ce1febd5143f.exe
Verdict:
Malicious activity
Analysis date:
2024-04-26 03:43:39 UTC
Tags:
risepro
Link:
https://app.any.run/tasks/f3d5d6ad-bf94-4453-a4fb-1d23115866ba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Connection attempt to an infection source
Sending a TCP request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypto lolbin overlay packed packed setupapi shell32
Link:
https://www.filescan.io/uploads/662b22c83137a4e0f3c0393c/reports/79d3e67f-c376-429c-b45b-d20439c9cf76/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/a411f79466c5b91feae82cddf2cff3cd20130cec9955bf5003f0ce1febd5143f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7ca64421-38b1-4ed6-87c6-299733192e3c
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1431969
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a411f79466c5b91feae82cddf2cff3cd20130cec9955bf5003f0ce1febd5143f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a411f79466c5b91feae82cddf2cff3cd20130cec9955bf5003f0ce1febd5143f/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2024-04-25 13:55:15 UTC
File Type:
PE (Exe)
Extracted files:
33
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uqi7pfdgyw4r72xifto7ft7tzuqbgdhmtfk36uad6dhb726vcq7q._file
Verdict:
malicious
Similar samples:
1b09e1ef7e44680e2fdd5909dbae73c46ad9d4d007f9ef077acfa102a613f908
RiseProStealer
a411f79466c5b91feae82cddf2cff3cd20130cec9955bf5003f0ce1febd5143f
RiseProStealer
b89a4e530394910333e48f5aec879e916a15034635e03927a3dd00c5eef5a189
RiseProStealer
c07572117f9dda3d61518694a205940da38d6d0baef87df01deacdefefe6fd81
RiseProStealer
d988258d31978932b5ee5f6fa1882e23734b0ca4fcfa671c4df190509a44ffc5
RiseProStealer
ebd556dfd817dc60ad8ed99fd844ea47f591c620be43b3b0f5d287ee7c919599
RiseProStealer
fee54efb01bab4e542a5ba366f53eaf6d4494bdf3b0051384569b2235ac164cc
RiseProStealer
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer trojan
Link:
https://tria.ge/reports/240426-d9xfmshf2v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.226:50500
Unpacked files
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/c65530b6-67ff-4156-b108-270c20d9f4cd/
SH256 hash:
f7077dc6d89b0d1851c5d5efcb6036087903d234b36ac0eb63f141a50ef40905
MD5 hash:
6900f79325b85b59aaa5354000ae5e12
SHA1 hash:
185221512497b1959da3390ece69778476610702
Link:
https://www.unpac.me/results/c65530b6-67ff-4156-b108-270c20d9f4cd/
SH256 hash:
6b0421be461f059948abf228abde119ae8e0ee1def413cc7c34c9a08b2e4020a
MD5 hash:
05b78413aa1dd3ef37e68185b6f16762
SHA1 hash:
00c92881bdaab5e1be265bcf64a77848a55aaa3e
Detections:
INDICATOR_EXE_Packed_MPress
Create hunting rule
Link:
https://www.unpac.me/results/c65530b6-67ff-4156-b108-270c20d9f4cd/
SH256 hash:
a411f79466c5b91feae82cddf2cff3cd20130cec9955bf5003f0ce1febd5143f
MD5 hash:
c49a9a589af8da0d09c69670b2579ab9
SHA1 hash:
51a936428711d9bd1307ffd3e75436a0e4568eb2
Detections:
INDICATOR_EXE_Packed_MPress
Create hunting rule
Link:
https://www.unpac.me/results/c65530b6-67ff-4156-b108-270c20d9f4cd/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a411f79466c5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a411f79466c5b91feae82cddf2cff3cd20130cec9955bf5003f0ce1febd5143f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:mpress_2_xx_x86
Create hunting rule
Author:Kevin Falcoz
Description:MPRESS v2.XX x86 - no .NET
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:TeslaCryptPackedMalware
Create hunting rule
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe a411f79466c5b91feae82cddf2cff3cd20130cec9955bf5003f0ce1febd5143f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2799182/
  
URLhaus
https://urlhaus.abuse.ch/url/2803455/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
DP_APIUses DP APICRYPT32.dll::CryptUnprotectData
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdipGetImageEncoders
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegQueryValueExA

Comments


Avatar
zbet commented on 2024-04-26 03:42:39 UTC

url : hxxp://5.42.66.10/download/th/Retailer_prog.exe