MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab08505aa422514c152884d9348303c29c91c5191a3e77ea146cfc90ea542b92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab08505aa422514c152884d9348303c29c91c5191a3e77ea146cfc90ea542b92
SHA3-384 hash: b6b948ff5b5a8117c2d33f262b3ef1d079ef56dd26150a49173bf89615d876704484ef938bfd3185ba7764318c187b6b
SHA1 hash: 3bebc615f1d8777a7e64411d80adaa38b975df2b
MD5 hash: c7fffbee15d5fb4fafd44c29466adeae
humanhash: delta-black-item-beer
File name:c7fffbee15d5fb4fafd44c29466adeae
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'027'520 bytes
First seen:2023-11-26 09:02:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:0lX35jJPx/Geea4gCofpcglLRDzfnryHF2BM:w3fPx/D3cILRXPmHF2BM
TLSH T1CC953342A1DD8021E5BD2B7098F6266317763CE2FEB4924B171E992B5E13A40D4F273F
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
314
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/460252/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
89%
Tags:
advpack anti-vm CAB control explorer greyware installer installer lolbin lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/656309c7fb43e835e6b5c9e9/reports/2acbd47b-7224-43be-82b7-8d5a1141d46b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ab08505aa422514c152884d9348303c29c91c5191a3e77ea146cfc90ea542b92
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d67aa9a5-f9e4-49e9-b299-47acc6a04930
Result
Threat name:
PrivateLoader, RedLine, RisePro Stealer,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1347904
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to check for running processes (XOR)
Contains functionality to inject threads in other processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1347904 Sample: ysKDuWy5kS.exe Startdate: 26/11/2023 Architecture: WINDOWS Score: 100 85 ipinfo.io 2->85 109 Snort IDS alert for network traffic 2->109 111 Multi AV Scanner detection for domain / URL 2->111 113 Found malware configuration 2->113 115 14 other signatures 2->115 12 ysKDuWy5kS.exe 1 4 2->12         started        15 OfficeTrackerNMP131.exe 501 2->15         started        19 OfficeTrackerNMP131.exe 2->19         started        21 7 other processes 2->21 signatures3 process4 dnsIp5 77 C:\Users\user\AppData\Local\...\wI7qO24.exe, PE32 12->77 dropped 79 C:\Users\user\AppData\Local\...\5FM8xM9.exe, PE32 12->79 dropped 23 wI7qO24.exe 1 4 12->23         started        89 ipinfo.io 34.117.59.81, 443, 49707, 49708 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 15->89 91 Multi AV Scanner detection for dropped file 15->91 93 Contains functionality to check for running processes (XOR) 15->93 95 Tries to steal Mail credentials (via file / registry access) 15->95 101 3 other signatures 15->101 27 WerFault.exe 15->27         started        97 Tries to harvest and steal browser information (history, passwords, etc) 19->97 29 WerFault.exe 19->29         started        99 Machine Learning detection for dropped file 21->99 file6 signatures7 process8 file9 67 C:\Users\user\AppData\Local\...\yI4Yr04.exe, PE32 23->67 dropped 69 C:\Users\user\AppData\Local\...\4mK184KA.exe, PE32 23->69 dropped 131 Antivirus detection for dropped file 23->131 133 Multi AV Scanner detection for dropped file 23->133 135 Binary is likely a compiled AutoIt script file 23->135 137 Machine Learning detection for dropped file 23->137 31 yI4Yr04.exe 1 4 23->31         started        signatures10 process11 file12 81 C:\Users\user\AppData\Local\...\zS3mh13.exe, PE32 31->81 dropped 83 C:\Users\user\AppData\Local\...\3tM26Fj.exe, PE32 31->83 dropped 103 Antivirus detection for dropped file 31->103 105 Multi AV Scanner detection for dropped file 31->105 107 Machine Learning detection for dropped file 31->107 35 zS3mh13.exe 1 4 31->35         started        signatures13 process14 file15 63 C:\Users\user\AppData\Local\...\2ve1925.exe, PE32 35->63 dropped 65 C:\Users\user\AppData\Local\...\1dS08HT5.exe, PE32 35->65 dropped 117 Antivirus detection for dropped file 35->117 119 Multi AV Scanner detection for dropped file 35->119 121 Machine Learning detection for dropped file 35->121 39 1dS08HT5.exe 1 503 35->39         started        44 2ve1925.exe 35->44         started        signatures16 process17 dnsIp18 87 194.49.94.152, 19053, 49705, 49706 EQUEST-ASNL unknown 39->87 71 C:\Users\user\AppData\...\FANBooster131.exe, PE32 39->71 dropped 73 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 39->73 dropped 75 C:\ProgramData\...\OfficeTrackerNMP131.exe, PE32 39->75 dropped 139 Multi AV Scanner detection for dropped file 39->139 141 Contains functionality to check for running processes (XOR) 39->141 143 Tries to steal Mail credentials (via file / registry access) 39->143 153 5 other signatures 39->153 46 schtasks.exe 1 39->46         started        48 schtasks.exe 1 39->48         started        50 WerFault.exe 39->50         started        145 Antivirus detection for dropped file 44->145 147 Writes to foreign memory regions 44->147 149 Allocates memory in foreign processes 44->149 151 Injects a PE file into a foreign processes 44->151 52 AppLaunch.exe 44->52         started        55 AppLaunch.exe 44->55         started        57 conhost.exe 44->57         started        file19 signatures20 process21 signatures22 59 conhost.exe 46->59         started        61 conhost.exe 48->61         started        123 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 52->123 125 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 52->125 127 Found many strings related to Crypto-Wallets (likely being stolen) 55->127 129 Tries to harvest and steal browser information (history, passwords, etc) 55->129 process23
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ab08505aa422514c152884d9348303c29c91c5191a3e77ea146cfc90ea542b92
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ab08505aa422514c152884d9348303c29c91c5191a3e77ea146cfc90ea542b92/
Threat name:
Win32.Trojan.RiseProStealer
Create hunting rule
Status:
Malicious
First seen:
2023-11-26 09:03:06 UTC
File Type:
PE (Exe)
Extracted files:
175
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vmefawveejiuyfjiqtmtjaydykojdrizdi7hp2qunt6jb2sufoja._file
Verdict:
malicious
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:privateloader family:risepro loader persistence stealer
Link:
https://tria.ge/reports/231126-kz15eagb64/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Drops startup file
Executes dropped EXE
PrivateLoader
RisePro
Malware Config
C2 Extraction:
194.49.94.152
Unpacked files
SH256 hash:
94b596e1eb2cc6484458ca6c16b57381ec0767dbbbc900a98cc1033b016ae9d5
MD5 hash:
1102356f4617283415a9cd11e2b62476
SHA1 hash:
f1719167905d101a1ac8c25c567b8444ae0dcaa4
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/a5d47877-c1cf-4fee-b2b8-798667c3f751/
Parent samples :
3f3db5abfb02754f3e57374c328736c80664abea892a397018ae5e91257edae0
ab08505aa422514c152884d9348303c29c91c5191a3e77ea146cfc90ea542b92
d11147f3e5a94754d73dabb4007a05d0b0ff304971b2bd43829b48c73ff0ba47
fb715d832dc2ccdd174f5ce2c826609ce79e3091b73d85747a1d42ac6a80169c
fecd07f619fcc202c0c60384c1466762f7452360ad0fa073ef1a90d76f711f04
b5bd95eac65062b2a83cd1ce7ebabcddd34a131e01dc48f27ee75e8256d7a86b
b467f4f038aeaabd94eaa3341e578cbd36b1062a50d24098a4edebbe798f4a59
SH256 hash:
ac81cb61a39e4057a0ed03d9b5f33489c451718ada5d239217f096080ed96d7f
MD5 hash:
720413c7f3ac1c55331577e10b8bfbbd
SHA1 hash:
4229860f4c28e52053790c94001baf779e1c19f0
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/a5d47877-c1cf-4fee-b2b8-798667c3f751/
Parent samples :
3f3db5abfb02754f3e57374c328736c80664abea892a397018ae5e91257edae0
ab08505aa422514c152884d9348303c29c91c5191a3e77ea146cfc90ea542b92
fb715d832dc2ccdd174f5ce2c826609ce79e3091b73d85747a1d42ac6a80169c
fecd07f619fcc202c0c60384c1466762f7452360ad0fa073ef1a90d76f711f04
b467f4f038aeaabd94eaa3341e578cbd36b1062a50d24098a4edebbe798f4a59
SH256 hash:
dcaab7bc22fd236383a1603c18ad07227f5c775a9ad89b620dc3f12b9fbb8d3f
MD5 hash:
69002f70136e0818e0198d7b488bf192
SHA1 hash:
1e7906e6daba2efb09e623a1fbe3e0777db9d37b
Link:
https://www.unpac.me/results/a5d47877-c1cf-4fee-b2b8-798667c3f751/
SH256 hash:
ab08505aa422514c152884d9348303c29c91c5191a3e77ea146cfc90ea542b92
MD5 hash:
c7fffbee15d5fb4fafd44c29466adeae
SHA1 hash:
3bebc615f1d8777a7e64411d80adaa38b975df2b
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/a5d47877-c1cf-4fee-b2b8-798667c3f751/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ab08505aa422/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ab08505aa422514c152884d9348303c29c91c5191a3e77ea146cfc90ea542b92

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe ab08505aa422514c152884d9348303c29c91c5191a3e77ea146cfc90ea542b92

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/460252/

Comments


Avatar
zbet commented on 2023-11-26 09:02:24 UTC

url : hxxp://109.107.182.45/i/smo.exe