MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab59e6fbbb2bf296da4b96f6ff46c39a71a7829e3c1e9400ab7d3e6ffe7834e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab59e6fbbb2bf296da4b96f6ff46c39a71a7829e3c1e9400ab7d3e6ffe7834e9
SHA3-384 hash: 9de62db5bcd68e16cc7c090ff0db98d7e7eba25c1f5103954447102a66855a1dfc38e4cc0a8761b2544b150da5033005
SHA1 hash: 6f59a368a1938a9bd276e6335995f02e440f69af
MD5 hash: ddc7c729f452701a0277384511d76d0b
humanhash: bulldog-bakerloo-london-tennis
File name:ddc7c729f452701a0277384511d76d0b.exe
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'603'520 bytes
First seen:2023-12-30 15:45:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:/4MWBFF6yZ2i8f+j62RfXlrEgCz9uO1WGKKKoNYy8L5F5tPminltUyTpfnT+:WL6yH96WVrEgCzkOmZcQ3XnsyThy
Threatray 221 similar samples on MalwareBazaar
TLSH T150C5338366D10472C9F81BB194FB13C71E34FDB267A86B5F3590DB9008B3895B539B2A
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RiseProStealer


Avatar
abuse_ch
RiseProStealer C2:
http://185.172.128.79/3886d2276f6914c4.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
332
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

Win.Packed.Stealerc-10017072-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Searching for the browser window
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Blocking the Windows Defender launch
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer installer lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/65903b3b7d4bdb7f8b00d1d0/reports/c2a96db7-157a-4754-a43c-3e576d92107a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/ab59e6fbbb2bf296da4b96f6ff46c39a71a7829e3c1e9400ab7d3e6ffe7834e9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f7ab82b4-3929-4b57-991e-861f4bc0d8eb
Result
Threat name:
RisePro Stealer, SmokeLoader, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1368278
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Contains functionality to modify clipboard data
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
PE file has nameless sections
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1368278 Sample: Q3QUJLFT5h.exe Startdate: 30/12/2023 Architecture: WINDOWS Score: 100 138 rr3.sn-q4fl6nds.googlevideo.com 2->138 140 rr3.sn-q4fl6n6r.googlevideo.com 2->140 142 10 other IPs or domains 2->142 178 Snort IDS alert for network traffic 2->178 180 Antivirus detection for URL or domain 2->180 182 Antivirus detection for dropped file 2->182 184 11 other signatures 2->184 11 Q3QUJLFT5h.exe 1 4 2->11         started        14 OfficeTrackerNMP131.exe 2->14         started        17 FANBooster131.exe 2->17         started        19 6 other processes 2->19 signatures3 process4 dnsIp5 112 C:\Users\user\AppData\Local\...\aq6ja32.exe, PE32 11->112 dropped 114 C:\Users\user\AppData\Local\...\7nI5mV43.exe, PE32 11->114 dropped 22 aq6ja32.exe 1 4 11->22         started        116 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 14->116 dropped 118 C:\...\HZ0DkyX4bwvVMdxY9GnUBpIq4STZwbRh.zip, Zip 14->118 dropped 204 Antivirus detection for dropped file 14->204 206 Multi AV Scanner detection for dropped file 14->206 208 Detected unpacking (changes PE section rights) 14->208 224 3 other signatures 14->224 26 powershell.exe 14->26         started        28 powershell.exe 14->28         started        30 powershell.exe 14->30         started        38 10 other processes 14->38 120 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 17->120 dropped 122 C:\...\v3RZhEXn4jO0plw1yhjEgjoIB4mCZff5.zip, Zip 17->122 dropped 210 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->210 212 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 17->212 214 Tries to steal Mail credentials (via file / registry access) 17->214 216 Tries to harvest and steal browser information (history, passwords, etc) 17->216 32 WerFault.exe 17->32         started        144 clients1.google.com 19->144 146 clients.l.google.com 19->146 124 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 19->124 dropped 126 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 19->126 dropped 128 2 other malicious files 19->128 dropped 218 Machine Learning detection for dropped file 19->218 220 Modifies Windows Defender protection settings 19->220 222 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 19->222 34 powershell.exe 19->34         started        36 powershell.exe 19->36         started        40 12 other processes 19->40 file6 signatures7 process8 file9 104 C:\Users\user\AppData\Local\...\KW0GS79.exe, PE32 22->104 dropped 106 C:\Users\user\AppData\Local\...\6Nz3dO3.exe, PE32 22->106 dropped 190 Antivirus detection for dropped file 22->190 192 Multi AV Scanner detection for dropped file 22->192 194 Machine Learning detection for dropped file 22->194 42 KW0GS79.exe 1 4 22->42         started        46 conhost.exe 26->46         started        48 conhost.exe 28->48         started        50 conhost.exe 30->50         started        52 conhost.exe 34->52         started        54 conhost.exe 36->54         started        56 conhost.exe 38->56         started        58 8 other processes 38->58 60 10 other processes 40->60 signatures10 process11 file12 108 C:\Users\user\AppData\Local\...\5qy6UZ4.exe, PE32 42->108 dropped 110 C:\Users\user\AppData\Local\...\2UF7131.exe, PE32 42->110 dropped 196 Antivirus detection for dropped file 42->196 198 Multi AV Scanner detection for dropped file 42->198 200 Binary is likely a compiled AutoIt script file 42->200 202 Machine Learning detection for dropped file 42->202 62 5qy6UZ4.exe 21 69 42->62         started        67 2UF7131.exe 12 42->67         started        signatures13 process14 dnsIp15 158 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 62->158 160 ipinfo.io 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 62->160 130 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 62->130 dropped 132 C:\Users\user\AppData\...\FANBooster131.exe, PE32 62->132 dropped 134 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 62->134 dropped 136 2 other malicious files 62->136 dropped 162 Antivirus detection for dropped file 62->162 164 Multi AV Scanner detection for dropped file 62->164 166 Detected unpacking (changes PE section rights) 62->166 176 9 other signatures 62->176 69 cmd.exe 62->69         started        72 powershell.exe 62->72         started        74 cmd.exe 62->74         started        83 12 other processes 62->83 168 Binary is likely a compiled AutoIt script file 67->168 170 Machine Learning detection for dropped file 67->170 172 Found API chain indicative of sandbox detection 67->172 174 Contains functionality to modify clipboard data 67->174 76 chrome.exe 1 67->76         started        79 chrome.exe 67->79         started        81 chrome.exe 67->81         started        file16 signatures17 process18 dnsIp19 186 Uses schtasks.exe or at.exe to add and modify task schedules 69->186 98 2 other processes 69->98 188 Found many strings related to Crypto-Wallets (likely being stolen) 72->188 85 conhost.exe 72->85         started        100 2 other processes 74->100 154 192.168.2.4 unknown unknown 76->154 156 239.255.255.250 unknown Reserved 76->156 87 chrome.exe 76->87         started        90 chrome.exe 76->90         started        92 chrome.exe 76->92         started        94 chrome.exe 79->94         started        96 chrome.exe 81->96         started        102 11 other processes 83->102 signatures20 process21 dnsIp22 148 www3.l.google.com 142.250.113.100 GOOGLEUS United States 87->148 150 i3.ytimg.com 142.250.113.101 GOOGLEUS United States 87->150 152 45 other IPs or domains 87->152
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ab59e6fbbb2bf296da4b96f6ff46c39a71a7829e3c1e9400ab7d3e6ffe7834e9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab59e6fbbb2bf296da4b96f6ff46c39a71a7829e3c1e9400ab7d3e6ffe7834e9/
Threat name:
Win32.Spyware.Risepro
Create hunting rule
Status:
Malicious
First seen:
2023-12-30 15:46:11 UTC
File Type:
PE (Exe)
Extracted files:
202
AV detection:
19 of 23 (82.61%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vnm6n653fpzjnwsls33p6rwdtjy2pau6hqpjiaflpu7g77tygtuq._file
Verdict:
malicious
Similar samples:
44d85e7e0e05ce06956da634a3f19633f1393bf7f82f1faef84e2c4e9d57af5a
RiseProStealer
46ac37f4635f315ac0e174392855fa549410746e8826b2d3b066d2352b1d6ca4
RiseProStealer
4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1
RiseProStealer
b15800d9e86b483c3c2473e20255c247c4879c5d9305590b2eb779871bb136fb
RiseProStealer
b1fb72a02b7436b470e38efe26e869bf133c9d5fbea1b8f346847fea69cbfafd
RiseProStealer
b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a
RiseProStealer
bd09222e00af329436f92ffddb3d0b35bc2ba06142c28731a7701b1f02d035ab
RiseProStealer
d727b6a26f73dadebca9b92f00be6dbb2958a56539c8d173a106ea18e33976fd
RiseProStealer
e676efee6430e704781265aaa9f98be910d8a0897ad2b4dc2cc93d8461c2851b
RiseProStealer
+ 211 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:smokeloader backdoor persistence stealer trojan
Link:
https://tria.ge/reports/231230-s7lzfsaber/
Behaviour
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Detect Lumma Stealer payload V4
Lumma Stealer
SmokeLoader
Malware Config
C2 Extraction:
http://185.215.113.68/fks/index.php
Unpacked files
SH256 hash:
ca1345830326bc2dfa049edb3ccd89a57ce3faae637e540d373d7209526caf3a
MD5 hash:
cfb94e44ed199be189f6ca3708ab90e4
SHA1 hash:
105be7195ae8fd0d62e4ff468f30480cbbd22514
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/60494fa8-40f2-479d-a9c3-dfdafeabf4ad/
SH256 hash:
ab59e6fbbb2bf296da4b96f6ff46c39a71a7829e3c1e9400ab7d3e6ffe7834e9
MD5 hash:
ddc7c729f452701a0277384511d76d0b
SHA1 hash:
6f59a368a1938a9bd276e6335995f02e440f69af
Link:
https://www.unpac.me/results/60494fa8-40f2-479d-a9c3-dfdafeabf4ad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ab59e6fbbb2bf296da4b96f6ff46c39a71a7829e3c1e9400ab7d3e6ffe7834e9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe ab59e6fbbb2bf296da4b96f6ff46c39a71a7829e3c1e9400ab7d3e6ffe7834e9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2744391/
  
Delivery method
Distributed via web download

Comments