MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RiseProStealer

Vendor detections: 14

SHA256 hash: b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a
SHA3-384 hash: 672f747bd27386bd3a405f9468d3d6b260825e0f6a3cbb4583d5ce2894a637206fd4eb0a92f4b4ac536d67780ed3939b
SHA1 hash: cada0b63415bfdafac480da21742d673a6f1d359
MD5 hash: f3b0179ba1f2f60ea88c4f14c4e7a829
humanhash: july-delta-burger-orange
File name: f3b0179ba1f2f60ea88c4f14c4e7a829.exe
Download: download sample
Signature: RiseProStealer
File size: 2'608'128 bytes
First seen: 2023-12-28 07:20:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 49152:VkJD9VUS2v2/czNA6XgbuzDUyjYFb1nbuZvaMba5A7e0JSkJsGdLtFprqRbFFjfr:y9ESLEzNA6XAycRpuwiPBOGdZGxFFrJh
Threatray: 586 similar samples on MalwareBazaar
TLSH: T1D6C53383F2D24161DCA423345CE927931B363D93DDB5B30B2B61A98E48E3A95347277B
TrID: 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE): (icon image not reproduced)
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: abuse_ch
Tags: exe RiseProStealer


abuse_ch
RiseProStealer C2:
195.20.16.103:20440

Intelligence


File Origin
# of uploads :
1
# of downloads :
407
Origin country :
NL NL
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Sending a custom TCP request
Creating synchronization primitives
Searching for the browser window
Searching for the window
DNS request
Sending an HTTP GET request
Blocking the Windows Defender launch
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
5/10
Confidence:
89%
Tags:
advpack anti-vm CAB control explorer installer lolbin packed rundll32 setupapi sfx shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RisePro Stealer, SmokeLoader, Vidar
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Contains functionality to modify clipboard data
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
GPT-4 Vision identified phishing page
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
PE file has a writeable .text section
PE file has nameless sections
Phishing site detected (based on logo match)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Suspicious execution chain found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph: (interactive graph not reproduced; recoverable details below)
Behavior Graph ID: 1367591
Sample: Gbm1OTFacv.exe
Start date: 28/12/2023
Architecture: WINDOWS
Score: 100
Process chain (from graph): Gbm1OTFacv.exe -> EU6Wr47.exe -> fo7Qf38.exe -> 5yN0yH9.exe and 2OC4417.exe; 5yN0yH9.exe drops FANBooster131.exe and MaxLoonaFest131.exe; OfficeTrackerNMP131.exe is also started; child processes include cmd.exe, powershell.exe, conhost.exe, chrome.exe and WerFault.exe
Dropped files (from graph): multiple PE32 executables under C:\Users\user\AppData\Local\..., sqlite3.dll (PE32), several .zip archives
Network contacts (from graph): youtube-ui.l.google.com, www.youtube.com, ipinfo.io (34.117.186.192, GOOGLE-AS-AP, United States), 193.233.132.62 (FREE-NET-AS, Russian Federation), play.google.com (142.250.113.113, GOOGLE, United States), 142.250.113.138 (GOOGLE, United States), 192.168.2.4 ports 443/49729/49730, 239.255.255.250 (reserved), plus 28 other IPs or domains
Threat name:
Win32.Spyware.Risepro
Status:
Malicious
First seen:
2023-12-28 07:21:11 UTC
File Type:
PE (Exe)
Extracted files:
202
AV detection:
16 of 22 (72.73%)
Threat level:
2/5
Result
Malware family:
Score:
10/10
Tags:
family:lumma family:smokeloader family:stealc family:zgrat botnet:up3 backdoor evasion persistence rat stealer trojan
Behaviour
Creates scheduled task(s)
Runs net.exe
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
AutoIT Executable
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Modifies Windows Firewall
Detect Lumma Stealer payload V4
Detect ZGRat V1
Lumma Stealer
SmokeLoader
Stealc
ZGRat
Malware Config
C2 Extraction:
http://185.215.113.68/fks/index.php
http://host-file-host6.com/
http://host-host-file8.com/
http://5.42.66.58
Unpacked files
SHA256 hash:
15c170b4e047bebb1437a1fa6f7529505113f0a5b220824048871f1699d68f31
MD5 hash:
57056641252f689f4608c4baca59fbf0
SHA1 hash:
7f5d65be753608a16e9decb3675755e0566a74d3
Detections:
AutoIT_Compiled
SHA256 hash:
b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a
MD5 hash:
f3b0179ba1f2f60ea88c4f14c4e7a829
SHA1 hash:
cada0b63415bfdafac480da21742d673a6f1d359
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RiseProStealer
File: Executable exe b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a (this sample)
Delivery method (detail): Distributed via web download

Comments