MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4896d52738c3fc7a4b0adbf1876580b27db1cd7e1f7a82dd0ac8f834b7d2da7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RiseProStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 6 File information Comments

SHA256 hash:	b4896d52738c3fc7a4b0adbf1876580b27db1cd7e1f7a82dd0ac8f834b7d2da7
SHA3-384 hash:	aaa785fa1bffe80955b8d87d686f1daffeebae2d65a06246d98bb0df5aaa6eec3546392cbc37055e2730b533160dfd3a
SHA1 hash:	583f82ce693324ce053fc01ca5bf99fd8831ae87
MD5 hash:	1ff5ba352b0b5720f0d42f01f1653b0d
humanhash:	angel-eight-one-social
File name:	SecuriteInfo.com.Win32.TrojanX-gen.24641.4630
Download:	download sample
Signature	RiseProStealer Create hunting rule
File size:	2'014'208 bytes
First seen:	2024-03-20 13:22:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep	24576:oAG7NcTkfzPgFB0Bim03O3553G3LBVZhapONGR3DX9S5rYT/VWQboBkrzb1ezdB5:E7ciTg0km0KrOLvzLYRS5CHQx88
Threatray	215 similar samples on MalwareBazaar
TLSH	T10195336E5FE364B9CC54BDB33563C425FB142E2108B1ED31110ADAB263B768A3BC1D96
TrID	32.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 28.9% (.EXE) Win32 Executable (generic) (4504/4/1) 13.0% (.EXE) OS/2 Executable (generic) (2029/13) 12.8% (.EXE) Generic Win/DOS Executable (2002/3) 12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	0fd6b2b29abbb90f (26 x RiseProStealer)
Reporter	SecuriteInfoCom
Tags:	exe RiseProStealer

Intelligence

File Origin

# of uploads :

# of downloads :

353

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b4896d52738c3fc7a4b0adbf1876580b27db1cd7e1f7a82dd0ac8f834b7d2da7.exe

Verdict:

Malicious activity

Analysis date:

2024-03-20 13:24:11 UTC

Tags:

risepro

Link:

https://app.any.run/tasks/d500f7bf-eeda-46cd-95b3-19b9857a38d5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.TrojanX-gen.24641.4630.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file

Launching a process

Creating a file in the %temp% directory

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Connection attempt to an infection source

Enabling autorun by creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/65fae33a87137159d44b799b/reports/45139d6f-ebb2-469e-9908-252608455afb/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/b4896d52738c3fc7a4b0adbf1876580b27db1cd7e1f7a82dd0ac8f834b7d2da7

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/dbe0ba37-dd3f-47cd-9191-ad53a092480e

Result

Threat name:

RisePro Stealer

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1412431

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Found API chain indicative of sandbox detection

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected RisePro Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b4896d52738c3fc7a4b0adbf1876580b27db1cd7e1f7a82dd0ac8f834b7d2da7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b4896d52738c3fc7a4b0adbf1876580b27db1cd7e1f7a82dd0ac8f834b7d2da7/

Threat name:

Win32.Trojan.Privateloader

Status:

Suspicious

First seen:

2024-03-20 11:18:59 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wsew2uttrq74pjfqvw7rq5sybmt5whgx4h32qloqvshygs35fwtq._file

Verdict:

malicious

RiseProStealer

434beeb8f2e19dc394fa2bba866f2e0fb70a932f4c59579799da9a3f233058a0

RiseProStealer

5628c8670baa68adc4ddff618a8c30b8532b429227a8e94433342a504c521aef

RiseProStealer

5c335665b2fb2c574235f981f7bd05586b5179084fd265b6b63a9b0feac001b5

RiseProStealer

7072ab5130e9363ddd1113da878eaf0ccd401baa90a3386af361139bf217d6a0

RiseProStealer

7328137bc001ce9b391c7a83a4e751143db72dcef460efe5393f5d6be3b2546d

RiseProStealer

7a410ea5ba07d756ef3114466cad99a49f71b433a1080c8c8fdf4c3f196a84f8

RiseProStealer

9017d75a6a7437cc78a05a96f6a773ce8427a0ca649e460d8bba434ba9a3e234

RiseProStealer

b1bb37dd8373d6658ee5d8cec09797d6a3c4ebbf7238cc7dee40945323c2827b

RiseProStealer

+ 205 additional samples on MalwareBazaar

Result

Malware family:

risepro

Score:

10/10

Tags:

family:risepro evasion stealer

Link:

https://tria.ge/reports/240320-qmskdshd69/

Behaviour

Checks BIOS information in registry

Identifies Wine through registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

RisePro

Malware Config

C2 Extraction:

193.233.132.74:58709

Unpacked files

SH256 hash:

383962f9df113ca6bba76a53996310fd317e397b0a09dc4772137cc6a71d2b45

MD5 hash:

9256394434eb3aad0dfb47445f57081a

SHA1 hash:

4be04419f401c4f6e8be705d90977afb2214b0cd

Link:

https://www.unpac.me/results/457451b4-012b-4cdf-92ee-422bc43299b8/

SH256 hash:

9865a0b00d3afa7b060eac6685ed36f1d2214cbf904ff451ec63b223bf6b1410

MD5 hash:

d0edea8daf8db93725c715e1b42ad082

SHA1 hash:

fecfc468a311b79253b35e1d7316b9d8a6e0f205

Link:

https://www.unpac.me/results/457451b4-012b-4cdf-92ee-422bc43299b8/

SH256 hash:

4bf1109d02442e73198138d0f9d0fccd52caaccf5ee5bbc89c4c583b505e8dbf

MD5 hash:

3f459b435d74cbc77fcae6c1971e2f2e

SHA1 hash:

73b48dc81d87c7d29b9fc15a8c47e755e7dafdc4

Link:

https://www.unpac.me/results/457451b4-012b-4cdf-92ee-422bc43299b8/

SH256 hash:

e728b893d5d782a215849e63fec8d5754cc4bffff527f87f4ba46f5e4e7e471b

MD5 hash:

2ca0a72401db99067e4e7bf64b200403

SHA1 hash:

be70b62af8b97f6ad4526cd7625aaba89b88e370

Link:

https://www.unpac.me/results/457451b4-012b-4cdf-92ee-422bc43299b8/

SH256 hash:

a458b34708268b75f732a3e6b503d0b43bf08912cc8aa97ff39719ee127d8a0f

MD5 hash:

8108aeeb051e627200f1fbd9a78f3b13

SHA1 hash:

78017bb93238440182fb33b7b942a4a4b2ca3687

Link:

https://www.unpac.me/results/457451b4-012b-4cdf-92ee-422bc43299b8/

SH256 hash:

7fca229797a0eb4ddd1884e2205dac85a25c62dd61eac822eee21acca4877c75

MD5 hash:

5bf8424cfef19acce596c77cb1d6d98d

SHA1 hash:

5ebb5bb40b284bd8c30641a115de6df8ccf22747

Link:

https://www.unpac.me/results/457451b4-012b-4cdf-92ee-422bc43299b8/

SH256 hash:

b4896d52738c3fc7a4b0adbf1876580b27db1cd7e1f7a82dd0ac8f834b7d2da7

MD5 hash:

1ff5ba352b0b5720f0d42f01f1653b0d

SHA1 hash:

583f82ce693324ce053fc01ca5bf99fd8831ae87

Link:

https://www.unpac.me/results/457451b4-012b-4cdf-92ee-422bc43299b8/

Malware family:

RisePro

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b4896d52738c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b4896d52738c3fc7a4b0adbf1876580b27db1cd7e1f7a82dd0ac8f834b7d2da7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	Windows_Generic_Threat_e5f4703f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

exe b4896d52738c3fc7a4b0adbf1876580b27db1cd7e1f7a82dd0ac8f834b7d2da7

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2787336/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2773532/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample