MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b67b70028070fdde4beb0e0f0a45c29201b119c8b126fd7dccdf9f8629eabdc7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b67b70028070fdde4beb0e0f0a45c29201b119c8b126fd7dccdf9f8629eabdc7
SHA3-384 hash: 1f294107057f4683416f1e88188e2c323848f7953a178cf05c15dcfbc74f53d11d28f9984c2fd099eddf14f69639b5b4
SHA1 hash: 87f02e09c5b2f98cc5ff3c57e0088c225803d5f3
MD5 hash: 91f52f26984352e3767ea204305361fe
humanhash: juliet-sad-lamp-princess
File name:91f52f26984352e3767ea204305361fe
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'338'816 bytes
First seen:2024-02-04 23:11:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:osE/CdKEl0Lk2+qibePHiBxC1RhgMeF5YJx5rTofbey1MXBv+Vwp:os8CsFLk2+qibe8A1Rhc5YJHoj9c
TLSH T1E9B533F129364288E243077B76157A855C23FE83E922157D3419FAF26BFE2F26245F09
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon cc31e8cccce833cc (116 x RiseProStealer, 1 x Amadey)
Reporter zbetcheckin
Tags:32 exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
523
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/474547/
Detection(s):
Win.Packed.Trojanx-10020211-0
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65c019c31a072d565265c4c8/reports/4b816ad4-8d17-4cb3-b8dc-10a461b3ace0/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/b67b70028070fdde4beb0e0f0a45c29201b119c8b126fd7dccdf9f8629eabdc7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c9a67b86-8146-4892-bf0f-6dd22912aaf7
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1386431
Signature
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Downloads suspicious files via Chrome
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1386431 Sample: r1cE8H161I.exe Startdate: 05/02/2024 Architecture: WINDOWS Score: 100 80 prod.detectportal.prod.cloudops.mozgcp.net 2->80 82 ipv4only.arpa 2->82 84 5 other IPs or domains 2->84 114 Snort IDS alert for network traffic 2->114 116 Multi AV Scanner detection for domain / URL 2->116 118 Antivirus detection for URL or domain 2->118 120 7 other signatures 2->120 9 r1cE8H161I.exe 1 108 2->9         started        14 MPGPH131.exe 99 2->14         started        16 RageMP131.exe 2->16         started        18 6 other processes 2->18 signatures3 process4 dnsIp5 96 109.107.182.3 TELEPORT-TV-ASRU Russian Federation 9->96 98 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 9->98 100 ipinfo.io 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 9->100 64 C:\Users\user\...\kPaVnBDQCixU3IL1g1dH.exe, PE32 9->64 dropped 66 C:\Users\user\...\hBhc8d0x1PCcIijE10Tl.exe, PE32 9->66 dropped 68 C:\Users\user\...\2kRvrvAD9PcKncfgIXJa.exe, PE32 9->68 dropped 76 8 other malicious files 9->76 dropped 142 Detected unpacking (changes PE section rights) 9->142 144 Binary is likely a compiled AutoIt script file 9->144 146 Tries to steal Mail credentials (via file / registry access) 9->146 164 2 other signatures 9->164 20 2kRvrvAD9PcKncfgIXJa.exe 9->20         started        23 hBhc8d0x1PCcIijE10Tl.exe 9->23         started        25 1h2fdaF26L2K0c3vlrXa.exe 9->25         started        34 3 other processes 9->34 148 Multi AV Scanner detection for dropped file 14->148 150 Machine Learning detection for dropped file 14->150 152 Found many strings related to Crypto-Wallets (likely being stolen) 14->152 154 Tries to evade debugger and weak emulator (self modifying code) 16->154 156 Hides threads from debuggers 16->156 158 Tries to detect sandboxes / dynamic malware analysis system (registry check) 16->158 102 18.160.60.125 MIT-GATEWAYSUS United States 18->102 104 108.177.122.136 GOOGLEUS United States 18->104 106 17 other IPs or domains 18->106 70 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 18->70 dropped 72 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 18->72 dropped 74 4C863284CDA7F859EB300BED16DBCEF9517F1824, DOS 18->74 dropped 78 5 other malicious files 18->78 dropped 160 Tries to harvest and steal browser information (history, passwords, etc) 18->160 162 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->162 27 firefox.exe 18->27         started        29 msedge.exe 18->29         started        32 msedge.exe 18->32         started        36 7 other processes 18->36 file6 signatures7 process8 dnsIp9 122 Multi AV Scanner detection for dropped file 20->122 124 Detected unpacking (changes PE section rights) 20->124 126 Detected unpacking (overwrites its own PE header) 20->126 138 4 other signatures 20->138 128 Tries to detect sandboxes and other dynamic analysis tools (window names) 23->128 130 Tries to evade debugger and weak emulator (self modifying code) 23->130 132 Hides threads from debuggers 23->132 140 2 other signatures 23->140 134 Binary is likely a compiled AutoIt script file 25->134 38 chrome.exe 25->38         started        41 chrome.exe 25->41         started        43 chrome.exe 25->43         started        49 9 other processes 25->49 136 Found many strings related to Crypto-Wallets (likely being stolen) 27->136 108 13.107.213.41 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 29->108 110 13.107.22.239 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 29->110 112 27 other IPs or domains 29->112 45 conhost.exe 34->45         started        47 conhost.exe 34->47         started        signatures10 process11 dnsIp12 92 192.168.2.5 unknown unknown 38->92 94 239.255.255.250 unknown Reserved 38->94 51 chrome.exe 38->51         started        54 chrome.exe 41->54         started        56 chrome.exe 43->56         started        58 msedge.exe 49->58         started        60 msedge.exe 49->60         started        62 msedge.exe 49->62         started        process13 dnsIp14 86 108.177.122.102 GOOGLEUS United States 51->86 88 www.google.com 142.250.105.106 GOOGLEUS United States 51->88 90 20 other IPs or domains 51->90
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b67b70028070fdde4beb0e0f0a45c29201b119c8b126fd7dccdf9f8629eabdc7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b67b70028070fdde4beb0e0f0a45c29201b119c8b126fd7dccdf9f8629eabdc7/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2024-02-04 23:12:06 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wz5xaauaod654s7lbyhqurocsia3cgoiwetp27om36pymkpkxxdq._file
Verdict:
unknown
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer
Link:
https://tria.ge/reports/240204-26tgksfabl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.62:50500
Unpacked files
SH256 hash:
b7fc36f635fc37c8f3cfdcbe3a0759a4690467f7cfabc574015d6c25177ebdb8
MD5 hash:
57eac487c45c98be904177a7d47cd9ba
SHA1 hash:
eec126803908c595dd6efd741ff5b7aaefc33b6c
Link:
https://www.unpac.me/results/c691b7b9-d018-42d0-87d7-a3200f360cdc/
SH256 hash:
b67b70028070fdde4beb0e0f0a45c29201b119c8b126fd7dccdf9f8629eabdc7
MD5 hash:
91f52f26984352e3767ea204305361fe
SHA1 hash:
87f02e09c5b2f98cc5ff3c57e0088c225803d5f3
Link:
https://www.unpac.me/results/c691b7b9-d018-42d0-87d7-a3200f360cdc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b67b70028070/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b67b70028070fdde4beb0e0f0a45c29201b119c8b126fd7dccdf9f8629eabdc7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe b67b70028070fdde4beb0e0f0a45c29201b119c8b126fd7dccdf9f8629eabdc7

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/474547/
  
URLhaus
https://urlhaus.abuse.ch/url/2756765/

Comments


Avatar
zbet commented on 2024-02-04 23:11:35 UTC

url : hxxp://109.107.182.38/retro/dota.exe