MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b74b718bc7d748634e8522ee94e83bf48ca66942c9f8bf88252d908910982fdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b74b718bc7d748634e8522ee94e83bf48ca66942c9f8bf88252d908910982fdd
SHA3-384 hash: 813ce933e8f15fd77fdf2252a7b354ebfc40e7465e07806a18251ac2080034246bf2871e2075616af93657fff5d35202
SHA1 hash: cf65049b306a732b4c6c931aa0a348ac55247ffb
MD5 hash: a87755c0f943036da660fcb4d94ef20d
humanhash: eleven-purple-april-johnny
File name:a87755c0f943036da660fcb4d94ef20d.exe
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:6'494'720 bytes
First seen:2024-01-04 13:35:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:Rdsae+qCYEe8Nu5/e+Nb9VE7yfmfoQXIC5cfkP93FvTARvXKnqN8ygsAHf:RmGs5/eIBO7yuoY5cEbTQCna8y6Hf
Threatray 37 similar samples on MalwareBazaar
TLSH T1C366331BEEC486ADD4650F35C89D23D65E35FE25EC352A6BA61BC48A0CF7B80402536F
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RiseProStealer


Avatar
abuse_ch
RiseProStealer C2:
103.13.209.45:4782

Intelligence

File Origin
# of uploads :
1
# of downloads :
332
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Sending a custom TCP request
Сreating synchronization primitives
Searching for the browser window
Searching for the window
DNS request
Reading critical registry keys
Blocking the Windows Defender launch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-debug anti-vm CAB control explorer installer installer lolbin monero packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/6596b444f4b6e5e1636789be/reports/399f8d7a-9119-46ce-a52f-101cada7fd4f/overview
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/b74b718bc7d748634e8522ee94e83bf48ca66942c9f8bf88252d908910982fdd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5ad3aaf4-346f-4b80-8df8-77c576ed416e
Result
Threat name:
RisePro Stealer, SmokeLoader, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1369800
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Contains functionality to modify clipboard data
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1369800 Sample: qKdraGhlzi.exe Startdate: 04/01/2024 Architecture: WINDOWS Score: 100 161 youtube-ui.l.google.com 2->161 163 www.youtube.com 2->163 165 ipinfo.io 2->165 203 Snort IDS alert for network traffic 2->203 205 Antivirus detection for URL or domain 2->205 207 Antivirus detection for dropped file 2->207 209 15 other signatures 2->209 13 qKdraGhlzi.exe 1 4 2->13         started        16 OfficeTrackerNMP131.exe 2->16         started        19 MaxLoonaFest131.exe 2->19         started        21 8 other processes 2->21 signatures3 process4 file5 133 C:\Users\user\AppData\Local\...\qY1DD17.exe, PE32 13->133 dropped 135 C:\Users\user\AppData\Local\...\6Lb0gM4.exe, PE32+ 13->135 dropped 23 qY1DD17.exe 1 4 13->23         started        137 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 16->137 dropped 139 C:\...\LgULxrjtZF48U2Mfcb2WtTMnDPkI9vk9.zip, Zip 16->139 dropped 177 Antivirus detection for dropped file 16->177 179 Multi AV Scanner detection for dropped file 16->179 181 Detected unpacking (changes PE section rights) 16->181 195 3 other signatures 16->195 27 powershell.exe 16->27         started        29 powershell.exe 16->29         started        31 powershell.exe 16->31         started        39 10 other processes 16->39 141 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 19->141 dropped 143 C:\...\7Ar1znlxOtOX3G65A3Ka8bB8btuODtKa.zip, Zip 19->143 dropped 183 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->183 185 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 19->185 187 Tries to steal Mail credentials (via file / registry access) 19->187 33 WerFault.exe 19->33         started        145 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 21->145 dropped 147 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 21->147 dropped 149 C:\...\mNpMDvsye7DnAGGt8f02AT0pybAba7Jo.zip, Zip 21->149 dropped 189 Machine Learning detection for dropped file 21->189 191 Tries to harvest and steal browser information (history, passwords, etc) 21->191 193 Modifies Windows Defender protection settings 21->193 35 powershell.exe 21->35         started        37 powershell.exe 21->37         started        41 12 other processes 21->41 signatures6 process7 file8 117 C:\Users\user\AppData\Local\...\UU4ap64.exe, PE32 23->117 dropped 119 C:\Users\user\AppData\Local\...\5up4ZQ8.exe, PE32 23->119 dropped 217 Antivirus detection for dropped file 23->217 219 Multi AV Scanner detection for dropped file 23->219 221 Machine Learning detection for dropped file 23->221 43 UU4ap64.exe 1 4 23->43         started        47 conhost.exe 27->47         started        49 conhost.exe 29->49         started        51 conhost.exe 31->51         started        53 conhost.exe 35->53         started        55 conhost.exe 37->55         started        57 conhost.exe 39->57         started        59 8 other processes 39->59 61 10 other processes 41->61 signatures9 process10 file11 129 C:\Users\user\AppData\Local\...\qV0gt70.exe, PE32 43->129 dropped 131 C:\Users\user\AppData\Local\...\4KN171Sb.exe, PE32 43->131 dropped 239 Antivirus detection for dropped file 43->239 241 Multi AV Scanner detection for dropped file 43->241 243 Machine Learning detection for dropped file 43->243 63 qV0gt70.exe 1 4 43->63         started        signatures12 process13 file14 151 C:\Users\user\AppData\Local\...\Bj0im78.exe, PE32 63->151 dropped 153 C:\Users\user\AppData\Local\...\3mS16xe.exe, PE32 63->153 dropped 197 Antivirus detection for dropped file 63->197 199 Multi AV Scanner detection for dropped file 63->199 201 Machine Learning detection for dropped file 63->201 67 Bj0im78.exe 1 4 63->67         started        signatures15 process16 file17 113 C:\Users\user\AppData\Local\...\2pT6449.exe, PE32 67->113 dropped 115 C:\Users\user\AppData\Local\...\1Ca24oY6.exe, PE32 67->115 dropped 211 Antivirus detection for dropped file 67->211 213 Binary is likely a compiled AutoIt script file 67->213 215 Machine Learning detection for dropped file 67->215 71 2pT6449.exe 21 41 67->71         started        76 1Ca24oY6.exe 12 67->76         started        signatures18 process19 dnsIp20 173 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 71->173 175 ipinfo.io 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 71->175 121 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 71->121 dropped 123 C:\Users\user\AppData\...\FANBooster131.exe, PE32 71->123 dropped 125 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 71->125 dropped 127 2 other malicious files 71->127 dropped 223 Antivirus detection for dropped file 71->223 225 Multi AV Scanner detection for dropped file 71->225 227 Detected unpacking (changes PE section rights) 71->227 237 10 other signatures 71->237 78 cmd.exe 71->78         started        81 powershell.exe 71->81         started        83 cmd.exe 71->83         started        92 13 other processes 71->92 229 Binary is likely a compiled AutoIt script file 76->229 231 Machine Learning detection for dropped file 76->231 233 Found API chain indicative of sandbox detection 76->233 235 Contains functionality to modify clipboard data 76->235 85 chrome.exe 1 76->85         started        88 chrome.exe 76->88         started        90 chrome.exe 76->90         started        file21 signatures22 process23 dnsIp24 245 Uses schtasks.exe or at.exe to add and modify task schedules 78->245 107 2 other processes 78->107 247 Found many strings related to Crypto-Wallets (likely being stolen) 81->247 94 conhost.exe 81->94         started        109 2 other processes 83->109 167 192.168.2.6 unknown unknown 85->167 169 192.168.2.17 unknown unknown 85->169 171 239.255.255.250 unknown Reserved 85->171 96 chrome.exe 85->96         started        99 chrome.exe 85->99         started        101 chrome.exe 85->101         started        103 chrome.exe 88->103         started        105 chrome.exe 90->105         started        111 11 other processes 92->111 signatures25 process26 dnsIp27 155 static.doubleclick.net 142.250.31.149 GOOGLEUS United States 96->155 157 142.251.16.102 GOOGLEUS United States 96->157 159 50 other IPs or domains 96->159
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b74b718bc7d748634e8522ee94e83bf48ca66942c9f8bf88252d908910982fdd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b74b718bc7d748634e8522ee94e83bf48ca66942c9f8bf88252d908910982fdd/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2024-01-04 13:36:07 UTC
File Type:
PE (Exe)
Extracted files:
224
AV detection:
19 of 36 (52.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w5fxdc6h25eggtufelxjj2b36sgkm2kczh4l7cbffwiiseeyf7oq._file
Verdict:
malicious
Similar samples:
320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339
RiseProStealer
46ac37f4635f315ac0e174392855fa549410746e8826b2d3b066d2352b1d6ca4
RiseProStealer
4c062e33871e165914ef7883c4c82492b2e2d4623b30e0288d3c1ac9038f1e7f
RiseProStealer
782f86bf443f1fa483250087a4176655b46e1404d3b970e64270a0d9c9c55a3e
RiseProStealer
952317229d1e77340b65639145073369a7e1a0a38718e05819c9c4791ecd5534
RiseProStealer
ac29d8bda9ae1b4a0ac054f7cbc9ef6475343d1d74e13b88b85958beb7ec8a48
RiseProStealer
cba68bf6a3d9dc7259d342c02a7b48866fed114cb1634a4b90ef401fb15c1120
RiseProStealer
cf8fc15de0b79ca65fcf8682ed6d088ee5b8b994ed71454f84fabade050d2b44
RiseProStealer
dfe53a3643313201394d6393ef46447a32968d7a8003139921f3a63996a6f683
RiseProStealer
e676efee6430e704781265aaa9f98be910d8a0897ad2b4dc2cc93d8461c2851b
RiseProStealer
+ 27 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader family:zgrat backdoor brand:google collection discovery evasion persistence phishing rat spyware stealer themida trojan
Link:
https://tria.ge/reports/240104-qv8lksbhb6/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Windows security modification
Contains code to disable Windows Defender
Detect ZGRat V1
Detected google phishing page
Modifies Windows Defender Real-time Protection settings
SmokeLoader
ZGRat
Malware Config
C2 Extraction:
http://185.215.113.68/fks/index.php
Unpacked files
SH256 hash:
a79c21bf239c475d9d666468f5771106f27f33431ff6c80f9c5904c1dc59aa1d
MD5 hash:
a99ea8af69aa691c251b1619762fa253
SHA1 hash:
dd113abdef305b9a70f904e48ec79947a8d0f7cd
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/09b09e31-b639-49d0-9bbe-5c293c341c18/
Parent samples :
b74b718bc7d748634e8522ee94e83bf48ca66942c9f8bf88252d908910982fdd
87545d25bd7ba1490287b40c178d3b75765457565caa7d27a801d8a2e21d5fd3
d18cdc223e2b6248fc289f6f4aeefd0369c34539f1a9e80aabab33de725c38fd
9c7844e137bd630f22e7d487c43be450d9c185ea7339230bef46d2decb817d4d
e3cdb09481565d89e6123cf4145a1291d7abeac808d2f19364f9a3e04c3e1ccc
SH256 hash:
077120cb94c0d1e4283f092d66c7795b9bfbabac3bda352ee9c85d8dc10dca90
MD5 hash:
a8e04cc14577608cf88bbb34ce1e99c8
SHA1 hash:
540401e1987722c3029cc5544ead7bc498c2e14f
Link:
https://www.unpac.me/results/09b09e31-b639-49d0-9bbe-5c293c341c18/
SH256 hash:
b74b718bc7d748634e8522ee94e83bf48ca66942c9f8bf88252d908910982fdd
MD5 hash:
a87755c0f943036da660fcb4d94ef20d
SHA1 hash:
cf65049b306a732b4c6c931aa0a348ac55247ffb
Link:
https://www.unpac.me/results/09b09e31-b639-49d0-9bbe-5c293c341c18/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b74b718bc7d748634e8522ee94e83bf48ca66942c9f8bf88252d908910982fdd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe b74b718bc7d748634e8522ee94e83bf48ca66942c9f8bf88252d908910982fdd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2744391/
  
Delivery method
Distributed via web download

Comments