MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd81aacc34212fdc8bd7f0788e850e8e95cca31db5906ca926eb505cec8fcb9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd81aacc34212fdc8bd7f0788e850e8e95cca31db5906ca926eb505cec8fcb9d
SHA3-384 hash: b3fe97d27a5655ebad640ff5340241c78b2771cec0f40edaa715e65adebdd26c70f88c03503a8dde87f103aeb7a0cf9f
SHA1 hash: 009e93af086ba48f8c134cd8c157f265bf6ca43d
MD5 hash: 81298ad77dfe3db427ca6feae918ef9d
humanhash: romeo-hotel-april-white
File name:81298ad77dfe3db427ca6feae918ef9d.exe
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:6'522'368 bytes
First seen:2024-03-19 09:30:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b279e2f2b98cf3638cb7de1d8ce825da (2 x RiseProStealer)
ssdeep 196608:Ud0tUQs133oHnbI8PRlB93CIobiNcGV7E:Ud4UQq3oHnbI8PR/93obi
Threatray 1 similar samples on MalwareBazaar
TLSH T1176623537D845DC0D9BC4130866AE9BD31353EB180948AE777BA3F8E9DF3660B42784A
TrID 35.1% (.SCR) Windows screen saver (13097/50/3)
17.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.0% (.EXE) Win32 Executable (generic) (4504/4/1)
5.5% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 2cc6f9f024278e40 (1 x RiseProStealer)
Reporter abuse_ch
Tags:exe RiseProStealer


Avatar
abuse_ch
RiseProStealer C2:
217.197.107.177:50500

Intelligence

File Origin
# of uploads :
1
# of downloads :
359
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bd81aacc34212fdc8bd7f0788e850e8e95cca31db5906ca926eb505cec8fcb9d.exe
Verdict:
Malicious activity
Analysis date:
2024-03-19 09:35:28 UTC
Tags:
risepro
Link:
https://app.any.run/tasks/a184d6a9-a83b-4242-8824-36037c8044c0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Сreating synchronization primitives
Launching a process
Moving a file to the Program Files subdirectory
Replacing files
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
crypto lolbin packed risepro setupapi shell32
Link:
https://www.filescan.io/uploads/65f95b5c5cd908a33db8eae6/reports/01e376ae-f1ae-432b-a2e5-a6e2b3d32f47/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/bd81aacc34212fdc8bd7f0788e850e8e95cca31db5906ca926eb505cec8fcb9d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2c070721-0a0f-4b28-91d4-6f29d99727c5
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1411610
Signature
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bd81aacc34212fdc8bd7f0788e850e8e95cca31db5906ca926eb505cec8fcb9d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd81aacc34212fdc8bd7f0788e850e8e95cca31db5906ca926eb505cec8fcb9d/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-03-19 09:31:07 UTC
File Type:
PE (Exe)
Extracted files:
223
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xwa2vtbueex5zc6x6b4i5bior2k4ziy5wwigzkjg5nifz3epzooq._file
Verdict:
unknown
Similar samples:
bd81aacc34212fdc8bd7f0788e850e8e95cca31db5906ca926eb505cec8fcb9d
RiseProStealer
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro stealer
Link:
https://tria.ge/reports/240319-lg2tnahb2s/
Behaviour
Suspicious behavior: EnumeratesProcesses
RisePro
Malware Config
C2 Extraction:
217.197.107.177:50500
Unpacked files
SH256 hash:
a85706923a3cd5aaeed192946b64efebb40b78dbba0fe5a70bf6f3e2d52bede0
MD5 hash:
a4b6d70f07bee97279af92417163c809
SHA1 hash:
1bf3059bdb651bbd031e500ffaef7bd1bb3df2fc
Link:
https://www.unpac.me/results/44a6ae6a-7829-4403-a891-d694383b5f62/
SH256 hash:
bd81aacc34212fdc8bd7f0788e850e8e95cca31db5906ca926eb505cec8fcb9d
MD5 hash:
81298ad77dfe3db427ca6feae918ef9d
SHA1 hash:
009e93af086ba48f8c134cd8c157f265bf6ca43d
Link:
https://www.unpac.me/results/44a6ae6a-7829-4403-a891-d694383b5f62/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bd81aacc3421/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd81aacc34212fdc8bd7f0788e850e8e95cca31db5906ca926eb505cec8fcb9d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe bd81aacc34212fdc8bd7f0788e850e8e95cca31db5906ca926eb505cec8fcb9d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2757109/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2786257/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
DP_APIUses DP APICRYPT32.dll::CryptUnprotectData
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdipGetImageEncoders
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA

Comments