MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c23c8f619cc9823416ff187bb44420c6543c8b00037066c3d4192bdacb17968d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c23c8f619cc9823416ff187bb44420c6543c8b00037066c3d4192bdacb17968d
SHA3-384 hash: a71a4eaec8df838dcb14ede9ee6c588051e9684719c8094c6698c00d2b2e138f431f2ffda9f70786dbbac6bf09543d1c
SHA1 hash: 808a532166ec82e1bc15db8ebd28af229b7b97d0
MD5 hash: 46435ce1d75ad4605ad38de3b5ae620b
humanhash: whiskey-nineteen-double-xray
File name:SecuriteInfo.com.Win32.TrojanX-gen.2497.16579
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'355'200 bytes
First seen:2024-02-02 16:24:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 49152:mR6Elo7ToHnZz/OohjSsz02H+ECFLuJ8N1Lt:pEav0ZDOolD0hzL7Lt
Threatray 200 similar samples on MalwareBazaar
TLSH T10FB533E4ABB2111CC0F393B8967B6C19A6631F03D8645268D1C0F55ACFFD8B9E591F28
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4505/5/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon cc31e8cccce833cc (116 x RiseProStealer, 1 x Amadey)
Reporter SecuriteInfoCom
Tags:exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
282
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/474215/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.2497.16579.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed themidawinlicense
Link:
https://www.filescan.io/uploads/65bd175f1c125702ab386766/reports/6870b78c-dbc5-498f-bc5e-359382361ab2/overview
Verdict:
Malicious
Labled as:
Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/c23c8f619cc9823416ff187bb44420c6543c8b00037066c3d4192bdacb17968d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c19ce2a0-a29e-4b0c-bc2f-a94e2d0ebbe2
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1385715
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Downloads suspicious files via Chrome
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1385715 Sample: SecuriteInfo.com.Win32.Troj... Startdate: 02/02/2024 Architecture: WINDOWS Score: 100 84 youtube-ui.l.google.com 2->84 86 www.youtube.com 2->86 88 33 other IPs or domains 2->88 118 Snort IDS alert for network traffic 2->118 120 Antivirus detection for URL or domain 2->120 122 Antivirus / Scanner detection for submitted sample 2->122 124 6 other signatures 2->124 9 SecuriteInfo.com.Win32.TrojanX-gen.2497.16579.exe 2 112 2->9         started        14 MPGPH131.exe 7 2->14         started        16 RageMP131.exe 2->16         started        18 9 other processes 2->18 signatures3 process4 dnsIp5 100 185.215.113.68 WHOLESALECONNECTIONSNL Portugal 9->100 102 109.107.182.3, 49718, 80 TELEPORT-TV-ASRU Russian Federation 9->102 108 2 other IPs or domains 9->108 68 C:\Users\user\...\h5bBqhCCQcP1UbKpduWJ.exe, PE32 9->68 dropped 70 C:\Users\user\...\XjqnNIEXLC5keQqypyQg.exe, PE32 9->70 dropped 72 C:\Users\user\...\8GL39QPB4WwJbjo17A2E.exe, PE32 9->72 dropped 80 13 other malicious files 9->80 dropped 138 Detected unpacking (changes PE section rights) 9->138 140 Binary is likely a compiled AutoIt script file 9->140 142 Tries to steal Mail credentials (via file / registry access) 9->142 162 5 other signatures 9->162 20 h5bBqhCCQcP1UbKpduWJ.exe 9->20         started        23 7juYigr2zDtXc9qMw1qb.exe 9->23         started        25 8GL39QPB4WwJbjo17A2E.exe 9->25         started        34 4 other processes 9->34 144 Antivirus detection for dropped file 14->144 146 Multi AV Scanner detection for dropped file 14->146 148 Machine Learning detection for dropped file 14->148 150 Tries to detect sandboxes and other dynamic analysis tools (window names) 16->150 152 Tries to evade debugger and weak emulator (self modifying code) 16->152 154 Hides threads from debuggers 16->154 104 173.194.219.93 GOOGLEUS United States 18->104 106 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 18->106 110 9 other IPs or domains 18->110 74 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 18->74 dropped 76 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 18->76 dropped 78 C:\Users\user\...\service_worker_bin_prod.js, ASCII 18->78 dropped 82 4 other malicious files 18->82 dropped 156 Tries to harvest and steal browser information (history, passwords, etc) 18->156 158 Maps a DLL or memory area into another process 18->158 160 Tries to detect sandboxes / dynamic malware analysis system (registry check) 18->160 27 msedge.exe 18->27         started        30 firefox.exe 18->30         started        32 firefox.exe 18->32         started        36 3 other processes 18->36 file6 signatures7 process8 dnsIp9 126 Detected unpacking (changes PE section rights) 20->126 128 Detected unpacking (overwrites its own PE header) 20->128 130 Modifies windows update settings 20->130 136 3 other signatures 20->136 132 Binary is likely a compiled AutoIt script file 23->132 38 chrome.exe 23->38         started        41 chrome.exe 23->41         started        43 chrome.exe 23->43         started        53 9 other processes 23->53 134 Hides threads from debuggers 25->134 112 bzib.nelreports.net 27->112 114 13.107.246.41 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 27->114 116 20 other IPs or domains 27->116 45 conhost.exe 34->45         started        47 conhost.exe 34->47         started        49 conhost.exe 34->49         started        51 conhost.exe 34->51         started        signatures10 process11 dnsIp12 90 192.168.2.6, 443, 49706, 49710 unknown unknown 38->90 92 239.255.255.250 unknown Reserved 38->92 55 chrome.exe 38->55         started        58 chrome.exe 41->58         started        60 chrome.exe 43->60         started        62 msedge.exe 53->62         started        64 msedge.exe 53->64         started        66 msedge.exe 53->66         started        process13 dnsIp14 94 www.google.com 142.250.105.147 GOOGLEUS United States 55->94 96 accounts.google.com 142.250.105.84, 443, 49721, 49724 GOOGLEUS United States 55->96 98 13 other IPs or domains 55->98
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c23c8f619cc9823416ff187bb44420c6543c8b00037066c3d4192bdacb17968d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c23c8f619cc9823416ff187bb44420c6543c8b00037066c3d4192bdacb17968d/
Threat name:
Win32.Spyware.Risepro
Create hunting rule
Status:
Malicious
First seen:
2024-02-02 14:25:23 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yi6i6ym4zgbdifx7db53irbayzkdzcyaanygnq6udev5vsyxs2gq._file
Verdict:
malicious
Similar samples:
3a3490f08a118f2e2c927e3458c6d0251773127c7a03060067f79298f4a28906
RiseProStealer
5239eb589ac4d96a633db9d7031f4e04b3d07268aa42822a228a0eaa6d94c1bf
RiseProStealer
58f7f99b1c6b805f9dce823eabd9098ed96f5fb582938808e544013de6911232
RiseProStealer
5cf41546232059b45ae02f5aacccf38e7efd99e122414dbeceea2a85b16a38c1
RiseProStealer
80825adf522373ab075d5b7992982146eda44e61030d2ec7216aad7ba614fe52
RiseProStealer
cb9c4d1d3bdec4066ee2ab596cbbe4846a28130e42ffae0b0a336b26e29a8a37
RiseProStealer
e7cb9f69e8d66fa7990692922dfb473759e0c107fad7d256f875f55b36184feb
RiseProStealer
f30ab6d6ca6ef00ba665588e4170bc2619a07efbe76de6e17888004aa3e3af44
RiseProStealer
ff974573fdd859395f3e9fd808105a38390d1f99d4bb7655771c8ba7f8de3288
RiseProStealer
+ 190 additional samples on MalwareBazaar
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer
Link:
https://tria.ge/reports/240202-twx31sacd5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.62:50500
Unpacked files
SH256 hash:
3b4802acb1e46a1dc22e1e818d0483ec07692324d1489a6e12c79617549ade61
MD5 hash:
a57c38e74e65a35424502e80f4dd28f0
SHA1 hash:
cdaf391a4054e50f443ec2ecc29a2740ddb680f1
Link:
https://www.unpac.me/results/b369dd98-be97-40b4-90e5-66b2afc9971a/
SH256 hash:
c23c8f619cc9823416ff187bb44420c6543c8b00037066c3d4192bdacb17968d
MD5 hash:
46435ce1d75ad4605ad38de3b5ae620b
SHA1 hash:
808a532166ec82e1bc15db8ebd28af229b7b97d0
Link:
https://www.unpac.me/results/b369dd98-be97-40b4-90e5-66b2afc9971a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c23c8f619cc9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c23c8f619cc9823416ff187bb44420c6543c8b00037066c3d4192bdacb17968d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe c23c8f619cc9823416ff187bb44420c6543c8b00037066c3d4192bdacb17968d

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/474215/
  
URLhaus
https://urlhaus.abuse.ch/url/2755484/
  
Delivery method
Distributed via web download

Comments