MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c24d184cdbdeff2bd7bd14e7bd5e3c6853570959fdd3b357696674cc589b188a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c24d184cdbdeff2bd7bd14e7bd5e3c6853570959fdd3b357696674cc589b188a
SHA3-384 hash: d86ee0d6b09b93fce6c0acf8dd18509c6d226d2ee084d1e018b54f295228ad67cb278228b3da46c3e172ae7db5bc91fe
SHA1 hash: 6561c08ee12b73efc30a9cb8439197de64f3fb7c
MD5 hash: f0a42f5d56ccf81b1fdeaae7320e5de1
humanhash: artist-cup-north-undress
File name:SecuriteInfo.com.Trojan.Siggen26.6766.1834.3852
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'399'232 bytes
First seen:2024-02-12 23:47:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:YtNjudw+TeIsz5y48CU+1VvWlLt0YiO7N+9k/tm5lxMTGiR9X:vCTy48CU+1VIJ0XO8uVm5/uGiH
TLSH T18EB523CF7C004157DA443B7045D2FB78032FECA9A69A50DAACDA7B97B533A161C2386D
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon e0d4e8e8e8f0d4c8 (58 x RiseProStealer, 3 x Worm.Ramnit)
Reporter SecuriteInfoCom
Tags:exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
325
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/475910/
Detection(s):
SecuriteInfo.com.Trojan.Siggen26.6766.1834.3852.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Launching a process
Creating a file in the %temp% directory
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Creating a process from a recently created file
Creating a window
Searching for the browser window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm masquerade packed
Link:
https://www.filescan.io/uploads/65caae32179f724a955043cd/reports/ae1b4894-7161-4270-b7d7-65a4ae4ecd93/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/c24d184cdbdeff2bd7bd14e7bd5e3c6853570959fdd3b357696674cc589b188a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ea8076de-adea-4b94-a215-2544e3d8ea0f
Result
Threat name:
Amadey, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1391148
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1391148 Sample: SecuriteInfo.com.Trojan.Sig... Startdate: 13/02/2024 Architecture: WINDOWS Score: 100 125 Malicious sample detected (through community Yara rule) 2->125 127 Antivirus detection for URL or domain 2->127 129 Multi AV Scanner detection for submitted file 2->129 131 5 other signatures 2->131 8 RageMP131.exe 2->8         started        12 SecuriteInfo.com.Trojan.Siggen26.6766.1834.3852.exe 2 117 2->12         started        15 MPGPH131.exe 103 2->15         started        17 9 other processes 2->17 process3 dnsIp4 87 13 other malicious files 8->87 dropped 147 Multi AV Scanner detection for dropped file 8->147 149 Detected unpacking (changes PE section rights) 8->149 151 Binary is likely a compiled AutoIt script file 8->151 153 Tries to harvest and steal browser information (history, passwords, etc) 8->153 19 BynezBIUvEAKdFl3EQiR.exe 8->19         started        22 4ir6SoqxxRBPeB915zA3.exe 8->22         started        24 YlBMpUpkumOQtQhP6rno.exe 8->24         started        107 185.215.113.46 WHOLESALECONNECTIONSNL Portugal 12->107 109 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 12->109 111 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 12->111 77 C:\Users\user\...\ylTUAIu_i092WfFI8_wn.exe, PE32 12->77 dropped 79 C:\Users\user\...\xBlK59p6ausbwdvHtodg.exe, PE32 12->79 dropped 81 C:\Users\user\...\w9uUF_mhHhdyprcOTCoh.exe, PE32 12->81 dropped 89 13 other malicious files 12->89 dropped 155 Tries to steal Mail credentials (via file / registry access) 12->155 157 Found many strings related to Crypto-Wallets (likely being stolen) 12->157 159 Found stalling execution ending in API Sleep call 12->159 169 4 other signatures 12->169 26 w9uUF_mhHhdyprcOTCoh.exe 12->26         started        28 schtasks.exe 1 12->28         started        30 schtasks.exe 1 12->30         started        35 2 other processes 12->35 83 C:\Users\user\...\xSULoNBhzMAY_z53kSJB.exe, PE32 15->83 dropped 91 12 other malicious files 15->91 dropped 161 Machine Learning detection for dropped file 15->161 163 Tries to evade debugger and weak emulator (self modifying code) 15->163 165 Hides threads from debuggers 15->165 113 142.250.105.136 GOOGLEUS United States 17->113 115 172.217.215.84 GOOGLEUS United States 17->115 117 11 other IPs or domains 17->117 85 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 17->85 dropped 93 15 other malicious files 17->93 dropped 167 Antivirus detection for dropped file 17->167 171 2 other signatures 17->171 32 msedge.exe 17->32         started        37 3 other processes 17->37 file5 signatures6 process7 dnsIp8 133 Detected unpacking (changes PE section rights) 19->133 135 Tries to detect sandboxes and other dynamic analysis tools (window names) 19->135 137 Tries to evade debugger and weak emulator (self modifying code) 19->137 139 Hides threads from debuggers 22->139 141 Tries to detect sandboxes / dynamic malware analysis system (registry check) 22->141 143 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 22->143 39 chrome.exe 24->39         started        52 4 other processes 24->52 145 Binary is likely a compiled AutoIt script file 26->145 41 chrome.exe 26->41         started        44 chrome.exe 26->44         started        46 chrome.exe 26->46         started        54 10 other processes 26->54 48 conhost.exe 28->48         started        50 conhost.exe 30->50         started        95 13.107.21.200 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 32->95 97 13.107.21.239 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 32->97 101 31 other IPs or domains 32->101 56 2 other processes 35->56 99 34.107.221.82 GOOGLEUS United States 37->99 signatures9 process10 dnsIp11 58 chrome.exe 39->58         started        103 192.168.2.5 unknown unknown 41->103 105 239.255.255.250 unknown Reserved 41->105 60 chrome.exe 41->60         started        63 chrome.exe 44->63         started        65 chrome.exe 46->65         started        67 chrome.exe 52->67         started        75 2 other processes 52->75 69 chrome.exe 54->69         started        71 msedge.exe 54->71         started        73 msedge.exe 54->73         started        process12 dnsIp13 119 13.107.42.14 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 60->119 121 144.2.9.1 LINKEDINUS Netherlands 60->121 123 37 other IPs or domains 60->123
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c24d184cdbdeff2bd7bd14e7bd5e3c6853570959fdd3b357696674cc589b188a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c24d184cdbdeff2bd7bd14e7bd5e3c6853570959fdd3b357696674cc589b188a/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-02-12 23:48:05 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yjgrqtg3337sxv55ctt32xr4nbjvockz7xj3gv3jmz2mywe3dcfa._file
Verdict:
malicious
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer
Link:
https://tria.ge/reports/240212-3teckaee4w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.62
Unpacked files
SH256 hash:
4e06d662490c4ec7c7b0b2eed7af5f4519652f4477f563a2d2d18cc00c735355
MD5 hash:
fc3bfda130f76c56cbd3a67ada8e3cea
SHA1 hash:
87b34c9ecd3b25a790ce8a40af8a316ed61dbde0
Link:
https://www.unpac.me/results/8d9498b8-45f0-4d3b-b338-ce93e04c0749/
SH256 hash:
c24d184cdbdeff2bd7bd14e7bd5e3c6853570959fdd3b357696674cc589b188a
MD5 hash:
f0a42f5d56ccf81b1fdeaae7320e5de1
SHA1 hash:
6561c08ee12b73efc30a9cb8439197de64f3fb7c
Link:
https://www.unpac.me/results/8d9498b8-45f0-4d3b-b338-ce93e04c0749/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c24d184cdbde/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c24d184cdbdeff2bd7bd14e7bd5e3c6853570959fdd3b357696674cc589b188a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_e5f4703f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe c24d184cdbdeff2bd7bd14e7bd5e3c6853570959fdd3b357696674cc589b188a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2760122/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/475910/

Comments