MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8d6c1588291d1c74901758f749a744f9785efabceb77083651aa522cf732e3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c8d6c1588291d1c74901758f749a744f9785efabceb77083651aa522cf732e3a
SHA3-384 hash: 6e6d8427de913165578366554031b3ce60c619428f8907b953fe806ae562a2ac95d223249f969b9321c29557698d7f04
SHA1 hash: 5ff2bd69a546b71b082696aea74ebb842b0ffb5b
MD5 hash: bfcbce795272ae853a343628bd213390
humanhash: mango-island-tennis-friend
File name:file
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'358'272 bytes
First seen:2024-02-10 14:08:07 UTC
Last seen:2024-02-10 14:10:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:I6awbAdh7xAUoqIdps5X5PZ/67VAWzy6jpEWn1WnLEemP:BawbAtAHy5XpZ/67vDjGPE
TLSH T16BB523CBEE01444BD60133B940C7FBBA12AEEDA1A19592CB2CDC7B1379B3E170527965
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon e0d4e8e8e8f0d4c8 (58 x RiseProStealer, 3 x Worm.Ramnit)
Reporter Bitsight
Tags:exe RiseProStealer


Avatar
Bitsight
url: http://185.215.113.46/night/micro.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
337
Origin country :
US US
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
4363463463464363463463463.exe
Verdict:
Malicious activity
Analysis date:
2024-02-10 17:45:21 UTC
Tags:
loader opendir hausbomber rhadamanthys stealer rat asyncrat remote azorult redline phorpiex trojan evasion xworm gcleaner dcrat stealc raccoon lokibot arechclient2 backdoor amadey botnet purplefox gh0st socks5systemz proxy ransomware blacknet risepro ramnit vidar
Link:
https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/475690/
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65c7838102d5be924b62197d/reports/a405d8a3-812b-480d-b4cb-c58338406fc6/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/c8d6c1588291d1c74901758f749a744f9785efabceb77083651aa522cf732e3a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/53288563-36d7-4759-af63-e1881b420f26
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1390161
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Downloads suspicious files via Chrome
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1390161 Sample: file.exe Startdate: 10/02/2024 Architecture: WINDOWS Score: 100 100 www.facebook.com 2->100 102 telemetry-incoming.r53-2.services.mozilla.com 2->102 104 16 other IPs or domains 2->104 134 Snort IDS alert for network traffic 2->134 136 Multi AV Scanner detection for domain / URL 2->136 138 Antivirus detection for URL or domain 2->138 140 8 other signatures 2->140 9 file.exe 101 2->9         started        14 MPGPH131.exe 2->14         started        16 msedge.exe 2->16         started        18 2 other processes 2->18 signatures3 process4 dnsIp5 106 185.215.113.46 WHOLESALECONNECTIONSNL Portugal 9->106 108 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 9->108 110 ipinfo.io 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 9->110 80 C:\Users\user\...\ZCcEJeUJ1FHju5wKqgzw.exe, PE32 9->80 dropped 82 C:\Users\user\...\Xl9TlMI80g_IpKaBEmpP.exe, PE32 9->82 dropped 84 C:\Users\user\...\U9AKrXjRX0czwGTBlVZj.exe, PE32 9->84 dropped 94 8 other malicious files 9->94 dropped 168 Detected unpacking (changes PE section rights) 9->168 170 Binary is likely a compiled AutoIt script file 9->170 172 Tries to steal Mail credentials (via file / registry access) 9->172 190 4 other signatures 9->190 20 GTG6uFFDeF6xu0DXBLkH.exe 9->20         started        23 ZCcEJeUJ1FHju5wKqgzw.exe 9->23         started        26 Xl9TlMI80g_IpKaBEmpP.exe 13 9->26         started        39 2 other processes 9->39 174 Antivirus detection for dropped file 14->174 176 Tries to detect sandboxes and other dynamic analysis tools (window names) 14->176 178 Machine Learning detection for dropped file 14->178 86 C:\Users\user\...\page_embed_script.js, ASCII 16->86 dropped 88 C:\Users\user\...\eventpage_bin_prod.js, ASCII 16->88 dropped 90 C:\Users\user\AppData\...\content_new.js, Unicode 16->90 dropped 92 C:\Users\user\AppData\Local\...\content.js, Unicode 16->92 dropped 180 Creates multiple autostart registry keys 16->180 182 Maps a DLL or memory area into another process 16->182 28 msedge.exe 16->28         started        31 msedge.exe 16->31         started        33 msedge.exe 16->33         started        35 identity_helper.exe 16->35         started        184 Hides threads from debuggers 18->184 186 Tries to detect sandboxes / dynamic malware analysis system (registry check) 18->186 188 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->188 37 firefox.exe 18->37         started        file6 signatures7 process8 dnsIp9 142 Detected unpacking (changes PE section rights) 20->142 144 Modifies windows update settings 20->144 146 Disables Windows Defender Tamper protection 20->146 166 3 other signatures 20->166 76 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 23->76 dropped 78 C:\ProgramData\MPGPH131\MPGPH131.exe, PE32 23->78 dropped 148 Creates multiple autostart registry keys 23->148 150 Uses schtasks.exe or at.exe to add and modify task schedules 23->150 152 Tries to evade debugger and weak emulator (self modifying code) 23->152 41 schtasks.exe 23->41         started        43 schtasks.exe 23->43         started        154 Binary is likely a compiled AutoIt script file 26->154 156 Found API chain indicative of sandbox detection 26->156 45 firefox.exe 26->45         started        49 chrome.exe 1 26->49         started        51 msedge.exe 10 26->51         started        55 10 other processes 26->55 112 bzib.nelreports.net 28->112 114 13.107.213.41 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 28->114 116 14 other IPs or domains 28->116 158 Found many strings related to Crypto-Wallets (likely being stolen) 37->158 53 firefox.exe 37->53         started        160 Multi AV Scanner detection for dropped file 39->160 162 Hides threads from debuggers 39->162 164 Tries to detect sandboxes / dynamic malware analysis system (registry check) 39->164 file10 signatures11 process12 dnsIp13 57 conhost.exe 41->57         started        59 conhost.exe 43->59         started        118 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 45->118 120 telemetry-incoming.r53-2.services.mozilla.com 34.120.208.123 GOOGLEUS United States 45->120 126 4 other IPs or domains 45->126 96 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 45->96 dropped 98 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 45->98 dropped 72 7 other processes 45->72 122 192.168.2.4 unknown unknown 49->122 124 239.255.255.250 unknown Reserved 49->124 61 chrome.exe 49->61         started        64 msedge.exe 51->64         started        66 chrome.exe 55->66         started        68 chrome.exe 55->68         started        70 chrome.exe 55->70         started        74 3 other processes 55->74 file14 process15 dnsIp16 128 ponf.linkedin.com 144.2.9.1 LINKEDINUS Netherlands 61->128 130 stun.l.google.com 108.177.122.127 GOOGLEUS United States 61->130 132 39 other IPs or domains 61->132
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c8d6c1588291d1c74901758f749a744f9785efabceb77083651aa522cf732e3a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c8d6c1588291d1c74901758f749a744f9785efabceb77083651aa522cf732e3a/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2024-02-10 14:09:06 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zdlmcwecshi4osibowhxjgtuj6lyl35lz23xba3fdkssft3tfy5a._file
Verdict:
unknown
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer
Link:
https://tria.ge/reports/240210-rf4vhseh72/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.62
Unpacked files
SH256 hash:
507b42f10f8aa9868c867d211cd15594ac57fa77e96d808ecd992378fefe6eb6
MD5 hash:
4df247379b5c2a297d28fa9f0c4b330d
SHA1 hash:
99c831397f9433bc0f7e572dc5540f6d37570c15
Link:
https://www.unpac.me/results/a3d46cdd-1826-4454-955e-8db3b8dd4e16/
SH256 hash:
c8d6c1588291d1c74901758f749a744f9785efabceb77083651aa522cf732e3a
MD5 hash:
bfcbce795272ae853a343628bd213390
SHA1 hash:
5ff2bd69a546b71b082696aea74ebb842b0ffb5b
Link:
https://www.unpac.me/results/a3d46cdd-1826-4454-955e-8db3b8dd4e16/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c8d6c1588291/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c8d6c1588291d1c74901758f749a744f9785efabceb77083651aa522cf732e3a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe c8d6c1588291d1c74901758f749a744f9785efabceb77083651aa522cf732e3a

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/475690/
  
URLhaus
https://urlhaus.abuse.ch/url/2759227/

Comments