MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9d7841834ca7a80a447b69a79fba2a3674ef043259cfa0a9f21a256aa210fe3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RiseProStealer

Vendor detections: 12

SHA256 hash: c9d7841834ca7a80a447b69a79fba2a3674ef043259cfa0a9f21a256aa210fe3
SHA3-384 hash: 2ae76e7e4a7290d281f89d44e35d36cb3fb75ee99c40611b7b07a2d9eaf0078465ea2e1a1a82b7d2e29de64b6d59dafb
SHA1 hash: b475d83b19f5059d56db2bedc135f55f13196ad7
MD5 hash: f9e426a8401b3e77627dfc1237182f9d
humanhash: massachusetts-four-stairway-crazy
File name: f9e426a8401b3e77627dfc1237182f9d
Signature: RiseProStealer
File size: 9'437'696 bytes
First seen: 2024-05-10 13:30:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d784b50e0634f83cc71436d4fb111768 (9 x RiseProStealer, 1 x RaccoonStealer)
ssdeep: 196608:4BSdTFqAhRqOg8xOIo8TVlvT2gU1QZ1lbwyfl9xR9uRLffl:4BONq+/vlL2gKELwQH9utN
TLSH: T1B3962333E3161045D0A58836B427BFF472FE0F1F8681A475D6DB6DE630EA2D5EA12A43
TrID: 56.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      11.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      9.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
      8.1% (.EXE) Win32 Executable (generic) (4504/4/1)
      3.7% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: bcb4a0b8988a84f8 (1 x RiseProStealer)
Reporter: zbetcheckin
Tags: 32 exe RiseProStealer

Intelligence


File Origin
# of uploads :
1
# of downloads :
349
Origin country :
FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c9d7841834ca7a80a447b69a79fba2a3674ef043259cfa0a9f21a256aa210fe3.exe
Verdict:
Malicious activity
Analysis date:
2024-05-10 13:36:08 UTC
Tags:
risepro

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
crypto fingerprint lolbin packed setupapi shell32
Result
Threat name:
PrivateLoader, RisePro Stealer
Detection:
malicious
Classification:
troj
Score:
80 / 100
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Snort IDS alert for network traffic
Yara detected PrivateLoader
Yara detected RisePro Stealer
Threat name:
Win32.Trojan.Privateloader
Status:
Malicious
First seen:
2024-05-10 13:31:07 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
risepro
Score:
  10/10
Tags:
family:risepro stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
RisePro
Malware Config
C2 Extraction:
5.42.96.55:50500
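The C2 socket above and the download URL in the reporter's comment at the bottom of this entry are the two network IOCs on this page. The following is an added example (not MalwareBazaar, ANY.RUN or any vendor's code) that refangs the defanged URL, normalises it to (host, port, path), and matches both IOCs against log lines; the Zeek-style connection records and proxy lines are constructed for the example, and the field layout and the match_conn/match_proxy helper names are this example's own assumptions, not anything produced by the sandbox analysis.

```python
"""Match the network IOCs from this MalwareBazaar entry against log lines.
Added example, not MalwareBazaar's or any vendor's code. The IOC values are
the ones on this page; every log line below is constructed for the example."""
import re
from urllib.parse import urlparse

# From "Malware Config / C2 Extraction" on this page.
C2_SOCKETS = {("5.42.96.55", 50500)}
# From the reporter's comment on this page (posted there defanged with hxxp).
DOWNLOAD_URLS_DEFANGED = {"hxxp://5.42.66.10/download/th/getimage12.php"}


def refang(ioc: str) -> str:
    """Undo common defanging: hxxp -> http, [.] -> ., [:] -> :."""
    ioc = re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":")


def url_key(url: str) -> tuple:
    """Normalise a URL to (host, port, path) so that an explicit ':80' or a
    trailing query string does not defeat the comparison."""
    u = urlparse(refang(url).lower())
    port = u.port or (443 if u.scheme == "https" else 80)
    return (u.hostname, port, u.path or "/")


DOWNLOAD_KEYS = {url_key(u) for u in DOWNLOAD_URLS_DEFANGED}

# Constructed Zeek conn.log-style records: ts orig_h orig_p resp_h resp_p proto
CONN_LOG = """\
1715347825.1 10.0.0.7 51234 142.250.74.110 443 tcp
1715347831.4 10.0.0.7 51240 5.42.96.55 50500 tcp
1715347833.0 10.0.0.9 51241 5.42.96.55 80 tcp
"""

# Constructed proxy log: ts client method url status
PROXY_LOG = """\
1715347820.0 10.0.0.7 GET http://5.42.66.10/download/th/getimage12.php 200
1715347822.0 10.0.0.7 GET https://example.com/ 200
1715347823.0 10.0.0.9 GET http://5.42.66.10:80/download/th/getimage12.php?x=1 200
"""


def match_conn(log: str) -> list:
    """Flag connections whose (resp_h, resp_p) is a known C2 socket."""
    hits = []
    for line in log.splitlines():
        ts, orig_h, _orig_p, resp_h, resp_p, _proto = line.split()
        if (resp_h, int(resp_p)) in C2_SOCKETS:
            hits.append({"ts": ts, "src": orig_h,
                         "ioc": f"{resp_h}:{resp_p}", "type": "c2"})
    return hits


def match_proxy(log: str) -> list:
    """Flag requests whose normalised (host, port, path) is a known download URL."""
    hits = []
    for line in log.splitlines():
        ts, client, _method, url, _status = line.split()
        if url_key(url) in DOWNLOAD_KEYS:
            hits.append({"ts": ts, "src": client, "ioc": url, "type": "download"})
    return hits


if __name__ == "__main__":
    for hit in match_conn(CONN_LOG) + match_proxy(PROXY_LOG):
        print(hit)
```

The socket match is deliberately exact, so the constructed connection to 5.42.96.55 on port 80 is not flagged: RisePro operators rotate ports more often than hosts, so a lower-severity IP-only rule alongside the exact one is a reasonable second layer. The URL comparison drops the query string, which is why the second proxy line still matches.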
Unpacked files
SHA256 hash:
0b69f0078f04b1ca90b70e6243bce73001af38a14ddb67d0dbda82a47113f271
MD5 hash:
297e933658b9c2c584a37958afa6db12
SHA1 hash:
f3f158e18fb876f961e5bf32a2b671dc435e3116
SHA256 hash:
1bc54164fe0daa4e165699c2f222ecfc85489892e621d4cdb236dc92ee9f6285
MD5 hash:
b688311471dee2735dfa83547f5f3e9c
SHA1 hash:
00c2eb862bf4d8cd77058d36b3836ae6d9fd0c51
SHA256 hash:
9bae32d86dd2b117d49264eae91fe64c94d4e4ab1970823a1998a2c624282d62
MD5 hash:
146b4c98a705b97672deb088b1acf03c
SHA1 hash:
6e0ed5bdacf1cd5b8f3ffd94739ba686e9c65642
SHA256 hash:
1f26ddb987818c9034f86713e11284f14f1e55a0e4763f9c5b35eb7e39181db1
MD5 hash:
220f5b700b91447e2b3afc267f6ca6c0
SHA1 hash:
502d2843c9eae083a1b76b2b0acd5ffa082b2de5
SHA256 hash:
c9d7841834ca7a80a447b69a79fba2a3674ef043259cfa0a9f21a256aa210fe3
MD5 hash:
f9e426a8401b3e77627dfc1237182f9d
SHA1 hash:
b475d83b19f5059d56db2bedc135f55f13196ad7
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Note that only results from TLP:CLEAR rules are displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: RiseProStealer, Executable exe c9d7841834ca7a80a447b69a79fba2a3674ef043259cfa0a9f21a256aa210fe3 (this sample)
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                         Title                                                   Severity
CHECK_AUTHENTICODE         Missing Authenticode                                    high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)  high
CHECK_NX                   Missing Non-Executable Memory Protection                critical

Reviews

ID                   Capabilities                      Evidence
DP_API               Uses DP API                       CRYPT32.dll::CryptUnprotectData
GDI_PLUS_API         Interfaces with Graphics          gdiplus.dll::GdipGetImageEncoders
SHELL_API            Manipulates System Shell          SHELL32.dll::ShellExecuteA
WIN32_PROCESS_API    Can Create Process and Threads    KERNEL32.dll::WriteProcessMemory
                                                       KERNEL32.dll::CloseHandle
WIN_BASE_API         Uses Win Base API                 KERNEL32.dll::TerminateProcess
                                                       KERNEL32.dll::LoadLibraryA
                                                       KERNEL32.dll::LoadLibraryW
                                                       KERNEL32.dll::GetSystemInfo
                                                       KERNEL32.dll::GetStartupInfoA
                                                       KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API    Can Execute other programs        KERNEL32.dll::WriteConsoleW
                                                       KERNEL32.dll::WriteConsoleA
                                                       KERNEL32.dll::SetStdHandle
                                                       KERNEL32.dll::GetConsoleOutputCP
                                                       KERNEL32.dll::GetConsoleCP
                                                       KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API      Can Create Files                  KERNEL32.dll::CreateFileW
                                                       KERNEL32.dll::CreateFileA
WIN_REG_API          Can Manipulate Windows Registry   ADVAPI32.dll::RegQueryValueExA
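The three findings in the table come from three header fields: the NX_COMPAT and HIGH_ENTROPY_VA bits in IMAGE_OPTIONAL_HEADER.DllCharacteristics, and the size of the security data directory (the Authenticode certificate table). The following added example, which is not BLint's own code, reads those fields directly with struct and reproduces the finding IDs from the table. build_header constructs two synthetic headers, one with the properties reported for this sample and one hardened x64 header, so the example runs without the sample on disk; the function and constant names are this example's own.

```python
"""Re-derive the BLint findings on this sample (CHECK_NX, CHECK_DLL_CHARACTERISTICS
for HIGH_ENTROPY_VA, CHECK_AUTHENTICODE) from the PE headers. Added example, not
BLint's code: it parses IMAGE_OPTIONAL_HEADER with struct and needs no third-party
module. The two headers it runs on are constructed here, not taken from the sample."""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits (winnt.h)
HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE = 0x0040
NX_COMPAT = 0x0100
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode certificate table


def pe_security_properties(data: bytes) -> dict:
    """Walk DOS -> COFF -> optional header and report the bits BLint checks."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, _opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32
        ndirs_off = opt + 92
    elif magic == 0x20B:        # PE32+
        ndirs_off = opt + 108
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at +70 in both the PE32 and PE32+ layouts.
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    sec_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # IMAGE_DATA_DIRECTORY is (VirtualAddress, Size); for the security
        # directory the first field is a raw file offset, not an RVA.
        _, sec_size = struct.unpack_from(
            "<II", data, ndirs_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "pe32plus": magic == 0x20B,
        "machine": machine,
        "nx_compat": bool(dllchars & NX_COMPAT),
        "dynamic_base": bool(dllchars & DYNAMIC_BASE),
        "high_entropy_va": bool(dllchars & HIGH_ENTROPY_VA),
        "authenticode": sec_size > 0,
    }


def blint_style_findings(props: dict) -> list:
    """Map the parsed properties onto the finding IDs BLint printed above."""
    findings = []
    if not props["authenticode"]:
        findings.append("CHECK_AUTHENTICODE")
    if not props["high_entropy_va"]:
        findings.append("CHECK_DLL_CHARACTERISTICS")
    if not props["nx_compat"]:
        findings.append("CHECK_NX")
    return findings


def build_header(dllchars: int, signed: bool, pe32plus: bool = False) -> bytes:
    """Construct a minimal PE header (no sections) to exercise the parser."""
    opt = bytearray(240 if pe32plus else 224)   # 112/96 fixed bytes + 16 directories
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchars)
    ndirs_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, ndirs_off, 16)
    if signed:
        # Pretend a WIN_CERTIFICATE blob lives at file offset 0x1000, 0x800 bytes long.
        struct.pack_into("<II", opt, ndirs_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         0x1000, 0x800)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, len(opt), 0x0102)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew -> PE signature right after the stub
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed 32-bit header with the properties BLint reported for this sample
# (no NX, no HIGH_ENTROPY_VA, no Authenticode) and a hardened x64 counterpart.
SAMPLE_LIKE = build_header(0, signed=False)
HARDENED = build_header(NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA, signed=True, pe32plus=True)

if __name__ == "__main__":
    for name, hdr in (("sample-like", SAMPLE_LIKE), ("hardened", HARDENED)):
        print(name, blint_style_findings(pe_security_properties(hdr)))
```

To run it on a real file, pass open(path, "rb").read() to pe_security_properties. Two caveats when reading these findings: HIGH_ENTROPY_VA only has meaning for 64-bit images, and this sample is tagged 32-bit, so CHECK_DLL_CHARACTERISTICS fires on every 32-bit binary and carries no signal here; and a non-empty security directory only says a certificate table is present, not that the signature verifies or that the signer is trustworthy, so a signed sample still needs Authenticode verification before the finding is treated as reassuring. Since the sandbox results above tag the file as packed (PrivateLoader), these header bits describe the loader, not the unpacked RisePro payload.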

Comments



zbet commented on 2024-05-10 13:30:26 UTC

url : hxxp://5.42.66.10/download/th/getimage12.php