MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb108cedd665fe2340d78ead74e8c9d3a8c03d1298c37bde34750fa252ff62d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb108cedd665fe2340d78ead74e8c9d3a8c03d1298c37bde34750fa252ff62d2
SHA3-384 hash: 134dc742304381f23fbef7dbc6d5d137a37d1be899812713a73ab82321f1560db89dac59196b0037811e1e1e6626ed23
SHA1 hash: 43e722df4cfa574560a34aae19b621251a1099f9
MD5 hash: 3a88c91fcb450823a8e9ee5573d81ce7
humanhash: steak-delta-river-washington
File name:file
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:1'195'520 bytes
First seen:2024-01-27 10:13:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5ab723dc8d5af21b79dc301ed6a56a64 (49 x RiseProStealer, 1 x Amadey)
ssdeep 24576:XylDG6+YPHJ9l8UZ/HC/a7pnhY7Z+wQHN2K3yWds0JkKyVY/4gXZ:XKDZ6UZP4V+l8adsLqD
TLSH T1EB4533BE660B4755C14804F79DE8E5326EF8BDF0A29DA91F6E1F229401A50DE3363CC6
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4505/5/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
Reporter Bitsight
Tags:exe RiseProStealer


Avatar
Bitsight
url: http://185.215.113.68/mine/stan.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
371
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/473173/
Detection(s):
PUA.Win.Packer.EnigmaProtector-12
Create hunting rule

PUA.Win.Packer.EnigmaProtector-5
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Win.Trojan.Scar-6903585-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a file
Launching a process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
crypto enigma lolbin obfuscated packed packed setupapi shell32
Link:
https://www.filescan.io/uploads/65b4d76b0eab2d1605447daf/reports/14f13b48-b03a-4e6f-862b-59d109c0da47/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/cb108cedd665fe2340d78ead74e8c9d3a8c03d1298c37bde34750fa252ff62d2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e7c7c208-9d97-48df-b513-12dbadd48811
Result
Threat name:
Amadey, LummaC Stealer, RedLine, RisePro
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1382089
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to check for running processes (XOR)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject threads in other processes
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
DNS related to crypt mining pools
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected Stealc
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1382089 Sample: file.exe Startdate: 27/01/2024 Architecture: WINDOWS Score: 100 110 zeph-eu2.nanopool.org 2->110 112 pastebin.com 2->112 114 51 other IPs or domains 2->114 144 Snort IDS alert for network traffic 2->144 146 Multi AV Scanner detection for domain / URL 2->146 148 Found malware configuration 2->148 154 15 other signatures 2->154 10 RageMP131.exe 94 2->10         started        15 file.exe 2 10 2->15         started        17 MPGPH131.exe 2 2->17         started        19 4 other processes 2->19 signatures3 150 DNS related to crypt mining pools 110->150 152 Connects to a pastebin service (likely for C&C) 112->152 process4 dnsIp5 134 185.215.113.68, 49746, 80 WHOLESALECONNECTIONSNL Portugal 10->134 136 109.107.182.3, 49745, 80 TELEPORT-TV-ASRU Russian Federation 10->136 98 C:\Users\user\...\lxwKgBnA9CCNxvx9nYo4.exe, PE32 10->98 dropped 100 C:\Users\user\...\bGaErQR02RUgChnTvFYz.exe, PE32 10->100 dropped 102 C:\Users\user\...\MMwnlzjeeTiII5f6rdFF.exe, PE32 10->102 dropped 108 8 other malicious files 10->108 dropped 180 Binary is likely a compiled AutoIt script file 10->180 182 Tries to steal Mail credentials (via file / registry access) 10->182 184 Found many strings related to Crypto-Wallets (likely being stolen) 10->184 21 JLHaZoLOytSW0WYOGkgZ.exe 10->21         started        25 MMwnlzjeeTiII5f6rdFF.exe 10->25         started        27 4XSy0EeR1j1b6ey0hyuS.exe 13 10->27         started        33 2 other processes 10->33 138 193.233.132.62, 49728, 49729, 49730 FREE-NET-ASFREEnetEU Russian Federation 15->138 104 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 15->104 dropped 106 C:\ProgramData\MPGPH131\MPGPH131.exe, PE32 15->106 dropped 186 Detected unpacking (changes PE section rights) 15->186 188 Contains functionality to check for running processes (XOR) 15->188 190 Creates multiple autostart registry keys 15->190 200 2 other signatures 15->200 29 schtasks.exe 1 15->29         started        31 schtasks.exe 1 15->31         started        140 ipinfo.io 34.117.186.192, 443, 49732, 49739 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 17->140 192 Multi AV Scanner detection for dropped file 17->192 194 Machine Learning detection for dropped file 17->194 196 Contains functionality to inject threads in other processes 17->196 142 127.0.0.1 unknown unknown 19->142 198 Hides threads from debuggers 19->198 file6 signatures7 process8 file9 88 C:\Users\user\AppData\Local\...\explorhe.exe, PE32 21->88 dropped 166 Detected unpacking (changes PE section rights) 21->166 35 explorhe.exe 21->35         started        90 C:\Users\user\...\voYQUFetMI0mCawl7fug.exe, PE32 25->90 dropped 92 C:\Users\user\...\qff6yfREXrbsybdCTAS3.exe, PE32 25->92 dropped 94 C:\Users\user\...\iqAyzKJB5kdgVe8Rjq2P.exe, PE32 25->94 dropped 96 8 other malicious files 25->96 dropped 168 Tries to steal Mail credentials (via file / registry access) 25->168 170 Found many strings related to Crypto-Wallets (likely being stolen) 25->170 172 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 25->172 178 2 other signatures 25->178 174 Multi AV Scanner detection for dropped file 27->174 176 Binary is likely a compiled AutoIt script file 27->176 40 msedge.exe 27->40         started        42 firefox.exe 27->42         started        44 chrome.exe 27->44         started        50 9 other processes 27->50 46 conhost.exe 29->46         started        48 conhost.exe 31->48         started        signatures10 process11 dnsIp12 116 185.172.128.19 NADYMSS-ASRU Russian Federation 35->116 80 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 35->80 dropped 82 C:\Users\user\AppData\Local\Temp\...\stan.exe, PE32 35->82 dropped 84 C:\Users\user\AppData\...\latestrocki.exe, PE32 35->84 dropped 86 15 other malicious files 35->86 dropped 158 Detected unpacking (changes PE section rights) 35->158 160 Creates an undocumented autostart registry key 35->160 162 Creates multiple autostart registry keys 35->162 164 Hides threads from debuggers 35->164 52 rundll32.exe 35->52         started        55 schtasks.exe 35->55         started        57 msedge.exe 40->57         started        68 2 other processes 40->68 60 firefox.exe 42->60         started        118 239.255.255.250 unknown Reserved 44->118 62 chrome.exe 44->62         started        64 chrome.exe 50->64         started        66 chrome.exe 50->66         started        70 4 other processes 50->70 file13 signatures14 process15 dnsIp16 156 System process connects to network (likely due to code injection or exploit) 52->156 72 conhost.exe 55->72         started        120 bzib.nelreports.net 57->120 122 googlehosted.l.googleusercontent.com 142.250.9.132 GOOGLEUS United States 57->122 130 13 other IPs or domains 57->130 124 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 60->124 74 firefox.exe 60->74         started        76 firefox.exe 60->76         started        78 firefox.exe 60->78         started        126 142.250.105.119 GOOGLEUS United States 62->126 128 youtube-ui.l.google.com 142.251.15.190 GOOGLEUS United States 62->128 132 10 other IPs or domains 62->132 signatures17 process18
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cb108cedd665fe2340d78ead74e8c9d3a8c03d1298c37bde34750fa252ff62d2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb108cedd665fe2340d78ead74e8c9d3a8c03d1298c37bde34750fa252ff62d2/
Threat name:
Win32.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2024-01-27 10:14:06 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zmiiz3owmx7cgqgxr2wxj2gj2oumapistdbxxxruouh2eux7mlja._file
Verdict:
malicious
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro stealer
Link:
https://tria.ge/reports/240127-l9mv7sbgeq/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
RisePro
Malware Config
C2 Extraction:
193.233.132.62:50500
Unpacked files
SH256 hash:
cb108cedd665fe2340d78ead74e8c9d3a8c03d1298c37bde34750fa252ff62d2
MD5 hash:
3a88c91fcb450823a8e9ee5573d81ce7
SHA1 hash:
43e722df4cfa574560a34aae19b621251a1099f9
Detections:
SUSP_XORed_URL_In_EXE
Create hunting rule
Link:
https://www.unpac.me/results/e3550130-9d5b-41f7-b589-8f0da9c1ae43/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb108cedd665fe2340d78ead74e8c9d3a8c03d1298c37bde34750fa252ff62d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:EnigmaProtector1XSukhovVladimirSergeNMarkin
Create hunting rule
Author:malware-lu
Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_e5f4703f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe cb108cedd665fe2340d78ead74e8c9d3a8c03d1298c37bde34750fa252ff62d2

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2751089/
Cape
Cape
https://www.capesandbox.com/analysis/473173/

Comments