MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc7ad818e9d4037c72b8cafeee214ecf2f6fe6c9af43ebfa221fb68cc7b5f966. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc7ad818e9d4037c72b8cafeee214ecf2f6fe6c9af43ebfa221fb68cc7b5f966
SHA3-384 hash: dc522c1d6bbaeeda81a2e03330adcd5b3af8f0b2c54b6d10b811651baa3cca4a161c6d12207b358d29a74c6386df111f
SHA1 hash: 5ab7be40aae923dea562fb2f57891080eeb8bf97
MD5 hash: 3a9c8dc060b839403dcfc8a72d29defd
humanhash: don-pizza-montana-vegan
File name:3a9c8dc060b839403dcfc8a72d29defd.exe
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:4'425'216 bytes
First seen:2024-01-06 02:05:06 UTC
Last seen:2024-01-07 04:09:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:y+fpyz2UiyoOXzQznVsyN82L3YJXgX5/Knq6zLRx:Dpy7iyoOjQziyN82DYJXwpKn7nH
TLSH T1BA26339AA7D44574C4765B7228E346C34722FE3095F6A3672BBEA50C1DB38A25C33723
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RiseProStealer


Avatar
abuse_ch
RiseProStealer C2:
91.92.247.99:46554

Intelligence

File Origin
# of uploads :
2
# of downloads :
351
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/469693/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Searching for the browser window
DNS request
Sending a custom TCP request
Reading critical registry keys
Launching a service
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Running batch commands
Unauthorized injection to a recently created process
Blocking the Windows Defender launch
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
89%
Tags:
advpack anti-vm CAB control explorer installer installer lolbin lolbin obfuscated packed risepro rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/6598b58bfd5068bbc3c6e257/reports/d152c11e-fa49-4dd9-96dd-730aaaa6f4c5/overview
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/cc7ad818e9d4037c72b8cafeee214ecf2f6fe6c9af43ebfa221fb68cc7b5f966
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6720bbba-a79a-41cb-ab62-de68d1f815b8
Result
Threat name:
LummaC, Amadey, LummaC Stealer, RedLine,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1370677
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Contains functionality to modify clipboard data
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops PE files to the user root directory
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Windows Defender protection settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Suspicious execution chain found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1370677 Sample: grekjJu4PM.exe Startdate: 06/01/2024 Architecture: WINDOWS Score: 100 187 recessionconceptjetwe.pw 2->187 189 politefrightenpowoa.pw 2->189 191 5 other IPs or domains 2->191 243 Snort IDS alert for network traffic 2->243 245 Multi AV Scanner detection for domain / URL 2->245 247 Malicious sample detected (through community Yara rule) 2->247 249 19 other signatures 2->249 13 grekjJu4PM.exe 1 4 2->13         started        16 OfficeTrackerNMP131.exe 2->16         started        19 MaxLoonaFest131.exe 2->19         started        21 9 other processes 2->21 signatures3 process4 file5 157 C:\Users\user\AppData\Local\...\Lm3NB63.exe, PE32 13->157 dropped 159 C:\Users\user\AppData\Local\...\6dt0iT0.exe, PE32 13->159 dropped 23 Lm3NB63.exe 1 4 13->23         started        161 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 16->161 dropped 221 Multi AV Scanner detection for dropped file 16->221 223 Machine Learning detection for dropped file 16->223 225 Modifies Windows Defender protection settings 16->225 27 powershell.exe 16->27         started        29 powershell.exe 16->29         started        39 11 other processes 16->39 163 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 19->163 dropped 227 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 19->227 31 conhost.exe 19->31         started        165 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 21->165 dropped 167 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 21->167 dropped 169 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 21->169 dropped 171 2 other malicious files 21->171 dropped 229 Hides threads from debuggers 21->229 33 powershell.exe 21->33         started        35 powershell.exe 21->35         started        37 powershell.exe 21->37         started        41 14 other processes 21->41 signatures6 process7 file8 149 C:\Users\user\AppData\Local\...\Rb3sH52.exe, PE32 23->149 dropped 151 C:\Users\user\AppData\Local\...\5id6CC5.exe, PE32 23->151 dropped 285 Antivirus detection for dropped file 23->285 287 Binary is likely a compiled AutoIt script file 23->287 289 Machine Learning detection for dropped file 23->289 43 Rb3sH52.exe 1 4 23->43         started        47 conhost.exe 27->47         started        49 conhost.exe 29->49         started        51 conhost.exe 33->51         started        53 conhost.exe 35->53         started        55 conhost.exe 37->55         started        59 10 other processes 39->59 57 conhost.exe 41->57         started        61 8 other processes 41->61 signatures9 process10 file11 153 C:\Users\user\AppData\Local\...\cN5Rh86.exe, PE32 43->153 dropped 155 C:\Users\user\AppData\Local\...\4Ut851dI.exe, PE32 43->155 dropped 293 Antivirus detection for dropped file 43->293 295 Machine Learning detection for dropped file 43->295 63 4Ut851dI.exe 43->63         started        67 cN5Rh86.exe 1 4 43->67         started        signatures12 process13 file14 181 C:\Users\user\AppData\Local\...\explorhe.exe, PE32 63->181 dropped 231 Antivirus detection for dropped file 63->231 233 Multi AV Scanner detection for dropped file 63->233 235 Detected unpacking (changes PE section rights) 63->235 237 Hides threads from debuggers 63->237 69 explorhe.exe 63->69         started        183 C:\Users\user\AppData\Local\...\2cD4503.exe, PE32 67->183 dropped 185 C:\Users\user\AppData\Local\...\1uT83YZ4.exe, PE32 67->185 dropped 239 Binary is likely a compiled AutoIt script file 67->239 241 Machine Learning detection for dropped file 67->241 74 2cD4503.exe 21 16 67->74         started        76 1uT83YZ4.exe 12 67->76         started        signatures15 process16 dnsIp17 211 185.215.113.68, 49789, 49790, 49795 WHOLESALECONNECTIONSNL Portugal 69->211 213 77.91.68.21, 49797, 49800, 80 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 69->213 215 cdn.discordapp.com 162.159.130.233, 443, 49792 CLOUDFLARENETUS United States 69->215 133 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 69->133 dropped 135 C:\Users\user\AppData\Local\Temp\...\rise.exe, PE32 69->135 dropped 137 C:\Users\user\AppData\...\R83RL20231230.exe, PE32 69->137 dropped 147 7 other malicious files 69->147 dropped 263 Multi AV Scanner detection for dropped file 69->263 265 Detected unpacking (changes PE section rights) 69->265 267 Creates an undocumented autostart registry key 69->267 269 Hides threads from debuggers 69->269 78 Setup1234.exe 69->78         started        82 ev.exe 69->82         started        85 rise.exe 69->85         started        95 3 other processes 69->95 217 193.233.132.62, 49772, 49791, 49801 FREE-NET-ASFREEnetEU Russian Federation 74->217 219 ipinfo.io 34.117.186.192, 443, 49785, 49794 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 74->219 139 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 74->139 dropped 141 C:\Users\user\AppData\...\FANBooster131.exe, PE32 74->141 dropped 143 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 74->143 dropped 145 C:\ProgramData\...\OfficeTrackerNMP131.exe, PE32 74->145 dropped 271 Machine Learning detection for dropped file 74->271 273 Found many strings related to Crypto-Wallets (likely being stolen) 74->273 275 Creates multiple autostart registry keys 74->275 283 4 other signatures 74->283 87 powershell.exe 23 74->87         started        89 cmd.exe 74->89         started        91 powershell.exe 74->91         started        97 12 other processes 74->97 277 Binary is likely a compiled AutoIt script file 76->277 279 Found API chain indicative of sandbox detection 76->279 281 Contains functionality to modify clipboard data 76->281 93 chrome.exe 1 76->93         started        file18 signatures19 process20 dnsIp21 175 C:\Users\user\cwLextTbveUVQxu.pdf, PE32 78->175 dropped 177 C:\Users\user\KsEXoFizibsxksL.pdf, PE32 78->177 dropped 297 Multi AV Scanner detection for dropped file 78->297 299 Drops PE files to the user root directory 78->299 317 3 other signatures 78->317 109 2 other processes 78->109 193 i.ibb.co 104.243.38.202, 443, 49798 RELIABLESITEUS United States 82->193 301 Antivirus detection for dropped file 82->301 303 Machine Learning detection for dropped file 82->303 319 3 other signatures 82->319 99 AddInProcess32.exe 82->99         started        179 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 85->179 dropped 321 2 other signatures 85->321 112 13 other processes 85->112 305 Found many strings related to Crypto-Wallets (likely being stolen) 87->305 103 conhost.exe 87->103         started        307 Uses schtasks.exe or at.exe to add and modify task schedules 89->307 105 schtasks.exe 89->105         started        107 conhost.exe 91->107         started        195 192.168.2.4, 443, 49672, 49723 unknown unknown 93->195 197 239.255.255.250 unknown Reserved 93->197 114 3 other processes 93->114 199 91.92.247.99 THEZONEBG Bulgaria 95->199 309 System process connects to network (likely due to code injection or exploit) 95->309 311 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 95->311 313 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 95->313 315 Tries to steal Crypto Currency Wallets 95->315 116 2 other processes 95->116 118 11 other processes 97->118 file22 signatures23 process24 dnsIp25 201 recessionconceptjetwe.pw 172.67.187.94 CLOUDFLARENETUS United States 99->201 251 Query firmware table information (likely to detect VMs) 99->251 253 Found many strings related to Crypto-Wallets (likely being stolen) 99->253 255 Tries to harvest and steal browser information (history, passwords, etc) 99->255 257 Tries to steal Crypto Currency Wallets 99->257 203 95.217.236.92 HETZNER-ASDE Germany 109->203 173 C:\Users\user\AppData\Local\...\qemu-ga.exe, PE32 109->173 dropped 259 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 109->259 261 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 109->261 120 qemu-ga.exe 109->120         started        123 conhost.exe 109->123         started        125 conhost.exe 112->125         started        127 conhost.exe 112->127         started        129 conhost.exe 112->129         started        131 9 other processes 112->131 205 142.250.64.110, 443, 49779, 49787 GOOGLEUS United States 114->205 207 142.250.65.164, 443, 49776 GOOGLEUS United States 114->207 209 8 other IPs or domains 114->209 file26 signatures27 process28 signatures29 291 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 120->291
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cc7ad818e9d4037c72b8cafeee214ecf2f6fe6c9af43ebfa221fb68cc7b5f966
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc7ad818e9d4037c72b8cafeee214ecf2f6fe6c9af43ebfa221fb68cc7b5f966/
Threat name:
ByteCode-MSIL.Trojan.RiseProStealer
Create hunting rule
Status:
Malicious
First seen:
2024-01-06 02:06:08 UTC
File Type:
PE (Exe)
Extracted files:
203
AV detection:
21 of 37 (56.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zr5nqghj2qbxy4vyzl7o4ikoz4xw7zwjv5b6x6rcd63izr5v7fta._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
brand:google evasion persistence phishing trojan
Link:
https://tria.ge/reports/240106-cjebpsefdk/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
AutoIT Executable
Adds Run key to start application
Drops startup file
Executes dropped EXE
Loads dropped DLL
Windows security modification
Detected google phishing page
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
e95ab2cad49c84d94004b3dc7eb7f88641d8c844f26ce221b7877895bb82f451
MD5 hash:
7e07cd0368c4da06108b564763fa7aad
SHA1 hash:
5d6820588d569937801b15f24ac1f0df99d97d13
Detections:
INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Link:
https://www.unpac.me/results/af23ed9e-7dd1-4174-8d1b-3af620e186b9/
SH256 hash:
dc679456b2a3fe33b40bb4b3122280366aedcce4c986452b0199b0aa45c34d17
MD5 hash:
307e7d9eeb05c4ca074c2360b0a73c22
SHA1 hash:
2f07700f36d5ffe717a838a181d1000d2249ca7c
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/af23ed9e-7dd1-4174-8d1b-3af620e186b9/
Parent samples :
cc7ad818e9d4037c72b8cafeee214ecf2f6fe6c9af43ebfa221fb68cc7b5f966
ea0e1edd416c2080d13fffc20ab4648156e4acf792d13f2dd9286a0a2b7bdc0a
SH256 hash:
cc7ad818e9d4037c72b8cafeee214ecf2f6fe6c9af43ebfa221fb68cc7b5f966
MD5 hash:
3a9c8dc060b839403dcfc8a72d29defd
SHA1 hash:
5ab7be40aae923dea562fb2f57891080eeb8bf97
Link:
https://www.unpac.me/results/af23ed9e-7dd1-4174-8d1b-3af620e186b9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc7ad818e9d4037c72b8cafeee214ecf2f6fe6c9af43ebfa221fb68cc7b5f966

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe cc7ad818e9d4037c72b8cafeee214ecf2f6fe6c9af43ebfa221fb68cc7b5f966

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2746419/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/469693/

Comments