MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0ef5d7c8fa467cca0626b576f96dc86a58293b859aa5ddd4aa0ff1304427d04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RiseProStealer

Vendor detections: 13

SHA256 hash: d0ef5d7c8fa467cca0626b576f96dc86a58293b859aa5ddd4aa0ff1304427d04
SHA3-384 hash: 17365493136eaf1e0626b12825d2bcb0002a88d630e44ff43df98d15366fcec2df6cb1f5848c5d784494e6215b8ada0d
SHA1 hash: 47b1248c44f56f1e9f2bb8a8c633cb4a0e8983e1
MD5 hash: 44f67307cba7d1d9be50e617db5ea910
humanhash: north-high-magazine-echo
File name: 44f67307cba7d1d9be50e617db5ea910.exe
Signature: RiseProStealer
File size: 446'784 bytes
First seen: 2024-04-04 13:05:07 UTC
Last seen: 2024-04-04 13:24:00 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 12288:NeRKfJ9He6QCHj5SZaz2hlzMRRN/KM7QDN+AJrZMKn:NeRKfJ9HeC5vMlMX7Qh/fD
Threatray: 7 similar samples on MalwareBazaar
TLSH: T109940124B3ED9A37EFEF167898F420815B71EA63A651DB5F0C48418F69267C04763B23
TrID:
  70.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  12.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
  2.5% (.ICL) Windows Icons Library (generic) (2059/9)
  2.4% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: abuse_ch
Tags: exe RiseProStealer signed

Code Signing Certificate

Organisation: Microsoft Code Signing PCA 2011
Issuer: Microsoft Code Signing PCA 2011
Algorithm: sha256WithRSAEncryption
Valid from: 2024-03-27T07:44:28Z
Valid to: 2025-03-27T07:44:28Z
Serial number: 0841d37cebd180d922b5639fa24297ae
Thumbprint Algorithm: SHA256
Thumbprint: 40c1f1a3188cfb02f31a9f4c43b743671a30d7a64fe6cc2f76e8c2107b742b62
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
RiseProStealer C2:
193.233.132.253:50500

Intelligence

File Origin
# of uploads: 2
# of downloads: 311
Origin country: NL
Vendor Threat Intelligence
Malware family: glupteba
ID: 1
File name: d0ef5d7c8fa467cca0626b576f96dc86a58293b859aa5ddd4aa0ff1304427d04.exe
Verdict: Malicious activity
Analysis date: 2024-04-04 13:07:03 UTC
Tags: loader gcleaner evasion stealer stealc neoreklami adware trojan glupteba privateloader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Searching for the window
Modifying a system file
Using the Windows Management Instrumentation requests
Replacing files
Creating a file in the %temp% directory
Reading critical registry keys
Connection attempt to an infection source
Blocking the Windows Defender launch
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Glupteba, Mars Stealer, PureLog Stealer
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
Adds extensions / path to Windows Defender exclusion list (Registry)
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Exclude list of file types from scheduled, custom, and real-time scanning
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
UAC bypass detected (Fodhelper)
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes many files with high entropy
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Mars stealer
Yara detected PureLog Stealer
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph ID: 1420154
Sample: e8iuAWz9pB.exe
Start date: 04/04/2024
Architecture: WINDOWS
Score: 100
Signatures on the sample node: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 19 other signatures

Process tree recovered from the behavior graph image (indentation shows parent/child; the network, dropped and signatures lines belong to the process directly above them):

e8iuAWz9pB.exe
  signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Sample uses process hollowing technique; Injects a PE file into a foreign processes
  InstallUtil.exe
    network: 107.167.110.211 (OPERASOFTWAREUS, United States); 107.167.110.216 (OPERASOFTWAREUS, United States); 18 other IPs or domains
    dropped: C:\Users\...\zal1rHGTQfMJnqdbiPXJLFLc.exe (PE32); C:\Users\...\z0muZP3V0tbuz9G1hfWkwVLZ.exe (PE32+); C:\Users\...\yzM31TLFS5pliZiAIRzpbyES.exe (PE32); 192 other malicious files
    signatures: Drops script or batch files to the startup folder; Creates HTML files with .exe extension (expired dropper behavior); Writes many files with high entropy
    wESXEBhFkbKP2MCnGNyz8acb.exe
      network: 87.240.132.72 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 87.240.137.134 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 22 other IPs or domains
      dropped: C:\Users\...\x67egqvc_dGYYnIcS2nqyJNg.exe (PE32); C:\Users\...\wdoddWYFSlXyJ7rwG8BGE7Nm.exe (PE32); C:\Users\...\uzlAf3X4LLMJs5UfHRsPBJDG.exe (PE32); 30 other malicious files
      signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Drops PE files to the document folder of the user; Creates HTML files with .exe extension (expired dropper behavior); 7 other signatures
    rmPj94dKNNFremtcOgV9tB7T.exe
      network: 107.167.110.218 (OPERASOFTWAREUS, United States); 107.167.125.189 (OPERASOFTWAREUS, United States); 7 other IPs or domains
      dropped: 9 other malicious files
      signatures: Writes many files with high entropy
      rmPj94dKNNFremtcOgV9tB7T.exe
        dropped: Opera_installer_2404041307039877828.dll (PE32); C:\Users\user\AppData\...\win8_importing.dll (PE32+); C:\Users\user\...\win10_share_handler.dll (PE32+); 21 other malicious files
        rmPj94dKNNFremtcOgV9tB7T.exe
          dropped: Opera_installer_2404041307046007912.dll (PE32)
      rmPj94dKNNFremtcOgV9tB7T.exe
        dropped: Opera_installer_2404041307019147184.dll (PE32)
      rmPj94dKNNFremtcOgV9tB7T.exe
        dropped: Opera_installer_2404041307031476112.dll (PE32)
    5hstJPzlm060HUmb22EfSSoh.exe
      network: 2 other IPs or domains
      dropped: 2 other malicious files
      signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
      u63c.0.exe
        network: 185.172.128.209 (NADYMSS-ASRU, Russian Federation)
        dropped: C:\Users\user\AppData\...IEHJDHCBA.exe (PE32); 13 other files (5 malicious)
        signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to steal Mail credentials (via file / registry access); 4 other signatures
      u63c.1.exe
        network: 20.157.87.45 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
        signatures: Checks if the current machine is a virtual machine (disk enumeration)
        SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    10 other processes
      dropped: C:\Users\user\AppData\Local\Temp\u724.1.exe (PE32); C:\Users\user\AppData\Local\Temp\u724.0.exe (PE32); 8 other malicious files
      signatures: Found Tor onion address; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Install.exe
        dropped: C:\Users\user\AppData\Local\...\aOJBmKO.exe (PE32)
        signatures: Uses schtasks.exe or at.exe to add and modify task schedules
        forfiles.exe
          cmd.exe
            signatures: Suspicious powershell command line found
            powershell.exe
              WMIC.exe
          conhost.exe
        schtasks.exe
          conhost.exe
  WerFault.exe
    network: 20.189.173.22 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
  InstallUtil.exe
cmd.exe
  ILWEcZ08M1xSfyJESeMXp81Z.exe
    signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); UAC bypass detected (Fodhelper)
  conhost.exe
    cmd.exe
      AVh2q1iVqe3JyRrAfrwviUc0.exe
        signatures: UAC bypass detected (Fodhelper)
      conhost.exe
svchost.exe
  network: 23.43.45.167 (OperbesSAdeCVMX, United States); 195.181.163.202 (CDN77GB, United Kingdom); 127.0.0.1
  dropped: SystemMechanic_548...38868BD1.exe (copy) (PE32); C:\Users\user\AppData\Local\...\BIT5039.tmp (PE32); C:\Users\user\AppData\Local\...\BIT1495.tmp (PE32)
  signatures: Benign windows process drops PE files
6 other processes
  signatures: Very long command line found; Modifies Windows Defender protection settings
  DNNKlylHdH4M1tOBeXqI8l7H.exe
  powershell.exe
    conhost.exe
    Conhost.exe
  WerFault.exe
  conhost.exe
Threat name: ByteCode-MSIL.Trojan.WarzoneRAT
Status: Malicious
First seen: 2024-03-28 21:20:11 UTC
File Type: PE+ (.Net Exe)
Extracted files: 2
AV detection: 21 of 38 (55.26%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:glupteba family:stealc discovery dropper evasion loader persistence ransomware rootkit spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Glupteba
Glupteba payload
Modifies firewall policy service
Stealc
Windows security bypass
Malware Config
C2 Extraction: http://185.172.128.209
Unpacked files
SHA256 hash: d0ef5d7c8fa467cca0626b576f96dc86a58293b859aa5ddd4aa0ff1304427d04
MD5 hash: 44f67307cba7d1d9be50e617db5ea910
SHA1 hash: 47b1248c44f56f1e9f2bb8a8c633cb4a0e8983e1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Author: ditekSHen
Description: Detects executables (downloaders) containing URLs to raw contents of a paste
Rule name: MSIL_TinyDownloader_Generic
Author: albertzsigovits
Description: Detects small-sized dotNET downloaders
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: pe_imphash
Rule name: pe_no_import_table
Description: Detects PE files that have no import table
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF) | high

Comments