MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d284fdf1f86180afb01b47ac07faa898ecffc585f3fe2dfc27225f1a1f12354e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d284fdf1f86180afb01b47ac07faa898ecffc585f3fe2dfc27225f1a1f12354e
SHA3-384 hash: ad1b9483591193958e82b2b0f2fdc1009e2d527ab8aad113eba4e11fa256212f649ea12e17080e00c87e8b4c30a33f25
SHA1 hash: 65edc2be1c32217d046460611e584a29ab750d97
MD5 hash: 08bcf92194154a68f92533a9b7ebf0c4
humanhash: vermont-mississippi-mobile-early
File name:08bcf92194154a68f92533a9b7ebf0c4
Download: download sample
File size:407'552 bytes
First seen:2023-09-13 14:34:59 UTC
Last seen:2023-09-18 07:10:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:8xLia+nRoSCvZAHW1w1DMF0/l7wrQqTcbcdlIQXJ2uvk9y7Wo:IWzRWvw9Nds8vQd
Threatray 38 similar samples on MalwareBazaar
TLSH T1CB84BEDC7AA475DFC81BC872CEA85C68EB9164BB831BD203E56311A9990D997CF140F3
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:171-22-28-208 32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
301
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
08bcf92194154a68f92533a9b7ebf0c4
Verdict:
No threats detected
Analysis date:
2023-09-13 14:40:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/71fe7cb2-3505-4f74-b631-3c098803a13c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/448421/
Detection(s):
SecuriteInfo.com.Win32.CoinminerX-gen.27741.9837.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6501c8987aa68bd3a1f8f9a8/reports/79e3d4be-2ea9-4ec3-9ce1-83e0a0ec612b/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILMamut
Link:
https://www.hybrid-analysis.com/sample/d284fdf1f86180afb01b47ac07faa898ecffc585f3fe2dfc27225f1a1f12354e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b8850e2c-6b5e-4475-a0a1-f6a2e06cb6f4
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1308120
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d284fdf1f86180afb01b47ac07faa898ecffc585f3fe2dfc27225f1a1f12354e/
Threat name:
ByteCode-MSIL.Trojan.RiseProStealer
Create hunting rule
Status:
Malicious
First seen:
2023-09-07 12:58:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2kcp34pymgak7ma3i6wap6vitdwp7rmf6p7c37bhejpruhysgvha._file
Verdict:
malicious
Similar samples:
4101bd379660a169d50442c9921d6fb0329620efbc5a163856c2f5e5f41e601c
57e2f9ee6aaad4097ac2b1151fe1cf9546c8fbc470670b73c8039285f4fd4db5
65b93f1505201eab6ac6e7d516db7afca0efcad6157dc666684dfc6c7caf5458
69010ca4bc815b6422d4985a311a1331aacc1881003ce25e6fe9ef0ee48e0a38
7a5b5d23f9db7b7dc126d904ac33a9a61815c40e2396c239dc3fa5bcbe71fa6c
9ca85db909ababb84b0ea3fc5b0156dc01bb940999a91466cea93f683f53f11e
fe89a23ba4354518052429a3fe9fc7784b498a9d954f448df6d339fd8d669f55
+ 28 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230913-rx1jescf7x/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
d284fdf1f86180afb01b47ac07faa898ecffc585f3fe2dfc27225f1a1f12354e
MD5 hash:
08bcf92194154a68f92533a9b7ebf0c4
SHA1 hash:
65edc2be1c32217d046460611e584a29ab750d97
Link:
https://www.unpac.me/results/8b32fab9-b7b0-4f43-981b-fcb905569e4d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/d284fdf1f86180afb01b47ac07faa898ecffc585f3fe2dfc27225f1a1f12354e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d284fdf1f86180afb01b47ac07faa898ecffc585f3fe2dfc27225f1a1f12354e

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/448421/
  
URLhaus
https://urlhaus.abuse.ch/url/2711514/

Comments


Avatar
zbet commented on 2023-09-13 14:35:00 UTC

url : hxxp://171.22.28.208/download/rise/StealerClient_Sharp.exe