MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3dc74a3bca3cc38943b90bd7b33dffd683d0bcf20bd507404185e595909d11f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3dc74a3bca3cc38943b90bd7b33dffd683d0bcf20bd507404185e595909d11f
SHA3-384 hash: da96e2520324200a7dac9a97de307e4cc696e29c1746cc4455df7ea8fb88c7f192523f07cc3c976cacc4383bfca49945
SHA1 hash: 2e54c340a223baf95b975d03c93c18c00f71a7b7
MD5 hash: 52af8f312d4667b7de3bc02aee96e033
humanhash: diet-uranus-cola-maryland
File name:52af8f312d4667b7de3bc02aee96e033
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:164'864 bytes
First seen:2024-03-06 07:30:49 UTC
Last seen:2024-03-06 09:27:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c6d19c8fbbcd0c83570e7dbd10119e65 (2 x RiseProStealer, 2 x Smoke Loader)
ssdeep 1536:7Yc5gZdDecFo+b3K//ErpPgyB1ahVfhdF8JpfbiQlpkgPF2vW8CPBRYCIVvlqgWi:TiZUCzr/aBdF8J5+Ql9QvoP4CIOse
Threatray 3'056 similar samples on MalwareBazaar
TLSH T148F3AEF032F0C076E067257459B882B25E3BB8736AB4819BF69A1F7E1E7D1C04965723
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 3370ecd2ccf033da (7 x Stealc, 3 x Smoke Loader, 2 x RiseProStealer)
Reporter zbetcheckin
Tags:32 exe RiseProStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
489
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
d3dc74a3bca3cc38943b90bd7b33dffd683d0bcf20bd507404185e595909d11f.exe
Verdict:
Malicious activity
Analysis date:
2024-03-06 07:33:51 UTC
Tags:
loader smoke smokeloader
Link:
https://app.any.run/tasks/00f9e5ac-1b10-495d-8df4-19715125fe0a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.8414.16627.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Connection attempt to an infection source
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Query of malicious DNS domain
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint
Link:
https://www.filescan.io/uploads/65e81bb783aa71d5c1459cbf/reports/ee9dcb36-400c-47d0-ae08-6a2471af71fb/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/d3dc74a3bca3cc38943b90bd7b33dffd683d0bcf20bd507404185e595909d11f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/fa5048d8-6439-4158-b39f-2d52d2dde191
Result
Threat name:
LummaC, Babuk, Djvu, Glupteba, LummaC St
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1403851
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Bypass UAC via Fodhelper.exe
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
UAC bypass detected (Fodhelper)
Uses cmd line tools excessively to alter registry or file data
Writes a notice file (html or txt) to demand a ransom
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Babuk Ransomware
Yara detected Djvu Ransomware
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected PureLog Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1403851 Sample: CgoegMEw8J.exe Startdate: 06/03/2024 Architecture: WINDOWS Score: 100 119 valowaves.com 2->119 121 trypokemon.com 2->121 123 10 other IPs or domains 2->123 141 Snort IDS alert for network traffic 2->141 143 Multi AV Scanner detection for domain / URL 2->143 145 Found malware configuration 2->145 147 21 other signatures 2->147 14 CgoegMEw8J.exe 2->14         started        17 gejejaa 2->17         started        19 BF99.exe 2->19         started        signatures3 process4 signatures5 193 Detected unpacking (changes PE section rights) 14->193 195 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 14->195 197 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 14->197 209 3 other signatures 14->209 21 explorer.exe 47 19 14->21 injected 199 Antivirus detection for dropped file 17->199 201 Multi AV Scanner detection for dropped file 17->201 203 Machine Learning detection for dropped file 17->203 205 Detected unpacking (overwrites its own PE header) 19->205 207 Injects a PE file into a foreign processes 19->207 26 BF99.exe 19->26         started        process6 dnsIp7 125 dildefotokopi.com 185.195.254.134 VEGANET-TELEKOMTR Turkey 21->125 127 sdfjhuz.com 190.224.203.37, 49745, 49768, 80 TelecomArgentinaSAAR Argentina 21->127 129 5 other IPs or domains 21->129 101 C:\Users\user\AppData\Roaming\gejejaa, PE32 21->101 dropped 103 C:\Users\user\AppData\Local\Temp\BF99.exe, PE32 21->103 dropped 105 C:\Users\user\AppData\Local\Temp\954A.exe, PE32 21->105 dropped 107 3 other malicious files 21->107 dropped 151 System process connects to network (likely due to code injection or exploit) 21->151 153 Benign windows process drops PE files 21->153 155 Deletes itself after installation 21->155 157 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->157 28 BF99.exe 21->28         started        31 954A.exe 21->31         started        33 437D.exe 21->33         started        35 4 other processes 21->35 file8 signatures9 process10 signatures11 167 Antivirus detection for dropped file 28->167 169 Detected unpacking (changes PE section rights) 28->169 171 Detected unpacking (overwrites its own PE header) 28->171 189 2 other signatures 28->189 37 BF99.exe 1 16 28->37         started        173 UAC bypass detected (Fodhelper) 31->173 175 Machine Learning detection for dropped file 31->175 177 Found Tor onion address 31->177 179 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 31->179 41 cmd.exe 31->41         started        181 Multi AV Scanner detection for dropped file 33->181 183 Writes to foreign memory regions 33->183 191 2 other signatures 33->191 185 Uses cmd line tools excessively to alter registry or file data 35->185 187 Injects a PE file into a foreign processes 35->187 43 conhost.exe 35->43         started        45 reg.exe 1 1 35->45         started        47 conhost.exe 35->47         started        49 3 other processes 35->49 process12 dnsIp13 131 api.2ip.ua 172.67.139.220, 443, 49755, 49765 CLOUDFLARENETUS United States 37->131 109 C:\Users\user\AppData\Local\...\BF99.exe, PE32 37->109 dropped 51 BF99.exe 37->51         started        54 icacls.exe 37->54         started        56 fodhelper.exe 41->56         started        58 conhost.exe 41->58         started        60 fodhelper.exe 41->60         started        62 fodhelper.exe 41->62         started        file14 process15 signatures16 149 Injects a PE file into a foreign processes 51->149 64 BF99.exe 1 25 51->64         started        69 954A.exe 56->69         started        process17 dnsIp18 111 sajdfue.com 122.100.154.145, 49773, 49774, 49776 CTM-MOCompanhiadeTelecomunicacoesdeMacauSARLMO Macau 64->111 113 45.64.21.244, 80 CTM-MOCompanhiadeTelecomunicacoesdeMacauSARLMO Macau 64->113 91 C:\Users\user\AppData\Local\...\build2[1].exe, PE32 64->91 dropped 93 C:\Users\user\AppData\Local\...\build2.exe, PE32 64->93 dropped 95 C:\_README.txt, ASCII 64->95 dropped 97 6 other malicious files 64->97 dropped 133 Modifies existing user documents (likely ransomware behavior) 64->133 71 build2.exe 64->71         started        135 Found Tor onion address 69->135 74 954A.exe 69->74         started        76 powershell.exe 69->76         started        78 WerFault.exe 69->78         started        file19 signatures20 process21 signatures22 159 Antivirus detection for dropped file 71->159 161 Multi AV Scanner detection for dropped file 71->161 163 Detected unpacking (changes PE section rights) 71->163 165 3 other signatures 71->165 80 build2.exe 71->80         started        85 powershell.exe 74->85         started        87 conhost.exe 76->87         started        process23 dnsIp24 115 88.99.127.167, 49789, 49791, 49794 HETZNER-ASDE Germany 80->115 117 steamcommunity.com 23.51.204.111, 443, 49788 AKAMAI-ASUS United States 80->117 99 C:\Users\user\AppData\Local\...\sqlm[1].dll, PE32 80->99 dropped 137 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 80->137 139 Tries to harvest and steal browser information (history, passwords, etc) 80->139 89 conhost.exe 85->89         started        file25 signatures26 process27
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d3dc74a3bca3cc38943b90bd7b33dffd683d0bcf20bd507404185e595909d11f
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d3dc74a3bca3cc38943b90bd7b33dffd683d0bcf20bd507404185e595909d11f/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2024-03-06 07:31:05 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2pohji54upgdrfb3sc6xwm677vud2c6pec6va5aedbpfswij2epq._file
Verdict:
malicious
Similar samples:
0004d851f92bfea425f064b898e7668d84a26e12954785ce0ec3b62ff2e34d46
RiseProStealer
02eb002f33af51183396e8406bc7518c01c4b2f3b326d227fef6bc7e3c8fd1a6
RiseProStealer
247eb6cc11d0a92ac985fb99c19dcfe4779878f4989764b8ced06727820ff57c
RiseProStealer
50ca2730d4feb93b8d6cf986a86b34912d83c10dd7d7259d3538d415c904af73
RiseProStealer
5c88a340b3b0502c9777fe6159f01d66875341dc739e23a56a21ee18479890f2
RiseProStealer
a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271
RiseProStealer
e629fcf41de2187cafd4c8c38b1e9408a5c521d29459971bb96fae5da26fa9d5
RiseProStealer
f518307808486c2718cd6b83e4e5f012e3531c8d352abd6d51b7311fcfa2c28c
RiseProStealer
f662b3ef913a9bfb62cb970e6f8f8e81ad75b21deaccffc01cbc1390f34e776e
RiseProStealer
+ 3'046 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:lumma family:smokeloader botnet:tfd5 backdoor discovery persistence ransomware stealer trojan
Link:
https://tria.ge/reports/240306-jcc9dsfd97/
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Executes dropped EXE
Modifies file permissions
Downloads MZ/PE file
Detected Djvu ransomware
Djvu Ransomware
Lumma Stealer
SmokeLoader
Malware Config
C2 Extraction:
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
http://sajdfue.com/test1/get.php
https://resergvearyinitiani.shop/api
https://technologyenterdo.shop/api
https://detectordiscusser.shop/api
https://turkeyunlikelyofw.shop/api
https://associationokeo.shop/api
Unpacked files
SH256 hash:
8920c744aebda5cd6304ea1aa88b1a051a5e34a3d5d7d2dab182ef9cb0aec361
MD5 hash:
9f6f0abfef1cad87fbdd302b790ab0be
SHA1 hash:
1e93fbaadbd9d880dd0dde3623b6f16233aa7811
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/b9b76677-c78f-4cbe-b13f-5ba55007b553/
Parent samples :
f4488ed8da62e7e849070788bcf45eb70f4a2461333918b9b9087f8bbe8d2a22
b8a974ff0066513b4fac4f6a256a39933af90a9df9b03d6234d1a4bf88b7b0e8
a5da18a9350a63a4d2ec54da2d3e49bf4277307209979bfad54538eff856bf9c
078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164
7c94ffaf6d76f18ce6bfc6039f9252a4b71d79e483d822aeab0de9b3189b6d0e
b1f57f9e13e75717674eeca314a042ac3e0816f17e7743c361e0be7f45bf9897
d3dc74a3bca3cc38943b90bd7b33dffd683d0bcf20bd507404185e595909d11f
e2ee33a7a4d96b608f35b98c659f1e65642f4036353140ac2fd0ff5152eb4964
8bc3990f004b22558934ae39d088d52e4359509f5d7be8542dbdc8cc05ee7e78
741a4adf79d60db1ff4d13e84129beffe78d2fd0be9e58b3b076052b121ad1b6
SH256 hash:
d3dc74a3bca3cc38943b90bd7b33dffd683d0bcf20bd507404185e595909d11f
MD5 hash:
52af8f312d4667b7de3bc02aee96e033
SHA1 hash:
2e54c340a223baf95b975d03c93c18c00f71a7b7
Link:
https://www.unpac.me/results/b9b76677-c78f-4cbe-b13f-5ba55007b553/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d3dc74a3bca3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d3dc74a3bca3cc38943b90bd7b33dffd683d0bcf20bd507404185e595909d11f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe d3dc74a3bca3cc38943b90bd7b33dffd683d0bcf20bd507404185e595909d11f

(this sample)

  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleOutputCharacterA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleAliasExesLengthA
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::MoveFileExA
KERNEL32.dll::ReplaceFileW
KERNEL32.dll::GetFileAttributesA

Comments


Avatar
zbet commented on 2024-03-06 07:30:50 UTC

url : hxxp://galandskiyher5.com/downloads/toolspub5.exe