MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d572bbdb7b0b669ab8aae7eef3d99b783ce1ab2e7ed59910128223a5ea6f92ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d572bbdb7b0b669ab8aae7eef3d99b783ce1ab2e7ed59910128223a5ea6f92ae
SHA3-384 hash: 37964150b315bcd41c1dfc2d941733a40b538e7c0aecb9114aa35dc60a48222c72f49434951392453d4117c643c7d6ad
SHA1 hash: 5e6739e828f65746678a3b04701e21c5727ae1d9
MD5 hash: 32387d8e52fb3afd9948c9e1c3625350
humanhash: football-spring-lion-pip
File name:32387d8e52fb3afd9948c9e1c3625350
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'359'808 bytes
First seen:2024-03-04 04:00:49 UTC
Last seen:2024-03-04 05:19:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:GmjKXSWiqxM6+c9GUQDa2YFhDYn7/9VNUOsJbb5n3eM:GvXSWlJnGUQDa/ha7rNUOaMM
Threatray 418 similar samples on MalwareBazaar
TLSH T146B533227F37D56AD32EB2714AA04D33DA332C40ADA61776154C75C97F8FA385A20ACD
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon b3b2b3b2cceee7b2 (146 x RiseProStealer, 7 x CoinMiner, 1 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe RiseProStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
458
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.3919.11858.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for analyzing tools
Creating a file
Launching a process
Creating a file in the %temp% directory
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin msbuild packed
Link:
https://www.filescan.io/uploads/65e5477ed86c827370ce6d15/reports/bdf34691-8dad-4a58-b342-dcf26c5bb051/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/d572bbdb7b0b669ab8aae7eef3d99b783ce1ab2e7ed59910128223a5ea6f92ae
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c974d01c-231c-4c69-82ba-292830ffbaaa
Result
Threat name:
Amadey, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1402313
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1402313 Sample: qIkoD44AUb.exe Startdate: 04/03/2024 Architecture: WINDOWS Score: 100 68 ipinfo.io 2->68 70 db-ip.com 2->70 78 Snort IDS alert for network traffic 2->78 80 Multi AV Scanner detection for domain / URL 2->80 82 Antivirus detection for URL or domain 2->82 84 10 other signatures 2->84 8 MPGPH131.exe 76 2->8         started        12 qIkoD44AUb.exe 3 94 2->12         started        15 MPGPH131.exe 74 2->15         started        17 9 other processes 2->17 signatures3 process4 dnsIp5 52 C:\Users\user\...\sZD26YNf3Lsb1oWkiTPB.exe, PE32 8->52 dropped 54 C:\Users\user\...\XByYyQE8tAJfZyOx8BpS.exe, PE32 8->54 dropped 56 C:\Users\user\...\MevFeEwrJXtHEbwyBjlj.exe, PE32 8->56 dropped 64 4 other malicious files 8->64 dropped 108 Multi AV Scanner detection for dropped file 8->108 110 Detected unpacking (changes PE section rights) 8->110 112 Tries to steal Mail credentials (via file / registry access) 8->112 114 Potentially malicious time measurement code found 8->114 19 MevFeEwrJXtHEbwyBjlj.exe 8->19         started        23 XByYyQE8tAJfZyOx8BpS.exe 8->23         started        25 sZD26YNf3Lsb1oWkiTPB.exe 8->25         started        72 193.233.132.62, 49729, 49731, 49732 FREE-NET-ASFREEnetEU Russian Federation 12->72 74 185.215.113.46, 49738, 49739, 49740 WHOLESALECONNECTIONSNL Portugal 12->74 76 2 other IPs or domains 12->76 58 C:\Users\user\...\ygIHjPxbBM3ngZPbgr5u.exe, PE32 12->58 dropped 60 C:\Users\user\...\pIn9iaVe_jRHyn2tSUnF.exe, PE32 12->60 dropped 62 C:\Users\user\...\KaFZPkS1HsEQqlsIuJxz.exe, PE32 12->62 dropped 66 12 other malicious files 12->66 dropped 116 Found many strings related to Crypto-Wallets (likely being stolen) 12->116 118 Creates multiple autostart registry keys 12->118 120 Uses schtasks.exe or at.exe to add and modify task schedules 12->120 122 Tries to detect virtualization through RDTSC time measurements 12->122 27 ygIHjPxbBM3ngZPbgr5u.exe 12->27         started        29 KaFZPkS1HsEQqlsIuJxz.exe 12->29         started        37 6 other processes 12->37 124 Tries to harvest and steal browser information (history, passwords, etc) 15->124 132 2 other signatures 15->132 31 9LtAQNCm7iMB0Zd1XQnv.exe 15->31         started        33 DU98OYKGCWE0fJSeN5wT.exe 15->33         started        35 bnF5bj95PBGLwFaz0tSQ.exe 15->35         started        126 Machine Learning detection for dropped file 17->126 128 Tries to evade debugger and weak emulator (self modifying code) 17->128 130 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 17->130 file6 signatures7 process8 file9 50 C:\Users\user\AppData\Local\...\explorha.exe, PE32 19->50 dropped 86 Antivirus detection for dropped file 19->86 88 Detected unpacking (changes PE section rights) 19->88 90 Machine Learning detection for dropped file 19->90 39 explorha.exe 19->39         started        92 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 23->92 94 Tries to evade debugger and weak emulator (self modifying code) 27->94 96 Hides threads from debuggers 27->96 98 Tries to detect sandboxes / dynamic malware analysis system (registry check) 27->98 42 conhost.exe 37->42         started        44 conhost.exe 37->44         started        46 conhost.exe 37->46         started        48 3 other processes 37->48 signatures10 process11 signatures12 100 Antivirus detection for dropped file 39->100 102 Detected unpacking (changes PE section rights) 39->102 104 Tries to detect sandboxes and other dynamic analysis tools (window names) 39->104 106 5 other signatures 39->106
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d572bbdb7b0b669ab8aae7eef3d99b783ce1ab2e7ed59910128223a5ea6f92ae
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d572bbdb7b0b669ab8aae7eef3d99b783ce1ab2e7ed59910128223a5ea6f92ae/
Threat name:
Win32.Trojan.RisePro
Create hunting rule
Status:
Malicious
First seen:
2024-03-04 04:01:05 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2vzlxw33bntjvofk47xphwm3pa6odkzop3kzseasqir2l2tpskxa._file
Verdict:
malicious
Similar samples:
70c97e027b24107485559495445a4f81ba995658b2a86874915c49b3edbf2bb4
RiseProStealer
741cac1fdcce7cbbc1170134d10550d3cea47cb5b7d1053e87c422b0cb28d496
RiseProStealer
7458cd87185f80358d350fa8dbd4a9efcc072df17654ea87d93127fd598c3545
RiseProStealer
78a31734d06e1a4014f4345168b41625e0edb0c52edf1fc5529ccbb335ad0c78
RiseProStealer
869053664dd8c21379bcce2b6c8b35a301f1e5160e5ada0cb86ed349e9da487e
RiseProStealer
94b30db8541b572948aa278d3ce5890ed50c9a65bf7715575bf034cfb40b9209
RiseProStealer
b1be593f6f3d015a6261826b26d2baba7c5f3c86507509ac6d261357d5920113
RiseProStealer
cf1f60b1391cd05c9f4834206ee260aab02ee48de1027ea49ba02aa6e47d1075
RiseProStealer
e94841e8a97f82afe43ed6757137fb8427529100e16b7e7bbd6dd84efa0dad86
RiseProStealer
ff929610da21ce2107e91d87767e50dbbfd938d39e7e6ff0d4cc892e2cb78c2a
RiseProStealer
+ 408 additional samples on MalwareBazaar
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer
Link:
https://tria.ge/reports/240304-ek7qraab47/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.62
Unpacked files
SH256 hash:
8b507cbe6c5e4944a62dfc66e6b57a323a21a55c4ecf7e79a211e53e60f399b9
MD5 hash:
91f2766422dd2a5c9cc896acb7b84509
SHA1 hash:
d64d1b8a2626f21c04119c287bc747cc5f32f6c6
Link:
https://www.unpac.me/results/c14a18ae-8a47-4a81-861a-58aa7fb21b0b/
SH256 hash:
d572bbdb7b0b669ab8aae7eef3d99b783ce1ab2e7ed59910128223a5ea6f92ae
MD5 hash:
32387d8e52fb3afd9948c9e1c3625350
SHA1 hash:
5e6739e828f65746678a3b04701e21c5727ae1d9
Link:
https://www.unpac.me/results/c14a18ae-8a47-4a81-861a-58aa7fb21b0b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d572bbdb7b0b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_e5f4703f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe d572bbdb7b0b669ab8aae7eef3d99b783ce1ab2e7ed59910128223a5ea6f92ae

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2775398/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments


Avatar
zbet commented on 2024-03-04 04:00:51 UTC

url : hxxp://185.215.113.45/cost/random.exe