MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd4a1ee600fd5b07e35d0c6953feade254da969e2b96bdd765df6fbbc561110b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RiseProStealer


Vendor detections: 12



SHA256 hash: dd4a1ee600fd5b07e35d0c6953feade254da969e2b96bdd765df6fbbc561110b
SHA3-384 hash: 5e22b09ff4d46ae3635952ff55047dfc3357b9d455f5f5568acfe73e6516b76915f92fc209ff6a220fa5bc3b9bd114e8
SHA1 hash: ccdaf9117ab6819490a11c6a0f0cdbf477a359de
MD5 hash: 8b9f61ab18bc3dbaa8cbee4baffa7798
humanhash: solar-echo-fruit-spaghetti
File name: 8b9f61ab18bc3dbaa8cbee4baffa7798.exe
Signature: RiseProStealer
File size: 6'717'952 bytes
First seen: 2024-03-07 10:20:12 UTC
Last seen: 2024-03-07 20:16:58 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5fca035c1d9772fed59e3f04779695b2 (10 x RiseProStealer)
ssdeep: 196608:3ZGrIK23Gw/XmKUO7uL8LbeaQyvhQwqaNXiiXYKf2e:IIZ3l/pfLbePOlriiXue
TLSH: T13A66334DBAC259A4C0DE86B43ACFB87DB17329A017AAED0554497EC1FFF22616033097
TrID: 45.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      19.1% (.SCR) Windows screen saver (13097/50/3)
      9.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter: abuse_ch
Tags: exe RiseProStealer


abuse_ch
RiseProStealer C2:
95.217.142.46:50500

Intelligence


File Origin
# of uploads: 3
# of downloads: 337
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: dd4a1ee600fd5b07e35d0c6953feade254da969e2b96bdd765df6fbbc561110b.exe
Verdict: Malicious activity
Analysis date: 2024-03-07 10:21:17 UTC
Tags: risepro

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Creating synchronization primitives
Reading critical registry keys
Creating a file in the %temp% subdirectories
Creating a window
Creating a file
Launching a process
Creating a process from a recently created file
Stealing user critical data
Connection attempt to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: crypto lolbin packed setupapi shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: PureLog Stealer, RisePro Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected PureLog Stealer
Yara detected RisePro Stealer
Behaviour
Behavior Graph (rendered graph not reproduced; the information recoverable from it is summarised below):
Behavior Graph ID: 1404635
Sample: Q7r1Q0O2Wy.exe
Start date: 07/03/2024
Architecture: WINDOWS
Score: 100
Processes started: Q7r1Q0O2Wy.exe, MSIUpdaterV1.exe, AdobeUpdaterV1.exe, XNNKIt1MW9PWPGkjLOaF.exe, Vh_3mEjodj70UTVViVBK.exe, CP4CZjrqqCwTkczgwKG4.exe, jRAVYSXVAOaXUpY814On.exe, LWz75hULEbvjeVHdr113.exe, 3Ks0IiPwPDDrMtJV7j_i.exe, ol6UMw6gQzN_T691RvoD.exe, qg7muIU7sX_ud1H6UtB7.exe, 2yEbAU9vruNttx2yHINV.exe, RegAsm.exe (several instances), conhost.exe (several instances), plus further processes the graph counts only as "other processes"
Network contacts: 95.217.142.46 (HETZNER-ASDE, Germany), 34.117.186.192 (GOOGLE-AS-AP Google Asia Pacific Pte Ltd SG, United States), 172.67.195.126 (CLOUDFLARENETUS, United States), plus 3 other IPs or domains
Dropped files (all PE32 unless noted): C:\Users\user\...\XNNKIt1MW9PWPGkjLOaF.exe, C:\Users\user\...\jRAVYSXVAOaXUpY814On.exe, C:\Users\user\...\CP4CZjrqqCwTkczgwKG4.exe, C:\Users\user\...\ol6UMw6gQzN_T691RvoD.exe, C:\Users\user\...\LKXOrBMS_ZPC6hPDEinu.exe, C:\Users\user\...\qg7muIU7sX_ud1H6UtB7.exe, C:\Users\user\...\2yEbAU9vruNttx2yHINV.exe, C:\Users\user\...\yA6FcmeMesrTsRxCcU5b.exe, C:\Users\user\...\pMtMx5F6W2YroU9gNHeT.exe, C:\Users\user\...\zIxGtlY52DWg6fXKQ_2V.exe, C:\Users\user\...\vnWzwg12bQIFBsxn7O04.exe, C:\Users\user\...\crypted_f961bb26[1].exe, C:\Users\user\...\IMvzavrD5CEPMA7ZaeXqPDk.zip (Zip), plus further files the graph counts only as "other malicious files"
Signatures attached to the graph nodes repeat those in the Signature list above: antivirus, multi-AV and machine-learning detection of dropped files; allocation of and writes to foreign memory regions and injection of a PE file into a foreign process; overwriting code with unconditional jumps; firmware table queries (likely VM detection); harvesting of browser information, mail credentials and crypto-currency wallets.
Threat name: Win32.Trojan.Privateloader
Status: Suspicious
First seen: 2024-03-07 10:21:13 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 23 of 38 (60.53%)
Threat level: 5/5
Verdict: unknown
Result
Malware family: risepro
Score: 10/10
Tags: family:risepro stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
RisePro
Malware Config
C2 Extraction: 95.217.142.46:50500
Unpacked files
SHA256 hash: 1c1495faf9e1df70756ba0678dc56a65b66d90ef66a79f4a58734ba3546c82d8
MD5 hash: 6f4ad44d0199855590e7096b76d6ad20
SHA1 hash: 52394fb6e4dcb23d1871b66969a679cfe27b3353
SHA256 hash: dd4a1ee600fd5b07e35d0c6953feade254da969e2b96bdd765df6fbbc561110b
MD5 hash: 8b9f61ab18bc3dbaa8cbee4baffa7798
SHA1 hash: ccdaf9117ab6819490a11c6a0f0cdbf477a359de
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RiseProStealer
File: Executable exe dd4a1ee600fd5b07e35d0c6953feade254da969e2b96bdd765df6fbbc561110b (this sample)
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_TRUST_INFO | Requires Elevated Execution (uiAccess:None) | high
Reviews
ID | Capabilities | Evidence
DP_API | Uses DP API | CRYPT32.dll::CryptUnprotectData
GDI_PLUS_API | Interfaces with Graphics | gdiplus.dll::GdiplusStartup
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteA
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryA
WIN_CRED_API | Can Manipulate Windows Credentials | ADVAPI32.dll::CredEnumerateA

Comments