MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df745498beb66de29aa9efa2356e6d18e59c37e498cfaa64d130551f0f96a5cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df745498beb66de29aa9efa2356e6d18e59c37e498cfaa64d130551f0f96a5cb
SHA3-384 hash: e1c79b5d810ea5eb281d44fb9373ab203550cc95109859f9a147d12c0e8efea1ef47ed42a1d28a7f956169ed026f7106
SHA1 hash: 410ef9ce65ef3182685f0b7089b60b4228beaf97
MD5 hash: 1f733cd5d76cf3cbb83c64d6f55fba40
humanhash: timing-friend-diet-helium
File name:SecuriteInfo.com.Win32.TrojanX-gen.4427.10990
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:1'540'064 bytes
First seen:2024-01-19 15:23:47 UTC
Last seen:2024-01-20 06:09:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:n+JbKhIA8jhCeERBXNx71TFJL4UOzCxbT+xrskA4BccVD69+zF3UNisXIkca:n+5s0h3E7N8URBT+Zsk3BjD6w3e9hf
Threatray 6 similar samples on MalwareBazaar
TLSH T1F16533931A1BD97CC53B7476F842D132BF56A3C94E47862AA189D9BECC0275B77C2023
TrID 66.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.5% (.EXE) Win64 Executable (generic) (10523/12/4)
5.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:exe RiseProStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
352
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
c1a94b4836ce341261dafddcdd0b7f2fb0d8974418cfe37bfe4edac452966dcf.exe
Verdict:
Malicious activity
Analysis date:
2024-01-19 15:40:20 UTC
Tags:
loader smoke smokeloader risepro
Link:
https://app.any.run/tasks/970ac437-c61b-4673-a7f1-7d6223f73d3e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/471694/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.4427.10990.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Creating a file in the %temp% directory
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Сreating synchronization primitives
Reading critical registry keys
Creating a process from a recently created file
Creating a window
Launching a service
Searching for synchronization primitives
Creating a process with a hidden window
Searching for the browser window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a recently created process
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/65aa9415d1ae2d05b96c56a4/reports/21b4c94b-5bd2-482a-aa88-9fd96b6e74d4/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/df745498beb66de29aa9efa2356e6d18e59c37e498cfaa64d130551f0f96a5cb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8f03e95a-1b56-4bc4-9d3d-ba179a7432e3
Result
Threat name:
Amadey, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1377534
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to check for running processes (XOR)
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Downloads suspicious files via Chrome
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1377534 Sample: SecuriteInfo.com.Win32.Troj... Startdate: 19/01/2024 Architecture: WINDOWS Score: 100 109 telemetry-incoming.r53-2.services.mozilla.com 2->109 111 sni1gl.wpc.nucdn.net 2->111 113 14 other IPs or domains 2->113 145 Snort IDS alert for network traffic 2->145 147 Found malware configuration 2->147 149 Antivirus detection for URL or domain 2->149 151 12 other signatures 2->151 10 SecuriteInfo.com.Win32.TrojanX-gen.4427.10990.exe 1 2->10         started        13 msedge.exe 2->13         started        16 firefox.exe 2->16         started        18 9 other processes 2->18 signatures3 process4 file5 177 Contains functionality to inject code into remote processes 10->177 179 Writes to foreign memory regions 10->179 181 Allocates memory in foreign processes 10->181 183 Injects a PE file into a foreign processes 10->183 20 RegAsm.exe 2 104 10->20         started        101 C:\Users\user\AppData\...\content_new.js, Unicode 13->101 dropped 103 C:\Users\user\AppData\Local\...\content.js, Unicode 13->103 dropped 105 C:\Users\user\...\page_embed_script.js, ASCII 13->105 dropped 107 C:\Users\user\...\eventpage_bin_prod.js, ASCII 13->107 dropped 25 msedge.exe 13->25         started        27 msedge.exe 13->27         started        29 firefox.exe 16->29         started        31 conhost.exe 18->31         started        33 conhost.exe 18->33         started        35 conhost.exe 18->35         started        37 5 other processes 18->37 signatures6 process7 dnsIp8 115 185.215.113.68 WHOLESALECONNECTIONSNL Portugal 20->115 117 109.107.182.3 TELEPORT-TV-ASRU Russian Federation 20->117 123 2 other IPs or domains 20->123 87 C:\Users\user\...\alPDwL1vSfQ2vpzwDeCv.exe, PE32 20->87 dropped 89 C:\Users\user\...\FePN1b9nIBSG43EvBV3i.exe, PE32 20->89 dropped 91 C:\Users\user\...\B2IBtlPrlgJJI0GahF0N.exe, PE32 20->91 dropped 97 10 other files (3 malicious) 20->97 dropped 153 Contains functionality to check for running processes (XOR) 20->153 155 Tries to steal Mail credentials (via file / registry access) 20->155 157 Found stalling execution ending in API Sleep call 20->157 159 5 other signatures 20->159 39 5kyIIkalJafyc2d4MAnc.exe 20->39         started        43 FePN1b9nIBSG43EvBV3i.exe 20->43         started        45 alPDwL1vSfQ2vpzwDeCv.exe 20->45         started        47 6 other processes 20->47 119 13.107.213.40 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 25->119 121 b-0005.b-dc-msedge.net 13.107.9.158 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 25->121 125 18 other IPs or domains 25->125 127 6 other IPs or domains 29->127 93 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 29->93 dropped 95 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 29->95 dropped file9 signatures10 process11 file12 99 C:\Users\user\AppData\Local\...\explorhe.exe, PE32 39->99 dropped 161 Detected unpacking (changes PE section rights) 39->161 49 explorhe.exe 39->49         started        163 Modifies windows update settings 43->163 165 Disables Windows Defender Tamper protection 43->165 167 Disable Windows Defender notifications (registry) 43->167 169 Disable Windows Defender real time protection (registry) 43->169 171 Binary is likely a compiled AutoIt script file 45->171 173 Found API chain indicative of sandbox detection 45->173 53 chrome.exe 45->53         started        56 chrome.exe 45->56         started        58 chrome.exe 45->58         started        66 9 other processes 45->66 175 Hides threads from debuggers 47->175 60 conhost.exe 47->60         started        62 conhost.exe 47->62         started        64 conhost.exe 47->64         started        68 2 other processes 47->68 signatures13 process14 dnsIp15 83 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 49->83 dropped 85 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 49->85 dropped 139 Detected unpacking (changes PE section rights) 49->139 141 Creates an undocumented autostart registry key 49->141 143 Hides threads from debuggers 49->143 129 192.168.2.5 unknown unknown 53->129 131 239.255.255.250 unknown Reserved 53->131 70 chrome.exe 53->70         started        73 chrome.exe 56->73         started        75 chrome.exe 58->75         started        77 msedge.exe 66->77         started        79 msedge.exe 66->79         started        81 msedge.exe 66->81         started        file16 signatures17 process18 dnsIp19 133 108.177.122.93 GOOGLEUS United States 70->133 135 play.google.com 142.250.105.101 GOOGLEUS United States 70->135 137 33 other IPs or domains 70->137
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/df745498beb66de29aa9efa2356e6d18e59c37e498cfaa64d130551f0f96a5cb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/df745498beb66de29aa9efa2356e6d18e59c37e498cfaa64d130551f0f96a5cb/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-01-19 15:24:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=352fjgf6wzw6fgvj56rdk3tnddszyn7etdh2uzgrgbkr6d4wuxfq._file
Verdict:
unknown
Similar samples:
0b891e136711ba923d7bc6e78591e3764354aa85b36e0157836c7d98979d72fd
RiseProStealer
4a821767c6ce723e6fb4b8d54efd52df6cbd63fc0de47a7b8b39a6ec72b4be69
RiseProStealer
ff6d1e2e67efbf5eae5a6814c8655423e67f48fc8c2375d158e0c1f8e3e9e144
RiseProStealer
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro stealer
Link:
https://tria.ge/reports/240119-ss2flageek/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
RisePro
Malware Config
C2 Extraction:
193.233.132.62:50500
Unpacked files
SH256 hash:
510e8661513dba0e7ec7b3071525847745575a2641c328b76d971b98738cce31
MD5 hash:
bc281a96587759e7af8d88f7ff8b9650
SHA1 hash:
139eaeb032ab0a44eab04715b9a6ce595caf1d64
Link:
https://www.unpac.me/results/f9049e3f-2def-4a38-94c5-a3e0490829d5/
SH256 hash:
df745498beb66de29aa9efa2356e6d18e59c37e498cfaa64d130551f0f96a5cb
MD5 hash:
1f733cd5d76cf3cbb83c64d6f55fba40
SHA1 hash:
410ef9ce65ef3182685f0b7089b60b4228beaf97
Link:
https://www.unpac.me/results/f9049e3f-2def-4a38-94c5-a3e0490829d5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/df745498beb6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/df745498beb66de29aa9efa2356e6d18e59c37e498cfaa64d130551f0f96a5cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe df745498beb66de29aa9efa2356e6d18e59c37e498cfaa64d130551f0f96a5cb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2749367/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2749079/
Cape
Cape
https://www.capesandbox.com/analysis/471694/

Comments