MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e11d599fd72ad8e339c517202d97986b1c07af6444e1b4a0c7d89b7bbda937a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e11d599fd72ad8e339c517202d97986b1c07af6444e1b4a0c7d89b7bbda937a1
SHA3-384 hash: 3af07565a32c9b0744d1215b25571c7da890f7e6679576b633816463b7b2b6a2cf6a6c3d087c0357e7b3faad24b2fea8
SHA1 hash: ce4b54b604f7bbae2524bf53fef92c2f60f82656
MD5 hash: 42971155e95ad8ace7b6fc53d70fb952
humanhash: yankee-mango-idaho-louisiana
File name:42971155e95ad8ace7b6fc53d70fb952.exe
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'365'440 bytes
First seen:2023-11-29 14:25:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:icjGiCymFeMBTyRF2dEKsLkGrRsIKoeu8iKEZU+ToWdHK+jUdIGKuYzKZ:fjGi4EYVdyzuowSZjTo+HrLt
Threatray 397 similar samples on MalwareBazaar
TLSH T176B5335BEAE85435F8B1133014F2239369383C52AE94427B8391D85B59B3FA19D373AB
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RiseProStealer


Avatar
abuse_ch
RiseProStealer C2:
194.49.94.80:29960

Intelligence

File Origin
# of uploads :
1
# of downloads :
331
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/461207/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Modifying a system file
Creating a file
Replacing files
Launching a service
Creating a window
Searching for synchronization primitives
Sending a UDP request
Behavior that indicates a threat
Forced shutdown of a system process
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e11d599fd72ad8e339c517202d97986b1c07af6444e1b4a0c7d89b7bbda937a1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a8630611-94d0-4888-9239-e5029a02bd20
Result
Threat name:
Glupteba, PrivateLoader, RedLine, SmokeL
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1349918
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check for running processes (XOR)
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Exclude list of file types from scheduled, custom, and real-time scanning
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
UAC bypass detected (Fodhelper)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Glupteba
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1349918 Sample: KK2HUvguO3.exe Startdate: 29/11/2023 Architecture: WINDOWS Score: 100 138 pic.himanfast.com 2->138 140 ipinfo.io 2->140 162 Snort IDS alert for network traffic 2->162 164 Found malware configuration 2->164 166 Malicious sample detected (through community Yara rule) 2->166 168 19 other signatures 2->168 13 KK2HUvguO3.exe 1 4 2->13         started        16 XsdType.exe 2->16         started        19 svchost.exe 2->19         started        21 5 other processes 2->21 signatures3 process4 file5 130 C:\Users\user\AppData\Local\...\vu4lC03.exe, PE32 13->130 dropped 132 C:\Users\user\AppData\Local\...\5Wv6Ec4.exe, PE32 13->132 dropped 23 vu4lC03.exe 1 4 13->23         started        154 Antivirus detection for dropped file 16->154 156 Multi AV Scanner detection for dropped file 16->156 158 Machine Learning detection for dropped file 16->158 160 3 other signatures 16->160 27 XsdType.exe 16->27         started        signatures6 process7 file8 114 C:\Users\user\AppData\Local\...\QF5gs54.exe, PE32 23->114 dropped 116 C:\Users\user\AppData\Local\...\4JL612kV.exe, PE32 23->116 dropped 218 Antivirus detection for dropped file 23->218 220 Multi AV Scanner detection for dropped file 23->220 222 Binary is likely a compiled AutoIt script file 23->222 224 Machine Learning detection for dropped file 23->224 29 QF5gs54.exe 1 4 23->29         started        226 Writes to foreign memory regions 27->226 228 Modifies the context of a thread in another process (thread injection) 27->228 230 Sample uses process hollowing technique 27->230 232 Injects a PE file into a foreign processes 27->232 33 InstallUtil.exe 27->33         started        signatures9 process10 file11 134 C:\Users\user\AppData\Local\...\eV4ZD90.exe, PE32 29->134 dropped 136 C:\Users\user\AppData\Local\...\3MT38rf.exe, PE32 29->136 dropped 248 Antivirus detection for dropped file 29->248 250 Machine Learning detection for dropped file 29->250 35 3MT38rf.exe 29->35         started        38 eV4ZD90.exe 1 4 29->38         started        252 Modifies the context of a thread in another process (thread injection) 33->252 254 Sample uses process hollowing technique 33->254 256 Injects a PE file into a foreign processes 33->256 signatures12 process13 file14 170 Antivirus detection for dropped file 35->170 172 Machine Learning detection for dropped file 35->172 174 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 35->174 178 4 other signatures 35->178 41 explorer.exe 35->41 injected 110 C:\Users\user\AppData\Local\...\2xP4922.exe, PE32 38->110 dropped 112 C:\Users\user\AppData\Local\...\1Pj26MZ2.exe, PE32 38->112 dropped 176 Multi AV Scanner detection for dropped file 38->176 46 1Pj26MZ2.exe 1 38->46         started        48 2xP4922.exe 1 38->48         started        signatures15 process16 dnsIp17 148 185.196.8.238, 49741, 80 SIMPLECARRER2IT Switzerland 41->148 150 5.42.65.80, 49743, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 41->150 152 2 other IPs or domains 41->152 118 C:\Users\user\AppData\Local\Temp\FC4E.exe, PE32 41->118 dropped 120 C:\Users\user\AppData\Local\Temp\D7DC.exe, PE32+ 41->120 dropped 122 C:\Users\user\AppData\Local\Temp\CF40.exe, PE32 41->122 dropped 124 4 other malicious files 41->124 dropped 234 System process connects to network (likely due to code injection or exploit) 41->234 236 Benign windows process drops PE files 41->236 50 FC4E.exe 41->50         started        54 D7DC.exe 41->54         started        56 CF40.exe 41->56         started        67 6 other processes 41->67 238 Multi AV Scanner detection for dropped file 46->238 240 Contains functionality to inject code into remote processes 46->240 242 Writes to foreign memory regions 46->242 59 AppLaunch.exe 11 16 46->59         started        61 conhost.exe 46->61         started        244 Allocates memory in foreign processes 48->244 246 Injects a PE file into a foreign processes 48->246 63 AppLaunch.exe 8 4 48->63         started        65 conhost.exe 48->65         started        file18 signatures19 process20 dnsIp21 92 C:\Users\user\AppData\Local\Temp\tuc3.exe, PE32 50->92 dropped 94 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 50->94 dropped 96 C:\Users\user\AppData\Local\...\latestX.exe, PE32+ 50->96 dropped 108 2 other malicious files 50->108 dropped 180 Antivirus detection for dropped file 50->180 182 Multi AV Scanner detection for dropped file 50->182 184 Machine Learning detection for dropped file 50->184 69 31839b57a4f11171d6abc8bbc4451ee4.exe 50->69         started        72 toolspub2.exe 50->72         started        74 InstallSetup9.exe 50->74         started        77 InstallSetup9.exe 50->77         started        186 Found many strings related to Crypto-Wallets (likely being stolen) 54->186 188 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 54->188 190 Modifies the context of a thread in another process (thread injection) 54->190 192 Injects a PE file into a foreign processes 54->192 79 D7DC.exe 54->79         started        142 194.169.175.235, 42691, 49742 CLOUDCOMPUTINGDE Germany 56->142 194 Tries to harvest and steal browser information (history, passwords, etc) 56->194 144 194.49.94.152, 19053, 49736, 49737 EQUEST-ASNL unknown 59->144 146 ipinfo.io 34.117.59.81, 443, 49738 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 59->146 98 C:\Windows\System32behaviorgraphroupPolicybehaviorgraphPT.INI, ASCII 59->98 dropped 100 C:\Users\user\AppData\...\FANBooster131.exe, PE32 59->100 dropped 102 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 59->102 dropped 104 C:\ProgramData\...\OfficeTrackerNMP131.exe, PE32 59->104 dropped 196 Contains functionality to check for running processes (XOR) 59->196 198 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 59->198 200 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 59->200 202 9 other signatures 59->202 81 schtasks.exe 1 59->81         started        83 schtasks.exe 1 59->83         started        106 C:\Users\user\AppData\Local\Temp\...\1A08.tmp, PE32 67->106 dropped file22 signatures23 process24 file25 204 Antivirus detection for dropped file 69->204 206 Multi AV Scanner detection for dropped file 69->206 208 Detected unpacking (changes PE section rights) 69->208 214 5 other signatures 69->214 210 Sample uses process hollowing technique 72->210 212 Injects a PE file into a foreign processes 72->212 126 C:\Users\user\AppData\Local\Temp\Broom.exe, PE32 74->126 dropped 85 Broom.exe 74->85         started        128 C:\Users\user\AppData\Local\...\XsdType.exe, PE32+ 79->128 dropped 88 conhost.exe 81->88         started        90 conhost.exe 83->90         started        signatures26 process27 signatures28 216 Multi AV Scanner detection for dropped file 85->216
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e11d599fd72ad8e339c517202d97986b1c07af6444e1b4a0c7d89b7bbda937a1
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e11d599fd72ad8e339c517202d97986b1c07af6444e1b4a0c7d89b7bbda937a1/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-11-29 14:26:05 UTC
File Type:
PE (Exe)
Extracted files:
174
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4eovth6xflmogoofc4qc3f4ynmoapl3eitq3jigh3cnxxpnjg6qq._file
Verdict:
malicious
Similar samples:
19b2a5a72d27f8841152bca2694ce3d720dca29885a588443a375dec9c0a7b52
RiseProStealer
1d63f406d5735152484a975a6aa536758f0cca2f890c04db8bc2cd2c372393fd
RiseProStealer
279cdbdbe98ad615ecf2f4d29117506258987b3c656ee983c88fb7d0830158f8
RiseProStealer
34a44460dfa558f27fdfc643168a0190092488bb868d6533d6bd3db8c6fa317f
RiseProStealer
5148d1d1fccca6226ee17d6abe0866e4f309b8d4144d99c4a37fd4b44809566d
RiseProStealer
74e7aa1e29eee9cdd26bb113031cad7d4a3b11b40a4ee72f9408626d35973a51
RiseProStealer
78de43325deb7060aa90f6c5ca1df33beb7d1e804ed96e74784f36727e6dc83b
RiseProStealer
8f682183913956c6d0414d2ee9165d9f31957934507b4fb010e1eafd29b3cf0e
RiseProStealer
bf513791b9fbdd123aa6ec497c2c01edbe629a195ab486a6be52a22a50afdeef
RiseProStealer
c92353fc93904cff5198ccddebdd3381d94a9a4f05e8256cd96fd4c3b00bddcf
RiseProStealer
+ 387 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:privateloader family:redline family:risepro family:smokeloader family:zgrat botnet:@ytlogsbot botnet:horda botnet:livetraffic botnet:up3 backdoor brand:paypal discovery evasion infostealer loader persistence phishing rat spyware stealer trojan
Link:
https://tria.ge/reports/231129-rrt5fsha2z/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Launches sc.exe
AutoIT Executable
Detected potential entity reuse from brand paypal.
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Stops running service(s)
Detect ZGRat V1
PrivateLoader
RedLine
RedLine payload
RisePro
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
ZGRat
Malware Config
C2 Extraction:
194.49.94.152
194.49.94.152:19053
http://194.49.94.210/fks/index.php
194.169.175.235:42691
195.10.205.16:2245
Unpacked files
SH256 hash:
f8898e203e5a0b2242e8e686eca34c08813a7787a61876a78639de4d513bddc4
MD5 hash:
401c61f75f6aed9240de329e2eb08bf7
SHA1 hash:
7552415527ad7bc24bcc33b438e14e4c953116ee
Link:
https://www.unpac.me/results/41945aff-ab8e-4587-af62-20bb4ac87f7a/
SH256 hash:
7121876e8168e62a62fca1a714c7def52d217be6bfb4f6113f2f3e60e231af16
MD5 hash:
21469c814b911de5f53d22e7b750b27a
SHA1 hash:
a883beb2e5faa30fd15f71f6b9f09641db7afc53
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/41945aff-ab8e-4587-af62-20bb4ac87f7a/
SH256 hash:
c3002f02c67efc1eb06594e9bc003112bc5d15fb7e48e68bf0877882c5c2f492
MD5 hash:
6c0bd47a9f009e42a0b01019dbe145a6
SHA1 hash:
6c68d16e3eb71018690b78b7ea7e708ba58c556f
Link:
https://www.unpac.me/results/41945aff-ab8e-4587-af62-20bb4ac87f7a/
SH256 hash:
e11d599fd72ad8e339c517202d97986b1c07af6444e1b4a0c7d89b7bbda937a1
MD5 hash:
42971155e95ad8ace7b6fc53d70fb952
SHA1 hash:
ce4b54b604f7bbae2524bf53fef92c2f60f82656
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/41945aff-ab8e-4587-af62-20bb4ac87f7a/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e11d599fd72a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e11d599fd72ad8e339c517202d97986b1c07af6444e1b4a0c7d89b7bbda937a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe e11d599fd72ad8e339c517202d97986b1c07af6444e1b4a0c7d89b7bbda937a1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2735406/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/461207/

Comments