MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e426483523272b12ad20e3e8caae7c0e2a889266b0845cacbefa6ca5c7312388. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e426483523272b12ad20e3e8caae7c0e2a889266b0845cacbefa6ca5c7312388
SHA3-384 hash: 95b0fadb83b66cdd66db456197532d16d22744b1fdf6ced1758f4312730b37a90ed562fe289d8571a837abaa20f0183c
SHA1 hash: 30fba8de90ff7713a2bbc7653c59cf721b8e2fff
MD5 hash: f23b91db5b62d695eed024194e04ee74
humanhash: mango-mockingbird-montana-spaghetti
File name:file
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:4'393'472 bytes
First seen:2024-02-10 11:44:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 110a9f45d4a7b5222808ebecd21907e8 (5 x RiseProStealer)
ssdeep 98304:RyedtYnOE8EZCbxtS/Fp5eHyvdJx72t5BAFkvidD6ze:RyecOE84EXY5HdnovgkvaD6
TLSH T1F7163390E349BD6FCFEEEEB318802617AF1C5575895740EDB80F361A05ABB5F4B109A0
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 00d4c4c4cccc9400 (2 x RiseProStealer)
Reporter Bitsight
Tags:exe RiseProStealer


Avatar
Bitsight
url: https://vk.com/doc481075715_673623430?hash=ZgEb7ZPdlgyqKFCdkWoiiBayaLe95XePEKcv9tpgctc&dl=NfmlRoBZJBmaScHbx8AsZB92CB7lfqEoBSTQGIU8EXk&api=1&no_preview=1#retailer_rise

Intelligence

File Origin
# of uploads :
1
# of downloads :
395
Origin country :
US US
Vendor Threat Intelligence
Malware family:
purplefox
Create hunting rule
ID:
1
File name:
4363463463464363463463463.exe
Verdict:
Malicious activity
Analysis date:
2024-02-11 02:00:22 UTC
Tags:
opendir loader purplefox backdoor rhadamanthys stealer hausbomber nitol azorult ammyy remote evasion risepro gcleaner dcrat rat stealc phorpiex trojan amadey redline asyncrat xworm lumma vidar arechclient2 vodkagats keylogger remcos
Link:
https://app.any.run/tasks/0b29c856-6200-47f5-93a5-6ea0dc4d10bf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/475685/
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm crypto lolbin packed packed risepro setupapi shell32 themidawinlicense
Link:
https://www.filescan.io/uploads/65c761c3ac375bec15e2a787/reports/e5fd187a-ed20-4a4d-91b4-50ff1bb10b7d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/e426483523272b12ad20e3e8caae7c0e2a889266b0845cacbefa6ca5c7312388
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3b728ed2-33a7-480f-9956-88b3dc911e04
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1390154
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1390154 Sample: file.exe Startdate: 10/02/2024 Architecture: WINDOWS Score: 100 38 ipinfo.io 2->38 46 Snort IDS alert for network traffic 2->46 48 Multi AV Scanner detection for domain / URL 2->48 50 Antivirus detection for URL or domain 2->50 52 7 other signatures 2->52 8 file.exe 1 77 2->8         started        13 AdobeUpdaterV1.exe 2 2->13         started        15 MSIUpdaterV1.exe 2 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 40 193.233.132.67, 49729, 49737, 49738 FREE-NET-ASFREEnetEU Russian Federation 8->40 42 ipinfo.io 34.117.186.192, 443, 49730, 49739 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->42 44 195.20.16.46, 49731, 80 EITADAT-ASFI Finland 8->44 30 C:\Users\user\...\ZBtadCmgcCmvkggqaX7p.exe, PE32 8->30 dropped 32 C:\Users\user\AppData\...\RetailerRise[1].exe, PE32 8->32 dropped 34 C:\Users\user\AppData\...\AdobeUpdaterV1.exe, PE32 8->34 dropped 36 2 other malicious files 8->36 dropped 62 Query firmware table information (likely to detect VMs) 8->62 64 Tries to steal Mail credentials (via file / registry access) 8->64 66 Uses schtasks.exe or at.exe to add and modify task schedules 8->66 68 Tries to harvest and steal browser information (history, passwords, etc) 8->68 19 ZBtadCmgcCmvkggqaX7p.exe 2 8->19         started        22 schtasks.exe 1 8->22         started        24 schtasks.exe 1 8->24         started        70 Antivirus detection for dropped file 13->70 72 Tries to detect sandboxes and other dynamic analysis tools (window names) 13->72 74 Machine Learning detection for dropped file 13->74 76 Hides threads from debuggers 15->76 78 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->78 80 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 15->80 82 Multi AV Scanner detection for dropped file 17->82 file6 signatures7 process8 signatures9 54 Antivirus detection for dropped file 19->54 56 Query firmware table information (likely to detect VMs) 19->56 58 Machine Learning detection for dropped file 19->58 60 3 other signatures 19->60 26 conhost.exe 22->26         started        28 conhost.exe 24->28         started        process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e426483523272b12ad20e3e8caae7c0e2a889266b0845cacbefa6ca5c7312388
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e426483523272b12ad20e3e8caae7c0e2a889266b0845cacbefa6ca5c7312388/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4qteqnjde4vrflja4pumvlt4byviretgwccfzlf67jwklrzreoea._file
Verdict:
unknown
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer themida trojan
Link:
https://tria.ge/reports/240210-nwqq2sdf28/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.67:50500
Unpacked files
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/e61a29c8-9b5d-47e2-951d-07cad7f4b7cf/
SH256 hash:
e497f31c9cebcac2b90695a6b53f552a9d581b119c2e8be3bf300c08169239d8
MD5 hash:
7d9da2d2190f5f7cfea593cc38994eb4
SHA1 hash:
f1f69320f5cc6146483e4d9bbdd0b6a9ab1853c6
Detections:
INDICATOR_EXE_Packed_Themida
Create hunting rule
Link:
https://www.unpac.me/results/e61a29c8-9b5d-47e2-951d-07cad7f4b7cf/
SH256 hash:
e426483523272b12ad20e3e8caae7c0e2a889266b0845cacbefa6ca5c7312388
MD5 hash:
f23b91db5b62d695eed024194e04ee74
SHA1 hash:
30fba8de90ff7713a2bbc7653c59cf721b8e2fff
Detections:
INDICATOR_EXE_Packed_Themida
Create hunting rule
Link:
https://www.unpac.me/results/e61a29c8-9b5d-47e2-951d-07cad7f4b7cf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e426483523272b12ad20e3e8caae7c0e2a889266b0845cacbefa6ca5c7312388

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_e5f4703f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe e426483523272b12ad20e3e8caae7c0e2a889266b0845cacbefa6ca5c7312388

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/475685/
  
URLhaus
https://urlhaus.abuse.ch/url/2757109/

Comments