MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15
SHA3-384 hash: 6fc356bd5fb89b6120a720c07cc4b1d6fc790f1d96cd65688a9ef93beec6c267672421e74cb21a57e68e75eba6b27fac
SHA1 hash: 8586cba64216c10301b82fea8a90637b574c0540
MD5 hash: 4ee27e2086f3bae24a65d677185a98de
humanhash: violet-west-mirror-vegan
File name:SecuriteInfo.com.TScope.Malware-Cryptor.SB.26060.13321
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:3'616'768 bytes
First seen:2024-02-21 16:20:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 98304:pQGxD61kWfdBnwZrU2j7A6F+eRvSQCKZUxR:SGxABwZ5/Aq+eHhZUxR
TLSH T10DF533AA2A00D779D14FA636205FD51EA33DFFF065AFA4D90D4A0316C6902AE77013E6
TrID 52.9% (.EXE) Win32 Executable (generic) (4504/4/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
Reporter SecuriteInfoCom
Tags:exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
346
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/477329/
Detection(s):
SecuriteInfo.com.TScope.Malware-Cryptor.SB.26060.13321.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a window
Launching a process
Searching for the browser window
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/65d622fab7fbcf60a4761804/reports/8e37f995-5442-41ef-83bd-92b99e4a1a22/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/86f96233-e717-4bcc-ba4f-aab5e022c213
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1396314
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Contains functionality to check for running processes (XOR)
Contains functionality to inject threads in other processes
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Downloads suspicious files via Chrome
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites Mozilla Firefox settings
PE file contains section with special chars
PE file has nameless sections
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1396314 Sample: SecuriteInfo.com.TScope.Mal... Startdate: 21/02/2024 Architecture: WINDOWS Score: 100 122 Antivirus detection for URL or domain 2->122 124 Antivirus detection for dropped file 2->124 126 Multi AV Scanner detection for submitted file 2->126 128 6 other signatures 2->128 8 SecuriteInfo.com.TScope.Malware-Cryptor.SB.26060.13321.exe 6 2->8         started        12 MPGPH131.exe 2->12         started        14 MPGPH131.exe 2->14         started        16 4 other processes 2->16 process3 dnsIp4 76 C:\Users\user\AppData\Local\...\sqls109.exe, PE32 8->76 dropped 78 C:\Users\user\AppData\Local\...\drivEn850.exe, PE32 8->78 dropped 140 Detected unpacking (changes PE section rights) 8->140 142 Binary is likely a compiled AutoIt script file 8->142 144 Tries to detect sandboxes and other dynamic analysis tools (window names) 8->144 156 5 other signatures 8->156 19 drivEn850.exe 2 91 8->19         started        24 sqls109.exe 13 8->24         started        88 10 other malicious files 12->88 dropped 146 Tries to steal Mail credentials (via file / registry access) 12->146 148 Machine Learning detection for dropped file 12->148 80 C:\Users\user\...\yArMncF8xElS3I71wxNf.exe, PE32 14->80 dropped 82 C:\Users\user\...\n0jut4Mwil9iKztmhBqq.exe, PE32 14->82 dropped 90 9 other malicious files 14->90 dropped 150 Tries to harvest and steal browser information (history, passwords, etc) 14->150 94 18.160.213.123 MIT-GATEWAYSUS United States 16->94 96 142.250.65.238 GOOGLEUS United States 16->96 98 18 other IPs or domains 16->98 84 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 16->84 dropped 86 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 16->86 dropped 92 4 other malicious files 16->92 dropped 152 Overwrites Mozilla Firefox settings 16->152 154 Maps a DLL or memory area into another process 16->154 26 firefox.exe 16->26         started        28 msedge.exe 16->28         started        30 firefox.exe 16->30         started        32 10 other processes 16->32 file5 signatures6 process7 dnsIp8 100 185.215.113.46 WHOLESALECONNECTIONSNL Portugal 19->100 102 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 19->102 68 C:\Users\user\...\lIrHyVckAMNK4IWti7tK.exe, PE32 19->68 dropped 70 C:\Users\user\...\RZuS8cvyM03rdiKFHSV7.exe, PE32 19->70 dropped 72 C:\Users\user\...\6fMdpwOenMOPeN0kZC5w.exe, PE32 19->72 dropped 74 11 other malicious files 19->74 dropped 130 Contains functionality to check for running processes (XOR) 19->130 132 Binary is likely a compiled AutoIt script file 19->132 134 Tries to steal Mail credentials (via file / registry access) 19->134 138 3 other signatures 19->138 34 schtasks.exe 19->34         started        36 schtasks.exe 19->36         started        136 Multi AV Scanner detection for dropped file 24->136 38 chrome.exe 24->38         started        41 chrome.exe 24->41         started        43 chrome.exe 24->43         started        47 10 other processes 24->47 45 firefox.exe 26->45         started        104 13.107.21.200 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 28->104 106 13.107.213.40 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 28->106 108 21 other IPs or domains 28->108 file9 signatures10 process11 dnsIp12 49 conhost.exe 34->49         started        116 192.168.2.4 unknown unknown 38->116 118 192.168.2.5 unknown unknown 38->118 120 2 other IPs or domains 38->120 51 chrome.exe 38->51         started        66 2 other processes 38->66 54 chrome.exe 41->54         started        56 chrome.exe 43->56         started        58 chrome.exe 47->58         started        60 msedge.exe 47->60         started        62 msedge.exe 47->62         started        64 msedge.exe 47->64         started        process13 dnsIp14 110 13.107.42.14 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 51->110 112 144.2.9.1 LINKEDINUS Netherlands 51->112 114 49 other IPs or domains 51->114
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-02-21 16:21:11 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4wdl6f2wnoiyrojhicl534czz4qfng4hovhtrzdayl6yqsxirikq._file
Verdict:
unknown
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro brand:google evasion phishing stealer
Link:
https://tria.ge/reports/240221-ttmt9sag9w/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Detected google phishing page
RisePro
Malware Config
C2 Extraction:
193.233.132.62:50500
Unpacked files
SH256 hash:
ee3c5cd2b9229b2cd9a1f027fb11e633351b159c114c6778f926be34bde1a7bf
MD5 hash:
bee5186d252b3377c99c7fc919740162
SHA1 hash:
f7bc080ba9fab7dedfeabb2efd49168578a2152b
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/920df92c-1e9f-4114-8498-fa5eae5504fc/
SH256 hash:
1ebbafe5f133cc75dde1a3569c29258a9e41ea56fc7910e977a7eb003fe482e0
MD5 hash:
6602ff4af6144bfdbabada3c2edd2df4
SHA1 hash:
b15bccd4d631b6b203494f169131bf326fd7fd35
Link:
https://www.unpac.me/results/920df92c-1e9f-4114-8498-fa5eae5504fc/
SH256 hash:
e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15
MD5 hash:
4ee27e2086f3bae24a65d677185a98de
SHA1 hash:
8586cba64216c10301b82fea8a90637b574c0540
Link:
https://www.unpac.me/results/920df92c-1e9f-4114-8498-fa5eae5504fc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e586bf17566b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2766691/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/477329/

Comments