MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5b544bfecc90168093fca4e129c59d8676ae5f6220d537d3b7c46a2c985a765. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5b544bfecc90168093fca4e129c59d8676ae5f6220d537d3b7c46a2c985a765
SHA3-384 hash: 2e1a8e766d9b131c23641c4a7de687502d71c5039f1cfee03f9afeb883e7248607ef86660952fe1ba48f2b75d6146e01
SHA1 hash: 07bab78c76dc7625d03514d4f6aa6d453e862732
MD5 hash: c3926d2fcc1ad39cc7d0a18fc74f126c
humanhash: uniform-rugby-carbon-crazy
File name:plana.exe
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:1'197'568 bytes
First seen:2024-02-04 07:18:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5ab723dc8d5af21b79dc301ed6a56a64 (49 x RiseProStealer, 1 x Amadey)
ssdeep 24576:bEsbjnclwspQwsbhWblPCXxoX3qwQbsiK3rJRGvFW6:uX4hWblPQoHqls3GW6
TLSH T14D4533D24A2D0A44C175E6F0145737EDCAFCBBF4C81E1B06368B9EBA90341DEAF16A45
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
Reporter JAMESWT_WT
Tags:cre8ure exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
292
Origin country :
IT IT
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/474472/
Detection(s):
PUA.Win.Packer.EnigmaProtector-12
Create hunting rule

PUA.Win.Packer.EnigmaProtector-5
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Win.Trojan.Scar-6903585-0
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm crypto enigma lolbin obfuscated packed packed setupapi shell32
Link:
https://www.filescan.io/uploads/65bf3a68b012cce0edbb8fd3/reports/4b965658-a4c6-4792-8f83-a0bcfa3f27e9/overview
Verdict:
Malicious
Labled as:
Ser.Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/e5b544bfecc90168093fca4e129c59d8676ae5f6220d537d3b7c46a2c985a765
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e205b365-f7ef-4897-bdf1-d2f9306bff51
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1386285
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Contains functionality to check for running processes (XOR)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject threads in other processes
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1386285 Sample: plana.exe Startdate: 04/02/2024 Architecture: WINDOWS Score: 100 85 youtube-ui.l.google.com 2->85 87 www3.l.google.com 2->87 89 38 other IPs or domains 2->89 121 Snort IDS alert for network traffic 2->121 123 Multi AV Scanner detection for domain / URL 2->123 125 Antivirus detection for URL or domain 2->125 127 8 other signatures 2->127 9 plana.exe 3 113 2->9         started        14 MPGPH131.exe 96 2->14         started        16 RageMP131.exe 2->16         started        18 6 other processes 2->18 signatures3 process4 dnsIp5 103 185.215.113.68 WHOLESALECONNECTIONSNL Portugal 9->103 105 109.107.182.3 TELEPORT-TV-ASRU Russian Federation 9->105 107 2 other IPs or domains 9->107 65 C:\Users\user\...\zwPhNdOQFWYgDHUr1HjI.exe, PE32 9->65 dropped 67 C:\Users\user\...\QlJg5AI34thyV5x88beP.exe, PE32 9->67 dropped 69 C:\Users\user\...OmvKa11OTqRv8n_2OOF.exe, PE32 9->69 dropped 77 13 other malicious files 9->77 dropped 141 Detected unpacking (changes PE section rights) 9->141 143 Contains functionality to check for running processes (XOR) 9->143 145 Binary is likely a compiled AutoIt script file 9->145 157 4 other signatures 9->157 20 QlJg5AI34thyV5x88beP.exe 9->20         started        23 zwPhNdOQFWYgDHUr1HjI.exe 9->23         started        25 0e6Lt6GHQ6jlAQ1_IQ8P.exe 9->25         started        35 3 other processes 9->35 71 C:\Users\user\...\oGvf23cY2B7HjduiO5lN.exe, PE32 14->71 dropped 73 C:\Users\user\...\jRe9_KillKagiciI6FRF.exe, PE32 14->73 dropped 75 C:\Users\user\...\f_nIfBTAGDQ_Pt08AJCL.exe, PE32 14->75 dropped 79 8 other malicious files 14->79 dropped 147 Multi AV Scanner detection for dropped file 14->147 149 Tries to steal Mail credentials (via file / registry access) 14->149 151 Machine Learning detection for dropped file 14->151 153 Hides threads from debuggers 16->153 155 Tries to harvest and steal browser information (history, passwords, etc) 18->155 27 firefox.exe 18->27         started        31 msedge.exe 18->31         started        33 firefox.exe 18->33         started        file6 signatures7 process8 dnsIp9 129 Multi AV Scanner detection for dropped file 20->129 131 Detected unpacking (changes PE section rights) 20->131 133 Detected unpacking (overwrites its own PE header) 20->133 139 4 other signatures 20->139 135 Binary is likely a compiled AutoIt script file 23->135 37 chrome.exe 23->37         started        40 chrome.exe 23->40         started        42 chrome.exe 23->42         started        50 9 other processes 23->50 137 Hides threads from debuggers 25->137 109 142.250.9.84 GOOGLEUS United States 27->109 111 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 27->111 117 9 other IPs or domains 27->117 81 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 27->81 dropped 83 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 27->83 dropped 113 104.76.210.77 SEABONE-NETTELECOMITALIASPARKLESpAIT United States 31->113 115 13.107.246.40 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 31->115 119 25 other IPs or domains 31->119 44 conhost.exe 35->44         started        46 conhost.exe 35->46         started        48 conhost.exe 35->48         started        file10 signatures11 process12 dnsIp13 97 192.168.2.7 unknown unknown 37->97 99 192.168.2.16 unknown unknown 37->99 101 3 other IPs or domains 37->101 52 chrome.exe 37->52         started        55 chrome.exe 40->55         started        57 chrome.exe 42->57         started        59 msedge.exe 50->59         started        61 msedge.exe 50->61         started        63 msedge.exe 50->63         started        process14 dnsIp15 91 142.250.105.101 GOOGLEUS United States 52->91 93 www.google.com 173.194.219.103 GOOGLEUS United States 52->93 95 16 other IPs or domains 52->95
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e5b544bfecc90168093fca4e129c59d8676ae5f6220d537d3b7c46a2c985a765
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e5b544bfecc90168093fca4e129c59d8676ae5f6220d537d3b7c46a2c985a765/
Threat name:
Win32.Trojan.RisePro
Create hunting rule
Status:
Malicious
First seen:
2024-02-04 07:02:41 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4w2ujp7mzeawqcj7zjhbfhcz3btwvzpweigvg7j3prdkfsmfu5sq._file
Verdict:
malicious
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro stealer
Link:
https://tria.ge/reports/240204-h5htxacbh5/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
RisePro
Malware Config
C2 Extraction:
193.233.132.62:50500
Unpacked files
SH256 hash:
e5b544bfecc90168093fca4e129c59d8676ae5f6220d537d3b7c46a2c985a765
MD5 hash:
c3926d2fcc1ad39cc7d0a18fc74f126c
SHA1 hash:
07bab78c76dc7625d03514d4f6aa6d453e862732
Detections:
SUSP_XORed_URL_In_EXE
Create hunting rule
Link:
https://www.unpac.me/results/02b30e6d-3717-4883-afb3-3d1847458210/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e5b544bfecc9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e5b544bfecc90168093fca4e129c59d8676ae5f6220d537d3b7c46a2c985a765

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:EnigmaProtector1XSukhovVladimirSergeNMarkin
Create hunting rule
Author:malware-lu
Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_e5f4703f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/474472/

Comments