MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e687e7e2cb7285131d5f0165e7ab0c41db677adadb8773190c9d1a5d69141c13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RiseProStealer


Vendor detections: 11



SHA256 hash: e687e7e2cb7285131d5f0165e7ab0c41db677adadb8773190c9d1a5d69141c13
SHA3-384 hash: b2209e9854cabfab4522ac8dc5cac4b16894884ca1bcbe34270f2518eb907a9bfe33d3340f3f7b5616e2e6824fb052e2
SHA1 hash: 101c469f7b7ddb95aa60e0c0bec5511726683dc7
MD5 hash: a5df9676d4d3f2558d19e17a527f8bbd
humanhash: football-coffee-colorado-one
File name: A5DF9676D4D3F2558D19E17A527F8BBD.exe
Signature: RiseProStealer
File size: 2'390'528 bytes
First seen: 2023-11-30 08:30:13 UTC
Last seen: 2023-11-30 10:29:47 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'647 x Formbook, 12'245 x SnakeKeylogger)
ssdeep: 49152:LoSQUYuqyBQJrpEpGhl5kRLjrvngD9z/npTjzTPOQt:8KYuHyzF3TO
Threatray: 48 similar samples on MalwareBazaar
TLSH: T103B5F523BE87C9E3C6891B37C696460403B7D5866713D73A398E23291843F7F5D4A98B
TrID:
  60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.8% (.SCR) Windows screen saver (13097/50/3)
  8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter: abuse_ch
Tags: exe RiseProStealer


abuse_ch
RiseProStealer C2:
5.188.159.44:50500

Intelligence


File Origin
# of uploads: 2
# of downloads: 314
Origin country: NL
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Sending a custom TCP request
Launching a process
Creating a file
Creating a file in the %temp% subdirectories
Creating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RisePro Stealer, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected RisePro Stealer
Yara detected Vidar stealer
Threat name: ByteCode-MSIL.Trojan.GenSteal
Status: Malicious
First seen: 2023-11-27 10:30:01 UTC
File Type: PE (.Net Exe)
Extracted files: 4
AV detection: 16 of 23 (69.57%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: collection discovery spyware stealer
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
Detections: INDICATOR_EXE_Packed_SmartAssembly
Detections: INDICATOR_EXE_Packed_ConfuserEx
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments