MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7cb9f69e8d66fa7990692922dfb473759e0c107fad7d256f875f55b36184feb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RiseProStealer

Vendor detections: 11


SHA256 hash: e7cb9f69e8d66fa7990692922dfb473759e0c107fad7d256f875f55b36184feb
SHA3-384 hash: 567ceb0af34c68ca561120209fa9d1919c15abf3905cbebebcc42b05200d27a58517f8a4e0aae364f9df42113e3f015e
SHA1 hash: 01ec2887f9273385d9614fc49ab12e4173d3c4f3
MD5 hash: b32bbdec2f4265130cc68c72064f8762
humanhash: connecticut-echo-summer-oven
File name: SecuriteInfo.com.Win32.TrojanX-gen.27291.31609
Signature: RiseProStealer
File size: 2'349'568 bytes
First seen: 2024-01-31 18:22:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep: 49152:XcOYMy/6LPyvl+uAf61DgwqL4LMgDTbKlw70dalV25UGfCqr:sOYMhLKMN6GwqLCMgD3Rn
Threatray: 88 similar samples on MalwareBazaar
TLSH: T1B1B533F744F35084C16743B47A5EDE00880BBC9F40268269B929F593D3BFAB5E19AE53
TrID: 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      28.9% (.EXE) Win32 Executable (generic) (4505/5/1)
      13.0% (.EXE) OS/2 Executable (generic) (2029/13)
      12.8% (.EXE) Generic Win/DOS Executable (2002/3)
      12.8% (.EXE) DOS Executable Generic (2000/1)
dhash icon: cc31e8cccce833cc (116 x RiseProStealer, 1 x Amadey)
Reporter: SecuriteInfoCom
Tags: exe RiseProStealer

Intelligence

File Origin
# of uploads: 1
# of downloads: 284
Origin country: FR

Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed packed risepro themidawinlicense
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, PureLog Stealer, RisePro Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Downloads suspicious files via Chrome
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Yara detected PureLog Stealer
Yara detected RisePro Stealer
Behaviour
Behavior Graph: (rendered process/network graph not reproduced here) Behavior Graph ID: 1384303; Sample: SecuriteInfo.com.Win32.Troj...; Startdate: 31/01/2024; Architecture: WINDOWS; Score: 100
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2024-01-31 18:23:09 UTC
File Type: PE (Exe)
Extracted files: 7
AV detection: 21 of 24 (87.50%)
Threat level: 5/5
Result
Malware family: risepro
Score: 10/10
Tags: family:risepro evasion stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction: 193.233.132.62:50500
Unpacked files
SHA256 hash: 94b235be39ad791d0ed6d2b5c8e462624cae00f294d94af9f0a8d82f2dd78ddf
MD5 hash: bc894958e5b0fe263799055bcd579117
SHA1 hash: c6c14767b1d237b6dceedbfd61bc9757eaf3754b
SHA256 hash: e7cb9f69e8d66fa7990692922dfb473759e0c107fad7d256f875f55b36184feb
MD5 hash: b32bbdec2f4265130cc68c72064f8762
SHA1 hash: 01ec2887f9273385d9614fc49ab12e4173d3c4f3
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: RiseProStealer
File: Executable exe e7cb9f69e8d66fa7990692922dfb473759e0c107fad7d256f875f55b36184feb (this sample)
Delivery method: Distributed via web download

Comments