MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea560ecb6f7e6bbf73cc70b5fc1268509d89bf6162d6ff9bd775de831a1250a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea560ecb6f7e6bbf73cc70b5fc1268509d89bf6162d6ff9bd775de831a1250a2
SHA3-384 hash: a7a53f1eeb2f5f069579055eec3b1134d670e9fbf349ffda420dfb3cb898cf3fa1f4a84d53aa993f99849357832b8d7d
SHA1 hash: 9d8805acbfde18ecd9d3925411f175947cddc5d4
MD5 hash: 1fb54a25a79c11ed71b7d59efc00e3f5
humanhash: romeo-paris-bravo-angel
File name:file
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'732'544 bytes
First seen:2023-12-01 03:12:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fe9e3404bebf8b23e1a17d6558da6aa8 (14 x RiseProStealer, 2 x RedLineStealer, 1 x DarkCloud)
ssdeep 24576:8PuV4kGv046jmG9eKN96qgPt9W3O0wI4uIOP3+Hgg4jrjOKqdTza/NN/zYzMd0wu:NGv046xRS9t9TI4+QIj/OKqdTu/NN/
Threatray 902 similar samples on MalwareBazaar
TLSH T16EC5CF2574684338F8F23DB3CAE9672945EE9924DB1699E3CBF7EFE0C5481D046310A9
TrID 56.8% (.EXE) InstallShield setup (43053/19/16)
13.8% (.EXE) Win64 Executable (generic) (10523/12/4)
8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe RiseProStealer


Avatar
andretavare5
Sample downloaded from http://109.107.182.45/trend/home.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
392
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/461547/
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Forced shutdown of a system process
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/ea560ecb6f7e6bbf73cc70b5fc1268509d89bf6162d6ff9bd775de831a1250a2
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/3b7c5e4c-2456-46a3-aeab-700df74acbb7
Result
Threat name:
PrivateLoader
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1351047
Behaviour
Behavior Graph:
n/a
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ea560ecb6f7e6bbf73cc70b5fc1268509d89bf6162d6ff9bd775de831a1250a2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea560ecb6f7e6bbf73cc70b5fc1268509d89bf6162d6ff9bd775de831a1250a2/
Threat name:
Win32.Trojan.InjectorX
Create hunting rule
Status:
Malicious
First seen:
2023-12-01 03:13:05 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5jla5s3ppzv3646moc27yetikcoytp3bmllp7g6xoxpiggqskcra._file
Verdict:
unknown
Similar samples:
110a1826313185da59d2a2828662928e85d66d47fc9cd767bc5f595619ca9d67
RiseProStealer
249847f390214f0dc9ac17ec86ce90f4d85b09443aee2f5676b99c91ebf41ebc
RiseProStealer
63883d488acc679cb4e281d5d9221b8f5551900c72be3f3b77d01749bb824612
RiseProStealer
9518bc3f3049b98afe86b1d2b349938682cd218c98c3a13d8954794f8f7c0435
RiseProStealer
99215afa87182496b8365d4a9a8a8e899aaae5db367d76fd56b264d815f249e4
RiseProStealer
b28bd08fb873d88c2659bdd281337a5bc9a14224a8fcc889b685c13341d7f186
RiseProStealer
b2ce4969d9a32bb0825f61ae01a0b789f6fefab7cec1cd3eb155c2d098ac8b0b
RiseProStealer
ba5e60bcabdf755de321c87e52fb92406421d978268686b8e2a57997c2d9f25c
RiseProStealer
+ 892 additional samples on MalwareBazaar
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:privateloader family:risepro loader persistence stealer
Link:
https://tria.ge/reports/231201-dqlvssee81/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
PrivateLoader
RisePro
Malware Config
C2 Extraction:
194.49.94.152
Unpacked files
SH256 hash:
b43761ce35b1253b4b9dda987d6d58f0a68b1be30cc4d575e752a6712ae3723d
MD5 hash:
39eed45a2a1b6d6b7e0de271a9480942
SHA1 hash:
353e8d977e5c85c00102d2bd9573b4122c2c7d8c
Link:
https://www.unpac.me/results/ba5b8b29-d50c-4696-a9e5-db03d44635eb/
SH256 hash:
ea560ecb6f7e6bbf73cc70b5fc1268509d89bf6162d6ff9bd775de831a1250a2
MD5 hash:
1fb54a25a79c11ed71b7d59efc00e3f5
SHA1 hash:
9d8805acbfde18ecd9d3925411f175947cddc5d4
Link:
https://www.unpac.me/results/ba5b8b29-d50c-4696-a9e5-db03d44635eb/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ea560ecb6f7e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea560ecb6f7e6bbf73cc70b5fc1268509d89bf6162d6ff9bd775de831a1250a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2735202/
Cape
Cape
https://www.capesandbox.com/analysis/461547/

Comments