MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea7975f780dd74ea5e9f3b98ac42c989fbbf614404e908b5dbd3cd1cb05ab6ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea7975f780dd74ea5e9f3b98ac42c989fbbf614404e908b5dbd3cd1cb05ab6ea
SHA3-384 hash: 6d65034d17060dc50127816d02725049d57d801a5cebf74396edb1bcc1a5dc0d8dea20e8cdc7d781efeb06c254d0ff0d
SHA1 hash: bfc746722d564c4d66c6f57b45d522cee7ce27f3
MD5 hash: 63451753004bc1ab0766995f6bb6df5f
humanhash: spring-social-delaware-kansas
File name:file
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:821'248 bytes
First seen:2023-12-16 18:01:14 UTC
Last seen:2023-12-16 19:28:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:vKtrEjLmF/l8oBimvYPD1FlsAYtLJp3tPBU3QEQWJ9Ts4HaSv4MehIPViF2cMFqU:ytruAl8oBi
Threatray 88 similar samples on MalwareBazaar
TLSH T1A205999D765071DFC86BC972CEA82C64FA6074BB931B9207901315EDAE0D99BDF180F2
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter jstrosch
Tags:.NET exe MSIL RiseProStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
365
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
109.107.182.3
Verdict:
Malicious activity
Analysis date:
2023-12-16 17:51:47 UTC
Tags:
risepro stealer evasion
Link:
https://app.any.run/tasks/b50694e5-bd23-49e4-a691-a2b6d2d810b2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/468082/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.25223.7734.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file
Creating a file in the %temp% subdirectories
Running batch commands
Searching for the window
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
confuserex crypto lolbin lolbin packed replace setupapi
Link:
https://www.filescan.io/uploads/657de61f6b1c246046f71cae/reports/ea82c5cc-0b7b-4830-9e19-2bd954c59320/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/ea7975f780dd74ea5e9f3b98ac42c989fbbf614404e908b5dbd3cd1cb05ab6ea
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dd60cb02-277b-4c60-b49c-0e5f034d8785
Result
Threat name:
RisePro Stealer, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1363464
Signature
.NET source code contains very large array initializations
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1363464 Sample: file.exe Startdate: 16/12/2023 Architecture: WINDOWS Score: 100 74 ipinfo.io 2->74 80 Snort IDS alert for network traffic 2->80 82 Multi AV Scanner detection for submitted file 2->82 84 Yara detected RisePro Stealer 2->84 86 3 other signatures 2->86 8 file.exe 21 72 2->8         started        13 OfficeTrackerNMP131.exe 2->13         started        15 FANBooster131.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 76 91.92.249.253, 49704, 49707, 49713 THEZONEBG Bulgaria 8->76 78 ipinfo.io 34.117.186.192, 443, 49705, 49709 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->78 56 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 8->56 dropped 68 4 other malicious files 8->68 dropped 92 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->92 94 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 8->94 96 Found many strings related to Crypto-Wallets (likely being stolen) 8->96 112 2 other signatures 8->112 19 cmd.exe 8->19         started        22 powershell.exe 19 8->22         started        24 cmd.exe 8->24         started        32 12 other processes 8->32 58 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 13->58 dropped 60 C:\...\xHkWjRGzcKhzud93R1SuH1IFudUim1Zj.zip, Zip 13->60 dropped 98 Multi AV Scanner detection for dropped file 13->98 100 Machine Learning detection for dropped file 13->100 102 Modifies Windows Defender protection settings 13->102 26 powershell.exe 13->26         started        34 12 other processes 13->34 70 2 other malicious files 15->70 dropped 104 Tries to steal Mail credentials (via file / registry access) 15->104 106 Tries to harvest and steal browser information (history, passwords, etc) 15->106 108 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 15->108 28 WerFault.exe 15->28         started        62 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 17->62 dropped 64 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 17->64 dropped 66 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 17->66 dropped 72 3 other malicious files 17->72 dropped 110 Queries memory information (via WMI often done to detect virtual machines) 17->110 30 powershell.exe 17->30         started        36 14 other processes 17->36 file6 signatures7 process8 signatures9 88 Uses schtasks.exe or at.exe to add and modify task schedules 19->88 46 2 other processes 19->46 90 Found many strings related to Crypto-Wallets (likely being stolen) 22->90 38 conhost.exe 22->38         started        48 2 other processes 24->48 40 conhost.exe 26->40         started        42 conhost.exe 30->42         started        44 conhost.exe 32->44         started        50 10 other processes 32->50 52 11 other processes 34->52 54 11 other processes 36->54 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ea7975f780dd74ea5e9f3b98ac42c989fbbf614404e908b5dbd3cd1cb05ab6ea
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea7975f780dd74ea5e9f3b98ac42c989fbbf614404e908b5dbd3cd1cb05ab6ea/
Threat name:
ByteCode-MSIL.Trojan.RiseProStealer
Create hunting rule
Status:
Malicious
First seen:
2023-12-16 18:02:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5j4xl54a3v2ouxu7homkyqwjrh536ykeatuqrno32pgrzmc2w3va._file
Verdict:
malicious
Similar samples:
25b01c01be6785c8779e7a68dbbc002e1228dda16874aad8f552b39f63cb2bea
RiseProStealer
38b996babe91a3ea4fac1e349e0723d40621107dfd34f14bd2d4764fbb695b31
RiseProStealer
4c5609ce8dd9b57e711e6c032032ec2fdadf0a3eb89a044847e3e6f85a603e30
RiseProStealer
ada55b3992eec712e70558797f967f29de65052612874b3455b9230d847ed219
RiseProStealer
af1a26b503f91e02a849536f18cc7dc1557e6e370e91406bdc35026133747fa0
RiseProStealer
fec610ca26bf6c17e72f75f72a5ba1ccf4500fb3510420b29686e09338d14128
RiseProStealer
+ 78 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection discovery evasion persistence spyware stealer trojan
Link:
https://tria.ge/reports/231216-wmftgscdhr/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
ea7975f780dd74ea5e9f3b98ac42c989fbbf614404e908b5dbd3cd1cb05ab6ea
MD5 hash:
63451753004bc1ab0766995f6bb6df5f
SHA1 hash:
bfc746722d564c4d66c6f57b45d522cee7ce27f3
Detections:
INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Link:
https://www.unpac.me/results/8a7118d7-da0e-4552-980e-d370521a5ccf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea7975f780dd74ea5e9f3b98ac42c989fbbf614404e908b5dbd3cd1cb05ab6ea

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe ea7975f780dd74ea5e9f3b98ac42c989fbbf614404e908b5dbd3cd1cb05ab6ea

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2741066/
Cape
Cape
https://www.capesandbox.com/analysis/468082/

Comments