MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec7ff734cf045b4323fb6796f58fd8e184c4975d25a8dc86c6ec5dda68557835. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RiseProStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 9 File information Comments

SHA256 hash:	ec7ff734cf045b4323fb6796f58fd8e184c4975d25a8dc86c6ec5dda68557835
SHA3-384 hash:	eea040f805015473bfd20a7c839b973d096a04bf2627d512ea72cc970227a583f39e6448b9a97156e00b6c94bc70b80a
SHA1 hash:	ca91eedb5e526689df3aa57b14e73cb767170a1b
MD5 hash:	4155520471d9fc535e2c951d93e848cf
humanhash:	march-jig-high-texas
File name:	4155520471d9fc535e2c951d93e848cf.exe
Download:	download sample
Signature	RiseProStealer Create hunting rule
File size:	808'960 bytes
First seen:	2023-08-15 06:01:34 UTC
Last seen:	2023-08-15 06:33:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	1e9f8c80f7736eb1ac6d7b21abe9e53a (1 x RiseProStealer, 1 x Smoke Loader, 1 x Loki)
ssdeep	12288:Hz1jZC5wLIM8rIC/noR9JG5eWpi2m8EHDwI6Y1w8f:TzCuIMqICwRLGEWUSEHDwRF8
Threatray	3 similar samples on MalwareBazaar
TLSH	T18805011373E07C63E5219B328E2A86F8772DB9184F192756223BAF2F1BB11B1C572751
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	bc9c4c4d69e8bcae (1 x RiseProStealer)
Reporter	abuse_ch
Tags:	exe RiseProStealer

Intelligence

File Origin

# of uploads :

# of downloads :

292

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

4155520471d9fc535e2c951d93e848cf.exe

Verdict:

Malicious activity

Analysis date:

2023-08-15 06:03:10 UTC

Tags:

risepro stealer evasion

Link:

https://app.any.run/tasks/0f29db77-3f4e-41d9-9814-d47cbba7ff05

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/442720/

Detection(s):

SecuriteInfo.com.Win32.TrojanX-gen.29715.5779.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

DNS request

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ec7ff734cf045b4323fb6796f58fd8e184c4975d25a8dc86c6ec5dda68557835

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b820d3ff-a4c8-47be-860c-ddf8a7b1e4b3

Result

Threat name:

PrivateLoader, RisePro Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1291261

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected PrivateLoader

Yara detected RisePro Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ec7ff734cf045b4323fb6796f58fd8e184c4975d25a8dc86c6ec5dda68557835/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2023-08-15 06:02:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5r77ongparnugi73m6lpld6y4gcmjf25ewunzbwg5ro5u2cvpa2q._file

Verdict:

malicious

RiseProStealer

25ef0f7912798ce382c529a802d817926761bb52450b2e7f74db7c7788fe6ca7

RiseProStealer

Result

Malware family:

privateloader

Score:

10/10

Tags:

family:privateloader loader spyware stealer

Link:

https://tria.ge/reports/230815-grfxqaha69/

Behaviour

Suspicious behavior: EnumeratesProcesses

Program crash

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

PrivateLoader

Malware Config

C2 Extraction:

1.1.1.1

Unpacked files

SH256 hash:

4e66999f301d51f214225313a6d1ca09a34d0747b885dd59f151a9401036eb89

MD5 hash:

e5e58b4470143d84467a140d2887597f

SHA1 hash:

aa15ada4796924a7b98b37c948df4fbadd20cf43

Detections:

RiseProXorStr

win_privateloader_w0

Link:

https://www.unpac.me/results/04a4c34a-c8be-4ada-8ea6-0495b23f186e/

SH256 hash:

ec7ff734cf045b4323fb6796f58fd8e184c4975d25a8dc86c6ec5dda68557835

MD5 hash:

4155520471d9fc535e2c951d93e848cf

SHA1 hash:

ca91eedb5e526689df3aa57b14e73cb767170a1b

Link:

https://www.unpac.me/results/04a4c34a-c8be-4ada-8ea6-0495b23f186e/

Malware family:

PrivateLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ec7ff734cf04/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	privateloader Create hunting rule
Author:	andretavare5
Description:	PrivateLoader pay-per-install malware

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

Rule name:	win_privateloader Create hunting rule
Author:	andretavare5
Reference:	https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service

Rule name:	win_privateloader_w0 Create hunting rule
Author:	andretavare5
Reference:	https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/442720/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample