MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed73c1f42bef4d474a0eb9d82ff1257f291b9b13b3dfa73d378afbe061766f5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RisePro

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	ed73c1f42bef4d474a0eb9d82ff1257f291b9b13b3dfa73d378afbe061766f5a
SHA3-384 hash:	d79b122049251f8e02a4d4df962ff04b3d8ac231aa99453fa7bdd3d709a6e6a2c59f06d7f6d2fa8e7af5bbcfbb334e39
SHA1 hash:	6acd54d3554972894ad1641e95ef3b93d5df1798
MD5 hash:	37ce0f548dd7b78e8537ed6a60a05e46
humanhash:	ink-october-four-mars
File name:	WEXTRACT.exe
Download:	download sample
Signature	RisePro Create hunting rule
File size:	1'260'032 bytes
First seen:	2023-12-24 20:29:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep	24576:XyPiVln+nzdnhmM2d6/k9oBlQTWnlpvluaAvdy09jfmp0m:iPiVl+12dFelDnlBUaAly0Bf
Threatray	122 similar samples on MalwareBazaar
TLSH	T1AD452363A7D0547AC8B12BB098F717831B36FDA64D74879E331265AD1C325A4B73232B
TrID	41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 7.5% (.EXE) Win64 Executable (generic) (10523/12/4) 4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter	adm1n_usa32
Tags:	exe RisePro RiseProStealer WEXTRACT

Intelligence

File Origin

# of uploads :

# of downloads :

324

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

wextract2.exe

Verdict:

Malicious activity

Analysis date:

2023-12-24 20:37:15 UTC

Tags:

risepro

Link:

https://app.any.run/tasks/30f3ba15-43d7-4f8c-bf94-fb71af23c202

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RisePro

Link:

https://www.capesandbox.com/analysis/469262/

Detection(s):

Sanesecurity.Malware.28840.BadO.UNOFFICIAL

Win.Packed.Stealerc-10017072-0

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Creating a window

Launching a process

Behavior that indicates a threat

Searching for the browser window

DNS request

Sending a custom TCP request

Running batch commands

Setting a single autorun event

Unauthorized injection to a recently created process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

advpack anti-vm azorult CAB control explorer installer installer lolbin packed rundll32 setupapi sfx shell32 smokeloader

Link:

https://www.filescan.io/uploads/658894cbeabaed070172d864/reports/709890db-e39c-4fbf-9cee-2424a00a8a89/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/ed73c1f42bef4d474a0eb9d82ff1257f291b9b13b3dfa73d378afbe061766f5a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a7994ff0-c8fd-4abf-b731-cb3e10bb1f60

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ed73c1f42bef4d474a0eb9d82ff1257f291b9b13b3dfa73d378afbe061766f5a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ed73c1f42bef4d474a0eb9d82ff1257f291b9b13b3dfa73d378afbe061766f5a/

Threat name:

ByteCode-MSIL.Trojan.RiseProStealer

Status:

Malicious

First seen:

2023-12-23 20:09:35 UTC

File Type:

PE (Exe)

Extracted files:

165

AV detection:

22 of 36 (61.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5vz4d5bl55guosqoxhmc74jfp4urxgytwpp2opjxrl56aylwn5na._file

Verdict:

malicious

RisePro

42d5c8af3500e1d4979045b84efe4fe7f901e8b5bcdb46a0a8ef9e2fcb7320ef

RisePro

50ca2730d4feb93b8d6cf986a86b34912d83c10dd7d7259d3538d415c904af73

RisePro

550e893759da573a62c1c16144f5e8fa65e6df3eabd53c60648b9ac6748c1b8c

RisePro

7cf7c98e508d3ebb85cd2a13b716c7eb6d4363feba08a9d091838d6a4a982a82

RisePro

c4841f0dbc222ec7aca0ef48abbadf84ad429d2ec8aeaa87eadf35ac2cd55ba7

RisePro

c79312f090906bcbcb1cab713e8b0ec17cc6f040e1f5cb4bdac4827eb0fd9603

RisePro

e4c6952ea4b5812039fa6a741b66b151afd1863b926b1697dabe7b5605f4dd5a

RisePro

+ 112 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

brand:paypal persistence phishing

Link:

https://tria.ge/reports/231224-y946psccg6/

Behaviour

Creates scheduled task(s)

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

AutoIT Executable

Detected potential entity reuse from brand paypal.

Adds Run key to start application

Drops startup file

Executes dropped EXE

Loads dropped DLL

Unpacked files

SH256 hash:

fb2ffd61b1600b318a5814d60601afd0d9b4602b6fb4bf8e13f21da7fff2cabd

MD5 hash:

51056dd7b1a40e49623a28e27ef8aa19

SHA1 hash:

4f603d1c71429f03a7762347845ba1d0f8c47b10

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/3def8201-1e08-400d-a02c-16b60d903fa7/

Parent samples :

f127cc97b1804964609ab8d528fd50cb1f3310ec2e710eb55c443c8d53362d98
af1a26b503f91e02a849536f18cc7dc1557e6e370e91406bdc35026133747fa0
70d432aaae6f900cb7d7e8cc0d4b78551d905d1ac9e208d4c73c4ead3b4f97a4
860a74f2c49fc7e3fc54b1d244a477a590a4410c583455eacd59772127842db4
1521933f23997a26e16971725acdeb119b82ab21f50283ee04aa7d73ce7484e5
d6bf6348e3239e54a171e41be3c23d4a515a44c495075afa639a9d2946f4ce2a
dfac5e31b117e359591781d0e6614b49226d3ef3461f2d020133f5044be3befc
aa6109131f311c7ec4cbd993ac6fb997dda5beefee5863895e36608288fcac8a
b3193fd6b06a6a466c077456ba004201be106d617aae73498c3f518b3f7f57f2
8c1bedb10049179dfe9df52eb7611d6e18ac8339b184f50a6bcbaf9a89854cf2
fec610ca26bf6c17e72f75f72a5ba1ccf4500fb3510420b29686e09338d14128
c1ffd458cc441fe5d967825862acbc540728517d0f8ec95621bd6edd1a724767
2a57a5e703adac0bd9c5a0b9a710dfe8700a1dfb21af471b9883e6d6b86c78cc
b90fc851dee3bbb480aac668be792e552bde6c4571ec9f1847da7da7f964a24f
0cd714e33c9ebb3b55d89c349099a96bf4540512eac2baee479503303116e3a8
58c5ece596efec8db43e1ab97c35ac8253b761d518a7a8ef5e311a8e274fd1a7
c085fb1e6d999dd96f4213e5f1d3d0ae061ddccc571d20eb86e645149d4fc494
953ed6e4cb1aa5d21a529c8de8c3f06176a623388810e9549f3bd91a8715c9b2
d9ad55fb79af764ef60e3508973f162266bc8a2db17155612c6b5b7155e12c1d
9f6a32eebd13b63b6f6c79c282d6059419db613fa8ac78015cc8f99bfff8a124
291c90471067e7f436eb304a29c3df2b25a0176b370453d41c218202abec8e08
82bf998ee07f0549a68b9904d760f7b0fd47ee68f08a59a26de171b6dc8ea3db
01497dea122f92d36b4e0ae4eade31511b2db302e6f7f87a695e817065834281
486271a3873f946e14f5662e2498d75c29323402c778bdf6ce0905b37619fc3a
fc1af115d47f4f6f00b3c2a06c64b4b580b76a16f8e1c122670ced300f4abf57
7d43625f6587b6539d7bc6037dcb8b0eb317a035c5deb69f79e307afa4ac4d45
949edc5ede31cf9316dedc155d8d4ca93f8da0464d2ef0d8bff52dfddcac8e41
f782933fb6a551cd97aabaf041ce9521694203199fe8a62efdfdd9dda00548e0
8957d43878c36ee0ae11246393c9c1ce600536ab817435417e50af86a3f1b055
e96789d697301017c3c5f2332f7f74fd5aabbee70373e2d7af8c7ebd24ab22e0
be71f36ddea88c4ba342394e20352d60fa7cd61cba70454eba270f9f4996b293
a58ffa444d6514a0b092f8fa84c0a15853f5141c86abcbcf0c5b4dcc312aaf3c
44365f98d16e475a1638df59aca02415388a327b2f3738acbea8dfddec202654
7cfa46dfb53c0efee3d57af2aa83f9513c27c91e569e952c22e4b022d16e6e27
433895b81e5ef461f97327e064b25cb40284a44049e6231c0c60e6f54517138a
ce55ffbc3e022895e8e50711a4daf9b3afa4b83f42c6f0c98e76a710ae03821d
689a8c848e6cf7d5ddbdceb90aa8513c1b83a9dbe72f57a70ab419264819d107
93bb322e419ca964ae2a6340febd60d216ce342706ca4efe9c6df1fec38d238e
550e893759da573a62c1c16144f5e8fa65e6df3eabd53c60648b9ac6748c1b8c
ed73c1f42bef4d474a0eb9d82ff1257f291b9b13b3dfa73d378afbe061766f5a
5fa66d59f80ba0bb65efc157dc43cc0eeab813bfe110ef92a3765edceba281cc

SH256 hash:

3365df6ea03370f06aa9337845c4374f886d15928b9726de09d95d0b4e1efe58

MD5 hash:

0dd4f2b96d9929310687eefb22646867

SHA1 hash:

20db6ec462a5bc61e9035bbfbbfdb11291cf8ded

Detections:

INDICATOR_EXE_Packed_ConfuserEx

Link:

https://www.unpac.me/results/3def8201-1e08-400d-a02c-16b60d903fa7/

Parent samples :

ed73c1f42bef4d474a0eb9d82ff1257f291b9b13b3dfa73d378afbe061766f5a
5fa66d59f80ba0bb65efc157dc43cc0eeab813bfe110ef92a3765edceba281cc

SH256 hash:

918652eaaa329fde0f2eb1e2bc016fb2353a6215969ca488bf890552ea1ce76e

MD5 hash:

213631cef60898dff8a719094ac1b7b2

SHA1 hash:

b4b87a2caccbb458854f4438c60b42e853d7e593

Link:

https://www.unpac.me/results/3def8201-1e08-400d-a02c-16b60d903fa7/

SH256 hash:

ed73c1f42bef4d474a0eb9d82ff1257f291b9b13b3dfa73d378afbe061766f5a

MD5 hash:

37ce0f548dd7b78e8537ed6a60a05e46

SHA1 hash:

6acd54d3554972894ad1641e95ef3b93d5df1798

Link:

https://www.unpac.me/results/3def8201-1e08-400d-a02c-16b60d903fa7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ed73c1f42bef4d474a0eb9d82ff1257f291b9b13b3dfa73d378afbe061766f5a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

any.run

https://app.any.run/tasks/e9020565-37f5-411e-81a4-a0b1a5a4e3fa

Cape

https://www.capesandbox.com/analysis/469262/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample

MalwareBazaar Database

Database Entry

Intelligence

File Origin

Vendor Threat Intelligence

Result

Behaviour

Result

Details

Result

Signature

Behaviour

Result

Behaviour

Unpacked files

File information

Comments

Login required