MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0a25e484d3aa6d6fa1c5cb397d4b8bbb968c2ddaaf21b0a930d8edc12099925. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f0a25e484d3aa6d6fa1c5cb397d4b8bbb968c2ddaaf21b0a930d8edc12099925
SHA3-384 hash: 02fd4c36b2bfa2a133c2bfe826b96ebb94213749bcf5ad8a6ace897135abde11506c0cf8b42271edc6e998e744e0f5b8
SHA1 hash: 5b4becf77e6eefe07178a23672019ee96a34bb95
MD5 hash: 46fb64b81ad095181093f7bebea75264
humanhash: fifteen-floor-may-johnny
File name:file
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'411'520 bytes
First seen:2024-02-12 12:14:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:fwaPhUC+YgXDZ40GPwOs7rtb1JLnFyNTDHjt5MxhlwB3AG/NYcTSDMKztcnqrQaO:fzUXhDZ49D2b7pyt7MxAlhTO5eqrQa5I
Threatray 2'271 similar samples on MalwareBazaar
TLSH T114B523CAFD454017E984373465D3F778076EAC59A8A250CE3CDC7BBBB6B3A19042352A
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon e0d4e8e8e8f0d4c8 (58 x RiseProStealer, 3 x Worm.Ramnit)
Reporter Bitsight
Tags:exe RiseProStealer


Avatar
Bitsight
url: http://193.233.132.216:38324/india/mono.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
315
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/475827/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.28740.26945.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for analyzing tools
Creating a file
Launching a process
Creating a file in the %temp% directory
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Creating a process from a recently created file
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/65ca0bcaac375bec15e5116b/reports/b45d44ba-9feb-4fba-806e-00e23bc0bfd3/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/f0a25e484d3aa6d6fa1c5cb397d4b8bbb968c2ddaaf21b0a930d8edc12099925
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/748339f0-c3d9-4e1a-b25b-47796a03e8d9
Result
Threat name:
Amadey, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1390715
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1390715 Sample: file.exe Startdate: 12/02/2024 Architecture: WINDOWS Score: 100 128 Multi AV Scanner detection for domain / URL 2->128 130 Antivirus detection for URL or domain 2->130 132 Antivirus detection for dropped file 2->132 134 8 other signatures 2->134 8 file.exe 2 115 2->8         started        13 MPGPH131.exe 107 2->13         started        15 MPGPH131.exe 103 2->15         started        17 8 other processes 2->17 process3 dnsIp4 114 185.215.113.46 WHOLESALECONNECTIONSNL Portugal 8->114 116 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->116 118 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 8->118 86 C:\Users\user\...\wY72zaHnq03pharzRy6a.exe, PE32 8->86 dropped 88 C:\Users\user\...\qQYDKh0NAPMXd9kLLKbZ.exe, PE32 8->88 dropped 90 C:\Users\user\...\pO0bLpimcz9hIOZVMxjy.exe, PE32 8->90 dropped 98 14 other malicious files 8->98 dropped 150 Detected unpacking (changes PE section rights) 8->150 152 Binary is likely a compiled AutoIt script file 8->152 154 Tries to steal Mail credentials (via file / registry access) 8->154 174 6 other signatures 8->174 19 nksz94k3sU0gpDhXdpiB.exe 8->19         started        23 AccgUoIOrNMRQRmODVVl.exe 8->23         started        25 schtasks.exe 1 8->25         started        36 3 other processes 8->36 156 Multi AV Scanner detection for dropped file 13->156 158 Machine Learning detection for dropped file 13->158 160 Tries to harvest and steal browser information (history, passwords, etc) 13->160 27 ZtPo7_uoICjTLhlMvm3H.exe 13->27         started        29 BDhvmiF28sSEMjhxqTXq.exe 13->29         started        92 C:\Users\user\...\nc9ET4VS5msUWcW1RDDl.exe, PE32 15->92 dropped 94 C:\Users\user\...\gOyTmtsxmZdpu4HBIQ4D.exe, PE32 15->94 dropped 96 C:\Users\user\...\I8TmAbt9HqcEwO7VGe3J.exe, PE32 15->96 dropped 100 9 other malicious files 15->100 dropped 162 Hides threads from debuggers 15->162 164 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->164 166 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 15->166 31 nc9ET4VS5msUWcW1RDDl.exe 15->31         started        168 Antivirus detection for dropped file 17->168 170 Tries to detect sandboxes and other dynamic analysis tools (window names) 17->170 172 Found many strings related to Crypto-Wallets (likely being stolen) 17->172 33 firefox.exe 17->33         started        38 3 other processes 17->38 file5 signatures6 process7 dnsIp8 78 C:\Users\user\AppData\Local\...\explorgu.exe, PE32 19->78 dropped 136 Detected unpacking (changes PE section rights) 19->136 138 Tries to evade debugger and weak emulator (self modifying code) 19->138 140 Hides threads from debuggers 19->140 142 Multi AV Scanner detection for dropped file 23->142 144 Binary is likely a compiled AutoIt script file 23->144 40 chrome.exe 23->40         started        43 chrome.exe 23->43         started        51 11 other processes 23->51 45 conhost.exe 25->45         started        146 Tries to detect sandboxes / dynamic malware analysis system (registry check) 27->146 148 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 27->148 47 chrome.exe 29->47         started        49 chrome.exe 29->49         started        53 3 other processes 29->53 102 18.160.60.35 MIT-GATEWAYSUS United States 33->102 104 18.64.155.114 MIT-GATEWAYSUS United States 33->104 110 17 other IPs or domains 33->110 80 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 33->80 dropped 82 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 33->82 dropped 84 C:\Users\user\AppData\Local\Mozilla\...\7723, COM 33->84 dropped 55 3 other processes 33->55 57 3 other processes 36->57 106 23.34.82.12 SAUDINETSTC-ASSA United States 38->106 108 13.107.21.239 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 38->108 112 33 other IPs or domains 38->112 file9 signatures10 process11 dnsIp12 120 239.255.255.250 unknown Reserved 40->120 59 chrome.exe 40->59         started        72 2 other processes 40->72 62 chrome.exe 43->62         started        64 chrome.exe 47->64         started        66 chrome.exe 49->66         started        68 chrome.exe 51->68         started        70 chrome.exe 51->70         started        74 2 other processes 51->74 76 2 other processes 53->76 process13 dnsIp14 122 13.107.42.14 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 59->122 124 144.2.9.1 LINKEDINUS Netherlands 59->124 126 39 other IPs or domains 59->126
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f0a25e484d3aa6d6fa1c5cb397d4b8bbb968c2ddaaf21b0a930d8edc12099925
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f0a25e484d3aa6d6fa1c5cb397d4b8bbb968c2ddaaf21b0a930d8edc12099925/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2024-02-12 12:15:07 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6crf4scnhktnn6q4lszzpvfyxo4wrqw5vlzbwcutbwhnyeqjtesq._file
Verdict:
malicious
Similar samples:
3db2217ad77f7ab6e9c494bf2a4ef5607a17fa4e6920aa716906e85252cd51ea
RiseProStealer
44ae5bcd4f1efbb30cf46e88b8fe6ff722c38d7101aeb2cb381b9f108312978c
RiseProStealer
4b77afc2c93fc493b97111ad3e0cb3d1622483091855d5207f37ab9a8acb2d25
RiseProStealer
722b697b069f14055f310f1fce742889c4207dea00f0cb912a4d105c1403f72e
RiseProStealer
7da7d8176b9c386e2102b47341b29817c3ac5f2fb4f27a26ec70b3a00c900019
RiseProStealer
953ed6e4cb1aa5d21a529c8de8c3f06176a623388810e9549f3bd91a8715c9b2
RiseProStealer
c2d5ecee9d45f9114796c2a94b95c0b55963534e9e0f1f71d53802287d38322b
RiseProStealer
d6be3ce60c7585b89ff180e61027f1c0259975b5c4b3d315fc9a70ee46e5392e
RiseProStealer
ed46b52239426cb32b842b98ba300bf93877abbda5284ebcb514f4953cd02acc
RiseProStealer
f9aa5c8b66fdab9dad594bf1b84aa90193efe5e5c4317f76118dd2e06b6202ae
RiseProStealer
+ 2'261 additional samples on MalwareBazaar
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer
Link:
https://tria.ge/reports/240212-pew26sch5w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.62
Unpacked files
SH256 hash:
15396493e3273251fe956c0eb0e644d558e2ab061eaeea40db0f8cbbae951161
MD5 hash:
6a2d9f38887fd66bb5f116389ff30436
SHA1 hash:
e50cf95f63cea2c86d4e860bd5fd9efedcd9d916
Link:
https://www.unpac.me/results/ddcde378-4d40-4389-b73e-2b2f57f1c0c8/
SH256 hash:
f0a25e484d3aa6d6fa1c5cb397d4b8bbb968c2ddaaf21b0a930d8edc12099925
MD5 hash:
46fb64b81ad095181093f7bebea75264
SHA1 hash:
5b4becf77e6eefe07178a23672019ee96a34bb95
Link:
https://www.unpac.me/results/ddcde378-4d40-4389-b73e-2b2f57f1c0c8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f0a25e484d3a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f0a25e484d3aa6d6fa1c5cb397d4b8bbb968c2ddaaf21b0a930d8edc12099925

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_e5f4703f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe f0a25e484d3aa6d6fa1c5cb397d4b8bbb968c2ddaaf21b0a930d8edc12099925

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/475827/
  
URLhaus
https://urlhaus.abuse.ch/url/2760121/

Comments