MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f35c7db785fa56d49119b88165f5eb98c9841abff46d59a32694f4d318d2cdb3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f35c7db785fa56d49119b88165f5eb98c9841abff46d59a32694f4d318d2cdb3
SHA3-384 hash: ef532170cd9fcf88eec7511be9b927d2ca101ba96f0d146fed61b798e74b050360c197b7ae4f4cb15ad1212ef6d65b90
SHA1 hash: e295eac92937f9bf5e9fcac18134bc63990ff5ff
MD5 hash: 5d5aab234367c4952264beb5299f671f
humanhash: neptune-gee-minnesota-carolina
File name:5d5aab234367c4952264beb5299f671f.exe
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'022'912 bytes
First seen:2023-11-29 06:45:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:wLi6UqJgl040+m9iCSRvC07hv80O3E73yVH:ai61Jgmy/hyV
TLSH T1649523466BEC8035D2786B318CB757631831FC83EAB0D7631645AA9E1C33A45F97236B
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RiseProStealer


Avatar
abuse_ch
RiseProStealer C2:
194.49.94.80:29960

Intelligence

File Origin
# of uploads :
1
# of downloads :
308
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/461119/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f35c7db785fa56d49119b88165f5eb98c9841abff46d59a32694f4d318d2cdb3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/71310267-bee8-4858-960a-59e5a9179754
Result
Threat name:
PrivateLoader, RedLine, RisePro Stealer,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1349732
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to check for running processes (XOR)
Contains functionality to inject threads in other processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1349732 Sample: lsgA6gVSHf.exe Startdate: 29/11/2023 Architecture: WINDOWS Score: 100 84 ipinfo.io 2->84 90 Snort IDS alert for network traffic 2->90 92 Found malware configuration 2->92 94 Antivirus detection for dropped file 2->94 96 12 other signatures 2->96 12 lsgA6gVSHf.exe 1 4 2->12         started        15 OfficeTrackerNMP131.exe 501 2->15         started        18 OfficeTrackerNMP131.exe 2->18         started        20 7 other processes 2->20 signatures3 process4 file5 76 C:\Users\user\AppData\Local\...\mY0kr26.exe, PE32 12->76 dropped 78 C:\Users\user\AppData\Local\...\5TH2Si4.exe, PE32 12->78 dropped 22 mY0kr26.exe 1 4 12->22         started        132 Multi AV Scanner detection for dropped file 15->132 134 Contains functionality to check for running processes (XOR) 15->134 136 Tries to steal Mail credentials (via file / registry access) 15->136 144 2 other signatures 15->144 26 WerFault.exe 15->26         started        138 Found many strings related to Crypto-Wallets (likely being stolen) 18->138 140 Tries to harvest and steal browser information (history, passwords, etc) 18->140 28 WerFault.exe 18->28         started        142 Machine Learning detection for dropped file 20->142 signatures6 process7 file8 66 C:\Users\user\AppData\Local\...\Ay1rq21.exe, PE32 22->66 dropped 68 C:\Users\user\AppData\Local\...\4Xy877gC.exe, PE32 22->68 dropped 110 Antivirus detection for dropped file 22->110 112 Multi AV Scanner detection for dropped file 22->112 114 Binary is likely a compiled AutoIt script file 22->114 116 Machine Learning detection for dropped file 22->116 30 Ay1rq21.exe 1 4 22->30         started        signatures9 process10 file11 80 C:\Users\user\AppData\Local\...\Lw6Va59.exe, PE32 30->80 dropped 82 C:\Users\user\AppData\Local\...\3Kw64wR.exe, PE32 30->82 dropped 146 Antivirus detection for dropped file 30->146 148 Multi AV Scanner detection for dropped file 30->148 150 Machine Learning detection for dropped file 30->150 34 Lw6Va59.exe 1 4 30->34         started        signatures12 process13 file14 62 C:\Users\user\AppData\Local\...\2ds1108.exe, PE32 34->62 dropped 64 C:\Users\user\AppData\Local\...\1Ej79Lc4.exe, PE32 34->64 dropped 98 Multi AV Scanner detection for dropped file 34->98 100 Machine Learning detection for dropped file 34->100 38 1Ej79Lc4.exe 1 503 34->38         started        43 2ds1108.exe 34->43         started        signatures15 process16 dnsIp17 86 194.49.94.152, 19053, 49704, 49705 EQUEST-ASNL unknown 38->86 88 ipinfo.io 34.117.59.81, 443, 49707, 49708 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 38->88 70 C:\Users\user\AppData\...\FANBooster131.exe, PE32 38->70 dropped 72 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 38->72 dropped 74 C:\ProgramData\...\OfficeTrackerNMP131.exe, PE32 38->74 dropped 118 Multi AV Scanner detection for dropped file 38->118 120 Contains functionality to check for running processes (XOR) 38->120 122 Tries to steal Mail credentials (via file / registry access) 38->122 130 4 other signatures 38->130 45 schtasks.exe 1 38->45         started        47 schtasks.exe 1 38->47         started        49 WerFault.exe 38->49         started        124 Writes to foreign memory regions 43->124 126 Allocates memory in foreign processes 43->126 128 Injects a PE file into a foreign processes 43->128 51 AppLaunch.exe 43->51         started        54 AppLaunch.exe 43->54         started        56 conhost.exe 43->56         started        file18 signatures19 process20 signatures21 58 conhost.exe 45->58         started        60 conhost.exe 47->60         started        102 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 51->102 104 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 51->104 106 Found many strings related to Crypto-Wallets (likely being stolen) 54->106 108 Tries to harvest and steal browser information (history, passwords, etc) 54->108 process22
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f35c7db785fa56d49119b88165f5eb98c9841abff46d59a32694f4d318d2cdb3
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f35c7db785fa56d49119b88165f5eb98c9841abff46d59a32694f4d318d2cdb3/
Threat name:
Win32.Trojan.RiseProStealer
Create hunting rule
Status:
Malicious
First seen:
2023-11-29 06:46:07 UTC
File Type:
PE (Exe)
Extracted files:
175
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6noh3n4f7jlnjeizxcawl5pltdeyigv76rwvtizgst2ngggszwzq._file
Verdict:
malicious
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:privateloader family:risepro loader persistence stealer
Link:
https://tria.ge/reports/231129-hjmwqseg5v/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Drops startup file
Executes dropped EXE
PrivateLoader
RisePro
Malware Config
C2 Extraction:
194.49.94.152
Unpacked files
SH256 hash:
72ef20477f8afeb8e656347a4bb714abcb951eb3ef1dd917e566541a39d863ed
MD5 hash:
56c74003c55c09616cb43878fed6ceff
SHA1 hash:
4d129155a484eaf20d13d832fd27459ea5b18dac
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/90d300b3-7a77-4f21-8b55-e5fae960b153/
Parent samples :
bfc3adcb457934b1ee81d91c114ca2c110d23f0790d518a9512399905dc02f5b
81a1d77fca365fcf24d423c48a333a79ef780362b5ebdb3d60680225c14cedc7
bf513791b9fbdd123aa6ec497c2c01edbe629a195ab486a6be52a22a50afdeef
87252d3c1de3dcefbd12de44b7345b00b9bdace2e4b5f00d02d197078cf8e9c3
730da91d79807f62ec1353624681856dc3e5b60740c409649d0c57c891f83715
f35c7db785fa56d49119b88165f5eb98c9841abff46d59a32694f4d318d2cdb3
SH256 hash:
4aabcfe51f8a8b5db97037fcc99dacb4d6c98856601f84fe8304a7a8bd1f2bfb
MD5 hash:
dd3da82b27239175e7c98327f8b01af9
SHA1 hash:
e06c60dfe16dbca69f35db619358b3266bb83dc5
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/90d300b3-7a77-4f21-8b55-e5fae960b153/
Parent samples :
6f3fe26c6cb07dd2a98a408f9aaf738d71ece7c6eb46934ebb682d5eded37fa8
b27ac4a4ddea7a284058640f68a2e70ec0da37c37fb7884b581d1a748debfea1
bfc3adcb457934b1ee81d91c114ca2c110d23f0790d518a9512399905dc02f5b
7b556e42d07215442e9c2b9abb4d7ea808b599467d4f8ecd9167a44d90bf928c
1d63f406d5735152484a975a6aa536758f0cca2f890c04db8bc2cd2c372393fd
bf513791b9fbdd123aa6ec497c2c01edbe629a195ab486a6be52a22a50afdeef
87252d3c1de3dcefbd12de44b7345b00b9bdace2e4b5f00d02d197078cf8e9c3
730da91d79807f62ec1353624681856dc3e5b60740c409649d0c57c891f83715
74e7aa1e29eee9cdd26bb113031cad7d4a3b11b40a4ee72f9408626d35973a51
f35c7db785fa56d49119b88165f5eb98c9841abff46d59a32694f4d318d2cdb3
SH256 hash:
bc896f85e1fd125469cde31a0dcb8a7b4dd1109e50e47515466448db3782b5fd
MD5 hash:
7f7fd5bd5e9ff739205c86f78813d641
SHA1 hash:
b0f0647dd791de898d484257f788830cf5e7f6f5
Link:
https://www.unpac.me/results/90d300b3-7a77-4f21-8b55-e5fae960b153/
SH256 hash:
f35c7db785fa56d49119b88165f5eb98c9841abff46d59a32694f4d318d2cdb3
MD5 hash:
5d5aab234367c4952264beb5299f671f
SHA1 hash:
e295eac92937f9bf5e9fcac18134bc63990ff5ff
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/90d300b3-7a77-4f21-8b55-e5fae960b153/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f35c7db785fa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f35c7db785fa56d49119b88165f5eb98c9841abff46d59a32694f4d318d2cdb3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe f35c7db785fa56d49119b88165f5eb98c9841abff46d59a32694f4d318d2cdb3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2735406/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/461119/

Comments