MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f39af57919d6119847e6ecd6a9495fd0b0996a95b0bdf1d2440b6d6f296b1d18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f39af57919d6119847e6ecd6a9495fd0b0996a95b0bdf1d2440b6d6f296b1d18
SHA3-384 hash: 33b845901c61e9be066a93fb19a3c96d5b778d85872e64127d9eb2c379d2be03081b5e2c450d0dd57e6a2c7e35d12d28
SHA1 hash: 71ac5d567f1485454b0a3b04cece2d40cf8c0fa0
MD5 hash: 5fe48966c2f11e09fd518e77118d6b1e
humanhash: oklahoma-white-wisconsin-artist
File name:file
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:4'173'312 bytes
First seen:2024-04-16 14:21:04 UTC
Last seen:2024-04-16 15:32:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2f93cd80e5dfeca07d7e8b0f35545fb5 (7 x RiseProStealer)
ssdeep 98304:R+++MEQcFUcyrwHeeLn/I9QJo+W9NKdj5tskdoNr+OqWl:sMN9MeeLn/hJoZNKLtskdoNr+Za
Threatray 16 similar samples on MalwareBazaar
TLSH T1CC163302FF85461BD46B447AD8BB82007A45D41ABF49712B73AA971F3EFB3F2134A152
TrID 52.9% (.EXE) Win32 Executable (generic) (4504/4/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon f8f8f8e0e8d8c4d4 (1 x RiseProStealer)
Reporter Bitsight
Tags:exe RiseProStealer


Avatar
Bitsight
url: https://vk.com/doc5294803_668615845?hash=SGzZsgHoSwx51gMiHLY3vC8BH4EQX7FTvL8fAHiMFZ4&dl=t1NzBv6j7K2lyvsyjgPK0ROI2hLuqZn9pxqLzKGP03T&api=1&no_preview=1#otr

Intelligence

File Origin
# of uploads :
2
# of downloads :
357
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f39af57919d6119847e6ecd6a9495fd0b0996a95b0bdf1d2440b6d6f296b1d18.exe
Verdict:
Malicious activity
Analysis date:
2024-04-16 14:21:43 UTC
Tags:
risepro
Link:
https://app.any.run/tasks/fc7b3f7a-3d6e-438a-92a8-8416edf5f488

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Moving a file to the Program Files subdirectory
Replacing files
Forced system process termination
Connection attempt to an infection source
Sending a TCP request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
crypto epmpress lolbin mpress packed packed packed setupapi shell32
Link:
https://www.filescan.io/uploads/661e898914ba3ce8289539b4/reports/46b86c68-b076-44f8-a3f8-7199c1b84916/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/f39af57919d6119847e6ecd6a9495fd0b0996a95b0bdf1d2440b6d6f296b1d18
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7d3dbb26-9b3c-4683-8741-8ffd4c748ac0
Result
Threat name:
Clipboard Hijacker, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1426792
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to implement multi-threaded time evasion
Contains functionality to inject threads in other processes
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1426792 Sample: file.exe Startdate: 16/04/2024 Architecture: WINDOWS Score: 100 72 ipinfo.io 2->72 74 easy2buy.ae 2->74 76 db-ip.com 2->76 84 Snort IDS alert for network traffic 2->84 86 Multi AV Scanner detection for domain / URL 2->86 88 Malicious sample detected (through community Yara rule) 2->88 90 7 other signatures 2->90 9 file.exe 2 106 2->9         started        14 AdobeUpdaterV2.exe 2->14         started        16 MSIUpdaterV2.exe 2->16         started        18 9 other processes 2->18 signatures3 process4 dnsIp5 78 193.233.132.175, 49709, 80 FREE-NET-ASFREEnetEU Russian Federation 9->78 80 193.233.132.47, 49706, 49715, 50500 FREE-NET-ASFREEnetEU Russian Federation 9->80 82 3 other IPs or domains 9->82 64 C:\Users\user\...\VkHLTH_m2kErRb6vpA5n.exe, MS-DOS 9->64 dropped 66 C:\Users\user\...\IQUKpYR1BFFsqw1YWBOv.exe, MS-DOS 9->66 dropped 68 C:\Users\user\AppData\Local\...dgeMS2.exe, MS-DOS 9->68 dropped 70 8 other malicious files 9->70 dropped 98 Detected unpacking (changes PE section rights) 9->98 100 Query firmware table information (likely to detect VMs) 9->100 102 Tries to detect sandboxes and other dynamic analysis tools (window names) 9->102 108 12 other signatures 9->108 20 VkHLTH_m2kErRb6vpA5n.exe 1 9->20         started        24 IQUKpYR1BFFsqw1YWBOv.exe 9->24         started        26 schtasks.exe 1 9->26         started        36 3 other processes 9->36 104 Antivirus detection for dropped file 14->104 106 Multi AV Scanner detection for dropped file 14->106 28 schtasks.exe 1 14->28         started        30 schtasks.exe 1 16->30         started        32 schtasks.exe 1 18->32         started        34 schtasks.exe 1 18->34         started        38 2 other processes 18->38 file6 signatures7 process8 file9 62 C:\Users\user\AppData\Roaming\...\oobeldr.exe, MS-DOS 20->62 dropped 92 Antivirus detection for dropped file 20->92 94 Multi AV Scanner detection for dropped file 20->94 96 Detected unpacking (changes PE section rights) 20->96 40 schtasks.exe 1 20->40         started        42 schtasks.exe 1 24->42         started        44 conhost.exe 26->44         started        46 conhost.exe 28->46         started        48 conhost.exe 30->48         started        50 conhost.exe 32->50         started        52 conhost.exe 34->52         started        54 3 other processes 36->54 56 2 other processes 38->56 signatures10 process11 process12 58 conhost.exe 40->58         started        60 conhost.exe 42->60         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f39af57919d6119847e6ecd6a9495fd0b0996a95b0bdf1d2440b6d6f296b1d18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f39af57919d6119847e6ecd6a9495fd0b0996a95b0bdf1d2440b6d6f296b1d18/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2024-04-16 12:51:00 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6onpk6iz2yizqr7g5tlkssk72cyjs2uvwc67dusebnww6kllduma._file
Verdict:
malicious
Similar samples:
37aef611ec814af2cdcfa198e200cb21ecb46caa30f84d0221a47db1265b889d
RiseProStealer
68e5335ef6066297ae018a6ed5071c38659d8edad80f79099a17f6fb7b2f07d4
RiseProStealer
7447858ba629883749bfa27f7a6deb01ece420e0f4168ff1eea533d275b2e9d3
RiseProStealer
9ac899e08b378dd2b4e5169c01597c988cf2a1396b5dfab12e97cb46156b0263
RiseProStealer
a84bfb4e378224cce70975bcfc0e3dd82ee09fc107d8e1f697ec99bf4e778858
RiseProStealer
b49dbf4ccc6fcc620965e1f38df9f0253c48004b44dd4f7d57f732c057469253
RiseProStealer
c24ff96b950f3bff58f53396fe1aae0764209db72ee6489abffeba8855a7bd3f
RiseProStealer
e1ad2e9d0d5bb255bf8d3f2fe86594aad1d0660f081832ae7752acd4832c0617
RiseProStealer
ec03a903cb74030622ac957e6aaefbb7437b032a4e6db82c33126016ac6c7d06
RiseProStealer
+ 6 additional samples on MalwareBazaar
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer trojan
Link:
https://tria.ge/reports/240416-rpjkyacb64/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.47:50500
Unpacked files
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/4b706192-0849-40cf-bfa9-b32d4fa242eb/
SH256 hash:
223ff96581ab1d98ff16171219200ed17157dbf4143717e53e6562797b3dd488
MD5 hash:
bd9fa6d9e7e15fc72af968b36386b243
SHA1 hash:
fc763c097c42a95254fba88160befde13895dff7
Detections:
INDICATOR_EXE_Packed_MPress
Create hunting rule
Link:
https://www.unpac.me/results/4b706192-0849-40cf-bfa9-b32d4fa242eb/
SH256 hash:
f39af57919d6119847e6ecd6a9495fd0b0996a95b0bdf1d2440b6d6f296b1d18
MD5 hash:
5fe48966c2f11e09fd518e77118d6b1e
SHA1 hash:
71ac5d567f1485454b0a3b04cece2d40cf8c0fa0
Detections:
INDICATOR_EXE_Packed_MPress
Create hunting rule
Link:
https://www.unpac.me/results/4b706192-0849-40cf-bfa9-b32d4fa242eb/
Malware family:
RisePro
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f39af57919d6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f39af57919d6119847e6ecd6a9495fd0b0996a95b0bdf1d2440b6d6f296b1d18

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:mpress_2_xx_x86
Create hunting rule
Author:Kevin Falcoz
Description:MPRESS v2.XX x86 - no .NET
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:TeslaCryptPackedMalware
Create hunting rule
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe f39af57919d6119847e6ecd6a9495fd0b0996a95b0bdf1d2440b6d6f296b1d18

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
DP_APIUses DP APICRYPT32.dll::CryptUnprotectData
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdipGetImageEncoders
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegQueryValueExA

Comments