MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f60de73720434f0a8a96dea4e1126ff7f726da511fb5befa4166bbdfd11bca56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f60de73720434f0a8a96dea4e1126ff7f726da511fb5befa4166bbdfd11bca56
SHA3-384 hash: 63acf3117f5132baf4075ce35b49f6269289d36d4a597749cc8c8d5fd132f7e65e6f32cbe540f537e28e9471c5c3714e
SHA1 hash: 4f123717a885b2b519e9d665438ae03fbb427868
MD5 hash: 62888e93e8a9b835451bd3371d4b5218
humanhash: august-august-purple-beryllium
File name:62888e93e8a9b835451bd3371d4b5218
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:2'412'544 bytes
First seen:2024-02-10 23:26:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:fpm/QHN3IB9f+S/SqqwfCyy0Hpvc0r5IWRNGFJZhMW:fpKiN3IBF/nqcjJkghcDoW
TLSH T124B523C9BD410867D799773048C2FBBD126EDE52B99190DA3CEC7FA3BA33609091B458
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon e0d4e8e8e8f0d4c8 (58 x RiseProStealer, 3 x Worm.Ramnit)
Reporter zbetcheckin
Tags:32 exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
306
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/475713/
Detection(s):
SecuriteInfo.com.Trojan.Siggen26.908.29712.25386.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65c8064694e713aa5298cbf7/reports/126d529f-71b2-4af2-8b82-957199338166/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/f60de73720434f0a8a96dea4e1126ff7f726da511fb5befa4166bbdfd11bca56
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/192f0c56-b41e-4900-8b43-d29f3a86f3b3
Result
Threat name:
Amadey, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1390227
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Downloads suspicious files via Chrome
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1390227 Sample: 8vPg8GbGtV.exe Startdate: 11/02/2024 Architecture: WINDOWS Score: 100 100 yt3.ggpht.com 2->100 102 youtube.com 2->102 104 52 other IPs or domains 2->104 134 Snort IDS alert for network traffic 2->134 136 Multi AV Scanner detection for domain / URL 2->136 138 Antivirus detection for URL or domain 2->138 140 10 other signatures 2->140 9 8vPg8GbGtV.exe 2 122 2->9         started        14 MPGPH131.exe 108 2->14         started        16 MPGPH131.exe 22 2->16         started        18 7 other processes 2->18 signatures3 process4 dnsIp5 116 185.215.113.46 WHOLESALECONNECTIONSNL Portugal 9->116 118 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 9->118 120 ipinfo.io 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 9->120 82 C:\Users\user\...\rvCLBUwMEOKNX5z2wXpD.exe, PE32 9->82 dropped 84 C:\Users\user\...\jaE9HClCIIU3_zUcrN8r.exe, PE32 9->84 dropped 86 C:\Users\user\...\OOILivU02u7jpZMBvNFj.exe, PE32 9->86 dropped 94 13 other malicious files 9->94 dropped 158 Detected unpacking (changes PE section rights) 9->158 160 Binary is likely a compiled AutoIt script file 9->160 162 Tries to steal Mail credentials (via file / registry access) 9->162 180 3 other signatures 9->180 20 HKxn1aHUoi222GbZYzpU.exe 9->20         started        23 0Sc1F77JzGSTjxW46MAx.exe 9->23         started        26 rvCLBUwMEOKNX5z2wXpD.exe 9->26         started        35 5 other processes 9->35 88 C:\Users\user\...\V6R5J6HcxrhEN67rP9Bn.exe, PE32 14->88 dropped 90 C:\Users\user\...\UprWWuD3xoMBOpAGGEbb.exe, PE32 14->90 dropped 92 C:\Users\user\...\ImfTBk1vHRTqj7Du7N0T.exe, PE32 14->92 dropped 96 8 other malicious files 14->96 dropped 164 Tries to harvest and steal browser information (history, passwords, etc) 14->164 166 Hides threads from debuggers 14->166 168 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->168 170 Multi AV Scanner detection for dropped file 16->170 172 Machine Learning detection for dropped file 16->172 174 Tries to evade debugger and weak emulator (self modifying code) 16->174 98 4 other malicious files 18->98 dropped 176 Antivirus detection for dropped file 18->176 178 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->178 28 msedge.exe 18->28         started        31 firefox.exe 18->31         started        33 firefox.exe 18->33         started        file6 signatures7 process8 dnsIp9 142 Multi AV Scanner detection for dropped file 20->142 144 Detected unpacking (changes PE section rights) 20->144 146 Tries to detect sandboxes and other dynamic analysis tools (window names) 20->146 156 5 other signatures 20->156 80 C:\Users\user\AppData\Local\...\explorgu.exe, PE32 23->80 dropped 148 Tries to evade debugger and weak emulator (self modifying code) 23->148 150 Hides threads from debuggers 23->150 152 Tries to detect sandboxes / dynamic malware analysis system (registry check) 23->152 154 Binary is likely a compiled AutoIt script file 26->154 37 firefox.exe 26->37         started        41 chrome.exe 26->41         started        43 chrome.exe 26->43         started        55 10 other processes 26->55 128 13.107.213.41 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 28->128 130 part-0013.t-0009.t-msedge.net 13.107.246.41 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 28->130 132 30 other IPs or domains 28->132 45 firefox.exe 31->45         started        47 conhost.exe 35->47         started        49 conhost.exe 35->49         started        51 conhost.exe 35->51         started        53 conhost.exe 35->53         started        file10 signatures11 process12 dnsIp13 106 172.217.215.84 GOOGLEUS United States 37->106 108 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 37->108 114 9 other IPs or domains 37->114 76 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 37->76 dropped 78 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 37->78 dropped 57 firefox.exe 37->57         started        60 firefox.exe 37->60         started        62 firefox.exe 37->62         started        110 192.168.2.5 unknown unknown 41->110 112 239.255.255.250 unknown Reserved 41->112 64 chrome.exe 41->64         started        66 chrome.exe 43->66         started        68 chrome.exe 55->68         started        70 chrome.exe 55->70         started        72 msedge.exe 55->72         started        74 2 other processes 55->74 file14 process15 dnsIp16 122 clients.l.google.com 108.177.122.102 GOOGLEUS United States 64->122 124 www3.l.google.com 142.250.105.113 GOOGLEUS United States 64->124 126 40 other IPs or domains 64->126
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f60de73720434f0a8a96dea4e1126ff7f726da511fb5befa4166bbdfd11bca56
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f60de73720434f0a8a96dea4e1126ff7f726da511fb5befa4166bbdfd11bca56/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-02-10 23:21:29 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6yg6onzainhqvcuw32socetp673snwsrd62356sbm2557ui3zjla._file
Verdict:
malicious
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro evasion stealer
Link:
https://tria.ge/reports/240210-3fd5mshh3t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RisePro
Malware Config
C2 Extraction:
193.233.132.62
Unpacked files
SH256 hash:
38ddd3a46fba837d13aea3601450ab41e45a327bc4af518ce321396e8736bb6d
MD5 hash:
d5a47cad05fdca4ea41c8ee0d271adbf
SHA1 hash:
35e348254f0ca048a840dc175e82f39d0c35de26
Link:
https://www.unpac.me/results/5a9fbdcb-c184-4c8e-a8b1-e179f83fe04a/
SH256 hash:
f60de73720434f0a8a96dea4e1126ff7f726da511fb5befa4166bbdfd11bca56
MD5 hash:
62888e93e8a9b835451bd3371d4b5218
SHA1 hash:
4f123717a885b2b519e9d665438ae03fbb427868
Link:
https://www.unpac.me/results/5a9fbdcb-c184-4c8e-a8b1-e179f83fe04a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f60de7372043/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f60de73720434f0a8a96dea4e1126ff7f726da511fb5befa4166bbdfd11bca56

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe f60de73720434f0a8a96dea4e1126ff7f726da511fb5befa4166bbdfd11bca56

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2759307/
Cape
Cape
https://www.capesandbox.com/analysis/475713/

Comments


Avatar
zbet commented on 2024-02-10 23:26:35 UTC

url : hxxp://91.92.254.184/penza/loster.exe