MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f782933fb6a551cd97aabaf041ce9521694203199fe8a62efdfdd9dda00548e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f782933fb6a551cd97aabaf041ce9521694203199fe8a62efdfdd9dda00548e0
SHA3-384 hash: 4d888c6656227181cc6c7a7d31830b6c5da5d9fc926e8dbe0a6cb1c6ddb2b11570d22976102f3564805839997a6a23c3
SHA1 hash: 8ffa300ebca3ad064d99b590956be68703b8dcc9
MD5 hash: c0061cc9028a73844f3121fe399ad621
humanhash: green-four-solar-arkansas
File name:c0061cc9028a73844f3121fe399ad621.exe
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:1'015'808 bytes
First seen:2023-12-18 18:30:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:JMrGy90p8E2wB06puJG1TP/XtLgM0VCND/4BW9whUI/l+22w2Z4pTqUt/ZacIa9s:DyU92wAJuLDd/4k9X29yZCT4cz2mur
Threatray 597 similar samples on MalwareBazaar
TLSH T17A252303A9E180B7E8B427B135F717871A323CB648348B27239AA6651C737A5793177F
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RiseProStealer


Avatar
abuse_ch
RiseProStealer C2:
77.105.132.87:17066

Intelligence

File Origin
# of uploads :
1
# of downloads :
408
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/468339/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Searching for the browser window
Searching for the window
DNS request
Sending a custom TCP request
Behavior that indicates a threat
Reading critical registry keys
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/65808fe8b4e856b7281ec252/reports/0f6f21cf-6576-434d-9410-211b616f8a9b/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/f782933fb6a551cd97aabaf041ce9521694203199fe8a62efdfdd9dda00548e0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/10c438a8-269c-49ee-b8ae-31fcf1ebed95
Result
Threat name:
Glupteba, RedLine, RisePro Stealer, Smok
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1364106
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to modify clipboard data
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
DLL side loading technique detected
Found API chain indicative of sandbox detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Powershell downloading file from url shortener site
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
UAC bypass detected (Fodhelper)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1364106 Sample: HMK6TwkL34.exe Startdate: 18/12/2023 Architecture: WINDOWS Score: 100 193 Found malware configuration 2->193 195 Malicious sample detected (through community Yara rule) 2->195 197 Antivirus detection for URL or domain 2->197 199 18 other signatures 2->199 11 HMK6TwkL34.exe 1 4 2->11         started        14 svchost.exe 1 1 2->14         started        17 svchost.exe 2->17         started        19 3 other processes 2->19 process3 dnsIp4 135 C:\Users\user\AppData\Local\...\fp6Ij83.exe, PE32 11->135 dropped 137 C:\Users\user\AppData\Local\...\6Pb5oD2.exe, PE32 11->137 dropped 21 6Pb5oD2.exe 11->21         started        24 fp6Ij83.exe 1 4 11->24         started        179 23.204.76.112 AKAMAI-ASN1EU United States 14->179 181 127.0.0.1 unknown unknown 14->181 27 WerFault.exe 17->27         started        file5 process6 file7 201 Antivirus detection for dropped file 21->201 203 Machine Learning detection for dropped file 21->203 205 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->205 209 3 other signatures 21->209 29 explorer.exe 21->29 injected 131 C:\Users\user\AppData\Local\...\4Ww523Sj.exe, PE32 24->131 dropped 133 C:\Users\user\AppData\Local\...\1Zo80ii2.exe, PE32 24->133 dropped 207 Binary is likely a compiled AutoIt script file 24->207 34 4Ww523Sj.exe 24->34         started        36 1Zo80ii2.exe 12 24->36         started        signatures8 process9 dnsIp10 169 185.215.113.68 WHOLESALECONNECTIONSNL Portugal 29->169 171 5.42.65.125 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 29->171 173 5 other IPs or domains 29->173 139 C:\Users\user\AppData\Roaming\vjecaud, PE32 29->139 dropped 141 C:\Users\user\AppData\Local\Temp\FC9B.exe, PE32+ 29->141 dropped 143 C:\Users\user\AppData\Local\Temp151.exe, PE32 29->143 dropped 145 3 other malicious files 29->145 dropped 255 System process connects to network (likely due to code injection or exploit) 29->255 257 Benign windows process drops PE files 29->257 259 Hides that the sample has been downloaded from the Internet (zone.identifier) 29->259 38 E151.exe 29->38         started        42 B1F3.exe 29->42         started        44 9DFD.exe 29->44         started        55 5 other processes 29->55 261 Multi AV Scanner detection for dropped file 34->261 263 Machine Learning detection for dropped file 34->263 265 Contains functionality to inject code into remote processes 34->265 273 3 other signatures 34->273 47 AppLaunch.exe 21 40 34->47         started        267 Binary is likely a compiled AutoIt script file 36->267 269 Found API chain indicative of sandbox detection 36->269 271 Contains functionality to modify clipboard data 36->271 49 chrome.exe 36->49         started        51 chrome.exe 36->51         started        53 chrome.exe 36->53         started        57 6 other processes 36->57 file11 signatures12 process13 dnsIp14 113 C:\Users\user\AppData\Local\Temp\tuc3.exe, PE32 38->113 dropped 115 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 38->115 dropped 117 C:\Users\user\AppData\...\InstallSetup9.exe, PE32 38->117 dropped 119 C:\...\31839b57a4f11171d6abc8bbc4451ee4.exe, PE32 38->119 dropped 211 Antivirus detection for dropped file 38->211 213 Multi AV Scanner detection for dropped file 38->213 215 Machine Learning detection for dropped file 38->215 59 toolspub2.exe 38->59         started        66 4 other processes 38->66 121 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 42->121 dropped 217 Sample uses process hollowing technique 42->217 70 2 other processes 42->70 161 77.105.132.87 PLUSTELECOM-ASRU Russian Federation 44->161 219 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 44->219 163 91.92.249.253 THEZONEBG Bulgaria 47->163 165 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 47->165 123 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 47->123 dropped 125 C:\...\UzTx1SA49hsd4APUYdi6dZ70xp9bjivW.zip, Zip 47->125 dropped 127 C:\Users\user\AppData\...\FANBooster131.exe, PE32 47->127 dropped 129 2 other files (none is malicious) 47->129 dropped 221 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 47->221 223 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 47->223 225 Found many strings related to Crypto-Wallets (likely being stolen) 47->225 227 7 other signatures 47->227 72 15 other processes 47->72 167 239.255.255.250 unknown Reserved 49->167 74 3 other processes 49->74 62 chrome.exe 51->62         started        64 chrome.exe 53->64         started        76 2 other processes 55->76 78 6 other processes 57->78 file15 signatures16 process17 dnsIp18 229 Multi AV Scanner detection for dropped file 59->229 231 Detected unpacking (changes PE section rights) 59->231 233 Injects a PE file into a foreign processes 59->233 80 toolspub2.exe 59->80         started        147 173.231.16.77 WEBNXUS United States 66->147 157 2 other IPs or domains 66->157 103 C:\Users\user\AppData\...\nsrFE4.tmp.exe, PE32 66->103 dropped 105 C:\Users\user\AppData\Local\Temp\...\Math.dll, PE32 66->105 dropped 107 C:\Users\user\AppData\Local\...\INetC.dll, PE32 66->107 dropped 109 3 other malicious files 66->109 dropped 235 Antivirus detection for dropped file 66->235 237 Detected unpacking (overwrites its own PE header) 66->237 239 UAC bypass detected (Fodhelper) 66->239 251 3 other signatures 66->251 83 BroomSetup.exe 66->83         started        85 tuc3.tmp 66->85         started        149 195.20.16.103 EITADAT-ASFI Finland 70->149 241 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 70->241 243 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 70->243 253 2 other signatures 70->253 151 52.168.117.173 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 72->151 245 Found many strings related to Crypto-Wallets (likely being stolen) 72->245 247 Uses schtasks.exe or at.exe to add and modify task schedules 72->247 87 conhost.exe 72->87         started        89 conhost.exe 72->89         started        91 conhost.exe 72->91         started        98 13 other processes 72->98 153 104.244.42.133 TWITTERUS United States 74->153 155 104.244.42.2 TWITTERUS United States 74->155 159 73 other IPs or domains 74->159 249 Suspicious powershell command line found 76->249 93 powershell.exe 76->93         started        96 conhost.exe 76->96         started        file19 signatures20 process21 dnsIp22 183 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 80->183 185 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 80->185 187 Maps a DLL or memory area into another process 80->187 191 2 other signatures 80->191 189 Multi AV Scanner detection for dropped file 83->189 100 tuc3.exe 85->100         started        175 67.199.248.11 GOOGLE-PRIVATE-CLOUDUS United States 93->175 177 93.184.216.34 EDGECASTUS European Union 93->177 signatures23 process24 file25 111 C:\Users\user\AppData\Local\Temp\...\tuc3.tmp, PE32 100->111 dropped
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f782933fb6a551cd97aabaf041ce9521694203199fe8a62efdfdd9dda00548e0
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f782933fb6a551cd97aabaf041ce9521694203199fe8a62efdfdd9dda00548e0/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-12-18 18:31:06 UTC
File Type:
PE (Exe)
Extracted files:
100
AV detection:
17 of 37 (45.95%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=66bjgp5wuvi43f5kxlyedtuvefuueayzt7ukmlx57xm53iafjdqa._file
Verdict:
malicious
Similar samples:
0f592a77b60030b75ce1df1312bd60095115a60af6270f07a703932ff2b44a8c
RiseProStealer
68cdb9386a731d632b95fa312510d802ea16e1faad66411795e2b407c19809c0
RiseProStealer
72f29919f78f53956692e212fe8bbff32e153e88a93ec3aa72576e5b440a2f85
RiseProStealer
949edc5ede31cf9316dedc155d8d4ca93f8da0464d2ef0d8bff52dfddcac8e41
RiseProStealer
a79b66630563a29a21dd21531e3e605d801eb2fb821522b6b9815dc8f269a7aa
RiseProStealer
b90fc851dee3bbb480aac668be792e552bde6c4571ec9f1847da7da7f964a24f
RiseProStealer
bf747d7d7e3824b80a05d2988b5163729fb1b8c280f4ea5e2d638ab421f5c9d4
RiseProStealer
f658bd48724915663fe4ff16df8b47b52fe647d8ec0e79d3da8a2399bb579556
RiseProStealer
f8e284bd0abd20b927c85a295144921ccdb547701cc0bf724f9ca60fbaea124e
RiseProStealer
f9e70f08b45a835123e4239ecf4af774377671e342f13a35ceebf9ed55260b2d
RiseProStealer
+ 587 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:zgrat botnet:livetraffic botnet:up3 backdoor brand:google brand:paypal collection discovery evasion infostealer persistence phishing rat spyware stealer trojan
Link:
https://tria.ge/reports/231218-w5175scbbn/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
AutoIT Executable
Detected potential entity reuse from brand paypal.
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Detect ZGRat V1
Detected google phishing page
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
SmokeLoader
ZGRat
Malware Config
C2 Extraction:
http://185.215.113.68/fks/index.php
77.105.132.87:17066
Unpacked files
SH256 hash:
78decf71dbe1c699ca74811a5a9c0d3697a156969b2ed40168ecacff0d590730
MD5 hash:
bb275dbccd853320c7e30ee9575a7abf
SHA1 hash:
2f1f323aa3a6e2a9cda2962b2f3a69e5150819e7
Detections:
INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Link:
https://www.unpac.me/results/e60914ef-7a29-4cac-84a2-727898f8ab86/
Parent samples :
949edc5ede31cf9316dedc155d8d4ca93f8da0464d2ef0d8bff52dfddcac8e41
f782933fb6a551cd97aabaf041ce9521694203199fe8a62efdfdd9dda00548e0
8957d43878c36ee0ae11246393c9c1ce600536ab817435417e50af86a3f1b055
e96789d697301017c3c5f2332f7f74fd5aabbee70373e2d7af8c7ebd24ab22e0
be71f36ddea88c4ba342394e20352d60fa7cd61cba70454eba270f9f4996b293
44365f98d16e475a1638df59aca02415388a327b2f3738acbea8dfddec202654
7cfa46dfb53c0efee3d57af2aa83f9513c27c91e569e952c22e4b022d16e6e27
433895b81e5ef461f97327e064b25cb40284a44049e6231c0c60e6f54517138a
ce55ffbc3e022895e8e50711a4daf9b3afa4b83f42c6f0c98e76a710ae03821d
689a8c848e6cf7d5ddbdceb90aa8513c1b83a9dbe72f57a70ab419264819d107
93bb322e419ca964ae2a6340febd60d216ce342706ca4efe9c6df1fec38d238e
SH256 hash:
21334153eb6df3eda7b85c54562d0488978334739856693c1c980e7345506364
MD5 hash:
e5892daba2945979e1329fea82f4b2f1
SHA1 hash:
5856f5b8378bc914d2de3dedf01b65a715f6dd6d
Link:
https://www.unpac.me/results/e60914ef-7a29-4cac-84a2-727898f8ab86/
SH256 hash:
fb2ffd61b1600b318a5814d60601afd0d9b4602b6fb4bf8e13f21da7fff2cabd
MD5 hash:
51056dd7b1a40e49623a28e27ef8aa19
SHA1 hash:
4f603d1c71429f03a7762347845ba1d0f8c47b10
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/e60914ef-7a29-4cac-84a2-727898f8ab86/
Parent samples :
f127cc97b1804964609ab8d528fd50cb1f3310ec2e710eb55c443c8d53362d98
af1a26b503f91e02a849536f18cc7dc1557e6e370e91406bdc35026133747fa0
70d432aaae6f900cb7d7e8cc0d4b78551d905d1ac9e208d4c73c4ead3b4f97a4
860a74f2c49fc7e3fc54b1d244a477a590a4410c583455eacd59772127842db4
1521933f23997a26e16971725acdeb119b82ab21f50283ee04aa7d73ce7484e5
d6bf6348e3239e54a171e41be3c23d4a515a44c495075afa639a9d2946f4ce2a
dfac5e31b117e359591781d0e6614b49226d3ef3461f2d020133f5044be3befc
aa6109131f311c7ec4cbd993ac6fb997dda5beefee5863895e36608288fcac8a
b3193fd6b06a6a466c077456ba004201be106d617aae73498c3f518b3f7f57f2
8c1bedb10049179dfe9df52eb7611d6e18ac8339b184f50a6bcbaf9a89854cf2
fec610ca26bf6c17e72f75f72a5ba1ccf4500fb3510420b29686e09338d14128
c1ffd458cc441fe5d967825862acbc540728517d0f8ec95621bd6edd1a724767
2a57a5e703adac0bd9c5a0b9a710dfe8700a1dfb21af471b9883e6d6b86c78cc
b90fc851dee3bbb480aac668be792e552bde6c4571ec9f1847da7da7f964a24f
0cd714e33c9ebb3b55d89c349099a96bf4540512eac2baee479503303116e3a8
58c5ece596efec8db43e1ab97c35ac8253b761d518a7a8ef5e311a8e274fd1a7
c085fb1e6d999dd96f4213e5f1d3d0ae061ddccc571d20eb86e645149d4fc494
953ed6e4cb1aa5d21a529c8de8c3f06176a623388810e9549f3bd91a8715c9b2
d9ad55fb79af764ef60e3508973f162266bc8a2db17155612c6b5b7155e12c1d
9f6a32eebd13b63b6f6c79c282d6059419db613fa8ac78015cc8f99bfff8a124
291c90471067e7f436eb304a29c3df2b25a0176b370453d41c218202abec8e08
82bf998ee07f0549a68b9904d760f7b0fd47ee68f08a59a26de171b6dc8ea3db
01497dea122f92d36b4e0ae4eade31511b2db302e6f7f87a695e817065834281
486271a3873f946e14f5662e2498d75c29323402c778bdf6ce0905b37619fc3a
fc1af115d47f4f6f00b3c2a06c64b4b580b76a16f8e1c122670ced300f4abf57
7d43625f6587b6539d7bc6037dcb8b0eb317a035c5deb69f79e307afa4ac4d45
949edc5ede31cf9316dedc155d8d4ca93f8da0464d2ef0d8bff52dfddcac8e41
f782933fb6a551cd97aabaf041ce9521694203199fe8a62efdfdd9dda00548e0
8957d43878c36ee0ae11246393c9c1ce600536ab817435417e50af86a3f1b055
e96789d697301017c3c5f2332f7f74fd5aabbee70373e2d7af8c7ebd24ab22e0
be71f36ddea88c4ba342394e20352d60fa7cd61cba70454eba270f9f4996b293
a58ffa444d6514a0b092f8fa84c0a15853f5141c86abcbcf0c5b4dcc312aaf3c
44365f98d16e475a1638df59aca02415388a327b2f3738acbea8dfddec202654
7cfa46dfb53c0efee3d57af2aa83f9513c27c91e569e952c22e4b022d16e6e27
433895b81e5ef461f97327e064b25cb40284a44049e6231c0c60e6f54517138a
ce55ffbc3e022895e8e50711a4daf9b3afa4b83f42c6f0c98e76a710ae03821d
689a8c848e6cf7d5ddbdceb90aa8513c1b83a9dbe72f57a70ab419264819d107
93bb322e419ca964ae2a6340febd60d216ce342706ca4efe9c6df1fec38d238e
550e893759da573a62c1c16144f5e8fa65e6df3eabd53c60648b9ac6748c1b8c
ed73c1f42bef4d474a0eb9d82ff1257f291b9b13b3dfa73d378afbe061766f5a
5fa66d59f80ba0bb65efc157dc43cc0eeab813bfe110ef92a3765edceba281cc
SH256 hash:
d574502735f62c929f2441243be8e6df71391e99407c6f95b367c28df92975ee
MD5 hash:
d8e2d772f9c6cb735691778d05d5a037
SHA1 hash:
ec081597a180f312e2c73abb019e9b349ebe3584
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/e60914ef-7a29-4cac-84a2-727898f8ab86/
Parent samples :
f782933fb6a551cd97aabaf041ce9521694203199fe8a62efdfdd9dda00548e0
8957d43878c36ee0ae11246393c9c1ce600536ab817435417e50af86a3f1b055
be71f36ddea88c4ba342394e20352d60fa7cd61cba70454eba270f9f4996b293
7cfa46dfb53c0efee3d57af2aa83f9513c27c91e569e952c22e4b022d16e6e27
ce55ffbc3e022895e8e50711a4daf9b3afa4b83f42c6f0c98e76a710ae03821d
689a8c848e6cf7d5ddbdceb90aa8513c1b83a9dbe72f57a70ab419264819d107
SH256 hash:
f782933fb6a551cd97aabaf041ce9521694203199fe8a62efdfdd9dda00548e0
MD5 hash:
c0061cc9028a73844f3121fe399ad621
SHA1 hash:
8ffa300ebca3ad064d99b590956be68703b8dcc9
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/e60914ef-7a29-4cac-84a2-727898f8ab86/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f782933fb6a5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f782933fb6a551cd97aabaf041ce9521694203199fe8a62efdfdd9dda00548e0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe f782933fb6a551cd97aabaf041ce9521694203199fe8a62efdfdd9dda00548e0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2738241/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/468339/

Comments