MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f977db2d43fc46345f2711d8f6ade913ad807ab9b1f0988e2fd01fc45406faa0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f977db2d43fc46345f2711d8f6ade913ad807ab9b1f0988e2fd01fc45406faa0
SHA3-384 hash: ef17ab319b4bace30fdc5c013d40edbdeffec119d6753d5466b095ddefe96c8f743224d97b7f5d8803f6957ae175a879
SHA1 hash: a558c428f099bf1926024aceb6fcae7c20c6d416
MD5 hash: 4953dfa650b558bbea8017237611139b
humanhash: quebec-bacon-river-connecticut
File name:4953dfa650b558bbea8017237611139b.exe
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:1'657'344 bytes
First seen:2023-12-16 06:10:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:lrlvscth7rnUplPlWeibSUwpub2qNy5HBoR:TvsXlribdEukH6R
Threatray 577 similar samples on MalwareBazaar
TLSH T11275338371DC6637CCB31FB844BA079369367CB26AA897572D455C8508B38C0EE397A7
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RiseProStealer


Avatar
abuse_ch
RiseProStealer C2:
91.92.249.253:50500

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/467922/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Searching for the browser window
Searching for the window
DNS request
Sending a custom TCP request
Behavior that indicates a threat
Reading critical registry keys
Running batch commands
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
89%
Tags:
advpack anti-vm CAB control explorer installer lolbin lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/657d3f776b1c246046f640f8/reports/b57b3dac-6688-4b8f-8e83-7c933bed7c08/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/f977db2d43fc46345f2711d8f6ade913ad807ab9b1f0988e2fd01fc45406faa0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Healer AVKiller
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bdf56703-2e82-4a8b-a3f6-867128dd857d
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1363264
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Connects to many IPs within the same subnet mask (likely port scanning)
Contains functionality to detect sleep reduction / modifications
Contains functionality to modify clipboard data
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found API chain indicative of sandbox detection
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
PE file has nameless sections
Phishing site detected (based on logo match)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1363264 Sample: N3u1p6Gdf5.exe Startdate: 16/12/2023 Architecture: WINDOWS Score: 100 82 Antivirus detection for dropped file 2->82 84 Antivirus / Scanner detection for submitted sample 2->84 86 Multi AV Scanner detection for dropped file 2->86 88 9 other signatures 2->88 10 N3u1p6Gdf5.exe 1 4 2->10         started        13 rundll32.exe 2->13         started        15 rundll32.exe 2->15         started        17 rundll32.exe 2->17         started        process3 file4 68 C:\Users\user\AppData\Local\...\rg6uF52.exe, PE32 10->68 dropped 70 C:\Users\user\AppData\Local\...\5Xm5qM4.exe, PE32 10->70 dropped 19 rg6uF52.exe 1 4 10->19         started        process5 file6 60 C:\Users\user\AppData\Local\...\ge7NV82.exe, PE32 19->60 dropped 62 C:\Users\user\AppData\Local\...\3KS30Ce.exe, PE32 19->62 dropped 90 Multi AV Scanner detection for dropped file 19->90 92 Machine Learning detection for dropped file 19->92 23 ge7NV82.exe 1 4 19->23         started        signatures7 process8 file9 64 C:\Users\user\AppData\Local\...\2Ms5281.exe, PE32 23->64 dropped 66 C:\Users\user\AppData\Local\...\1gy69Uc4.exe, PE32 23->66 dropped 94 Multi AV Scanner detection for dropped file 23->94 96 Binary is likely a compiled AutoIt script file 23->96 98 Machine Learning detection for dropped file 23->98 27 2Ms5281.exe 10 2 23->27         started        30 1gy69Uc4.exe 12 23->30         started        signatures10 process11 signatures12 100 Multi AV Scanner detection for dropped file 27->100 102 Detected unpacking (changes PE section rights) 27->102 104 Detected unpacking (overwrites its own PE header) 27->104 112 7 other signatures 27->112 106 Binary is likely a compiled AutoIt script file 30->106 108 Machine Learning detection for dropped file 30->108 110 Found API chain indicative of sandbox detection 30->110 32 chrome.exe 9 30->32         started        35 chrome.exe 30->35         started        37 chrome.exe 30->37         started        39 7 other processes 30->39 process13 dnsIp14 72 192.168.2.5 unknown unknown 32->72 74 239.255.255.250 unknown Reserved 32->74 41 chrome.exe 32->41         started        44 chrome.exe 32->44         started        46 chrome.exe 6 32->46         started        48 chrome.exe 35->48         started        50 chrome.exe 37->50         started        52 chrome.exe 39->52         started        54 chrome.exe 39->54         started        56 chrome.exe 39->56         started        58 4 other processes 39->58 process15 dnsIp16 76 104.244.42.194 TWITTERUS United States 41->76 78 t.co 104.244.42.197 TWITTERUS United States 41->78 80 86 other IPs or domains 41->80
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f977db2d43fc46345f2711d8f6ade913ad807ab9b1f0988e2fd01fc45406faa0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f977db2d43fc46345f2711d8f6ade913ad807ab9b1f0988e2fd01fc45406faa0/
Threat name:
Win32.Trojan.RiseProStealer
Create hunting rule
Status:
Malicious
First seen:
2023-12-16 05:56:02 UTC
File Type:
PE (Exe)
Extracted files:
139
AV detection:
21 of 37 (56.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7f35wlkd7rddixzhchmpnlpjcowya6vzwhyjrdrp2ap4ivag7kqa._file
Verdict:
unknown
Similar samples:
1521933f23997a26e16971725acdeb119b82ab21f50283ee04aa7d73ce7484e5
RiseProStealer
70d432aaae6f900cb7d7e8cc0d4b78551d905d1ac9e208d4c73c4ead3b4f97a4
RiseProStealer
860a74f2c49fc7e3fc54b1d244a477a590a4410c583455eacd59772127842db4
RiseProStealer
af1a26b503f91e02a849536f18cc7dc1557e6e370e91406bdc35026133747fa0
RiseProStealer
d6bf6348e3239e54a171e41be3c23d4a515a44c495075afa639a9d2946f4ce2a
RiseProStealer
f127cc97b1804964609ab8d528fd50cb1f3310ec2e710eb55c443c8d53362d98
RiseProStealer
+ 567 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:redline family:smokeloader botnet:@oleh_ps backdoor brand:google collection discovery evasion infostealer persistence phishing spyware stealer trojan
Link:
https://tria.ge/reports/231216-gxledscbc3/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Detect Lumma Stealer payload V4
Detected google phishing page
Lumma Stealer
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
http://185.215.113.68/fks/index.php
176.123.7.190:32927
http://soupinterestoe.fun/api
http://dayfarrichjwclik.fun/api
http://neighborhoodfeelsa.fun/api
Unpacked files
SH256 hash:
6e9d1b6e5b09b06dc74fba4e0a8cd3236563cec93f1c4e5486683924a5cfa6cc
MD5 hash:
79625ef5017cd8883ec5a17faf691f09
SHA1 hash:
16fb0df383be2027f9f1367c0787c22eca701343
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/30da5b3d-5aa7-4b98-a94b-de6d04d2fe6a/
Parent samples :
78a2c197dcb65883cebc38339dd08b21f6dffb020d7cbb33a734ed969b1a5fb3
bd68792e8bdc0c4f7733a20a823970ad42f7ed1e702ac5e72e2bdd9b80cab862
f977db2d43fc46345f2711d8f6ade913ad807ab9b1f0988e2fd01fc45406faa0
SH256 hash:
affde838adcd4a717336f007207014d9db0281094ee77f02fafeefa162932c8a
MD5 hash:
2403667c9d93d9d8fb49e67641d6679b
SHA1 hash:
8781f266192527c22455e8ea11c7de8b76794f33
Detections:
INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Link:
https://www.unpac.me/results/30da5b3d-5aa7-4b98-a94b-de6d04d2fe6a/
SH256 hash:
f143396015db245f7229fff51e7c7e0b624e871ef31f3ab2092fef842dbe589f
MD5 hash:
a059a941503bc6c9c3db642777ee20ff
SHA1 hash:
2d1e6372abfe27e6d5ca0f56390969751f5d5130
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/30da5b3d-5aa7-4b98-a94b-de6d04d2fe6a/
Parent samples :
af1a26b503f91e02a849536f18cc7dc1557e6e370e91406bdc35026133747fa0
70d432aaae6f900cb7d7e8cc0d4b78551d905d1ac9e208d4c73c4ead3b4f97a4
d6bf6348e3239e54a171e41be3c23d4a515a44c495075afa639a9d2946f4ce2a
f977db2d43fc46345f2711d8f6ade913ad807ab9b1f0988e2fd01fc45406faa0
dfac5e31b117e359591781d0e6614b49226d3ef3461f2d020133f5044be3befc
aa6109131f311c7ec4cbd993ac6fb997dda5beefee5863895e36608288fcac8a
b3193fd6b06a6a466c077456ba004201be106d617aae73498c3f518b3f7f57f2
fec610ca26bf6c17e72f75f72a5ba1ccf4500fb3510420b29686e09338d14128
b90fc851dee3bbb480aac668be792e552bde6c4571ec9f1847da7da7f964a24f
0cd714e33c9ebb3b55d89c349099a96bf4540512eac2baee479503303116e3a8
c085fb1e6d999dd96f4213e5f1d3d0ae061ddccc571d20eb86e645149d4fc494
d9ad55fb79af764ef60e3508973f162266bc8a2db17155612c6b5b7155e12c1d
550e893759da573a62c1c16144f5e8fa65e6df3eabd53c60648b9ac6748c1b8c
SH256 hash:
f977db2d43fc46345f2711d8f6ade913ad807ab9b1f0988e2fd01fc45406faa0
MD5 hash:
4953dfa650b558bbea8017237611139b
SHA1 hash:
a558c428f099bf1926024aceb6fcae7c20c6d416
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/30da5b3d-5aa7-4b98-a94b-de6d04d2fe6a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f977db2d43fc46345f2711d8f6ade913ad807ab9b1f0988e2fd01fc45406faa0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe f977db2d43fc46345f2711d8f6ade913ad807ab9b1f0988e2fd01fc45406faa0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2738241/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/467922/

Comments