MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb85a6a090bdb61fd8f3c13faf205ac39fd66f9ec01025c855058b9a88b4318a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb85a6a090bdb61fd8f3c13faf205ac39fd66f9ec01025c855058b9a88b4318a
SHA3-384 hash: 1f3cf31c857fd59f78d54a339f0fc3dba0d55cc576ca328e8001083a43ed17c5e443474e9828039faafb67a451fe8b00
SHA1 hash: 6b2613bc458e8c09c81c10977a8e3f20cfa30bb9
MD5 hash: a9504f03b04d581cd601af67b8becd3f
humanhash: yankee-seventeen-maryland-single
File name:WEXXTRACT.exe
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:825'344 bytes
First seen:2023-12-27 04:13:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:0MrGy90qlrZ/Y4KJX2jzRDqCegsIrHCOzxpU4ybbUr1tLjEiULkbX:ayYrCe54xpU4eu1BjPr
Threatray 849 similar samples on MalwareBazaar
TLSH T175052322B2E8D567DDB1437018F602570B3ABD609D78935F3F986C1B18F2A946A313B7
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter adm1n_usa32
Tags:exe RiseProStealer WEXTRACT

Intelligence

File Origin
# of uploads :
1
# of downloads :
294
Origin country :
RO RO
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/469423/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Searching for the browser window
DNS request
Sending a custom TCP request
Behavior that indicates a threat
Creating a file
Running batch commands
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm autoit CAB confuserex control explorer greyware installer keylogger lolbin lolbin packed packed replace rundll32 setupapi sfx shell32 zusy
Link:
https://www.filescan.io/uploads/658ba48bb4e856b728296387/reports/9dc2aa73-e930-452e-b998-c7259db5c96d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/fb85a6a090bdb61fd8f3c13faf205ac39fd66f9ec01025c855058b9a88b4318a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/795ee5e8-fa12-477a-9c2d-fbb526b49f4e
Result
Threat name:
RisePro Stealer, Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1367252
Signature
Binary is likely a compiled AutoIt script file
Contains functionality to modify clipboard data
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Phishing site detected (based on logo match)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1367252 Sample: WEXXTRACT.exe Startdate: 27/12/2023 Architecture: WINDOWS Score: 100 109 stun.l.google.com 2->109 111 ipinfo.io 2->111 123 Snort IDS alert for network traffic 2->123 125 Multi AV Scanner detection for submitted file 2->125 127 Yara detected RisePro Stealer 2->127 129 4 other signatures 2->129 9 WEXXTRACT.exe 1 4 2->9         started        13 FANBooster131.exe 2->13         started        15 OfficeTrackerNMP131.exe 2->15         started        17 4 other processes 2->17 signatures3 process4 file5 99 2 other malicious files 9->99 dropped 149 Binary is likely a compiled AutoIt script file 9->149 19 4LG486qW.exe 16 70 9->19         started        24 1PC30lx1.exe 12 9->24         started        85 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 13->85 dropped 87 C:\...\JjQxYAT89BS6lcNnwQ517f4BmUveCoa1.zip, Zip 13->87 dropped 151 Multi AV Scanner detection for dropped file 13->151 153 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->153 155 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 13->155 157 Tries to harvest and steal browser information (history, passwords, etc) 13->157 26 WerFault.exe 13->26         started        89 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 15->89 dropped 91 C:\...behaviorgraphIQyoEMesuL9W0kFQRmN5uWElRPx0Rd5.zip, Zip 15->91 dropped 159 Tries to steal Mail credentials (via file / registry access) 15->159 161 Machine Learning detection for dropped file 15->161 163 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 15->163 28 WerFault.exe 15->28         started        30 WerFault.exe 15->30         started        93 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 17->93 dropped 95 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 17->95 dropped 97 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 17->97 dropped 101 3 other malicious files 17->101 dropped 165 Queries memory information (via WMI often done to detect virtual machines) 17->165 32 WerFault.exe 17->32         started        34 WerFault.exe 17->34         started        36 WerFault.exe 17->36         started        38 WerFault.exe 17->38         started        signatures6 process7 dnsIp8 113 193.233.132.74 FREE-NET-ASFREEnetEU Russian Federation 19->113 115 ipinfo.io 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 19->115 77 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 19->77 dropped 79 C:\Users\user\AppData\...\FANBooster131.exe, PE32 19->79 dropped 81 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 19->81 dropped 83 2 other malicious files 19->83 dropped 131 Multi AV Scanner detection for dropped file 19->131 133 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->133 135 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 19->135 145 3 other signatures 19->145 40 cmd.exe 19->40         started        43 cmd.exe 19->43         started        45 WerFault.exe 19->45         started        47 WerFault.exe 19->47         started        137 Binary is likely a compiled AutoIt script file 24->137 139 Machine Learning detection for dropped file 24->139 141 Found API chain indicative of sandbox detection 24->141 143 Contains functionality to modify clipboard data 24->143 49 chrome.exe 9 24->49         started        52 chrome.exe 24->52         started        54 chrome.exe 24->54         started        56 6 other processes 24->56 file9 signatures10 process11 dnsIp12 147 Uses schtasks.exe or at.exe to add and modify task schedules 40->147 69 2 other processes 40->69 71 2 other processes 43->71 103 192.168.2.5 unknown unknown 49->103 105 192.168.2.6 unknown unknown 49->105 107 239.255.255.250 unknown Reserved 49->107 58 chrome.exe 49->58         started        73 2 other processes 49->73 61 chrome.exe 52->61         started        63 chrome.exe 54->63         started        65 chrome.exe 56->65         started        67 chrome.exe 56->67         started        75 4 other processes 56->75 signatures13 process14 dnsIp15 117 twitter.com 104.244.42.129 TWITTERUS United States 58->117 119 tpop-api.twitter.com 104.244.42.194 TWITTERUS United States 58->119 121 115 other IPs or domains 58->121
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fb85a6a090bdb61fd8f3c13faf205ac39fd66f9ec01025c855058b9a88b4318a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb85a6a090bdb61fd8f3c13faf205ac39fd66f9ec01025c855058b9a88b4318a/
Threat name:
Win32.Trojan.RiseProStealer
Create hunting rule
Status:
Malicious
First seen:
2023-12-25 07:21:37 UTC
File Type:
PE (Exe)
Extracted files:
64
AV detection:
21 of 37 (56.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7oc2nieqxw3b7whtye726ic2yop5m346yaiclscvawfzvcfuggfa._file
Verdict:
malicious
Similar samples:
0f3d5594200f4cd0b3945bb7cc68ca39a73c0afbc5c443e585bd0fbafafe230c
RiseProStealer
42d5c8af3500e1d4979045b84efe4fe7f901e8b5bcdb46a0a8ef9e2fcb7320ef
RiseProStealer
50ca2730d4feb93b8d6cf986a86b34912d83c10dd7d7259d3538d415c904af73
RiseProStealer
550e893759da573a62c1c16144f5e8fa65e6df3eabd53c60648b9ac6748c1b8c
RiseProStealer
99d96ff0355fdbfa9a1633f5d2dfde806238bc50f0cf452ef58924679c584f3c
RiseProStealer
b928d37ab77db12ed05e85b0eb21829639369b27dccaf37ddbd056c9457f7319
RiseProStealer
+ 839 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
brand:google brand:paypal collection discovery persistence phishing spyware stealer
Link:
https://tria.ge/reports/231227-etm3pscce7/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
AutoIT Executable
Detected potential entity reuse from brand paypal.
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Detected google phishing page
Unpacked files
SH256 hash:
20aa0a34ac28fac713848fb565bc98d21baffb359034ca713fb1f5c30a84ac00
MD5 hash:
14a637673041cdfea755d26a802d4273
SHA1 hash:
ec476390c9200d594ff75e546124a35dda41f990
Detections:
INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Link:
https://www.unpac.me/results/09b4d54d-d05e-478e-b11d-38f498f2afec/
SH256 hash:
e3c83ad6d2ac42df511537e24d406c3af4102c0c112b81809b92b21cd3b88b07
MD5 hash:
6abc9edfd742d10429c6a6ba5bb73232
SHA1 hash:
e6f06c33a82687d71f1f807cdfcc1c53e82ae60b
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/09b4d54d-d05e-478e-b11d-38f498f2afec/
Parent samples :
059b4c4f4e698f682bddbaecb0c94ac2b856d65a2c5c7943a3869c507c08d556
c21cfe990b2202b1d2cc45e60ad7c5085513f5c7b44c8c267759b056771d5765
44ae5bcd4f1efbb30cf46e88b8fe6ff722c38d7101aeb2cb381b9f108312978c
6e18c0aac85e435eced23988b5c0365e52840f244f91b0aba4520d0a3c42ea64
b87531a1fbc40e8ada603a797fde0ce06ba4d86e984cd9c7fb03a2635dfd6803
233fdd885db94f2bf61ecf71049c5bce72378edcec5e65f824422052922f394c
b9f69c03f5d2f0190f98375d442160b4bf00071f5f4845a1152299c0430f8744
2fe1c7f6fd2a372cbee37cea22872936df4fe02d94cbf75f0115167b2ee14982
fb85a6a090bdb61fd8f3c13faf205ac39fd66f9ec01025c855058b9a88b4318a
9d5a3aba415f4bbdf2490d85a206125ab9ff69b1d0898e852dae701d02138815
SH256 hash:
fb85a6a090bdb61fd8f3c13faf205ac39fd66f9ec01025c855058b9a88b4318a
MD5 hash:
a9504f03b04d581cd601af67b8becd3f
SHA1 hash:
6b2613bc458e8c09c81c10977a8e3f20cfa30bb9
Link:
https://www.unpac.me/results/09b4d54d-d05e-478e-b11d-38f498f2afec/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fb85a6a090bdb61fd8f3c13faf205ac39fd66f9ec01025c855058b9a88b4318a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/469423/

Comments