MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff63976d5cc3f2965ef707e4073440ca0fd9d976a02ccc766bf7a4d9af9144e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff63976d5cc3f2965ef707e4073440ca0fd9d976a02ccc766bf7a4d9af9144e9
SHA3-384 hash: cede34094c1d06633cd5c11db616ec3fc84a784a086d9c82a7641d2e9e6e30b16dafa727ded1957e0d7b9a0736454f1f
SHA1 hash: 54adfcc0e9da25aea9966ea76ddfc7e4940af1a3
MD5 hash: 12f4b96090bb7a1aa45768f68870ef90
humanhash: nitrogen-whiskey-freddie-king
File name:12f4b96090bb7a1aa45768f68870ef90.exe
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:55'906'304 bytes
First seen:2023-11-07 23:05:17 UTC
Last seen:2023-11-08 00:38:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 46afc61b34fb8e20ac7399f0df86ba31 (4 x PrivateLoader, 2 x RiseProStealer, 1 x Amadey)
ssdeep 98304:rmeKmPZ9WvNXNaY2JCoFkHCfeyV1SMvxvy:rKmPZ+XP2Jbkim4SwJy
Threatray 621 similar samples on MalwareBazaar
TLSH T174C723827F425BFBD05EC73A952A841F32577F938AB441473B8A7A09CD733114C7A29A
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon e4c8e890dacce4a4 (1 x RiseProStealer)
Reporter abuse_ch
Tags:exe RiseProStealer


Avatar
abuse_ch
RiseProStealer C2:
185.216.70.232:28121

Intelligence

File Origin
# of uploads :
2
# of downloads :
3'575
Origin country :
NL NL
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Modifying a system file
Replacing files
Launching a service
Launching a process
DNS request
Sending a custom TCP request
Sending a UDP request
Sending an HTTP GET request
Reading critical registry keys
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Launching cmd.exe command interpreter
Changing a file
Creating a window
Blocking the Windows Defender launch
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed packed vmprotect
Link:
https://www.filescan.io/uploads/654ac2dd641154c7e3edee8a/reports/5fa905d7-bebd-4ed8-9f4c-231fd968bc16/overview
Verdict:
Malicious
Labled as:
Win64/GenKryptik.GPOI trojan
Link:
https://www.hybrid-analysis.com/sample/ff63976d5cc3f2965ef707e4073440ca0fd9d976a02ccc766bf7a4d9af9144e9
Result
Verdict:
MALICIOUS
Result
Threat name:
Djvu, PrivateLoader, RedLine, RisePro St
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1338646
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Djvu Ransomware
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1338646 Sample: l5GCQ2fOuD.exe Startdate: 08/11/2023 Architecture: WINDOWS Score: 100 124 Found malware configuration 2->124 126 Malicious sample detected (through community Yara rule) 2->126 128 Antivirus detection for URL or domain 2->128 130 27 other signatures 2->130 9 l5GCQ2fOuD.exe 10 55 2->9         started        14 WinTrackerSP.exe 2->14         started        16 svchost.exe 2->16         started        18 6 other processes 2->18 process3 dnsIp4 118 93.186.225.194 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 9->118 120 95.142.206.0 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 9->120 122 17 other IPs or domains 9->122 86 C:\Users\...\zJFDeaPvIyts8RxVoZG2_nWk.exe, PE32 9->86 dropped 88 C:\Users\...\upSBLZ4NIfc7QnNPtAkDYCEi.exe, PE32 9->88 dropped 90 C:\Users\...\rk3kOtqdyYG2rVeqZH8kKAFN.exe, PE32 9->90 dropped 92 22 other malicious files 9->92 dropped 172 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->172 174 Creates HTML files with .exe extension (expired dropper behavior) 9->174 176 Disables Windows Defender (deletes autostart) 9->176 182 2 other signatures 9->182 20 zJFDeaPvIyts8RxVoZG2_nWk.exe 39 9->20         started        25 upSBLZ4NIfc7QnNPtAkDYCEi.exe 9->25         started        27 HjgWthpsPwiHHN09GXaVtcpK.exe 9->27         started        31 14 other processes 9->31 178 Antivirus detection for dropped file 14->178 180 Multi AV Scanner detection for dropped file 14->180 29 WerFault.exe 16->29         started        file5 signatures6 process7 dnsIp8 106 5.182.38.138 VMAGE-ASRU Russian Federation 20->106 108 149.154.167.99 TELEGRAMRU United Kingdom 20->108 110 116.203.165.60 HETZNER-ASDE Germany 20->110 68 C:\Users\user\AppData\...\softokn3[1].dll, PE32 20->68 dropped 70 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 20->70 dropped 80 10 other files (6 malicious) 20->80 dropped 146 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->146 148 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 20->148 150 Tries to harvest and steal ftp login credentials 20->150 152 Tries to harvest and steal browser information (history, passwords, etc) 20->152 154 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 25->154 166 3 other signatures 25->166 33 explorer.exe 25->33 injected 72 C:\Users\user\AppData\...\FANBooster1.exe, PE32 27->72 dropped 82 2 other malicious files 27->82 dropped 156 Query firmware table information (likely to detect VMs) 27->156 158 Creates multiple autostart registry keys 27->158 168 2 other signatures 27->168 112 194.33.191.60 AQUA-ASRO unknown 31->112 114 87.240.137.164 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 31->114 116 11 other IPs or domains 31->116 74 C:\Users\...\Vwuxsm0Qtg_iLW2faA8s0596.exe, PE32+ 31->74 dropped 76 C:\Users\...\TQo62q8ox9HuRXfRt8AkIGzm.exe, PE32 31->76 dropped 78 C:\Users\user\AppData\Local\...\mtsfnnvz.exe, PE32 31->78 dropped 84 13 other files (11 malicious) 31->84 dropped 160 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 31->160 162 Tries to steal Mail credentials (via file / registry access) 31->162 164 Found many strings related to Crypto-Wallets (likely being stolen) 31->164 170 6 other signatures 31->170 38 AppLaunch.exe 31->38         started        40 18uwFUuKdGkT6_YB3fIMB5ro.exe 31->40         started        42 cmd.exe 31->42         started        44 8 other processes 31->44 file9 signatures10 process11 dnsIp12 94 91.215.85.17 PINDC-ASRU Russian Federation 33->94 96 34.143.166.163 ATGS-MMD-ASUS United States 33->96 104 2 other IPs or domains 33->104 60 C:\Users\user\AppData\Roaming\ivcagde, PE32 33->60 dropped 62 C:\Users\user\AppData\Local\Temp\1721.exe, PE32 33->62 dropped 132 System process connects to network (likely due to code injection or exploit) 33->132 134 Benign windows process drops PE files 33->134 136 Hides that the sample has been downloaded from the Internet (zone.identifier) 33->136 98 185.216.70.232 CLOUDCOMPUTINGDE Germany 38->98 138 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 38->138 140 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 38->140 142 Tries to harvest and steal browser information (history, passwords, etc) 38->142 46 Conhost.exe 38->46         started        100 104.21.65.24 CLOUDFLARENETUS United States 40->100 64 C:\Users\...\18uwFUuKdGkT6_YB3fIMB5ro.exe, PE32 40->64 dropped 144 Creates multiple autostart registry keys 40->144 66 (copy), PE32 42->66 dropped 48 conhost.exe 42->48         started        102 20.189.173.22 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 44->102 50 control.exe 44->50         started        52 conhost.exe 44->52         started        54 conhost.exe 44->54         started        56 4 other processes 44->56 file13 signatures14 process15 process16 58 rundll32.exe 50->58         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ff63976d5cc3f2965ef707e4073440ca0fd9d976a02ccc766bf7a4d9af9144e9
Gathering data
Threat name:
Win64.Trojan.PrivateLoader
Create hunting rule
Status:
Malicious
First seen:
2023-11-03 21:26:04 UTC
File Type:
PE+ (Exe)
Extracted files:
144
AV detection:
13 of 37 (35.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=75rzo3k4ypzjmxxxa7saoncazih5twlwuawmy5tl66sntl4rituq._file
Verdict:
malicious
Similar samples:
5708789b5fb5f47fa7a4f585344620ca294a6c8f3c26a5b27064ce9ddfd19803
RiseProStealer
58a63ea446ddd8bd4bbda56a139157b04997ce2ee7cb36645c4cb0cadf3d872d
RiseProStealer
6f12232e159de661dadd56f6f17a36a0d4e6ae24eba5c06f54fd2f7a8763feb0
RiseProStealer
880265cb3889dd109ac84a6756367ae56b73b483343a84a42fb35d16c816ec71
RiseProStealer
ac66279c745d403846dac0ec03b6e36aeea2a217959fe1172f989341d7343510
RiseProStealer
d2e07f0516d7df039709a274495a90d5ddcedc96a4bd7240a7593ca55c9a7383
RiseProStealer
eba4766b6e31c7176ca556adaa1e6803d3ffba4e6801dcd4e9b1926393c1faf9
RiseProStealer
+ 611 additional samples on MalwareBazaar
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader loader spyware stealer
Link:
https://tria.ge/reports/231107-23d8gsbd99/
Behaviour
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
PrivateLoader
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ff63976d5cc3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments