MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff6d1e2e67efbf5eae5a6814c8655423e67f48fc8c2375d158e0c1f8e3e9e144. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff6d1e2e67efbf5eae5a6814c8655423e67f48fc8c2375d158e0c1f8e3e9e144
SHA3-384 hash: e4f0e84c24c51d254c629bfa937fdd68073befe13f33def97804e6b86a7a2405b0b608c9860c1bf1be8764c1aa654050
SHA1 hash: bb1f3c97e58729b476f19d4c70a825eeaacdb9cd
MD5 hash: b716baea0866421f013912e77e5db815
humanhash: snake-gee-chicken-cup
File name:b716baea0866421f013912e77e5db815
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:1'539'552 bytes
First seen:2024-01-18 21:32:33 UTC
Last seen:2024-01-19 05:34:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:Zj9bjkIP9yCNPPZW1XCzQ4J0vbl9bK/0NfmafPpLrloEJzU1WwlIiYTJiOV2Exwu:1ZBZrq1DusNfxPpJJzUceRYTXgEuu
Threatray 4 similar samples on MalwareBazaar
TLSH T14E6533EB29830D3AEC2E187D20D70215603FA791F9579FE9D86E0FC19882F6E1725126
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe RiseProStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
340
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/471576/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.24589.20634.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Creating a file in the %temp% directory
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Сreating synchronization primitives
Reading critical registry keys
Creating a process from a recently created file
Searching for the window
Creating a window
Searching for synchronization primitives
Launching a service
Creating a process with a hidden window
Searching for the browser window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a recently created process
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/65a9990f59502c0e7b3a12f8/reports/38d48917-49ab-4556-a648-8a1d430681e2/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/ff6d1e2e67efbf5eae5a6814c8655423e67f48fc8c2375d158e0c1f8e3e9e144
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Craxs RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7a4ff12b-0d7c-47af-9133-4325d156892d
Result
Threat name:
Amadey, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1377069
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Contains functionality to check for running processes (XOR)
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Downloads suspicious files via Chrome
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for submitted file
PE file has nameless sections
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1377069 Sample: w9KEWt56fo.exe Startdate: 18/01/2024 Architecture: WINDOWS Score: 100 98 yt3.ggpht.com 2->98 100 youtube-ui.l.google.com 2->100 102 25 other IPs or domains 2->102 126 Snort IDS alert for network traffic 2->126 128 Antivirus detection for URL or domain 2->128 130 Multi AV Scanner detection for submitted file 2->130 132 8 other signatures 2->132 10 w9KEWt56fo.exe 1 2->10         started        13 msedge.exe 2->13         started        16 firefox.exe 2->16         started        19 6 other processes 2->19 signatures3 process4 dnsIp5 158 Contains functionality to inject code into remote processes 10->158 160 Writes to foreign memory regions 10->160 162 Allocates memory in foreign processes 10->162 164 Injects a PE file into a foreign processes 10->164 21 RegAsm.exe 1 95 10->21         started        80 C:\Users\user\...\page_embed_script.js, ASCII 13->80 dropped 82 C:\Users\user\...\eventpage_bin_prod.js, ASCII 13->82 dropped 84 C:\Users\user\AppData\...\content_new.js, Unicode 13->84 dropped 86 C:\Users\user\AppData\Local\...\content.js, Unicode 13->86 dropped 26 msedge.exe 13->26         started        92 services.addons.mozilla.org 18.172.170.2 MIT-GATEWAYSUS United States 16->92 94 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 16->94 96 3 other IPs or domains 16->96 88 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 16->88 dropped 90 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 16->90 dropped 28 conhost.exe 19->28         started        30 conhost.exe 19->30         started        32 conhost.exe 19->32         started        34 3 other processes 19->34 file6 signatures7 process8 dnsIp9 104 185.215.113.68 WHOLESALECONNECTIONSNL Portugal 21->104 106 109.107.182.3 TELEPORT-TV-ASRU Russian Federation 21->106 112 2 other IPs or domains 21->112 70 C:\Users\user\...\zsZPurNTVomie9T3NZw8.exe, PE32 21->70 dropped 72 C:\Users\user\...\SLB58kcNRKBdv0CB4h3S.exe, PE32 21->72 dropped 74 C:\Users\user\...\AzjfAH4fKDBbhbuM6TEz.exe, PE32 21->74 dropped 76 8 other files (1 malicious) 21->76 dropped 150 Contains functionality to check for running processes (XOR) 21->150 152 Tries to steal Mail credentials (via file / registry access) 21->152 154 Found stalling execution ending in API Sleep call 21->154 156 5 other signatures 21->156 36 SLB58kcNRKBdv0CB4h3S.exe 21->36         started        39 AzjfAH4fKDBbhbuM6TEz.exe 13 21->39         started        41 zsZPurNTVomie9T3NZw8.exe 21->41         started        44 2 other processes 21->44 108 13.107.21.200 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->108 110 13.107.246.70 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->110 114 22 other IPs or domains 26->114 file10 signatures11 process12 file13 134 Modifies windows update settings 36->134 136 Disables Windows Defender Tamper protection 36->136 138 Disable Windows Defender notifications (registry) 36->138 140 Disable Windows Defender real time protection (registry) 36->140 142 Binary is likely a compiled AutoIt script file 39->142 144 Found API chain indicative of sandbox detection 39->144 46 chrome.exe 1 39->46         started        49 chrome.exe 39->49         started        51 chrome.exe 39->51         started        57 9 other processes 39->57 78 C:\Users\user\AppData\Local\...\explorhe.exe, PE32 41->78 dropped 146 Detected unpacking (changes PE section rights) 41->146 148 Hides threads from debuggers 41->148 53 conhost.exe 44->53         started        55 conhost.exe 44->55         started        signatures14 process15 dnsIp16 122 192.168.2.7 unknown unknown 46->122 124 239.255.255.250 unknown Reserved 46->124 59 chrome.exe 46->59         started        62 chrome.exe 49->62         started        64 chrome.exe 51->64         started        66 msedge.exe 57->66         started        68 msedge.exe 57->68         started        process17 dnsIp18 116 142.250.107.84 GOOGLEUS United States 59->116 118 youtube-ui.l.google.com 142.250.217.110 GOOGLEUS United States 59->118 120 46 other IPs or domains 59->120
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ff6d1e2e67efbf5eae5a6814c8655423e67f48fc8c2375d158e0c1f8e3e9e144
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff6d1e2e67efbf5eae5a6814c8655423e67f48fc8c2375d158e0c1f8e3e9e144/
Threat name:
ByteCode-MSIL.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-01-18 21:33:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=75wr4lth567v5ls2nakmqzkuepth6sh4rqrxluky4da7ry7j4fca._file
Verdict:
unknown
Similar samples:
0b891e136711ba923d7bc6e78591e3764354aa85b36e0157836c7d98979d72fd
RiseProStealer
4a821767c6ce723e6fb4b8d54efd52df6cbd63fc0de47a7b8b39a6ec72b4be69
RiseProStealer
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro stealer
Link:
https://tria.ge/reports/240118-1d6qrsaeb9/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
RisePro
Malware Config
C2 Extraction:
193.233.132.62:50500
Unpacked files
SH256 hash:
510e8661513dba0e7ec7b3071525847745575a2641c328b76d971b98738cce31
MD5 hash:
bc281a96587759e7af8d88f7ff8b9650
SHA1 hash:
139eaeb032ab0a44eab04715b9a6ce595caf1d64
Link:
https://www.unpac.me/results/839f80f2-2f6b-4928-9011-02f17442983b/
SH256 hash:
ff6d1e2e67efbf5eae5a6814c8655423e67f48fc8c2375d158e0c1f8e3e9e144
MD5 hash:
b716baea0866421f013912e77e5db815
SHA1 hash:
bb1f3c97e58729b476f19d4c70a825eeaacdb9cd
Link:
https://www.unpac.me/results/839f80f2-2f6b-4928-9011-02f17442983b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ff6d1e2e67ef/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff6d1e2e67efbf5eae5a6814c8655423e67f48fc8c2375d158e0c1f8e3e9e144

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe ff6d1e2e67efbf5eae5a6814c8655423e67f48fc8c2375d158e0c1f8e3e9e144

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/471576/
  
URLhaus
https://urlhaus.abuse.ch/url/2749367/
  
URLhaus
https://urlhaus.abuse.ch/url/2749079/

Comments


Avatar
zbet commented on 2024-01-18 21:32:34 UTC

url : hxxp://109.107.182.40/holm/room.exe