Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

RisePro

53
Global rank
78 infographic chevron month
Month rank
118 infographic chevron week
Week rank
0
IOCs

RisePro, an information-stealing malware, targets a wide range of sensitive data, including credit cards, passwords, and cryptocurrency wallets. By compromising infected devices, RisePro can steal valuable information and potentially cause significant financial and personal losses for victims.

Stealer
Type
ex-USSR
Origin
1 December, 2022
First seen
6 January, 2025
Last seen

How to analyze RisePro with ANY.RUN

Type
ex-USSR
Origin
1 December, 2022
First seen
6 January, 2025
Last seen

IOCs

IP addresses
95.214.25.205
5.42.65.117
3.36.173.8
193.233.132.74
77.91.77.66
194.49.94.152
194.169.175.123
193.233.132.253
118.194.235.187
193.233.132.67
101.99.92.169
5.42.92.51
147.45.47.126
77.91.77.180
77.105.132.27
77.91.77.117
193.233.132.62
5.42.67.8
5.42.65.116
147.45.47.93
Domains
filefactory.com
api.my-rise.cc
api.db-ip.com
URLs
http://content.elite-hacks.ru/test/setStats.php
https://t.me/RiseProSUPPORT
http://108.174.200.11/MWTSL
Last Seen at

Recent blog posts

post image
Malware Trends Overview Report: 2024
watchers 4958
comments 0
post image
YARA Rules: Cyber Threat Detection Tool for M...
watchers 680
comments 0
post image
Threat Intelligence Pivoting: Actionable Insi...
watchers 557
comments 0

What is RisePro malware?

RisePro is a malware program primarily designed to exfiltrate sensitive information from compromised devices. It is often distributed through deceptive methods, such as fake cracks sites or malicious email attachments. Once installed, RisePro infiltrates the target system and silently collects a variety of personal and financial data.

First detected in late 2022, the malware continues to be actively updated and developed by its creators. It is sold openly online, including via a Telegram bot, where users can choose a preferred subscription plan and control the malware.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Technical details of the RisePro malicious software

RisePro's underlying architecture is similar to Vidar’s, another well-known password-stealing malware. It employs a system of embedded DLL dependencies to achieve its malicious goals.

The malware's typically focuses on stealing the following types of information:

  • Web browser credentials: RisePro can steal login credentials and cookies from various web browsers, including Google Chrome, Mozilla Firefox, and Microsoft Edge.
  • Crypto wallets: The malware can identify and steal cryptocurrency wallet addresses and private keys, granting attackers access to victims' digital assets.
  • Credit card information: RisePro may collect credit card numbers, expiration dates, and CVV codes.

Additionally, RisePro gathers information about the compromised system, including operating system, installed software, and hardware specifications. It can also capture screenshots of the victim's desktop, providing attackers with visual insights into their activities.

Once collected, the stolen data is bundled and sent to the attacker's command and control (C2) server. As mentioned, RisePro is constantly evolving, as its creators continue to enhance its capabilities. In a recent development, the malware has transitioned from HTTP-based C2 communication to a custom TCP protocol.

Check out a comprehensive analysis of RisePro’s C2 communication.

RisePro employs various obfuscation techniques to evade detection by security software, making it more challenging for antivirus and anti-malware solutions to identify and neutralize the threat.

Execution process of RisePro

To see how RisePro behaves on an actual system, let’s upload its sample to ANY.RUN sandbox for detailed analysis.

Like most malware, RisePro's execution chain can vary significantly even within one version. It can be either a single process performing all malicious activities or multiple processes involving the operating system's system utilities.

In our case, using the Static discovering function, we can see that a macro launches a process named crome.exe, which was downloaded from a remote server with the address 89.23.98.22.

Subsequently, we can use Script Tracer to verify this information and ensure that this process was also launched after the download. The WINWORD process, through macros, downloaded and initiated the crome process, which was the RisePro stealer, and carried out the main malicious activity. Additionally, the malware added itself to the Task Scheduler to ensure persistence on the infected system.

RisePro process graph shown in ANY.RUN RisePro`s process graph demonstrated in ANY.RUN

Distribution methods of the RisePro malware

RisePro is often spread by a loader called PrivateLoader. PrivateLoader is a pay-per-install service that charges malware distributors for each installation of their harmful software.

PrivateLoader's most common tactic is to disguise itself as pirated software. This means that they create websites that look like they are offering free downloads of popular programs.

One way that PrivateLoader makes its websites look legitimate is by using SEO poisoning. This is a technique that involves manipulating search engines to rank websites higher in search results.

Conclusion

As RisePro is constantly changing, it's important for individuals and organizations to take steps to protect themselves from its attacks. To make sure you avoid downloading any suspicious files or clicking links, it’s crucial you check them in a malware analysis sandbox.

ANY.RUN helps you identify if a suspicious file or link is safe by analyzing it in seconds. It provides detailed threat reports with all the necessary information, such as indicators of compromise (IOCs), for effective prevention and incident response.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

GootLoader screenshot
GootLoader
gootloader
GootLoader is an initial-access-as-a-service malware that operates by delivering the GootKit banking trojan and other malicious payloads. It utilizes techniques such as fileless execution and process injection to avoid detection. The malware is often distributed through SEO poisoning and compromised websites, deceiving users into downloading infected files.
Read More
Raspberry Robin screenshot
Raspberry Robin
raspberryrobin
Raspberry Robin is a trojan that primarily spreads through infected USB drives and exploits legitimate Windows commands. This malware is known for its advanced obfuscation techniques, anti-debugging mechanisms, and ability to gain persistence on infected systems. Raspberry Robin often communicates with command-and-control servers over the TOR network and can download additional malicious payloads.
Read More
Arechclient2 screenshot
Arechclient2
arechclient2
The Arechclient2 malware is a sophisticated .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs various stealth techniques, including Base64 encoding to obscure its code and the ability to pause activities to evade automated security tools. The malware also can adjust Windows Defender settings and uses code injection to manipulate legitimate processes.
Read More
Mallox screenshot
Mallox
mallox
Mallox is a ransomware strain that emerged in 2021, known for its ability to encrypt files and target database servers using vulnerabilities like RDP. Often distributed through phishing campaigns and exploiting exposed SQL servers, it locks victims' data and demands a ransom. Mallox operates as a Ransomware-as-a-Service (RaaS), making it accessible to affiliates who use it to conduct attacks.
Read More
Grandoreiro screenshot
Grandoreiro
grandoreiro
Grandoreiro is a Latin American banking trojan first observed in 2016. It targets mostly Spanish-speaking countries, such as Brazil, Spain, Mexico and Peru. This malware is operated as a Malware-as-a-Service (MaaS), which makes it easily accessible for cybercriminals. Besides, it uses advanced techniques to evade detection.
Read More
Meduza Stealer screenshot
Meduza Stealer is an information-stealing malware primarily targeting Windows systems, designed to harvest sensitive data such as login credentials, browsing histories, cookies, cryptocurrency wallets, and password manager data. It has advanced anti-detection mechanisms, allowing it to evade many antivirus programs. The malware is distributed through various means, including phishing emails and malicious links. It’s marketed on underground forums and Telegram channels.
Read More