
RisePro


RisePro, an information-stealing malware, targets a wide range of sensitive data, including credit cards, passwords, and cryptocurrency wallets. By compromising infected devices, RisePro can steal valuable information and potentially cause significant financial and personal losses for victims.

Type: Stealer
Origin: ex-USSR
First seen: 1 December, 2022
Last seen: 18 June, 2024

How to analyze RisePro with ANY.RUN


IOCs

IP addresses
95.214.25.205
147.45.47.126
3.36.173.8
77.91.77.117
5.42.67.8
147.45.47.93
193.233.132.253
77.91.77.122
5.42.65.116
118.194.235.187
193.233.254.16
193.233.132.74
185.172.128.136
5.42.96.55
193.233.132.226
193.233.132.67
193.233.132.62
5.42.96.64
5.42.96.54
Hashes

Domains
filefactory.com
api.my-rise.cc
api.db-ip.com
URLs
https://t.me/RiseProSUPPORT
http://content.elite-hacks.ru/test/setStats.php
http://108.174.200.11/MWTSL
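The indicators above are only useful once they are matched against your own telemetry. The following is an added example, not ANY.RUN's code: a small Python matcher that loads the IPs, domains and URLs listed above and checks network log lines against them. The indicator values are copied from this page; the log format and the sample log lines are constructed. Because filefactory.com and api.db-ip.com are legitimate public services (file hosting and IP geolocation) that the stealer merely uses, a bare domain match on them is reported as low confidence rather than treated like a C2 hit.

```python
"""Match network log lines against the RisePro indicators listed on this page.

Added example, not ANY.RUN's code. Indicator values are copied from the
page's IOC section; the log format and the sample lines are constructed."""
import ipaddress
import re

RISEPRO_IPS = {
    "95.214.25.205", "147.45.47.126", "3.36.173.8", "77.91.77.117", "5.42.67.8",
    "147.45.47.93", "193.233.132.253", "77.91.77.122", "5.42.65.116",
    "118.194.235.187", "193.233.254.16", "193.233.132.74", "185.172.128.136",
    "5.42.96.55", "193.233.132.226", "193.233.132.67", "193.233.132.62",
    "5.42.96.64", "5.42.96.54",
}
RISEPRO_DOMAINS = {"filefactory.com", "api.my-rise.cc", "api.db-ip.com"}
RISEPRO_URLS = {
    "https://t.me/RiseProSUPPORT",
    "http://content.elite-hacks.ru/test/setStats.php",
    "http://108.174.200.11/MWTSL",
}
# Legitimate public services the stealer merely uses (file hosting, IP
# geolocation); a bare domain match on these is weak evidence on its own.
SHARED_SERVICES = {"filefactory.com", "api.db-ip.com"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"""https?://[^\s"']+""")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def match_line(line: str) -> list:
    """Return (kind, indicator, confidence) tuples found in one log line."""
    hits = []

    def add(hit):
        if hit not in hits:
            hits.append(hit)

    for url in URL_RE.findall(line):
        url = url.rstrip(".,;)")          # strip trailing punctuation from free text
        if url in RISEPRO_URLS:
            add(("url", url, "high"))
    for ip in IPV4_RE.findall(line):
        try:
            ipaddress.ip_address(ip)      # rejects octets > 255 such as 300.1.1.1
        except ValueError:
            continue
        if ip in RISEPRO_IPS:
            add(("ip", ip, "high"))
    for host in HOST_RE.findall(line):
        host = host.lower()
        if host in RISEPRO_DOMAINS:
            add(("domain", host, "low" if host in SHARED_SERVICES else "medium"))
    return hits


def scan(log_text: str) -> dict:
    """Map 1-based line numbers to their hits; lines without hits are omitted."""
    results = {}
    for number, line in enumerate(log_text.splitlines(), start=1):
        hits = match_line(line)
        if hits:
            results[number] = hits
    return results


# Constructed proxy-style log lines; 10.0.0.0/8, 198.51.100.0/24 and
# 203.0.113.0/24 are private/documentation ranges, not real destinations.
SAMPLE_LOG = """\
2024-06-18T10:01:02Z src=10.0.0.5 dst=198.51.100.1 host=www.example.com url=https://www.example.com/
2024-06-18T10:01:09Z src=10.0.0.5 dst=5.42.96.64 host=- url=-
2024-06-18T10:01:11Z src=10.0.0.5 dst=203.0.113.7 host=api.db-ip.com url=-
2024-06-18T10:01:15Z src=10.0.0.5 dst=203.0.113.9 host=content.elite-hacks.ru url=http://content.elite-hacks.ru/test/setStats.php
"""

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG).items():
        for kind, indicator, confidence in hits:
            print(f"line {number}: {kind} {indicator} ({confidence} confidence)")
```

Run it as a script to see the three hits; feed it your own proxy, DNS or firewall export via `scan()`. Treat the low-confidence domain hits as context to correlate with a high-confidence IP or URL hit from the same host, not as an alert on their own.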

What is RisePro malware?

RisePro is a malware program primarily designed to exfiltrate sensitive information from compromised devices. It is often distributed through deceptive methods, such as fake software-crack sites or malicious email attachments. Once installed, RisePro infiltrates the target system and silently collects a variety of personal and financial data.

First detected in late 2022, the malware continues to be actively updated and developed by its creators. It is sold openly online, including via a Telegram bot, where users can choose a preferred subscription plan and control the malware.


Technical details of the RisePro malicious software

RisePro's underlying architecture is similar to Vidar’s, another well-known password-stealing malware. It employs a system of embedded DLL dependencies to achieve its malicious goals.

The malware typically focuses on stealing the following types of information:

  • Web browser credentials: RisePro can steal login credentials and cookies from various web browsers, including Google Chrome, Mozilla Firefox, and Microsoft Edge.
  • Crypto wallets: The malware can identify and steal cryptocurrency wallet addresses and private keys, granting attackers access to victims' digital assets.
  • Credit card information: RisePro may collect credit card numbers, expiration dates, and CVV codes.

Additionally, RisePro gathers information about the compromised system, including operating system, installed software, and hardware specifications. It can also capture screenshots of the victim's desktop, providing attackers with visual insights into their activities.

Once collected, the stolen data is bundled and sent to the attacker's command and control (C2) server. As mentioned, RisePro is constantly evolving, as its creators continue to enhance its capabilities. In a recent development, the malware has transitioned from HTTP-based C2 communication to a custom TCP protocol.

Check out a comprehensive analysis of RisePro’s C2 communication.

RisePro employs various obfuscation techniques to evade detection by security software, making it more challenging for antivirus and anti-malware solutions to identify and neutralize the threat.

Execution process of RisePro

To see how RisePro behaves on an actual system, let’s upload a sample to the ANY.RUN sandbox for detailed analysis.

Like most malware, RisePro's execution chain can vary significantly even within one version. It can be either a single process performing all malicious activities or multiple processes that involve the operating system's built-in utilities.

In our case, using the Static discovering function, we can see that a macro launches a process named crome.exe, which was downloaded from a remote server at 89.23.98.22.

We can then use Script Tracer to confirm this and verify that the process was indeed launched after the download. The WINWORD process, through its macros, downloaded and started the crome process, which is the RisePro stealer itself and carried out the main malicious activity. The malware also added itself to the Task Scheduler to persist on the infected system.

RisePro's process graph shown in ANY.RUN
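The chain described above (an Office macro, a dropped executable in a user-writable path, then a scheduled task for persistence) is what a detection rule should key on. Below is an added Python example, not part of the ANY.RUN page, that flags both steps in process-creation telemetry. The event fields are modelled on Sysmon Event ID 1, but the `ProcEvent` class, the sample events, their pids and their paths are constructed. The rules key on the parent image and the child's location rather than on the file name crome.exe, so a renamed sample is still caught.

```python
"""Flag the RisePro execution chain in process-creation telemetry:
an Office process starting an executable from a user-writable path,
and a scheduled-task creation anywhere below an Office process.

Added example, not ANY.RUN's code. Field names follow Sysmon Event ID 1
loosely; the event class and all sample events are constructed."""
from dataclasses import dataclass

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(event: ProcEvent, by_pid: dict):
    """Walk parent links upward; stops at unknown parents or pid loops."""
    seen = {event.pid}
    current = by_pid.get(event.ppid)
    while current is not None and current.pid not in seen:
        yield current
        seen.add(current.pid)
        current = by_pid.get(current.ppid)


def detect_chain(events: list) -> list:
    """Return (rule, pid, chain) findings for the events given."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Rule 1: Office process starts an executable living in a user-writable location.
        if (parent is not None and image_name(parent.image) in OFFICE_IMAGES
                and any(hint in e.image.lower() for hint in USER_WRITABLE_HINTS)):
            findings.append(("office_spawns_user_path_exe", e.pid,
                             f"{image_name(parent.image)} > {image_name(e.image)}"))
        # Rule 2: schtasks /create with an Office process anywhere in its ancestry.
        if image_name(e.image) == "schtasks.exe" and "/create" in e.cmdline.lower():
            chain = list(ancestors(e, by_pid))
            office_idx = next((i for i, a in enumerate(chain)
                               if image_name(a.image) in OFFICE_IMAGES), None)
            if office_idx is not None:
                path = [image_name(a.image) for a in reversed(chain[:office_idx + 1])]
                path.append(image_name(e.image))
                findings.append(("scheduled_task_under_office_chain", e.pid, " > ".join(path)))
    return findings


# Constructed events: pids, paths and command lines are illustrative only.
# pid 800 is deliberately absent so the ancestry walk hits an unknown parent.
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, "C:\\Windows\\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
              "WINWORD.EXE /n invoice.docm"),
    ProcEvent(2100, 2000, "C:\\Users\\admin\\AppData\\Local\\Temp\\crome.exe", "crome.exe"),
    ProcEvent(2200, 2100, "C:\\Windows\\System32\\schtasks.exe",
              "schtasks.exe /create /tn Updater /tr C:\\Users\\admin\\AppData\\Local\\Temp\\crome.exe"),
    ProcEvent(3000, 1000, "C:\\Windows\\System32\\notepad.exe", "notepad.exe"),
    ProcEvent(3100, 1000, "C:\\Windows\\System32\\schtasks.exe", "schtasks.exe /query"),
]

if __name__ == "__main__":
    for rule, pid, chain in detect_chain(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid} via {chain}")
```

Two findings come out of the sample: the Office-to-user-path spawn for pid 2100 and the scheduled-task creation for pid 2200, while the benign notepad and `schtasks /query` events stay silent. In a real deployment the ancestry walk lets rule 2 survive an extra hop (for example a cmd.exe in between), which is the kind of variation the section above warns about.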

Distribution methods of the RisePro malware

RisePro is often spread by a loader called PrivateLoader. PrivateLoader is a pay-per-install service that charges malware distributors for each installation of their harmful software.

PrivateLoader's most common tactic is to disguise itself as pirated software: its operators create websites that appear to offer free downloads of popular programs.

One way that PrivateLoader makes its websites look legitimate is by using SEO poisoning. This is a technique that involves manipulating search engines to rank websites higher in search results.

Conclusion

As RisePro is constantly changing, it's important for individuals and organizations to take steps to protect themselves from its attacks. Before opening a suspicious file or following a link, it's crucial to check it in a malware analysis sandbox.

ANY.RUN helps you identify if a suspicious file or link is safe by analyzing it in seconds. It provides detailed threat reports with all the necessary information, such as indicators of compromise (IOCs), for effective prevention and incident response.
