BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

RisePro

risepro
50
Global rank
89 infographic chevron month
Month rank
111 infographic chevron week
Week rank
0
IOCs

RisePro, an information-stealing malware, targets a wide range of sensitive data, including credit cards, passwords, and cryptocurrency wallets. By compromising infected devices, RisePro can steal valuable information and potentially cause significant financial and personal losses for victims.

Stealer
Type
ex-USSR
Origin
1 December, 2022
First seen
11 November, 2024
Last seen

How to analyze RisePro with ANY.RUN

Stealer
Type
ex-USSR
Origin
1 December, 2022
First seen
11 November, 2024
Last seen

IOCs

IP addresses
95.214.25.205
193.233.132.74
77.91.77.66
194.49.94.152
194.169.175.123
193.233.132.253
118.194.235.187
3.36.173.8
193.233.132.67
101.99.92.169
5.42.92.51
147.45.47.126
77.91.77.180
77.105.132.27
77.91.77.117
193.233.132.62
5.42.67.8
5.42.65.116
147.45.47.93
77.91.77.122
Domains
filefactory.com
api.my-rise.cc
api.db-ip.com
URLs
http://content.elite-hacks.ru/test/setStats.php
https://t.me/RiseProSUPPORT
http://108.174.200.11/MWTSL
Last Seen at
11 November, 2024
Malicious activity
4c1fc6a16f378978da7c35f36525a4397a983255020fb709d0ad8cbe3f1e38e5
arch-exec
pastebin
risepro
stealer
privateloader
gcleaner
loader
9 November, 2024
Malicious activity
4363463463464363463463463.exe
evasion
ammyy
remote
loader
github
meduza
stealer
opendir
exfiltration
phorpiex
hausbomber
miner
rat
njrat
bladabindi
dcrat
risepro
4 November, 2024
Malicious activity
ddffe5e1068e1cee8b909e9074352ff5.exe
stealer
risepro
confuser
growtopia
4 November, 2024
Malicious activity
4bcda1e7eec29867c9afe2542e496db6a6c1e6a8e2708442c5d4c3c49157058c
stealer
risepro
3 November, 2024
Malicious activity
000a645626a3a63590af8890be4d2bd3ea32490b8844a68f3ada493b97e98c48
themida
risepro
21 October, 2024
Malicious activity
3a85101e32db2b212b7049f09ac7d3c910af0871bcae69456321de198454bf3a
themida
risepro
17 October, 2024
Malicious activity
5a38fd050fda5f392478698c1b623bb1.exe
stealer
risepro
redline
confuser
loader
smokeloader
xor-url
generic
16 October, 2024
Malicious activity
testitsoft.com
risepro
stealer
16 October, 2024
Malicious activity
testitsoft.com
risepro
stealer
14 October, 2024
Malicious activity
2333a83bfd543d45bb945d6b879216b8505398258f2dc43571708393189419a7.exe
risepro
stealer
TRACK THEM ALL AT
Public Submissions
Last Seen at
11 November, 2024
Malicious activity
4c1fc6a16f378978da7c35f36525a4397a983255020fb709d0ad8cbe3f1e38e5
arch-exec
pastebin
risepro
stealer
privateloader
gcleaner
loader
9 November, 2024
Malicious activity
4363463463464363463463463.exe
evasion
ammyy
remote
loader
github
meduza
stealer
opendir
exfiltration
phorpiex
hausbomber
miner
rat
njrat
bladabindi
dcrat
risepro
4 November, 2024
Malicious activity
ddffe5e1068e1cee8b909e9074352ff5.exe
stealer
risepro
confuser
growtopia
4 November, 2024
Malicious activity
4bcda1e7eec29867c9afe2542e496db6a6c1e6a8e2708442c5d4c3c49157058c
stealer
risepro
3 November, 2024
Malicious activity
000a645626a3a63590af8890be4d2bd3ea32490b8844a68f3ada493b97e98c48
themida
risepro
21 October, 2024
Malicious activity
3a85101e32db2b212b7049f09ac7d3c910af0871bcae69456321de198454bf3a
themida
risepro
17 October, 2024
Malicious activity
5a38fd050fda5f392478698c1b623bb1.exe
stealer
risepro
redline
confuser
loader
smokeloader
xor-url
generic
16 October, 2024
Malicious activity
testitsoft.com
risepro
stealer
16 October, 2024
Malicious activity
testitsoft.com
risepro
stealer
14 October, 2024
Malicious activity
2333a83bfd543d45bb945d6b879216b8505398258f2dc43571708393189419a7.exe
risepro
stealer
TRACK THEM ALL AT
Public Submissions

Recent blog posts

post image
6 Common Persistence Mechanisms in Malware
watchers 323
comments 0
post image
Automated Interactivity: Stage 2
watchers 2186
comments 0
post image
HawkEye Malware: Technical Analysis
watchers 3149
comments 0

Contents

  • What is RisePro malware?
  • Technical details of the RisePro malicious software
  • Execution process of RisePro
  • Distribution methods of the RisePro malware
  • Conclusion

Recent blog posts

post image
6 Common Persistence Mechanisms in Malware
watchers 323
comments 0
post image
Automated Interactivity: Stage 2
watchers 2186
comments 0
post image
HawkEye Malware: Technical Analysis
watchers 3149
comments 0

What is RisePro malware?

RisePro is a malware program primarily designed to exfiltrate sensitive information from compromised devices. It is often distributed through deceptive methods, such as fake cracks sites or malicious email attachments. Once installed, RisePro infiltrates the target system and silently collects a variety of personal and financial data.

First detected in late 2022, the malware continues to be actively updated and developed by its creators. It is sold openly online, including via a Telegram bot, where users can choose a preferred subscription plan and control the malware.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Technical details of the RisePro malicious software

RisePro's underlying architecture is similar to Vidar’s, another well-known password-stealing malware. It employs a system of embedded DLL dependencies to achieve its malicious goals.

The malware's typically focuses on stealing the following types of information:

  • Web browser credentials: RisePro can steal login credentials and cookies from various web browsers, including Google Chrome, Mozilla Firefox, and Microsoft Edge.
  • Crypto wallets: The malware can identify and steal cryptocurrency wallet addresses and private keys, granting attackers access to victims' digital assets.
  • Credit card information: RisePro may collect credit card numbers, expiration dates, and CVV codes.

Additionally, RisePro gathers information about the compromised system, including operating system, installed software, and hardware specifications. It can also capture screenshots of the victim's desktop, providing attackers with visual insights into their activities.

Once collected, the stolen data is bundled and sent to the attacker's command and control (C2) server. As mentioned, RisePro is constantly evolving, as its creators continue to enhance its capabilities. In a recent development, the malware has transitioned from HTTP-based C2 communication to a custom TCP protocol.

Check out a comprehensive analysis of RisePro’s C2 communication.

RisePro employs various obfuscation techniques to evade detection by security software, making it more challenging for antivirus and anti-malware solutions to identify and neutralize the threat.

Execution process of RisePro

To see how RisePro behaves on an actual system, let’s upload its sample to ANY.RUN sandbox for detailed analysis.

Like most malware, RisePro's execution chain can vary significantly even within one version. It can be either a single process performing all malicious activities or multiple processes involving the operating system's system utilities.

In our case, using the Static discovering function, we can see that a macro launches a process named crome.exe, which was downloaded from a remote server with the address 89.23.98.22.

Subsequently, we can use Script Tracer to verify this information and ensure that this process was also launched after the download. The WINWORD process, through macros, downloaded and initiated the crome process, which was the RisePro stealer, and carried out the main malicious activity. Additionally, the malware added itself to the Task Scheduler to ensure persistence on the infected system.

RisePro process graph shown in ANY.RUN RisePro`s process graph demonstrated in ANY.RUN

Distribution methods of the RisePro malware

RisePro is often spread by a loader called PrivateLoader. PrivateLoader is a pay-per-install service that charges malware distributors for each installation of their harmful software.

PrivateLoader's most common tactic is to disguise itself as pirated software. This means that they create websites that look like they are offering free downloads of popular programs.

One way that PrivateLoader makes its websites look legitimate is by using SEO poisoning. This is a technique that involves manipulating search engines to rank websites higher in search results.

Conclusion

As RisePro is constantly changing, it's important for individuals and organizations to take steps to protect themselves from its attacks. To make sure you avoid downloading any suspicious files or clicking links, it’s crucial you check them in a malware analysis sandbox.

ANY.RUN helps you identify if a suspicious file or link is safe by analyzing it in seconds. It provides detailed threat reports with all the necessary information, such as indicators of compromise (IOCs), for effective prevention and incident response.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
DarkGate screenshot
DarkGate
darkgate
DarkGate is a loader, which possesses extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, this malware is known for the use of AutoIT scripts in its infection process. Thanks to this malicious software’s versatile architecture, it is widely used by established threat actors.
Read More
Lumma screenshot
Lumma
lumma
Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.
Read More
Razr screenshot
Razr
razr
Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.
Read More
Bluesky Ransomware screenshot
Bluesky Ransomware
bluesky
BlueSky ransomware, first identified in June 2022, shares code similarities with other well-known ransomware families like Conti and Babuk. It primarily spreads via phishing emails and malicious links and can propagate through networks using SMB protocols. BlueSky uses advanced evasion techniques, such as hiding its processes from debuggers via the NtSetInformationThread API, making it difficult for analysts to detect and mitigate its attacks.
Read More
Bumblebee Loader screenshot
Bumblebee Loader
bumblebee
Bumblebee is a highly adaptable malware loader, often used by threat actors linked to the Conti and TrickBot cybercrime groups. Since its discovery in 2021, Bumblebee has been leveraged in phishing campaigns and email thread hijacking, primarily to distribute payloads like Cobalt Strike and ransomware. The malware employs obfuscation techniques, such as DLL injection and virtual environment detection, to avoid detection and sandbox analysis. Its command-and-control infrastructure and anti-analysis features allow it to persist on infected devices, where it enables further payload downloads and system compromise.
Read More