win.risepro

RisePro


RisePro is an information stealer that is distributed through downloaders such as win.privateloader. Once executed on a system, it can steal credit card information, passwords, and personal data.

References
2024-07-24 — Check Point Research — Antonis Terefos
Stargazers Ghost Network
Atlantida Lumma Stealer RedLine Stealer Rhadamanthys RisePro Stargazer Goblin
2024-07-09 — Spamhaus — Spamhaus Malware Labs
Spamhaus Botnet Threat Update January to June 2024
Coper FluBot Hook Bashlite Mirai FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc NjRAT QakBot Quasar RAT RedLine Stealer Remcos Rhadamanthys RisePro Sliver
2024-06-10 — Mandiant — Mandiant
UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion
Lumma Stealer MetaStealer Raccoon RedLine Stealer RisePro Vidar UNC5537
2024-04-01 — ThreatMon — Kerime Gencay
RisePro Stealer Malware Analysis Report
RisePro
2024-03-13 — Gdata — GDATA Security Lab
RisePro stealer targets Github users in “gitgub” campaign
RisePro
2024-02-27 — BitSight — André Tavares
Hunting PrivateLoader: The malware behind InstallsKey PPI service
PrivateLoader RisePro
2024-01-30 — ANY.RUN — Lena (LambdaMamba)
CrackedCantil: A Malware Symphony Breakdown - PrivateLoader, Smoke, Lumma, RedLine, RisePro, Amadey, Stealc, Socks5Systemz, STOP
Amadey CrackedCantil Lumma Stealer PrivateLoader RedLine Stealer RisePro SmokeLoader Socks5 Systemz Stealc STOP
2023-11-28 — ANY.RUN — Maksim Mikhailov
RisePro Malware Analysis: Exploring C2 Communication of a New Version
RisePro
2023-11-15 — Twitter (@embee_research) — Embee_research
Identifying Simple Pivot Points in Malware Infrastructure - RisePro Stealer
RedLine Stealer RisePro
2022-12-22 — Sekoia — Pierre Le Bourhis, Quentin Bourgue, Threat & Detection Research Team
New RisePro Stealer distributed by the prominent PrivateLoader
RisePro
Yara Rules
[TLP:WHITE] win_risepro_auto (20260504 | Detects win.risepro.)
// Autogenerated YARA-Signator rule for win.risepro (RisePro stealer).
// Each $sequence_N is a run of x86 instruction bytes lifted from the
// disassembly of reference samples (see DISCLAIMER below); the "??" bytes
// wildcard operands that vary between builds, e.g. the rel32 target of an
// "e8" call or the address behind "ff15" / "660f282d" memory references.
rule win_risepro_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.risepro."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.risepro"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // "n" in the per-sequence comments is the instruction count of the
        // sequence; "score" is the yara-signator selection score for it.
        $sequence_0 = { 8945f4 8b55f8 8b4df4 e8???????? 8b4508 8b4810 894df0 }
            // n = 7, score = 100
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   e8????????           |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b4810               | mov                 ecx, dword ptr [eax + 0x10]
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx

        $sequence_1 = { 687c24e453 e8???????? 8945e8 8955ec 33c0 8845df }
            // n = 6, score = 100
            //   687c24e453           | push                0x53e4247c
            //   e8????????           |                     
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8955ec               | mov                 dword ptr [ebp - 0x14], edx
            //   33c0                 | xor                 eax, eax
            //   8845df               | mov                 byte ptr [ebp - 0x21], al

        $sequence_2 = { 8b95f4feffff 03511c 899598feffff c785dcfeffff00000000 eb0f }
            // n = 5, score = 100
            //   8b95f4feffff         | mov                 edx, dword ptr [ebp - 0x10c]
            //   03511c               | add                 edx, dword ptr [ecx + 0x1c]
            //   899598feffff         | mov                 dword ptr [ebp - 0x168], edx
            //   c785dcfeffff00000000     | mov    dword ptr [ebp - 0x124], 0
            //   eb0f                 | jmp                 0x11

        $sequence_3 = { 034dec e8???????? 8945b8 8b45bc 50 8b55b8 }
            // n = 6, score = 100
            //   034dec               | add                 ecx, dword ptr [ebp - 0x14]
            //   e8????????           |                     
            //   8945b8               | mov                 dword ptr [ebp - 0x48], eax
            //   8b45bc               | mov                 eax, dword ptr [ebp - 0x44]
            //   50                   | push                eax
            //   8b55b8               | mov                 edx, dword ptr [ebp - 0x48]

        // NOTE(review): embeds the absolute address 0x41ef00 un-wildcarded, so
        // this sequence only matches samples laid out at the reference image
        // base; a rebased or rebuilt binary must hit other sequences instead.
        $sequence_4 = { 807c182900 741c 8d45fc 50 8b04bd00ef4100 ff741818 ff15???????? }
            // n = 7, score = 100
            //   807c182900           | cmp                 byte ptr [eax + ebx + 0x29], 0
            //   741c                 | je                  0x1e
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   8b04bd00ef4100       | mov                 eax, dword ptr [edi*4 + 0x41ef00]
            //   ff741818             | push                dword ptr [eax + ebx + 0x18]
            //   ff15????????         |                     

        $sequence_5 = { 8b55f8 8911 eb1f 8b45ec 50 8b4df4 51 }
            // n = 7, score = 100
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   8911                 | mov                 dword ptr [ecx], edx
            //   eb1f                 | jmp                 0x21
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   50                   | push                eax
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   51                   | push                ecx

        $sequence_6 = { 894df0 8b45f0 83780800 7504 33c0 eb35 c745f800000000 }
            // n = 7, score = 100
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   83780800             | cmp                 dword ptr [eax + 8], 0
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax
            //   eb35                 | jmp                 0x37
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0

        // NOTE(review): SSE2 arithmetic with a literal data reference at
        // 0x41b1a0 (not wildcarded) — same image-base caveat as $sequence_4.
        // This likely comes from a statically linked runtime/library routine
        // rather than family-specific code; treat a hit on this sequence
        // alone as weak evidence.
        $sequence_7 = { f20f59db 660f282d???????? 660f59f5 660f28aaa0b14100 660f54e5 660f58fe 660f58fc }
            // n = 7, score = 100
            //   f20f59db             | mulsd               xmm3, xmm3
            //   660f282d????????     |                     
            //   660f59f5             | mulpd               xmm6, xmm5
            //   660f28aaa0b14100     | movapd              xmm5, xmmword ptr [edx + 0x41b1a0]
            //   660f54e5             | andpd               xmm4, xmm5
            //   660f58fe             | addpd               xmm7, xmm6
            //   660f58fc             | addpd               xmm7, xmm4

        $sequence_8 = { 8d4544 50 e8???????? 8b4dc8 51 }
            // n = 5, score = 100
            //   8d4544               | lea                 eax, [ebp + 0x44]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b4dc8               | mov                 ecx, dword ptr [ebp - 0x38]
            //   51                   | push                ecx

        $sequence_9 = { 52 8b4de8 e8???????? 8b45ec 50 8b4dec }
            // n = 6, score = 100
            //   52                   | push                edx
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   e8????????           |                     
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   50                   | push                eax
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]

    condition:
        // Any 7 of the 10 $sequence_* strings must be present, AND the scanned
        // object must be smaller than 280576 bytes (0x44800). The size cap is
        // presumably derived from the reference samples: packed, overlay-
        // appended or otherwise larger builds will not match even if all ten
        // sequences are present. Per YARA's documentation "filesize" is only
        // defined when scanning files, so this rule will not fire when scanning
        // process memory — despite the sequences being derived from memory
        // dumps and unpacked files (see DISCLAIMER). Drop or relax the size
        // term for memory/unpacked-dump scanning.
        7 of them and filesize < 280576
}