SYMBOLCOMMON_NAMEaka. SYNONYMS
win.risepro (Back to overview)

RisePro

RisePro is a stealer that is spread through downloaders like win.privateloader. Once executed on a system, the malware can steal credit card information, passwords, and personal data.

References
2023-11-28ANY.RUNMaksim Mikhailov
@online{mikhailov:20231128:risepro:9e5dc7e, author = {Maksim Mikhailov}, title = {{RisePro Malware Analysis: Exploring C2 Communication of a New Version}}, date = {2023-11-28}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/risepro-malware-communication-analysis/}, language = {English}, urldate = {2023-11-30} } RisePro Malware Analysis: Exploring C2 Communication of a New Version
RisePro
2023-11-15Twitter (@embee_research)Embee_research
@online{embeeresearch:20231115:identifying:c375df2, author = {Embee_research}, title = {{Identifying Simple Pivot Points in Malware Infrastructure - RisePro Stealer}}, date = {2023-11-15}, organization = {Twitter (@embee_research)}, url = {https://embee-research.ghost.io/identifying-risepro-panels-using-censys/}, language = {English}, urldate = {2023-11-17} } Identifying Simple Pivot Points in Malware Infrastructure - RisePro Stealer
RedLine Stealer RisePro
2022-12-22Sekoiasekoia
@online{sekoia:20221222:new:0f06190, author = {sekoia}, title = {{New RisePro Stealer distributed by the prominent PrivateLoader}}, date = {2022-12-22}, organization = {Sekoia}, url = {https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/}, language = {English}, urldate = {2022-12-24} } New RisePro Stealer distributed by the prominent PrivateLoader
RisePro
Yara Rules
[TLP:WHITE] win_risepro_auto (20230715 | Detects win.risepro.)
rule win_risepro_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.risepro."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.risepro"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d55f8 8b4df0 e8???????? 8b45ec }
            // n = 4, score = 100
            //   8d55f8               | lea                 edx, [ebp - 8]
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   e8????????           |                     
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]

        $sequence_1 = { 740c e8???????? f6d8 1ac0 fec0 c3 32c0 }
            // n = 7, score = 100
            //   740c                 | je                  0xe
            //   e8????????           |                     
            //   f6d8                 | neg                 al
            //   1ac0                 | sbb                 al, al
            //   fec0                 | inc                 al
            //   c3                   | ret                 
            //   32c0                 | xor                 al, al

        $sequence_2 = { c745fc00000000 8b4de8 e8???????? 0fb6c0 85c0 751b c645f300 }
            // n = 7, score = 100
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   e8????????           |                     
            //   0fb6c0               | movzx               eax, al
            //   85c0                 | test                eax, eax
            //   751b                 | jne                 0x1d
            //   c645f300             | mov                 byte ptr [ebp - 0xd], 0

        $sequence_3 = { 53 56 57 8b7d18 85ff 7e14 57 }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7d18               | mov                 edi, dword ptr [ebp + 0x18]
            //   85ff                 | test                edi, edi
            //   7e14                 | jle                 0x16
            //   57                   | push                edi

        $sequence_4 = { 8806 46 8b7df8 83c702 }
            // n = 4, score = 100
            //   8806                 | mov                 byte ptr [esi], al
            //   46                   | inc                 esi
            //   8b7df8               | mov                 edi, dword ptr [ebp - 8]
            //   83c702               | add                 edi, 2

        $sequence_5 = { 68???????? 6a22 e8???????? 8bf0 83c410 85f6 7415 }
            // n = 7, score = 100
            //   68????????           |                     
            //   6a22                 | push                0x22
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83c410               | add                 esp, 0x10
            //   85f6                 | test                esi, esi
            //   7415                 | je                  0x17

        $sequence_6 = { 8a07 8806 46 8a1f 47 0fbec3 50 }
            // n = 7, score = 100
            //   8a07                 | mov                 al, byte ptr [edi]
            //   8806                 | mov                 byte ptr [esi], al
            //   46                   | inc                 esi
            //   8a1f                 | mov                 bl, byte ptr [edi]
            //   47                   | inc                 edi
            //   0fbec3               | movsx               eax, bl
            //   50                   | push                eax

        $sequence_7 = { eb03 8a45ff 84c0 eb10 807dfe00 741b 807dfd00 }
            // n = 7, score = 100
            //   eb03                 | jmp                 5
            //   8a45ff               | mov                 al, byte ptr [ebp - 1]
            //   84c0                 | test                al, al
            //   eb10                 | jmp                 0x12
            //   807dfe00             | cmp                 byte ptr [ebp - 2], 0
            //   741b                 | je                  0x1d
            //   807dfd00             | cmp                 byte ptr [ebp - 3], 0

        $sequence_8 = { e8???????? 8b4dfc 894108 89510c 686d7237ec 687e79cd0e }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   894108               | mov                 dword ptr [ecx + 8], eax
            //   89510c               | mov                 dword ptr [ecx + 0xc], edx
            //   686d7237ec           | push                0xec37726d
            //   687e79cd0e           | push                0xecd797e

        $sequence_9 = { e8???????? 50 8d4dd4 e8???????? 8d5320 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   50                   | push                eax
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   e8????????           |                     
            //   8d5320               | lea                 edx, [ebx + 0x20]

    condition:
        7 of them and filesize < 280576
}
Download all Yara Rules