{
	"id": "3f41dbdb-a816-43d1-92fd-a15621526fe7",
	"created_at": "2026-04-06T00:08:46.644156Z",
	"updated_at": "2026-04-10T03:20:30.478574Z",
	"deleted_at": null,
	"sha1_hash": "3db0b51cdc55ac77759d9553aed03f885577cb85",
	"title": "Identifying Simple Pivot Points in Malware Infrastructure - RisePro Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1750392,
	"plain_text": "Identifying Simple Pivot Points in Malware Infrastructure -\r\nRisePro Stealer\r\nBy Matthew\r\nPublished: 2023-11-15 · Archived: 2026-04-05 13:49:15 UTC\r\nIn a previous post we analysed a Redline stealer sample and obtained a C2 address of 5.42.92[.]51:19057.\r\nIn this post, we'll demonstrate how to pivot from this C2 address to identify a total of 16 additional related servers.\r\nInitial Search With Censys\r\nWe can begin by performing a basic search for the C2 on Censys.\r\nThis search reveals some basic information such as running services, ASN and the location of the server.\r\nThe initial services do not appear to be useful; there isn't much to pivot from on ports 21, 139, 445 and 5985.\r\nHowever, there is an interesting HTTP service running on port 8081.\r\nThis service appears to be hosting a login panel. (These panels are self-hosted by RisePro users, according to this report from Flashpoint.)\r\nhttps://embee-research.ghost.io/identifying-risepro-panels-using-censys/\r\nPage 1 of 11\n\nThis HTTP service is interesting and contains multiple opportunities for pivoting to additional servers.\r\nOpportunity 1: Pivoting With Image Names\r\nWithin the screenshot above, we can see some raw HTML of the login page.\r\nLooking closely, we can see some relatively unique names used for the .png and .svg images.\r\nBy plugging either of these names into a Censys search, a total of 16 servers are identified.\r\nWe can take the first returned IP of 194.169.175[.]122 and search for it in VirusTotal.\r\nThis returns 1/88 detections, as well as a reference to RisePro malware. (Similar results can be obtained for most of the remaining 15 servers.)\r\nCensys is able to obtain a significant amount of information about the running service, some of which is not displayed by default.\r\nWe can view this additional information by clicking on \"View All Data\".\r\nThis returns a lot of information about the running service on port 8081.\r\nEach piece of information can be searched by clicking on the \"search\" box next to each option.\r\nFor example, we can click on the services.banner_hashes search box to attempt a pivot from a hash of the banner, which contains a reference to \"RisePro\".\r\nPivoting on the banner hash returns 3 results.\r\nAmong the results is a new IP of 152.89.198[.]49, which has 1/88 detections on VirusTotal.\r\nOpportunity 3: Pivoting From RisePro String\r\nThe previous search using banner hashes only returned 3 results.\r\nSince the most interesting piece of the banner is the reference to \"RisePro\", we can skip using the hash and instead look for any banner with a RisePro reference.\r\nBy searching for any banner containing a reference to \"RisePro\", we can obtain the same 16 results that were obtained by pivoting on the .png image name.\r\nOpportunity 4: Pivoting From Grammatical Errors\r\nThere is a small grammatical error contained in the initial HTML.\r\nIf we assume that this error is present across login panels, then we can use it as an additional pivot point.\r\nBy searching for the error inside of the response body, we can again obtain the same 16 results, as well as one additional server.\r\nThe additional server has an IP of 61.134.65[.]198 and appears to be a Chinese site unrelated to RisePro.\r\nDespite the 1 additional false positive, the remaining 16 results appear malicious and related to RisePro Stealer.\r\nThis confirms that the grammar error is useful as an additional pivot point.\r\nBasic Analysis of Newly Identified Servers\r\nUsing the 16 RisePro servers returned from our search, there are some interesting observations.\r\nHere is an example where 37.27.22[.]139 is marked as \"DCRAT,PRIVATELOADER\" and yet only has 2/88 detections.\r\nAnother server, 128.140.73[.]191, contains the same C2 panel and has 0/88 detections.\r\nAnother server, 185.216.70[.]233, has 0/88 detections, with malicious files communicating as far back as July 2023.\r\nThe rest of the servers were largely repeats of those already mentioned. A full list of the results can be found below.\r\nList of Returned C2s\r\n#RisePro Server List - VT Detections as of 2023/11/15\r\n5.42.92[.]51 - 12/88\r\n37.27.22[.]139 - 2/88\r\n45.15.156[.]137 - 1/88\r\n85.209.11[.]247 - 7/88\r\n91.103.253[.]146 - 1/88\r\n109.107.182[.]9 - 1/88\r\n128.140.73[.]191 - 0/88\r\n152.89.198[.]49 - 1/88\r\n185.216.70[.]222 - 1/88\r\n185.216.70[.]233 - 0/88\r\n185.216.70[.]238 - 13/88\r\n194.49.94[.]41 - 1/88\r\n194.169.175[.]113 - 1/88\r\n194.169.175[.]122 - 1/88\r\n194.169.175[.]123 - 1/88\r\n194.169.175[.]128 - 20/88\r\nSource: https://embee-research.ghost.io/identifying-risepro-panels-using-censys/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://embee-research.ghost.io/identifying-risepro-panels-using-censys/"
	],
	"report_names": [
		"identifying-risepro-panels-using-censys"
	],
	"threat_actors": [],
	"ts_created_at": 1775434126,
	"ts_updated_at": 1775791230,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3db0b51cdc55ac77759d9553aed03f885577cb85.pdf",
		"text": "https://archive.orkl.eu/3db0b51cdc55ac77759d9553aed03f885577cb85.txt",
		"img": "https://archive.orkl.eu/3db0b51cdc55ac77759d9553aed03f885577cb85.jpg"
	}
}