{
	"id": "ce3fc790-3e4c-480e-b0b1-d1c485f79de6",
	"created_at": "2026-04-06T00:19:31.428658Z",
	"updated_at": "2026-04-10T13:11:46.228564Z",
	"deleted_at": null,
	"sha1_hash": "70d30984d1751ba8fad61882e7f5ab9d561e9a38",
	"title": "New RisePro Stealer distributed by the prominent PrivateLoader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1285860,
	"plain_text": "New RisePro Stealer distributed by the prominent PrivateLoader\r\nBy Pierre Le Bourhis and Sekoia TDR\r\nPublished: 2022-12-22 · Archived: 2026-04-05 19:13:15 UTC\r\nTable of contents\r\nContext\r\nQuick infection review\r\nMalware analysis\r\nDynamic lookup of APIs via GetProcAddress\r\nEmbedded DLLs\r\nHost fingerprinting\r\nStolen Information\r\nCommand and Control communication\r\nLoader capability\r\nSimilarities\r\nCode \u0026 functionalities\r\nInfrastructure\r\nAccesses \u0026 Support – Contacts\r\nConclusion\r\nIoCs \u0026 Technical Details\r\nIoCs\r\nRisePro C2\r\nShared domains based on NS\r\nDomains sharing same whois\r\nURLs with pattern zip?c=\r\nSamples\r\nScript\r\nYARAs\r\nTTPs\r\nExternal References\r\nContext\r\nPrivateLoader is an active malware in the loader market, used by multiple threat actors to deliver various payloads, mainly information stealers. Since our previous investigation, we have kept tracking the malware to map its ecosystem and delivered payloads. Starting from this tria.ge submission, we recognised a now familiar first payload, namely PrivateLoader. However, the dropped stealer was not part of our growing stealer collection, which notably includes RedLine and Raccoon. Eventually SEKOIA.IO realised it was a new, undocumented stealer, known as RisePro. This article presents SEKOIA.IO's analysis of the RisePro information stealer.\r\nhttps://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/\r\nPage 1 of 18\r\nQuick infection review\r\nBased on the tria.ge submission, the first payload is PrivateLoader. The sample fetches a document hosted on sun6-23.userapi.com. This dropped file is the starting point of this analysis.\r\nThe downloaded file is obfuscated using byte substitution followed by a XOR operation with a fixed key (see the deobfuscation script in the annex). Tria.ge automatic analysis suggests a stealer.\r\nPrivateLoader SHA-1: da3aea62ddf57c895acf630b62e972ef70defb60\r\nDownloaded BMP SHA-1: d94e061e93f7ac003b01c0c9d12dbbb26f87d13e\r\nDeobfuscated BMP SHA-1: 17ba58fcfe47c49baeaba9aaebd8f888ed2d9473\r\nNB-1: The PCAP of the initial payload shows requests to RisePro infrastructure before PrivateLoader communication. Hypotheses about the future of the stealer are presented in the conclusion.\r\nNB-2: The name of the payload distributed by PrivateLoader is StealerClient.bmp.\r\nMalware analysis\r\nThe stealer offers functionalities similar to other malware of the family. It targets a wide range of web browsers for credentials, cookies, credit cards and crypto wallets (via web browser extensions) as well as 2FA software, and includes a file grabber functionality. To reduce its detection, RisePro hides its configuration, such as strings or imported DLLs, using XOR instructions with different keys. The malware communicates over HTTP, and the content of the communication is obfuscated using byte substitution and XOR operations. Finally, the malware has the capability to load other payloads.\r\nFigure 1. Overview of RisePro stealer delivered by PrivateLoader\r\nDynamic lookup of APIs via GetProcAddress\r\nThe malware obfuscates its strings using XOR on 128-bit values (representing integer data). The image below highlights the deobfuscation routine, as well as the dynamic function loading using the GetModuleHandle technique associated with GetProcAddress.\r\nFigure 2. String deobfuscation routine used to load RtlGetVersion from ntdll.dll\r\nEmbedded DLLs\r\nSome samples of RisePro embed legitimate DLLs such as sqlite3.dll and mozglue.dll, used to access the web browsers' data. These DLLs are stored in cleartext in the PE and are dumped on disk in the working directory of the malware (the working directory is composed of C:\\Users\\Admin\\AppData\\Local\\Temp\\ followed by LocalSimbaD and ten random alphanumeric characters).\r\nFigure 3. DLLs dumped into the malware working directory\r\nIn case these DLLs are not embedded in the malware, it fetches them from its C2 by requesting the /get_library endpoint with a POST request, where the body of the request is 'name=\u003cdll name\u003e'. The server answers with the URL to download the requested DLL. Every C2 tracked by SEKOIA.IO hosts the DLLs under the /static/ directory:\r\nFigure 4. Hosted DLLs under the /static/ web directory\r\nHost fingerprinting\r\nRisePro Stealer has a fingerprinting capability; all information is retrieved from the following registry keys:\r\nSOFTWARE\\Microsoft\\Cryptography\r\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\r\nHARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\r\nSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\r\nThe fingerprint is gathered and saved at the beginning of the file informations.txt, which is exfiltrated to the C2 at a later stage of the infection process.\r\nRisePro retrieves the infected host's public IP address with a fallback mechanism. It first attempts to get this information from ipinfo.io; if that fails, it tries api.db-ip.com. Should this also fail, the last option is to contact maxmind.com, an IP address geolocation service.\r\nThe stealer also takes a screenshot of the infected host.\r\nFigure 5. Analysis of the screenshot functionality\r\nIf the screenshot is saved in the working directory of the malware as screenshot.png, the file will also be exfiltrated by the malware in the ZIP file.\r\nStolen Information\r\nThe stealer targets cookies, saved passwords, saved credit cards and crypto wallets, and also installed software for credentials.\r\nWeb browsers: Google Chrome, Firefox, Maxthon3, K-Melon, Sputnik, Nichrome, Uran, Chromodo, Netbox, Comodo, Torch, Orbitum, QIP Surf, Coowon, CatalinaGroup Citrio, Chromium, Elements, Vivaldi, Chedot, CentBrowser, 7start, ChomePlus, Iridium, Amigo, Opera, Brave, CryptoTab, Yandex, IceDragon, BlackHaw, Pale Moon, Atom.\r\nBrowser extensions: Authenticator, MetaMask, Jaxx Liberty Extension, iWallet, BitAppWallet, SaturnWallet, GuildWallet, MewCx, Wombat, CloverWallet, NeoLine, RoninWallet, LiqualityWallet, EQUALWallet, Guarda, Coinbase, MathWallet, NiftyWallet, Yoroi, BinanceChainWallet, TronLink, Phantom, Oxygen, PaliWallet, Bolt X, ForboleX, XDEFI Wallet, Maiar DeFi Wallet.\r\nSoftware: Discord, battle.net, Authy Desktop.\r\nCryptocurrency assets: Bitcoin, Dogecoin, Anoncoin, BBQCoin, DashCore, Florincoin, Franko, Freicoin, GoldCoin (GLD), IOCoin, Infinitecoin, Ixcoin, Megacoin, Mincoin, Namecoin, Primecoin, Terracoin, YACoin, Zcash, devcoin, digitalcoin, Litecoin, Reddcoin.\r\nThe stealer also looks for particular file patterns, for example receipts with credit card information in common folders (for instance, Desktop, Download, %TEMP%).\r\nAs previously introduced, stolen data are copied to the working directory of the malware to be compressed in a ZIP file, which is exfiltrated in the last HTTP message.\r\nFigure 6. RisePro working directory snapshot at the late stage of its infection\r\nThe filename of the stolen data respects the format: `country code_victim ip address.zip`.\r\nCommand and Control communication\r\nMethod | Endpoint | Parameter(s) | Response\r\nGET | /pingmap.php | Constant string: 918_tok | \r\nGET | /freezeStats.php | uid | \r\nPOST | /get_marks.php | uid | {\"success\":true,\"result\":{\"marks\":[]}}\r\nPOST | /get_settings.php | uid | {\"success\":true,\"result\":{\"settings\":{\"_id\":\"62b109591bde0e1b356c4c3b\",\"HWIDduplicatesDay\":true,\"HWIDduplicates\":false,\"IPduplicates\":false,\"telegram\":true,\"discord\":true,\"screenshot\":true,\"cryptoWallets\":true,\"netHistory\":true,\"staticMarks\":\"\",\"telegramIds\":[\"463473532\"],\"createdAt\":\"2022-06-20T23:57:13.984Z\",\"__v\":0}}}\r\nPOST | /get_grabbers.php | uid | {\"success\":true,\"result\":{\"grabbers\":[]}}\r\nPOST | /get_loaders.php | uid | {\"success\":true,\"result\":{\"loaders\":[]}}\r\nPOST | /set_file.php | Multipart form: the first part is the uid, the second part is a file part containing an obfuscated ZIP file | JSON with status\r\nTable 1. HTTP endpoints of the Command and Control\r\nFigure 7. Summary of RisePro HTTP communication with its C2\r\nWhile RisePro communicates over HTTP in JSON format, the exchanged messages are obfuscated with byte substitution and a XOR operation.\r\nThis obfuscation is interesting because it uses the same byte substitution table as PrivateLoader. The only difference is the value of the XOR key: PrivateLoader uses 0x9d and RisePro uses 0x36. The similarity between these two malware families is detailed in the dedicated section (cf. Similarities).\r\nOriginal byte | Replacement byte\r\n0x00 | 0x80\r\n0x80 | 0x0a\r\n0x0a | 0x01\r\n0x01 | 0x05\r\n0x05 | 0xde\r\n0xde | 0xfd\r\n0xfd | 0xff\r\n0xff | 0x55\r\n0x55 | 0x00\r\nTable 2. Byte substitution\r\nLoader capability\r\nIt is likely that RisePro is able to load and execute a next stage, whose configuration is dynamically set by C2 communication on the /get_loader.php endpoint. This endpoint provides the next payload to execute. As none of the RisePro samples analysed by SEKOIA.IO downloaded a next stage payload or used this functionality, we assess that this feature is still under development.\r\nFigure 8. Analysis of the next stage execution using the ShellExecute function from shell32.dll\r\nIn case RisePro is configured with a next stage, the PE will be written in the same malware working directory.\r\nSimilarities\r\nCode \u0026 functionalities\r\nDuring our investigation, we observed that PrivateLoader's and RisePro Stealer's behaviours partially overlap. Here is a list of specific functionalities shared by the two malware:\r\nStrings obfuscation technique (XOR operation on 128 bits (representing integer data), pxor) with the same key for a set of functionalities;\r\nHTTP method and port setup;\r\nHTTP messages obfuscated with the same method (byte substitution with the same replacement values followed by a XOR operation).\r\nThe similarity spotted between these two malware is buttressed by the output of BinDiff, which shows more than 30% code similarity.\r\nFigure 9. Similarity of the function used to set up the HTTP port.\r\nRisePro SHA-1: f6f143269c430a30003b9027c0f90f59388d65e4\r\nPrivateLoader SHA-1: d231903de12e11e94f3b52c5b71fe8a6ecf30458\r\nInfrastructure\r\nStarting from the PrivateLoader domain wfsdragon.]ru, it is possible to pivot on the nameserver of the domain (which is hosted on Cloudflare), which returns a long list of domains distributing PrivateLoader samples (cf. Annex: IoCs – Shared domains based on NS) and three domains related to RisePro:\r\nm-rise.]pro\r\nmy-rise.]pro\r\nmyrise.]pro\r\nPS: The previous query can be refined with a_record:104.21.0.0./16 to filter domains related to RisePro and PrivateLoader on the same NS.\r\nFrom the list of domains returned by the first query, a new part of the PrivateLoader infrastructure could be highlighted by searching domains on this AS containing 'files'.\r\nAnother query used to increase visibility into PrivateLoader infrastructure is to search for URLs with the parameter 'zip?c=', which translates into the following query: entity:url url:\".zip?c=\" hostname:file. Moreover, since early December, the threat actors expanded their infrastructure to include a new pattern for their delivery domains, which can be retrieved with the following query: entity:url url:\".zip?c=\" hostname:soft.\r\nNB: A majority of the domains with the 'file' pattern were used during October and November but are down by now.\r\nBesides, two domains were extracted from RisePro samples:\r\ngamefilescript.]com\r\nneo-files.]com\r\nSEKOIA.IO analysts pivoted on the whois record with the following VirusTotal query: entity:domain (whois:be03d85074711f86 OR whois:b4208f2c291398c5), yielding a long list of domains that again contain 'file' (cf. Annex: IoCs – Domains sharing same whois).\r\nWhile browsing the domains, it appears they are download link managers: the final payloads are password-protected archives hosted on compromised WordPress sites. As shown by figure 10, the websites are only used to provide instructions (download URL and archive password).\r\nFigure 10. Example of a distribution website.\r\nThe redirect URL to download the malware changed regularly, at least once a day. Most of the distribution domains are now down or for sale, which highlights the volatility of their infrastructure.\r\nThe payload available for download on compromised WordPress sites is PrivateLoader, which installs a package of information stealers (RedLine, MixLoader, Vidar, etc.), for instance: Tria.ge: 2507f7ca248884372a3088bf6413bd8292f898ca.\r\nAccesses \u0026 Support – Contacts\r\nRisePro is available for sale on the Telegram account of the developer: hxxps://t.]me/RiseProSUPPORT, which is an obfuscated string embedded in the PE. There is also a Telegram channel to interact with infected hosts: hxxps://t.]me/RisePro (name: Rise bot). To interact with the host, attackers must provide the bot ID defined by the bot itself and sent to the C2 during the infection (cf. Table 1, endpoint /set_file.php response).\r\nThreat actors have access to the stolen data on the administration panel hosted at hxxps://my-rise.]cc. To create an account, the provided email address must be trusted by the solution. The domain my-rise.cc serves as a front end, and all requests are sent to the subdomain api.my-rise.]cc.\r\nFigure 11. Authentication page of the Command and Control panel of RisePro Stealer\r\nFigure 12. Screenshot of the Telegram bot used to interact with the infected host\r\nConclusion\r\nSEKOIA.IO analysts' understanding of the threat is that PrivateLoader is still active and comes with a set of new capabilities. Similarities between the stealer and PrivateLoader cannot be ignored and provide additional insight into the threat actor's expansion.\r\nSEKOIA.IO analysts' first hypothesis is that RisePro Stealer might be a simple PrivateLoader version with a pre-configured build to download its own stealer (NB: this version does not use a Dead Drop Resolver technique). A second hypothesis is that PrivateLoader simply evolved and a different, unidentified PPI vendor provides RisePro installation via PrivateLoader. At the time of writing, it is not clear whether RisePro is authored by PrivateLoader developers. Another intelligence gap is whether RisePro is offered by the same PPI service as PrivateLoader, or whether PrivateLoader authors maintain links with RisePro authors. SEKOIA.IO analysts will keep tracking this threat to gain more knowledge on this specific question, and welcome any input that could help us fill the gap.\r\nIoCs \u0026 Technical Details\r\nIoCs\r\nRisePro C2\r\n108.174.199.]249\r\n108.174.200.]11\r\n108.174.198.]132\r\nmy-rise.]cc\r\napi.my-rise.]cc\r\nShared domains based on NS\r\ngreatsofteasy.]com\r\nfixgroupfactor.]com\r\nwebproduct25.]com\r\ngs24softeasy.]com\r\ntorggissoft.]com\r\nteleportsoft.]com\r\ntestitsoft.]com\r\nfactor1right.]com\r\nbest24-files.]com\r\nfirst-mirror.]com\r\nelite-hacks.]ru\r\njojo-files.]com\r\nmy-rise.]cc\r\nxx1-files.]com\r\nhero-files.]com\r\nmy-rise.]pro\r\nm-rise.]pro\r\npu-file.]com\r\npickofiles.]com\r\nvi-files.]com\r\nqd-file.]com\r\nuc-files.]com\r\nmyrise.]pro\r\nuni-files.]com\r\nfvp-files.]com\r\nDomains sharing same whois\r\nget-files24.]com\r\nsofts-portal.]com\r\nboost-files.]com\r\nfiles-rate.]com\r\nget-24files.]com\r\nupxlead.]com\r\ngg-download.]com\r\nfiles-sender.]com\r\nrate-files.]com\r\ngg-loader.]com\r\nneo-files.]com\r\nvip-space.c]om\r\npin-files.]com\r\nURLs with pattern zip?c=\r\nfilesuk.]com\r\nfilecryptobur.]com\r\nsocialfiletest.]com\r\nwww.filefactory.]com\r\nvi-files.]com\r\npu-file.]com\r\ntopfilesstorage.]com\r\nclubfiletyc.]com\r\nfilessoftpc.]com\r\nsmartfilegen.]com\r\nfilessite.]com\r\nspeedtestfile.]com\r\nfilesredproflex.]com\r\nfilefactory.]com\r\naccesstostofilestorage.]com\r\ngetfileasap1.]com\r\nfileswhiteprosoft.]com\r\nyfilesstorage1.]com\r\nSamples\r\nMD5, SHA-1, SHA-256\r\na5076f73a1cfd10fedf1368a26f9f358, 77270de2b41a639e9ca285f9014502a1a5b0b020, c70e26edeacbf1fa052f073959403ee9337a4aed13833553f8a3856fae013c9e\r\n76ef5db3addbe357e753de73e7db258e, c126c8cc75f6f6ac4b4af125b85c499814053094, 478e97b727eb82979087c1d4c2450be18c2d3413ca8c648e7e2a067595ef8511\r\n9b98ec558eb6fe1e4055d7535e17e37c, 1e416f2c40dfc44e60a65df8fd57524bf8e6f5ad, 5facf25f6b0d35a79444949b3175fabf3d788cbfbbbbb6551a867e1ddceb00a5\r\n2ecae8d74f6cedfe5f06fd424c3cdc77, 0812df9653b27d994eb5f62e243a63d3ea28b1ec, 75b395cc766351e6f44f36dcbfdbabc2c4b43ef6fb26f845fb55569a57ebdbdd\r\na0dfcfb9936669128353663b82fa01b3, 400d3908600b45a8e27f9133cb4950f1e11d5b8d, 3fea5da905fb8cdb9ef203f85a2b0d37d9cbc8067fbf64d3e1849e84d99de3ee\r\ne6b0e14676e5b72a638a142e46f658d9, 77723f0e3c933eff00e0ce1c823aee668d5c3bea, 2d34e214cbb14456357d2e3381692d188b1004d8ff26280e430c716e6e3730b6\r\nac2eae79e66ddf808900b5e2e261da9b, 69a403b81608457ad7106d4215e48e9207367f66, 49fea24c6d2f6340755a22687a6daf63ff2692fe81e6e067b8b2465bc21f49f9\r\n12db8a9a0fb6baec2f801c640a8a4197, afa864c0d0fde050fd0d8694bf895b72d449969b, ae8becfd65df0625c7e4f2069cb57e6f3c022aff24db51666b4d8b8c6ab15a15\r\nb3fbff1358ce82bc71009634c19ba2bf, 4b3d77895cd313db37793db0e5eb5fa2859c01b2, 28820e270265796566d6651f16651a5fd6c412b9290be07d2829c444d9392a02\r\ndbe7d59705f5f919cc6354b81d746584, cc6284365d1d47460bed78dce4e237b95166a859, 3e38c14c9a27966b7768fa6a61a0bc86b79fdf8f554d232c26d0a13cd8dcdc36\r\n46847232153f38a0326fe0e677a25b9e, f2303a12b73b6b033dde297ef8bdaf3f4cba6864, aa80643e117a896314fe6b1785cb65ab53561f66f5b679ba9f16a05f36e28674\r\n319e5fbf83add883095fef277ac8e092, 8ae961c6b93f01bb6d7927223041f2d18ed3a2f9, b295631063a6186a09a9dfee224bca7af6d4ab1650e9d63cdc325cf3fe1cd3d6\r\n5ab956806ec2e729b2c9c260ee3139f2, cb80fb19380b3dd20032763daa460af4452eebd7, ffae7d880fcb139d03941e1bc658ce463e179435f438d945c74067fe291beb23\r\ne7cba894426bd9ca2cdc8b6d7ef31aae, 44afc3c4f62f062a746710440dde3ff7f29b4440, ad75f79f985b4ec690fe9280108ae51cec8ef1650581ed4e26497a5e2c2f3ef9\r\n5df54fe48769bae887eaacb70eb23742, 0a20d79f8de58a088624f964f448846f5fe74afa, 4107f3166ce3c67f375514ed039d663f197261126724f229e8d3cda2e62728d0\r\n0fc293ca3b73d1166ab149213ff1a240, 8b2a98870e2a1bd02bf72fc262068d07e620a233, 440cec1dd86d03c4e9a29a7b297a30a211f17d48828934a5a7121f1f4b97ef43\r\nfd1cabdc949d19b07ca9bfa206ae8560, f0eea0d1acca29bc82bcfe94b1ccb28d04581579, 057b33d69a28fb08733bb710ca22036aaee853791b958e8c4e0c81ae5eed6fcd\r\n95fa2ab112ca196dfe5bdf0c13dd9396, d1e5ad285bb4506ae77c589682a5bc0a2afdec35, 58b1210213ac1cb9c4efe63d43390dfd43bf094408b16033f176e6700ad0fb29\r\n03366311b4fbe98c0a919b210cf2fa2b, c3f5b4a2203bf7769963852070f75ae7540fd180, 9564a7f5d7132fe8a97450e0fa4b628b7d802c885f034dc5d094260ff6a76716\r\nScript\r\nimport sys\r\nfrom copy import copy\r\n\r\n\r\ndef deobfuscate(filename: str) -\u003e None:\r\n    print(f\"deobfuscate RisePro data: `(unknown)`\")\r\n    with open(filename, \"rb\") as f:\r\n        data = bytearray(f.read())\r\n    data2 = copy(data)\r\n    # Byte substitution (Table 2). Each lookup is done on the untouched\r\n    # original buffer, so the chained calls act as one single-pass mapping\r\n    # and a byte is never substituted twice.\r\n    data2 = replace_all(data, data2, 0x00, 0x80)\r\n    data2 = replace_all(data, data2, 0x80, 0x0a)\r\n    data2 = replace_all(data, data2, 0x0a, 0x01)\r\n    data2 = replace_all(data, data2, 0x01, 0x05)\r\n    data2 = replace_all(data, data2, 0x05, 0xde)\r\n    data2 = replace_all(data, data2, 0xde, 0xfd)\r\n    data2 = replace_all(data, data2, 0xfd, 0xff)\r\n    data2 = replace_all(data, data2, 0xff, 0x55)\r\n    data2 = replace_all(data, data2, 0x55, 0x00)\r\n    # Second layer: single-byte XOR with the family-specific key\r\n    unxored = bytearray()\r\n    for byte in data2:\r\n        unxored.append(byte ^ 0x36)  # 0x36: RisePro and 0x9d for PrivateLoader\r\n    with open(\"unxored.zip\", \"wb\") as f:\r\n        f.write(unxored)\r\n\r\n\r\ndef replace_all(data: bytearray, data2: bytearray, x: int, y: int) -\u003e bytearray:\r\n    # Replace every x found in the original buffer (data) by y in the output buffer (data2)\r\n    print(f\"replace all {hex(x)} by {hex(y)}\")\r\n    for index, byte in enumerate(copy(data)):\r\n        if byte == x:\r\n            data2[index] = y\r\n    return data2\r\n\r\n\r\nif __name__ == \"__main__\":\r\n    deobfuscate(sys.argv[1])\r\nYARAs\r\nDisclaimer: we removed the YARA rule due to false positives.\r\nTTPs\r\nTactic | Technique\r\nCollection | T1213 – Data from Information Repositories\r\nCollection | T1113 – Screen Capture\r\nCredential Access | T1555.004 – Credentials from Password Stores: Windows Credential Manager\r\nDefense Evasion | T1140 – Deobfuscate/Decode Files or Information\r\nDefense Evasion | T1222 – File and Directory Permissions Modification\r\nDefense Evasion | T1027 – Obfuscated Files or Information\r\nDefense Evasion | T1027.005 – Obfuscated Files or Information: Indicator Removal from Tools\r\nDiscovery | T1087 – Account Discovery\r\nDiscovery | T1083 – File and Directory Discovery\r\nDiscovery | T1057 – Process Discovery\r\nDiscovery | T1012 – Query Registry\r\nDiscovery | T1518 – Software Discovery\r\nDiscovery | T1082 – System Information Discovery\r\nDiscovery | T1614 – System Location Discovery\r\nDiscovery | T1614.001 – System Location Discovery: System Language Discovery\r\nDiscovery | T1033 – System Owner/User Discovery\r\nExecution | T1129 – Shared Modules\r\nPersistence | T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nTable 3 – MITRE ATT\u0026CK TTPs for RisePro Stealer\r\nExternal References\r\nhttps://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/\r\nhttps://intel471.com/blog/privateloader-malware\r\nhttps://www.zscaler.com/blogs/security-research/peeking-privateloader\r\nhttps://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service\r\nSource: https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/"
	],
	"report_names": [
		"new-risepro-stealer-distributed-by-the-prominent-privateloader"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434771,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/70d30984d1751ba8fad61882e7f5ab9d561e9a38.pdf",
		"text": "https://archive.orkl.eu/70d30984d1751ba8fad61882e7f5ab9d561e9a38.txt",
		"img": "https://archive.orkl.eu/70d30984d1751ba8fad61882e7f5ab9d561e9a38.jpg"
	}
}