Date: 12/18/2024
Severity: Medium
Summary
Zscaler ThreatLabz's "Technical Analysis of RiseLoader" examines a newly discovered malware family whose network communication protocol closely resembles that of RisePro. Unlike RisePro, which focuses primarily on information theft, RiseLoader specializes in downloading and executing second-stage payloads. The analysis highlights the similarities between the two families, in particular their shared use of a TCP-based binary protocol. Given the discontinuation of RisePro in June 2024 and its connection to PrivateLoader, ThreatLabz assesses with moderate confidence that the same threat actor is behind both RisePro and RiseLoader.
Indicators of Compromise (IOC) List
IP Address | 41.216.183.36, 185.209.21.88, 147.45.44.166 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | dstipaddress IN ("185.209.21.88","41.216.183.36","147.45.44.166") or ipaddress IN ("185.209.21.88","41.216.183.36","147.45.44.166") or publicipaddress IN ("185.209.21.88","41.216.183.36","147.45.44.166") or srcipaddress IN ("185.209.21.88","41.216.183.36","147.45.44.166") |
Detection Query 2 |
sha256hash IN ("3834d3be235ebc488832a35dbd98d301c33281f9062a2cb16a681b77b3480044","4635a9149c53a2fbc072ceb338351d3b149e093cd43163e01d629bb016f8cd7c","65a060f8606f2213f1480ea132d519590f2736d8e1f53edb33fdfb27b3c9d869","b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2","bfe368b6b3729f8dfee1531e43cd41a787c554e3090645dd66f9785be96ccff4","ced59ab566ffe8b3274d7bba452a3b93341411c2c1cc23f2577a767ac846591a","0df41caa968a517a454a6f36528c572af685f1ab62f792760e3a4d8e9de40461","c0cdd15f9913c6e88d7e124cbcba7ea981f12a856f473d0e96a94d8835d9ecf3","e4cbf31ac0aacb712219b080af8ccbc11899cc1e7a695077b61df5317ffc3a1d","1bda055af670cb8e8f37d4860197b58cea1464c16dfaa31fadf42a9eedee8b25","5731851703e6ca1dd31c4ba3455a4e961621aab904d53ff5d747f811d3dee1b0","86c4e141ec49a5bb2646d39efec6207f01f9f9cfdff552715fcef860ec7d0b2d","f06e0e417bca037bfa2150451bb6a4e38aa9db104c29167c1f642dc2ca60abfc","eccf6b8a45f044951712b08013fcb020bff95e7c784164464afcf5e6adba1fdb","0c26d498ccd4d7aea16e4b6e7e647fe4e16b89f67e18a8eacb4b0965fce2f381","54bc5a6ed4cca0770ced899f55b18a9e4d7ba7c6b0136f3291c43a5112ef0800","7b2f904ede2ef17c8b9cda1433ffab97b5f7098ee33664a8362beaa1479e1baa","c04f64f0b5cbd336ad8b5dcf40727f50dba7534d66df1998110f38af533b45b3") |
Reference:
https://www.zscaler.com/blogs/security-research/technical-analysis-riseloader#indicators-of-compromise--iocs-