Recent RisePro is packed with ENIGMA and shipped from CAB loader

morimolymoly
3 min read · Jan 15, 2024


Hello~~, this is morimolymoly!

This time I will share some recent updates on RisePro's features!

Funny AutoIt program

3Eb73mM.exe is an AutoIt program.

You can extract the script from this binary with Autoit-Ripper.

It opens Google, Facebook, YouTube… What the hell are you doing?

(Figure: Process Tree)

The next one is 5up4SW7.exe!

Packed with ENIGMA

As you can see here, this binary is protected by ENIGMA!

(Figure: Process Tree)

In the process tree, you can see that RisePro was executed and established persistence with a scheduled task!

(Figure: YARA Result)

YARA also indicates that this is RisePro.

At this time, I don't unpack ENIGMA, because this article focuses on the interesting points of this attack chain.

Funny feature of the newly rising RisePro

ENIGMA-protected binaries with the same hash were dropped:

  • MaxLoonaFest131.exe
  • FANBooster131.exe
  • OfficeTrackerNMP131.exe

They are all RisePro, and all of them are packed with ENIGMA.

I have looked at tons of detonations, and they indicate that recent RisePro has the same indicators.

Conclusion

  • The CAB loader is used, and it connects to YouTube, Facebook and Google
  • Recent RisePro is packed with ENIGMA
  • RisePro copies itself, and the copies are also packed with ENIGMA (FANBooster131.exe, MaxLoonaFest131.exe, OfficeTrackerNMP131.exe)
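The self-copy plus scheduled-task behaviour summarised above can be turned into a simple correlation rule. The following is an added detection example, not code from the original post; it runs over constructed Sysmon-style event records (field names, PIDs and hash values are assumptions made up for the example) and flags a process that writes executables with the same hash as its own image and then spawns schtasks.exe pointing at one of those copies.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry). Hash values are placeholders;
# the dropped file names are the ones observed in the post.
EVENTS = [
    {"type": "process", "pid": 100, "image": r"C:\Users\u\5up4SW7.exe", "hash": "AAAA1111"},
    {"type": "filecreate", "pid": 100, "hash": "AAAA1111",
     "target": r"C:\Users\u\AppData\Local\MaxLoonaFest131.exe"},
    {"type": "filecreate", "pid": 100, "hash": "AAAA1111",
     "target": r"C:\Users\u\AppData\Local\FANBooster131.exe"},
    {"type": "filecreate", "pid": 100, "hash": "AAAA1111",
     "target": r"C:\Users\u\AppData\Local\OfficeTrackerNMP131.exe"},
    {"type": "process", "pid": 101, "parent_pid": 100,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "MaxLoonaFest131" '
                r"/tr C:\Users\u\AppData\Local\MaxLoonaFest131.exe /sc minute"},
    # A benign installer: writes a binary with a different hash and creates no task.
    {"type": "process", "pid": 200, "image": r"C:\setup.exe", "hash": "BBBB2222"},
    {"type": "filecreate", "pid": 200, "hash": "CCCC3333",
     "target": r"C:\Program Files\app\app.exe"},
]


def find_self_copy_persistence(events):
    """Return one alert per (parent process, self-copy) pair where the parent
    wrote an executable with its own image hash and then launched schtasks.exe
    with a command line that references that copy."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}

    # Step 1: collect files whose hash equals the writing process's image hash.
    self_copies = defaultdict(list)
    for e in events:
        if e["type"] == "filecreate" and e["pid"] in procs \
                and e["hash"] == procs[e["pid"]]["hash"]:
            self_copies[e["pid"]].append(e["target"])

    # Step 2: look for schtasks.exe children of those processes that name a copy.
    alerts = []
    for e in events:
        if e["type"] != "process" or "schtasks" not in e["image"].lower():
            continue
        parent = e.get("parent_pid")
        cmdline = e.get("cmdline", "").lower()
        for target in self_copies.get(parent, []):
            if target.lower() in cmdline:
                alerts.append({"parent_pid": parent, "copy": target,
                               "cmdline": e["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in find_self_copy_persistence(EVENTS):
        print(alert)
```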
