purelogstealer | 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-03-2024 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe
Size

419KB
MD5

8a716466aa6f2d425ec09770626e8e54
SHA1

62fb757ea5098651331f91c1664db9fe46b21879
SHA256

585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815
SHA512

54f11067e400347834689b4532ae53b00ec96a3ca90a2c21de27942f4ca30306fdda0522c1a3a4cde047ad650162e2d8313205220acaab4cc60e010965690940
SSDEEP

6144:QTCsE3O4yuS5O0RBOInaCa6G6ypdf4Bf7e/DnjBeq04fVXOUvE0CGsSE9BLM:2E3O5uOO0mInnGZCTS84fZLtw

Score

10^/10

purelogstealer xworm rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

5.182.87.154:7000

Mutex

VMFidhoqn75fm5lJ

Attributes

Install_directory
%Temp%
install_file
mdnsresp.exe

aes.plain

Signatures

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral1/memory/2508-13-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/2508-17-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/2508-19-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/2508-11-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/2508-21-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/2056-29-0x00000000026A0000-0x00000000026E0000-memory.dmp	family_xworm

PureLog Stealer
PureLog Stealer is an infostealer written in C#.
stealer purelogstealer

PureLog Stealer payload 1 IoCs

resource	yara_rule
behavioral1/memory/2208-3-0x0000000000650000-0x0000000000698000-memory.dmp	family_purelog_stealer

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Detects Windows executables referencing non-Windows User-Agents 6 IoCs

resource	yara_rule
behavioral1/memory/2508-13-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2508-17-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2508-19-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2508-11-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2508-21-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2056-29-0x00000000026A0000-0x00000000026E0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables packed with SmartAssembly 1 IoCs

resource	yara_rule
behavioral1/memory/2208-3-0x0000000000650000-0x0000000000698000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mdnsresp.lnk	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mdnsresp.lnk	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe

Loads dropped DLL 1 IoCs

pid	Process
2508	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2208 set thread context of 2508	2208	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2056	powershell.exe
2512	powershell.exe
1940	powershell.exe
2656	powershell.exe
1232	powershell.exe
2508	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe
Token: SeDebugPrivilege	2508	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	1232	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2508	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2056	2208	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	28
PID 2208 wrote to memory of 2056	2208	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	28
PID 2208 wrote to memory of 2056	2208	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	28
PID 2208 wrote to memory of 2056	2208	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	28
PID 2208 wrote to memory of 2508	2208	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	30
PID 2208 wrote to memory of 2508	2208	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	30
PID 2208 wrote to memory of 2508	2208	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	30
PID 2208 wrote to memory of 2508	2208	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	30
PID 2208 wrote to memory of 2508	2208	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	30
PID 2208 wrote to memory of 2508	2208	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	30
PID 2208 wrote to memory of 2508	2208	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	30
PID 2208 wrote to memory of 2508	2208	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	30
PID 2208 wrote to memory of 2508	2208	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	30
PID 2508 wrote to memory of 2512	2508	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	31
PID 2508 wrote to memory of 2512	2508	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	31
PID 2508 wrote to memory of 2512	2508	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	31
PID 2508 wrote to memory of 2512	2508	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	31
PID 2508 wrote to memory of 1940	2508	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	33
PID 2508 wrote to memory of 1940	2508	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	33
PID 2508 wrote to memory of 1940	2508	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	33
PID 2508 wrote to memory of 1940	2508	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	33
PID 2508 wrote to memory of 2656	2508	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	35
PID 2508 wrote to memory of 2656	2508	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	35
PID 2508 wrote to memory of 2656	2508	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	35
PID 2508 wrote to memory of 2656	2508	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	35
PID 2508 wrote to memory of 1232	2508	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	37
PID 2508 wrote to memory of 1232	2508	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	37
PID 2508 wrote to memory of 1232	2508	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	37
PID 2508 wrote to memory of 1232	2508	585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe	37

C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe
"C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwANQA4ADUAZAAxAGYAYgA0AGYAMgA4ADgAOQA3ADQAYgA2ADgAMwBjADUAYQBiAGYAYgAxADAAYwA5ADcAZAA3AGQAMgBhAGUAMwBmADUAOQBjADIAYgBjAGYAZAA3ADgAYgBhADIANwAyAGUAMwBiAGUAMgBjAGQANwA4ADEANQAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAANQA4ADUAZAAxAGYAYgA0AGYAMgA4ADgAOQA3ADQAYgA2ADgAMwBjADUAYQBiAGYAYgAxADAAYwA5ADcAZAA3AGQAMgBhAGUAMwBmADUAOQBjADIAYgBjAGYAZAA3ADgAYgBhADIANwAyAGUAMwBiAGUAMgBjAGQANwA4ADEANQAuAGUAeABlADsA
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2056
- C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe
  C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2512
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mdnsresp.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mdnsresp.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
da02baf60d0f64942e0f806ba027aba5

SHA1
122828e98b7b918231e3d3290481ca6628ea21c0

SHA256
b2a53b437844124e1e67e12e55b56641da1b6d4602cada05f8971f6ef7be8708

SHA512
ca3fe4f1f5cf2267fd44fbe99d3240df3ee99f35df793f00f02f2c8382db4bc9613c0c9bf3f78fc5197e94d016848ca3904557c9f4eb65eca4a28bb780050a6a

Download Submit
\Users\Admin\AppData\Local\Temp\mdnsresp.exe

Filesize
116KB

MD5
fcdaab00e2f4e2b208939d9a2301dfb8

SHA1
31e19cc04ec33f974441dd30f306ca3b9cce1420

SHA256
59fe950316d446bbaa3fcc389f094407db644ed87f4a40cf31da997d60676ada

SHA512
4f806563160383b7441b4b6191808053ad83ca6516f0d14a025edeffbd534915d8c5b70ad9fc55ae09005696fdc919b77e0f18fed4f5996e4be1031e1f41807f

Download Submit
memory/1232-70-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/1232-71-0x0000000001FC0000-0x0000000002000000-memory.dmp

Filesize
256KB

Download
memory/1232-72-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/1232-74-0x0000000001FC0000-0x0000000002000000-memory.dmp

Filesize
256KB

Download
memory/1232-73-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/1232-75-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/1940-49-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download
memory/1940-50-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/1940-52-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download
memory/1940-48-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/1940-51-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download
memory/1940-54-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/2056-29-0x00000000026A0000-0x00000000026E0000-memory.dmp

Filesize
256KB

Download
memory/2056-28-0x00000000026A0000-0x00000000026E0000-memory.dmp

Filesize
256KB

Download
memory/2056-30-0x0000000070CE0000-0x000000007128B000-memory.dmp

Filesize
5.7MB

Download
memory/2056-27-0x0000000070CE0000-0x000000007128B000-memory.dmp

Filesize
5.7MB

Download
memory/2056-26-0x0000000070CE0000-0x000000007128B000-memory.dmp

Filesize
5.7MB

Download
memory/2208-6-0x0000000000CD0000-0x0000000000D1C000-memory.dmp

Filesize
304KB

Download
memory/2208-22-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2208-0-0x0000000000F70000-0x0000000000FE0000-memory.dmp

Filesize
448KB

Download
memory/2208-1-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2208-2-0x0000000004A00000-0x0000000004A40000-memory.dmp

Filesize
256KB

Download
memory/2208-3-0x0000000000650000-0x0000000000698000-memory.dmp

Filesize
288KB

Download
memory/2208-4-0x0000000000320000-0x0000000000350000-memory.dmp

Filesize
192KB

Download
memory/2208-5-0x0000000000A50000-0x0000000000A80000-memory.dmp

Filesize
192KB

Download
memory/2508-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2508-13-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2508-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2508-7-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2508-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2508-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2508-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2508-21-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2508-53-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2508-82-0x0000000004B60000-0x0000000004BA0000-memory.dmp

Filesize
256KB

Download
memory/2508-83-0x0000000004B60000-0x0000000004BA0000-memory.dmp

Filesize
256KB

Download
memory/2508-23-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2512-40-0x0000000002700000-0x0000000002740000-memory.dmp

Filesize
256KB

Download
memory/2512-42-0x0000000070220000-0x00000000707CB000-memory.dmp

Filesize
5.7MB

Download
memory/2512-39-0x0000000070220000-0x00000000707CB000-memory.dmp

Filesize
5.7MB

Download
memory/2512-41-0x0000000002700000-0x0000000002740000-memory.dmp

Filesize
256KB

Download
memory/2512-38-0x0000000070220000-0x00000000707CB000-memory.dmp

Filesize
5.7MB

Download
memory/2512-36-0x0000000070220000-0x00000000707CB000-memory.dmp

Filesize
5.7MB

Download
memory/2512-37-0x0000000002700000-0x0000000002740000-memory.dmp

Filesize
256KB

Download
memory/2656-64-0x0000000070220000-0x00000000707CB000-memory.dmp

Filesize
5.7MB

Download
memory/2656-63-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/2656-62-0x0000000070220000-0x00000000707CB000-memory.dmp

Filesize
5.7MB

Download
memory/2656-61-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/2656-60-0x0000000070220000-0x00000000707CB000-memory.dmp

Filesize
5.7MB

Download