purelogstealer | f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4

General

Target

f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4.exe
Size

400KB
MD5

273f874fb8cf5f0ea683569cc5aa1105
SHA1

75e0c12ddd0bf9d26e8ce5e014b2ff52476d3884
SHA256

f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4
SHA512

03b1faa4a531837b6201abe4089cbfe89119c71a88cfdfa14e216040bed8cbab8595dc5c8e834fac4fedede8fd55e6982a7a9a29869b0dd30a838491959fef54
SSDEEP

12288:bixfqg8gtc1Ue6JGNHvrWJwdrO//2M9+Y5:bCfqZuQUe6Ji1O/F7

Score

10^/10

purelogstealer raccoon 5bfc2fea32660a3c43ec3fa8f7188f7e persistence stealer

Malware Config

Extracted

Family

raccoon

Botnet

5bfc2fea32660a3c43ec3fa8f7188f7e

C2

http://91.103.252.109:80

Attributes

user_agent
SunShineMoonLight

xor.plain

Signatures

PureLog Stealer
PureLog Stealer is an infostealer written in C#.
stealer purelogstealer

PureLog Stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000900000001ac31-3.dat	family_purelog_stealer
behavioral2/memory/4952-6-0x0000000000F60000-0x0000000000FBA000-memory.dmp	family_purelog_stealer

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 3 IoCs

resource	yara_rule
behavioral2/memory/4976-17-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon_v2
behavioral2/memory/4976-22-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon_v2
behavioral2/memory/4976-24-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon_v2

Executes dropped EXE 3 IoCs

pid	Process
4952	countrycyber.exe
4788	countrycyber.exe
4976	countrycyber.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4952 set thread context of 4976	4952	countrycyber.exe	74

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4952	countrycyber.exe
4952	countrycyber.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4952	countrycyber.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 4952	3496	f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4.exe	72
PID 3496 wrote to memory of 4952	3496	f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4.exe	72
PID 3496 wrote to memory of 4952	3496	f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4.exe	72
PID 4952 wrote to memory of 4788	4952	countrycyber.exe	73
PID 4952 wrote to memory of 4788	4952	countrycyber.exe	73
PID 4952 wrote to memory of 4788	4952	countrycyber.exe	73
PID 4952 wrote to memory of 4976	4952	countrycyber.exe	74
PID 4952 wrote to memory of 4976	4952	countrycyber.exe	74
PID 4952 wrote to memory of 4976	4952	countrycyber.exe	74
PID 4952 wrote to memory of 4976	4952	countrycyber.exe	74
PID 4952 wrote to memory of 4976	4952	countrycyber.exe	74
PID 4952 wrote to memory of 4976	4952	countrycyber.exe	74
PID 4952 wrote to memory of 4976	4952	countrycyber.exe	74
PID 4952 wrote to memory of 4976	4952	countrycyber.exe	74

C:\Users\Admin\AppData\Local\Temp\f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4.exe
"C:\Users\Admin\AppData\Local\Temp\f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\countrycyber.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\countrycyber.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\countrycyber.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\countrycyber.exe
    3⤵
    - Executes dropped EXE
    PID:4788
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\countrycyber.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\countrycyber.exe
    3⤵
    - Executes dropped EXE
    PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\countrycyber.exe

Filesize
357KB

MD5
c643acf3f644f9e94305a546365fb300

SHA1
8e270c565228ec7e6856220fc8b726914430c456

SHA256
9c5fb4465f201e05e9a0a6ae79fa8a27b48035f9a2a3f910c6e675ae24c53afa

SHA512
8d16986b4ac1a8673310d4eccf3bcd62f0696bdd134716e37b49e959ef4a97cb1b4d4bfb8abaebd34cd3900ef4b6d479575e0dc29211120809b48fc1b55c7394

Download Submit
memory/4952-12-0x0000000006520000-0x0000000006556000-memory.dmp

Filesize
216KB

Download
memory/4952-13-0x0000000006560000-0x00000000065AC000-memory.dmp

Filesize
304KB

Download
memory/4952-7-0x0000000005D20000-0x000000000621E000-memory.dmp

Filesize
5.0MB

Download
memory/4952-8-0x0000000073DE0000-0x00000000744CE000-memory.dmp

Filesize
6.9MB

Download
memory/4952-9-0x0000000005770000-0x00000000057BE000-memory.dmp

Filesize
312KB

Download
memory/4952-10-0x0000000006490000-0x00000000064DE000-memory.dmp

Filesize
312KB

Download
memory/4952-6-0x0000000000F60000-0x0000000000FBA000-memory.dmp

Filesize
360KB

Download
memory/4952-5-0x0000000073DEE000-0x0000000073DEF000-memory.dmp

Filesize
4KB

Download
memory/4952-11-0x00000000064E0000-0x0000000006516000-memory.dmp

Filesize
216KB

Download
memory/4952-14-0x0000000073DEE000-0x0000000073DEF000-memory.dmp

Filesize
4KB

Download
memory/4952-15-0x0000000073DE0000-0x00000000744CE000-memory.dmp

Filesize
6.9MB

Download
memory/4952-23-0x0000000073DE0000-0x00000000744CE000-memory.dmp

Filesize
6.9MB

Download
memory/4976-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4976-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4976-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads