Overview

overview

10

Static

static

10

TT ViewBot...sts.py

windows7-x64

3

TT ViewBot...sts.py

windows10-2004-x64

10

TT ViewBot...xie.py

windows7-x64

3

TT ViewBot...xie.py

windows10-2004-x64

3

TT ViewBot...ent.py

windows7-x64

3

TT ViewBot...ent.py

windows10-2004-x64

3

TT ViewBot...rt.exe

windows7-x64

10

TT ViewBot...rt.exe

windows10-2004-x64

10

TT ViewBot...tup.py

windows7-x64

3

TT ViewBot...tup.py

windows10-2004-x64

3

Resubmissions

20-08-2024 08:06

240820-jzqg8svfmq 10

20-08-2024 08:00

240820-jweassvdrp 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    TT ViewBot v3.7.zip

  • Size

    266KB

  • Sample

    240820-jzqg8svfmq

  • MD5

    e46d36d1360b8457c032b66c6daff409

  • SHA1

    bdfc45dc35f9d373e50cb537b87a8f8e5320ca47

  • SHA256

    d46fea1913a10aa5cd4d1a7815b44bb93750bc06e2673857a0c314704a518a59

  • SHA512

    3d82ea94f04cb8ef973ca41eec465aa6e61710523fd2dab6c993ae25f8ef464f80700047f878452ea790bc57780b94a002425e6b076e3537bca2da1637a6fcb3

  • SSDEEP

    6144:k97VDohTUgnNiQeDveFdGnP710V6A2F8f7kE8ISFqRaVZSV5Ve4HPc:k9hDoBUI9ebeFu710VsCQEsFqRVe4vc

Score
10/10
purelogstealercredential_accessdiscoverypersistenceprivilege_escalationspywarestealer

Malware Config

Targets

    • Target

      TT ViewBot v3.7/Data/Lists.py

    • Size

      2KB

    • MD5

      58b844082767dd40b291276087b6323b

    • SHA1

      41748aed3409eeb4be7a8d53b98a81fcfff2323d

    • SHA256

      b21702251cf0e88c166088d4e08294b2b0c2f961da8056ac48c735243d554279

    • SHA512

      f50268442358d511424d649603ce701cda7bb885cdfe005c8fbcdbde2b47784102b7196438d664ef4c32b5c317ad9e9b8ec7f1ed741d3aef399f378149c61547

    Score
    10/10
    discoverypurelogstealercredential_accesspersistenceprivilege_escalationspywarestealer

    • PureLog Stealer

      PureLog Stealer is an infostealer written in C#.

      stealerpurelogstealer

    • PureLog Stealer payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      TT ViewBot v3.7/Data/ScrapProxie.py

    • Size

      8KB

    • MD5

      005e6b6cd75e6fd6040731c64494e537

    • SHA1

      86f24fc5aad569829e0651bdcd607168c19c58f6

    • SHA256

      8fd6afc4c92b8c65eb96a7493e559c83449578fcf178e20d9d126b411eead5e5

    • SHA512

      a16848eda731c6e7591b94a7291095a19fca11ecdd2e4b1e55306f28b288bc473f2bad97bb505c0c8fd4d3a7e7227103427ac5aed1bf6bd3b21f6bce3e785931

    • SSDEEP

      96:QSGcG6lghWnE559ZlWoxKMk59Vp+pvey9t9c9xsRvRxY1K7DpCgkTli:P659ZwoxKMW9Vp+pmYHexscU9j

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      TT ViewBot v3.7/Data/UserAgent.py

    • Size

      1.0MB

    • MD5

      0c9b29e6b8291144a8a1c7b190accbe5

    • SHA1

      a5946876fb6de43a28c9b3d3b783c755f74f41f1

    • SHA256

      8ec04b593bbf03b344809ebca690dcec7bc082bccd0e28d3b4931b371ab044c9

    • SHA512

      cc8ad93051da8b447064d4c3dbaab624b8fa4516874358a1dfe2d52ac03a87f104b6cae8b036c42c87c7d9b1946138d9a0f4f7f5ed2db62b0a771901e1ec5cfe

    • SSDEEP

      384:UKxzhaSY5IiEgeBLPxKQheqwF3zdU49rdobwjkH6g6QcOHcoR8AnaREHszt3Y3fO:e

    Score
    3/10
    discovery
    behavioral5behavioral6

    • Target

      TT ViewBot v3.7/bot_start.exe

    • Size

      197KB

    • MD5

      9c29f4415a735c3d9ee26ca06385d502

    • SHA1

      127b2d6c2e63bf3ff6fb8fb055a272e088fd851d

    • SHA256

      c4174541aa2cef599aee7a376e5de3393446f0018a850fcf1c6658da9692bed5

    • SHA512

      ac2cf91b4ef1dc72c10d5affa83305aa011b733ffc7ce10b87efe8e91d2a9dda72a52a3806f8a20e6bd02a1873677d74a793d5359c8e235bf64fdd23946927d6

    • SSDEEP

      1536:cHc9JW77pHtDEOFYPUh7N9H/sPafochTLZ61tISqS9HwRXBuS7pR72BfLJFBLbbI:ayy9HwSLZ6vTjHwBBybvIJe9

    Score
    10/10
    purelogstealerdiscoverystealercredential_accesspersistencespyware

    • PureLog Stealer

      PureLog Stealer is an infostealer written in C#.

      stealerpurelogstealer

    • PureLog Stealer payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral7behavioral8

    • Target

      TT ViewBot v3.7/setup.py

    • Size

      941B

    • MD5

      eda4ba41910e22351b9181d552cf3b1c

    • SHA1

      bf2fa5977b13b6ae80a4a1915d8025f75eca16fd

    • SHA256

      1291ef03e04110780a294bb9608358901fb86ea235840fbd49ffe7beeb6c4da4

    • SHA512

      1f6bcfd592c408acc45ec680ca78d01f15ed5ff3a7aaa632410923f4b661de671d9a5db6dd14b1695dcad37979b053df2d9d3067be8d5a51687bc583fda89ed2

    Score
    3/10
    discovery
    behavioral10behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

1
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

6
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Tasks