General

  • Target

    bot_start.exe

  • Size

    197KB

  • Sample

    240820-x2h3tssgnq

  • MD5

    9c29f4415a735c3d9ee26ca06385d502

  • SHA1

    127b2d6c2e63bf3ff6fb8fb055a272e088fd851d

  • SHA256

    c4174541aa2cef599aee7a376e5de3393446f0018a850fcf1c6658da9692bed5

  • SHA512

    ac2cf91b4ef1dc72c10d5affa83305aa011b733ffc7ce10b87efe8e91d2a9dda72a52a3806f8a20e6bd02a1873677d74a793d5359c8e235bf64fdd23946927d6

  • SSDEEP

    1536:cHc9JW77pHtDEOFYPUh7N9H/sPafochTLZ61tISqS9HwRXBuS7pR72BfLJFBLbbI:ayy9HwSLZ6vTjHwBBybvIJe9

Malware Config

Targets

    • Target

      bot_start.exe

    • Size

      197KB

    • MD5

      9c29f4415a735c3d9ee26ca06385d502

    • SHA1

      127b2d6c2e63bf3ff6fb8fb055a272e088fd851d

    • SHA256

      c4174541aa2cef599aee7a376e5de3393446f0018a850fcf1c6658da9692bed5

    • SHA512

      ac2cf91b4ef1dc72c10d5affa83305aa011b733ffc7ce10b87efe8e91d2a9dda72a52a3806f8a20e6bd02a1873677d74a793d5359c8e235bf64fdd23946927d6

    • SSDEEP

      1536:cHc9JW77pHtDEOFYPUh7N9H/sPafochTLZ61tISqS9HwRXBuS7pR72BfLJFBLbbI:ayy9HwSLZ6vTjHwBBybvIJe9

    • PureLog Stealer

      PureLog Stealer is an infostealer written in C#.

    • PureLog Stealer payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks