purelogstealer | 45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3

Analysis

max time kernel
24s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
Size

2.0MB
MD5

d4f9d1afe2b5bf3633642526c01625d2
SHA1

f553184ae1cf84c9d12ae7ea8262e1cec6442577
SHA256

45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3
SHA512

dcb89b0095fd7ab16ecfd3e4d43d1d6358e612fda3fbdc1cc1dd8d49c69fe60759c20b5f28ec758a6a577626b796f4e2ee66aa7e1f01cfc008c0af6cf52b5c82
SSDEEP

49152:Be7O00O0FTsQTv1YcXKpRaV6NL4ZlEhLHSjqKoe:U7j0OWVTdYcfV6NL4ZlEpyjqKoe

Score

10^/10

purelogstealer persistence stealer

Malware Config

Signatures

PureLog Stealer
PureLog Stealer is an infostealer written in C#.
stealer purelogstealer

PureLog Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1400-1-0x00000000003F0000-0x00000000005F2000-memory.dmp	family_purelog_stealer

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\Humfa = "C:\\Users\\Admin\\AppData\\Roaming\\Humfa.exe"	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe

pid process

1400 45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe

pid	process
1400	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe

description	pid	process
Token: SeDebugPrivilege	1400	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
Token: SeDebugPrivilege	1400	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe

description	pid	process	target process
PID 1400 wrote to memory of 4524	1400	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	WerFault.exe
PID 1400 wrote to memory of 4524	1400	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	WerFault.exe
PID 1400 wrote to memory of 4524	1400	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
"C:\Users\Admin\AppData\Local\Temp\45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1400 -s 624
  2⤵
  PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1400-0-0x000007FEF68F3000-0x000007FEF68F4000-memory.dmp

Filesize
4KB

Download
memory/1400-1-0x00000000003F0000-0x00000000005F2000-memory.dmp

Filesize
2.0MB

Download
memory/1400-2-0x000000001B3F0000-0x000000001B59E000-memory.dmp

Filesize
1.7MB

Download
memory/1400-3-0x000007FEF68F0000-0x000007FEF72DC000-memory.dmp

Filesize
9.9MB

Download
memory/1400-4-0x000000001B7E0000-0x000000001B990000-memory.dmp

Filesize
1.7MB

Download
memory/1400-6-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-8-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-10-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-12-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-16-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-18-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-20-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-22-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-26-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-24-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-14-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-5-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-29-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-36-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-42-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-50-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-67-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-30-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-68-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-64-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-62-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-60-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-58-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-56-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-54-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-52-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-48-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-46-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-1077-0x000007FEF68F0000-0x000007FEF72DC000-memory.dmp

Filesize
9.9MB

Download
memory/1400-44-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-40-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-38-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-34-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-32-0x000000001B7E0000-0x000000001B98A000-memory.dmp

Filesize
1.7MB

Download
memory/1400-1078-0x000000001B5A0000-0x000000001B6CA000-memory.dmp

Filesize
1.2MB

Download
memory/1400-1079-0x0000000000310000-0x000000000035C000-memory.dmp

Filesize
304KB

Download
memory/1400-1080-0x000007FEF68F3000-0x000007FEF68F4000-memory.dmp

Filesize
4KB

Download
memory/1400-1081-0x000007FEF68F0000-0x000007FEF72DC000-memory.dmp

Filesize
9.9MB

Download
memory/1400-1083-0x000007FEF68F0000-0x000007FEF72DC000-memory.dmp

Filesize
9.9MB

Download
memory/1400-1084-0x0000000000360000-0x00000000003B4000-memory.dmp

Filesize
336KB

Download
memory/1400-1086-0x000007FEF68F0000-0x000007FEF72DC000-memory.dmp

Filesize
9.9MB

Download