purelogstealer | 0e559172d232f5fd5fe97331941cc210ed8de9d7ca09636514f536fd1797c69d | Triage

Sharing

General

Target

24082024_1318_URGENTE requiere POR SEGUNDA VEZ Respuesta al oficio No.111 RD Rad. 2013-656.REV
Size

1.2MB
Sample

240824-qkbtvs1hrd
MD5

e8a7e910aec12a584bcfe6925be20efe
SHA1

59f5c8dace1da214bc8e6086b21a6bbfeb114449
SHA256

0e559172d232f5fd5fe97331941cc210ed8de9d7ca09636514f536fd1797c69d
SHA512

1a4d7802ca16b191fc1571fafd79f2f96a5dc7e8987c554046a544c99c45f4703dabf78efbad3257ae5be0d07ff538fceb3251c0b0306f5631534dfe3d4d5e40
SSDEEP

24576:ga++qUq2R4bXHFcoxnPBHbgerZb7gm036BEZpTheYxSTad8c0uFx:galqUq64bnxnPBHbge9b7gmA6BYThphV

Score

10^/10

purelogstealer remcos new2709 discovery persistence rat stealer

Malware Config

Extracted

Family

remcos

Botnet

new2709

C2

nuevospa.con-ip.com:2709

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
loggsdsce
keylog_path
%AppData%
mouse_option
false
mutex
Rmc1214550111-8ILYZA
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  URGENTE requiere POR SEGUNDA VEZ Respuesta al oficio No.111 RD Rad. 2013-656.exe
- Size
  
  1.3MB
- MD5
  
  634d083e156932ad463d0b6d565b1864
- SHA1
  
  08efee0f93d8437fc78c1b072bab1bf656ba0446
- SHA256
  
  961e1a9e87354282994687dd1fcedab938d86b3444c60fb800693c12eba7992b
- SHA512
  
  544f2a497ee106fbca9d57322a13b03a7267d07829e6c170b1f8207b0a418c3ea4d2a043063aa99451f7c322d29159f398affe21e5ba72acd6ad123b099440a4
- SSDEEP
  
  24576:DpS9vNYPOhImXpYhqjxjY/TS9LrPC0g3MAtG5jtgBKqvs:A9v6PeBGhqjxE2960g3HG5jtgois
Score

10^/10

purelogstealer discovery persistence stealer remcos new2709 rat
- PureLog Stealer
  PureLog Stealer is an infostealer written in C#.
  stealer purelogstealer
- PureLog Stealer payload
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

purelogstealerdiscoverypersistencestealer

behavioral2

purelogstealerremcosnew2709discoverypersistenceratstealer