General
-
Target
https://www.youtube.com/redirect?event=comments&redir_token=QUFFLUhqazdiNWVBNUU0a0l6YkR2QzJwZndma0M5dTZhUXxBQ3Jtc0tsM1RENjJ3Y0picXQ2eHRtcUt6MkthUVJ0Q29PWi1uRExoY09JWFFhQklBRmw2Mm5ndzRRNWR4X242TTVxelFZdUxyQWJvVG5rX0F0UWxJcVNpdVJQRk9DcUVCWDUxbVpQanUyeXJORXlfYkVhdFN3RQ&q=https%3A%2F%2Fbit.ly%2Fskinmanager
-
Sample
240905-c3twhasfkh
Malware Config
Targets
-
-
Target
https://www.youtube.com/redirect?event=comments&redir_token=QUFFLUhqazdiNWVBNUU0a0l6YkR2QzJwZndma0M5dTZhUXxBQ3Jtc0tsM1RENjJ3Y0picXQ2eHRtcUt6MkthUVJ0Q29PWi1uRExoY09JWFFhQklBRmw2Mm5ndzRRNWR4X242TTVxelFZdUxyQWJvVG5rX0F0UWxJcVNpdVJQRk9DcUVCWDUxbVpQanUyeXJORXlfYkVhdFN3RQ&q=https%3A%2F%2Fbit.ly%2Fskinmanager
Score10/10-
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
-
PureLog Stealer payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
1Credentials in Registry
1