purelogstealer | f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4

Analysis

max time kernel
195s
max time network
255s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
02-05-2024 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4.exe
Size

400KB
MD5

273f874fb8cf5f0ea683569cc5aa1105
SHA1

75e0c12ddd0bf9d26e8ce5e014b2ff52476d3884
SHA256

f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4
SHA512

03b1faa4a531837b6201abe4089cbfe89119c71a88cfdfa14e216040bed8cbab8595dc5c8e834fac4fedede8fd55e6982a7a9a29869b0dd30a838491959fef54
SSDEEP

12288:bixfqg8gtc1Ue6JGNHvrWJwdrO//2M9+Y5:bCfqZuQUe6Ji1O/F7

Score

10^/10

purelogstealer raccoon 5bfc2fea32660a3c43ec3fa8f7188f7e persistence stealer

Malware Config

Extracted

Family

raccoon

Botnet

5bfc2fea32660a3c43ec3fa8f7188f7e

http://91.103.252.109:80

Attributes

user_agent
SunShineMoonLight

xor.plain

Signatures

PureLog Stealer
PureLog Stealer is an infostealer written in C#.
stealer purelogstealer

PureLog Stealer payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\countrycyber.exe	family_purelog_stealer
behavioral2/memory/4952-6-0x0000000000F60000-0x0000000000FBA000-memory.dmp	family_purelog_stealer

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4976-17-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon_v2
behavioral2/memory/4976-22-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon_v2
behavioral2/memory/4976-24-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon_v2

Executes dropped EXE 3 IoCs

Processes:

countrycyber.execountrycyber.execountrycyber.exe

pid process

4952 countrycyber.exe
4788 countrycyber.exe
4976 countrycyber.exe

pid	process
4952	countrycyber.exe
4788	countrycyber.exe
4976	countrycyber.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

countrycyber.exe

description pid process target process

PID 4952 set thread context of 4976 4952 countrycyber.exe countrycyber.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

countrycyber.exe

pid process

4952 countrycyber.exe
4952 countrycyber.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

countrycyber.exe

description pid process

Token: SeDebugPrivilege 4952 countrycyber.exe

description	pid	process	target process
PID 4952 set thread context of 4976	4952	countrycyber.exe	countrycyber.exe

pid	process
4952	countrycyber.exe
4952	countrycyber.exe

description	pid	process
Token: SeDebugPrivilege	4952	countrycyber.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4.execountrycyber.exe

description	pid	process	target process
PID 3496 wrote to memory of 4952	3496	f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4.exe	countrycyber.exe
PID 3496 wrote to memory of 4952	3496	f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4.exe	countrycyber.exe
PID 3496 wrote to memory of 4952	3496	f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4.exe	countrycyber.exe
PID 4952 wrote to memory of 4788	4952	countrycyber.exe	countrycyber.exe
PID 4952 wrote to memory of 4788	4952	countrycyber.exe	countrycyber.exe
PID 4952 wrote to memory of 4788	4952	countrycyber.exe	countrycyber.exe
PID 4952 wrote to memory of 4976	4952	countrycyber.exe	countrycyber.exe
PID 4952 wrote to memory of 4976	4952	countrycyber.exe	countrycyber.exe
PID 4952 wrote to memory of 4976	4952	countrycyber.exe	countrycyber.exe
PID 4952 wrote to memory of 4976	4952	countrycyber.exe	countrycyber.exe
PID 4952 wrote to memory of 4976	4952	countrycyber.exe	countrycyber.exe
PID 4952 wrote to memory of 4976	4952	countrycyber.exe	countrycyber.exe
PID 4952 wrote to memory of 4976	4952	countrycyber.exe	countrycyber.exe
PID 4952 wrote to memory of 4976	4952	countrycyber.exe	countrycyber.exe

C:\Users\Admin\AppData\Local\Temp\f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4.exe
"C:\Users\Admin\AppData\Local\Temp\f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3496

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\countrycyber.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\countrycyber.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\countrycyber.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\countrycyber.exe
3⤵
- Executes dropped EXE
PID:4788

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\countrycyber.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\countrycyber.exe
3⤵
- Executes dropped EXE
PID:4976

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\countrycyber.exe
Filesize
357KB

MD5
c643acf3f644f9e94305a546365fb300

SHA1
8e270c565228ec7e6856220fc8b726914430c456

SHA256
9c5fb4465f201e05e9a0a6ae79fa8a27b48035f9a2a3f910c6e675ae24c53afa

SHA512
8d16986b4ac1a8673310d4eccf3bcd62f0696bdd134716e37b49e959ef4a97cb1b4d4bfb8abaebd34cd3900ef4b6d479575e0dc29211120809b48fc1b55c7394

Download Submit
memory/4952-12-0x0000000006520000-0x0000000006556000-memory.dmp

Filesize
216KB

Download
memory/4952-13-0x0000000006560000-0x00000000065AC000-memory.dmp

Filesize
304KB

Download
memory/4952-7-0x0000000005D20000-0x000000000621E000-memory.dmp

Filesize
5.0MB

Download
memory/4952-8-0x0000000073DE0000-0x00000000744CE000-memory.dmp

Filesize
6.9MB

Download
memory/4952-9-0x0000000005770000-0x00000000057BE000-memory.dmp

Filesize
312KB

Download
memory/4952-10-0x0000000006490000-0x00000000064DE000-memory.dmp

Filesize
312KB

Download
memory/4952-6-0x0000000000F60000-0x0000000000FBA000-memory.dmp

Filesize
360KB

Download
memory/4952-5-0x0000000073DEE000-0x0000000073DEF000-memory.dmp

Filesize
4KB

Download
memory/4952-11-0x00000000064E0000-0x0000000006516000-memory.dmp

Filesize
216KB

Download
memory/4952-14-0x0000000073DEE000-0x0000000073DEF000-memory.dmp

Filesize
4KB

Download
memory/4952-15-0x0000000073DE0000-0x00000000744CE000-memory.dmp

Filesize
6.9MB

Download
memory/4952-23-0x0000000073DE0000-0x00000000744CE000-memory.dmp

Filesize
6.9MB

Download
memory/4976-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4976-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4976-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download