2025/10/26

Write-up Malops - PureLogs Stealer

Question 1

PureLogs is obfuscated and packed to hinder static analysis. Which commercial .NET packer is used to protect the PureLogs binary?

[screenshot: packer identification]

Solution
.NET Reactor

Question 2

What is the name of the mutex created by PureLogs?

I used NETReactorSlayer (https://github.com/SychicBoy/NETReactorSlayer) to deobfuscate the .NET code. After that the code was readable and could be analysed with ILSpy.

My hypothesis was that the mutex is created right at the start, which turned out to be true: I went to the entry point of the PE and found the corresponding code right at the beginning.

[screenshots: entry point and mutex creation in ILSpy]

Solution
FQBnanyetMxSRRO

Question 3

PureLogs includes several anti-analysis checks before proceeding with execution. One of them specifically targets a well-known sandboxing tool. What process name does PureLogs check for to detect this sandbox?

[screenshots: Sandboxie process and module check]

It checks for a process and a module that belong to the Sandboxie sandbox.

Solution
SbieCtrl.exe

Question 4

In the same class as the check for the Sandboxie sandbox there is also a check whether a debugger is attached:

[screenshot: debugger check]

Solution
CheckRemoteDebuggerPresent

Question 5

PureLogs checks a specific registry key to know if it has already run on the system before. What is the full path of that registry key?

[screenshots: registry key check]

Solution
HKEY_CURRENT_USER\Software\IqswyHgVpagFHxu

Question 6

PureLogs modifies its process name and command-line to appear as a legitimate Windows process. What process name does it use to masquerade as a trusted system process?

[screenshots: process name and command-line masquerading]

Solution
explorer.exe

The same class (Class13, smethod_0) also checks whether the current user is a member of the Administrators group, using WindowsBuiltInRole:

https://learn.microsoft.com/de-de/dotnet/api/system.security.principal.windowsbuiltinrole?view=net-8.0


Question 7

What WMI class does PureLogs query to retrieve the system’s manufacturer and model?

[screenshot: WMI query]

Solution
Win32_ComputerSystem

Question 8

PureLogs uses a trick to bypass the “Run as Administrator” (UAC) prompt by starting a special COM object. What exact string does it add before the COM CLSID to request an elevated instance?

[screenshot: elevation moniker and CLSID]

In this case it abuses the COM object exposed by the admin API of the Microsoft Connection Manager setup utility (cmstplua.dll, CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}), which is started elevated without a UAC prompt when requested through an elevation moniker.

See: https://www.varonis.com/de/blog/alphv-blackcat-ransomware

https://gist.github.com/api0cradle/d4aaef39db0d845627d819b2b6b30512

https://strontic.github.io/xcyclopedia/library/clsid_6EDD6D74-C007-4E75-B76A-E5740995E24C.html

https://strontic.github.io/xcyclopedia/library/clsid_3E5FC7F9-9A51-4367-9063-A120244FBEC7.html

https://learn.microsoft.com/en-us/windows/win32/api/objbase/nf-objbase-cogetobject

Read the question carefully: the full moniker below is not the expected answer, only the prefix in front of the CLSID is.

Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}

Solution
Elevation:Administrator!new:
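
The moniker is only useful as an artifact if you can find it again in other samples. The following Python is an added example (not code from the write-up or from PureLogs) that scans a deobfuscated assembly for the elevation moniker prefix and the CMSTPLUA CLSID. It scans both narrow and UTF-16LE strings, because .NET user strings are stored as UTF-16LE in the #US metadata heap, and it treats the CLSID as optional, since PureLogs glues prefix and CLSID together at run time and the two can live in separate constants. The sample blob is constructed for the example. On the packed binary the strings are hidden by .NET Reactor, so run this on the NETReactorSlayer output, and confirm in the decompiler that the string actually reaches CoGetObject.

```python
import re
from typing import Iterator, List, Optional, Tuple

# Prefix identified in the write-up, optionally followed by a CLSID. The CLSID
# group is optional because PureLogs concatenates prefix and CLSID at run time.
ELEVATION_RE = re.compile(
    r"Elevation:Administrator!new:"
    r"(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})?"
)

# CLSID of the CMSTPLUA COM object referenced in the links above.
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"

# Printable runs in narrow and UTF-16LE form, like `strings` and `strings -el`.
# A narrow-only scan of a .NET assembly misses the UTF-16LE user strings.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")


def extract_strings(blob: bytes) -> Iterator[Tuple[str, str]]:
    """Yield (encoding, text) for every printable run in the blob."""
    for m in ASCII_RUN.finditer(blob):
        yield "ascii", m.group().decode("ascii")
    for m in WIDE_RUN.finditer(blob):
        yield "utf-16le", m.group().decode("utf-16-le")


def find_elevation_monikers(blob: bytes) -> List[Tuple[str, Optional[str]]]:
    """Return (encoding, CLSID or None) for every moniker prefix found.
    None means only the bare prefix is present as a string constant."""
    hits = []
    for enc, text in extract_strings(blob):
        for m in ELEVATION_RE.finditer(text):
            clsid = m.group(1).upper() if m.group(1) else None
            hits.append((enc, clsid))
    return hits


def uses_cmstplua(blob: bytes) -> bool:
    """True if the CMSTPLUA CLSID appears in any string, narrow or wide,
    whether or not it is already glued to the prefix."""
    return any(CMSTPLUA_CLSID in text.upper() for _, text in extract_strings(blob))


# Constructed sample blob (not taken from the real binary): a complete moniker
# as a narrow string, then the bare prefix and the CMSTPLUA CLSID as two
# separate UTF-16LE constants, which is the concatenated case.
SAMPLE_BLOB = (
    b"\x00MZ\x90\x00"
    + b"Elevation:Administrator!new:{6EDD6D74-C007-4E75-B76A-E5740995E24C}"
    + b"\x00\x00"
    + "Elevation:Administrator!new:".encode("utf-16-le")
    + b"\x00\x00"
    + "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}".encode("utf-16-le")
    + b"\xff\xfe\x00"
)

if __name__ == "__main__":
    for enc, clsid in find_elevation_monikers(SAMPLE_BLOB):
        print(enc, clsid or "<prefix only>")
    print("CMSTPLUA CLSID present:", uses_cmstplua(SAMPLE_BLOB))
```

Feed it the unpacked module bytes (`find_elevation_monikers(open(path, "rb").read())`); a prefix hit with no CLSID is the signal to look for the CLSID constant and the concatenation site in the decompiler.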

Question 9

PureLogs uses COM objects to silently bypass User Account Control (UAC) and relaunch itself with elevated privileges. What ATT&CK technique does this behavior map to?

Searching for UAC in MITRE ATT&CK leads straight to Abuse Elevation Control Mechanism: Bypass User Account Control: https://attack.mitre.org/techniques/T1548/002/

Solution
T1548.002

Question 10

What regex pattern does PureLogs use to find Steam session tokens?

The malware scans the memory of the Steam process for strings matching a regex that describes the shape of the session token.

[screenshot: Steam session token regex]

Solution
[A-Za-z0-9-_]{16,}\\.[A-Za-z0-9-_]{40,}\\.[A-Za-z0-9-_]{40,}
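
To see what the pattern actually pulls out of memory, here is an added Python example (not code from the write-up or from PureLogs). The doubled backslashes in the decompiled C# literal are string escaping; the regex engine sees a single `\.`, which is the pattern used below. The character class is the base64url alphabet (the `-` after the `0-9` range is a literal hyphen), so the regex matches anything with the header.payload.signature layout of a JWT. The memory buffer and the token in it are constructed for the example and carry no real Steam data.

```python
import base64
import json
import re
from typing import List

# Effective pattern from the decompiled code (single escaped dots).
STEAM_TOKEN_RE = re.compile(
    rb"[A-Za-z0-9-_]{16,}\.[A-Za-z0-9-_]{40,}\.[A-Za-z0-9-_]{40,}"
)


def find_token_candidates(memory: bytes) -> List[str]:
    """Return every substring of a raw memory buffer with the shape the
    malware looks for: three base64url segments joined by dots."""
    return [m.decode("ascii") for m in STEAM_TOKEN_RE.findall(memory)]


def decode_segment(segment: str) -> bytes:
    """base64url-decode one JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token: str) -> dict:
    """Parse the JSON payload (second segment) of a JWT-shaped token."""
    _header, payload, _signature = token.split(".")
    return json.loads(decode_segment(payload))


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample token: header, made-up claims, and 64 zero bytes standing
# in for a signature. It only has the JWT shape the regex describes.
SAMPLE_TOKEN = ".".join([
    _b64url(b'{"typ":"JWT","alg":"EdDSA"}'),
    _b64url(b'{"iss":"constructed-example","sub":"0000000000","aud":["web"]}'),
    _b64url(bytes(64)),
])

# Constructed "memory dump": the token sits between unrelated data, plus a
# decoy that has two dots but segments too short to satisfy {40,}.
SAMPLE_MEMORY = (
    b"\x00\x00steamwebhelper.exe\x00"
    b"sessionid=short.decoy.value\x00"
    + SAMPLE_TOKEN.encode("ascii")
    + b"\x00https://store.steampowered.com/\x00"
)

if __name__ == "__main__":
    for tok in find_token_candidates(SAMPLE_MEMORY):
        print(tok[:40] + "...", token_claims(tok))
```

Because the class has no delimiter other than the dot, the regex is happy to match any JWT in the process, not only Steam's; when triaging a memory dump, decode the payload with `token_claims` and check the issuer before calling it a Steam token.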

Question 11

PureLogs adds a unique tag to the stolen data before sending it to the attacker. What is the exact string it adds to identify this specific build of the malware?

[screenshot: build tag]

Solution
test120922139213

Question 12

What port number does PureLogs use to communicate with its Command and Control (C2) server?

[screenshot: C2 port]

Solution
6561

Question 13

What mode of AES does PureLogs use to encrypt stolen data?

[screenshots: AES configuration and key/IV derivation]

Solution
CBC

Question 14

What is the length (in bytes) of the derived Initialization Vector (IV) used in the encryption?

See screenshot above.

Solution
16 (the code computes it as 128 / 8)

Question 15

What algorithm is used to derive the AES key and IV from the SHA-512 hash in PureLogs?

See screenshot above.

https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.rfc2898derivebytes

Solution
PBKDF2

Question 16

What fixed salt value is used in the PBKDF2 function in PureLogs (as hex, starting with 0x)?

See screenshot above.

# byte values copied from the decompiled salt array
array2 = bytes([
    117, 45, 158, 253, 184, 172, 96, 158,
    239, 125, 30, 70, 145, 225, 3, 161
])
print(array2.hex())

Solution
0x752d9efdb8ac609eef7d1e4691e103a1
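
Questions 13 to 16 together describe the whole key setup: AES-CBC, a 16-byte IV, PBKDF2 (Rfc2898DeriveBytes) applied to a SHA-512 hash, and the fixed salt above. The Python below is an added example (not code from the write-up or from PureLogs) that reproduces that derivation so the stolen data can be decrypted outside the malware. The salt and the IV length come from the write-up; the key length (32 bytes), the iteration count (1000) and the PRF (HMAC-SHA1) are assumptions matching the Rfc2898DeriveBytes defaults when only password and salt are passed, and whether the raw SHA-512 digest or its hex string is the PBKDF2 password is also an assumption. Read all of these off the decompiled call before using the output.

```python
import hashlib
from typing import Tuple

# Fixed salt, copied from the decompiled byte array (Question 16).
SALT = bytes([117, 45, 158, 253, 184, 172, 96, 158,
              239, 125, 30, 70, 145, 225, 3, 161])

IV_LEN = 128 // 8  # the "128 / 8" in the decompiled code: 16 bytes, one AES block

# ASSUMPTIONS (not stated in the write-up): AES-256 key, and the
# Rfc2898DeriveBytes defaults of 1000 iterations with HMAC-SHA1 that apply
# when the constructor receives only password and salt.
KEY_LEN = 32
ITERATIONS = 1000
PRF = "sha1"


def derive_key_iv(password: bytes, key_len: int = KEY_LEN, iv_len: int = IV_LEN,
                  iterations: int = ITERATIONS, prf: str = PRF) -> Tuple[bytes, bytes]:
    """Reproduce GetBytes(key_len) followed by GetBytes(iv_len) on a single
    Rfc2898DeriveBytes instance. .NET keeps one PBKDF2 output stream, so the
    second call continues where the first stopped; one PBKDF2 call for
    key_len + iv_len bytes, sliced, yields the identical key and IV."""
    stream = hashlib.pbkdf2_hmac(prf, password, SALT, iterations, key_len + iv_len)
    return stream[:key_len], stream[key_len:]


def password_from_secret(secret: bytes) -> bytes:
    """The write-up says key and IV are derived from a SHA-512 hash.
    ASSUMPTION: the raw 64-byte digest is the PBKDF2 password. If the code
    feeds the hex string instead, return hashlib.sha512(secret).hexdigest().encode()."""
    return hashlib.sha512(secret).digest()


def decrypt_cbc(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """AES-CBC decrypt with PKCS7 unpadding (the .NET Aes default padding).
    Needs the third-party `cryptography` package; imported lazily so the
    derivation above runs without it."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(padded) + unpad.finalize()


if __name__ == "__main__":
    # Constructed secret; the real input to SHA-512 must be taken from the sample.
    key, iv = derive_key_iv(password_from_secret(b"constructed secret"))
    print("salt", SALT.hex())
    print("key ", key.hex())
    print("iv  ", iv.hex())
```

The point of deriving key and IV from one stream is the usual trap when porting .NET decryptors: calling `pbkdf2_hmac` twice with the same parameters would return the same bytes for both, whereas the malware's second `GetBytes` returns the bytes that follow the key.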