{ "Event": { "analysis": "0", "date": "2022-09-01", "extends_uuid": "", "info": "[OSINT] No Honor Among Thieves - Prynt Stealer\u2019s Backdoor Exposed", "publish_timestamp": "1666601807", "published": true, "threat_level_id": "1", "timestamp": "1666601798", "uuid": "b7a486af-8b67-4f58-873b-0ae25fea43e9", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" }, { "colour": "#0088cc", "name": "misp-galaxy:malpedia=\"Prynt Stealer\"" }, { "colour": "#004646", "name": "type:OSINT" }, { "colour": "#0071c3", "name": "osint:lifetime=\"perpetual\"" }, { "colour": "#0087e8", "name": "osint:certainty=\"50\"" }, { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#0088cc", "name": "misp-galaxy:malpedia=\"WorldWind\"" }, { "colour": "#0088cc", "name": "misp-galaxy:stealer=\"DarkEye\"" }, { "colour": "#0088cc", "name": "misp-galaxy:stealer=\"Prynt Stealer\"" }, { "colour": "#0088cc", "name": "misp-galaxy:stealer=\"WorldWind\"" }, { "colour": "#0088cc", "name": "misp-galaxy:malpedia=\"DarkEye\"" }, { "colour": "#00b3b3", "name": "ecsirt:intrusions=\"backdoor\"" }, { "colour": "#00a9ce", "name": "veris:action:malware:variety=\"Backdoor\"" }, { "colour": "#2c0037", "name": "ms-caro-malware:malware-type=\"Backdoor\"" }, { "colour": "#001534", "name": "ms-caro-malware-full:malware-type=\"Backdoor\"" } ], "Attribute": [ { "category": "Payload delivery", "comment": "Prynt Stealer", "deleted": false, "disable_correlation": false, "timestamp": "1665989801", "to_ids": true, "type": "sha256", "uuid": "9888e096-1341-4655-9a0c-1e53df9a6096", "value": "d8469e32afc3499a04f9bcb0ca34fde63140c3b872c41e898f4e31f2a7c1f61f" }, { "category": "Payload delivery", "comment": "Prynt Stealer", "deleted": false, "disable_correlation": false, "timestamp": "1665989801", "to_ids": true, "type": "sha256", "uuid": "6de8e173-c0fd-4be3-b4b1-42fc8c76c8e7", "value": "f15e92c34dd8adfcd471d726e88292d6698217f05f1d2bcce8193eb2536f817c" }, { "category": "Payload delivery", "comment": "WorldWind Stealer", "deleted": false, "disable_correlation": false, "timestamp": "1665989801", "to_ids": true, "type": "sha256", "uuid": "d1d5db20-15d9-4e1f-a4e6-cab7a0bdf0b5", "value": "3b948a0eb0e9bbca72fc363b63ffd3a5983e23c47f14f8296e8559fd98c25094" }, { "category": "Payload delivery", "comment": "DarkEye Stealer", "deleted": false, "disable_correlation": false, "timestamp": "1665989801", "to_ids": true, "type": "sha256", "uuid": "d451551e-c177-4ed9-a989-af74bb028188", "value": "bb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec" }, { "category": "Payload delivery", "comment": "DarkEye Stealer (old version without AsyncRAT)", "deleted": false, "disable_correlation": false, "timestamp": "1665989801", "to_ids": true, "type": "sha256", "uuid": "a9b86903-b79c-455c-bbf0-7b488d90a3dc", "value": "e48179c4629b5ab9e53ccb785ab3ee5eeb2e246e1897154a15fec8fd9237f44b" }, { "category": "Payload delivery", "comment": "Celesty Binder payload", "deleted": false, "disable_correlation": false, "timestamp": "1665989801", "to_ids": true, "type": "sha256", "uuid": "ae705dbd-6b31-41b9-9cfb-eb8ac1121210", "value": "9678ca06068b705da310aa2f76713d2d59905b12b67097364160857cd1f90c58" }, { "category": "Payload delivery", "comment": "Builder", "deleted": false, "disable_correlation": false, "timestamp": "1665989801", "to_ids": true, "type": "sha256", "uuid": "f54aa09c-1841-4826-9b28-22ef426079b6", "value": "654f080d5790054f0cd1a0f9b31cd7a82a4722ff3ce5093acdc31ff154f1ae24" }, { "category": "Payload delivery", "comment": "LodaRAT", "deleted": false, "disable_correlation": false, "timestamp": "1665989801", "to_ids": true, "type": "sha256", "uuid": "74ed1b4c-6d5b-4d42-91fb-b642d4079067", "value": "cb132691793e93ad8065f857b4b1baba92e937cfc3d3a8042ce9109e12d32b4c" }, { "category": "Payload delivery", "comment": "Prynt Stealer Stub", "deleted": false, "disable_correlation": false, "timestamp": "1665989801", "to_ids": true, "type": "sha256", "uuid": "ce2ad6bb-1747-4b74-bfce-8fb70c2051a0", "value": "d37d0ae4c5ced373fe1960af5ea494a6131717d1c400da877d9daa13f55439bb" }, { "category": "Payload delivery", "comment": "Loader", "deleted": false, "disable_correlation": false, "timestamp": "1665989801", "to_ids": true, "type": "sha256", "uuid": "5ed227fe-15f1-44e9-bd7f-7fc04710ec7c", "value": "c79aed9551260daf74a2af2ec5b239332f3b89764ede670106389c3078e74d1a" }, { "category": "Network activity", "comment": "DarkEye Stealer Hosting", "deleted": false, "disable_correlation": false, "timestamp": "1665992990", "to_ids": true, "type": "url", "uuid": "b2cce1cd-8669-4f40-8215-2f4f141c8b1d", "value": "https://cdn.discordapp.com/attachments/523238636561629190/890007970207907871/vltn.exe" }, { "category": "Network activity", "comment": "WorldWind - Market Website (Inactive)", "deleted": false, "disable_correlation": false, "timestamp": "1665993250", "to_ids": true, "type": "url", "uuid": "4ec5a062-377a-4d46-954f-c0e9a5c9d798", "value": "http://shop.prynt.market" }, { "category": "Network activity", "comment": "Prynt Stealer - Market Website (Inactive)", "deleted": false, "disable_correlation": false, "timestamp": "1665993250", "to_ids": true, "type": "url", "uuid": "ff207b26-10e9-41d8-a901-208460f5f1f8", "value": "http://market.prynt.market" }, { "category": "Network activity", "comment": "Prynt Stealer - Market Website (Active)", "deleted": false, "disable_correlation": false, "timestamp": "1665993250", "to_ids": true, "type": "url", "uuid": "3f959b7e-8c08-4fe2-b769-7ace9f1d3b20", "value": "http://venoxxxx.xxx" }, { "category": "Payload delivery", "comment": "Prynt Stealer builder package - Prynt stub used by the builder", "deleted": false, "disable_correlation": false, "timestamp": "1665994495", "to_ids": true, "type": "filename", "uuid": "967a4473-5c38-421a-b44c-68d71767fec5", "value": "Stub.exe" }, { "category": "Payload delivery", "comment": "Prynt Stealer builder package - Builder executable", "deleted": false, "disable_correlation": false, "timestamp": "1665994495", "to_ids": true, "type": "filename", "uuid": "b25ef0d4-7c29-4dbc-8cd5-b9619400bf65", "value": "Prynt Stealer.exe" }, { "category": "Payload delivery", "comment": "Prynt Stealer builder package - Unmanaged PE", "deleted": false, "disable_correlation": false, "timestamp": "1665994495", "to_ids": true, "type": "filename", "uuid": "b176d8c2-0949-4e79-b7e7-4891a729c352", "value": "Prynt sub.exe" }, { "category": "Payload delivery", "comment": "Prynt Stealer builder package - Backdoor that downloads and executes DarkEye Stealer", "deleted": false, "disable_correlation": false, "timestamp": "1665994495", "to_ids": true, "type": "filename", "uuid": "59827e8b-9dab-44b4-aab4-4ed13b02b39b", "value": "Prynt.exe" } ], "Object": [ { "comment": "", "deleted": false, "description": "Metadata used to generate an executive level report", "meta-category": "misc", "name": "report", "template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df", "template_version": "7", "timestamp": "1665989572", "uuid": "39c86d1d-05bd-4dae-a488-360079914b64", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "link", "timestamp": "1665989572", "to_ids": false, "type": "link", "uuid": "3f4d70ad-8208-4707-afa6-0f7400f55025", "value": "https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "summary", "timestamp": "1665989572", "to_ids": false, "type": "text", "uuid": "ccb48af3-8af0-428e-9c57-ba2b922f879a", "value": "Technical Comparison of Prynt Stealer, WorldWind, and DarkEye Malware" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "type", "timestamp": "1665989572", "to_ids": false, "type": "text", "uuid": "6aad45d1-0674-4854-b666-4d813ffbbc1f", "value": "Blog" } ] }, { "comment": "WorldWind (hardcoded)", "deleted": false, "description": "Information related to a telegram bot", "meta-category": "misc", "name": "telegram-bot", "template_uuid": "e2cb6c8f-45fa-429d-9cdb-05298ab21f46", "template_version": "1", "timestamp": "1665990242", "uuid": "32c7146e-8ac3-4543-889b-1c39754b6303", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "chat-id", "timestamp": "1665990242", "to_ids": false, "type": "text", "uuid": "19aa10d9-e55d-4bed-b8fd-2a4e1403553b", "value": "1096425866" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "token", "timestamp": "1665990242", "to_ids": false, "type": "text", "uuid": "ae8f5b64-bd3c-4c9e-896c-4c3dff3b5374", "value": "1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8" } ] }, { "comment": "Prynt Stealer (hardcoded)", "deleted": false, "description": "Information related to a telegram bot", "meta-category": "misc", "name": "telegram-bot", "template_uuid": "e2cb6c8f-45fa-429d-9cdb-05298ab21f46", "template_version": "1", "timestamp": "1665990378", "uuid": "535b633e-9e74-4f90-8e28-bfbbc342fb33", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "chat-id", "timestamp": "1665990378", "to_ids": false, "type": "text", "uuid": "29b53d36-ff5a-4e5f-8f0b-b4f072e0ab66", "value": "1937717367" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "token", "timestamp": "1665990378", "to_ids": false, "type": "text", "uuid": "5a092591-61bc-436f-8dd4-be5af46783ce", "value": "1784055443:AAG-bXLYtnFpjJ_L3ogxA3bq6Mx09cqh8ug" } ] }, { "comment": "Prynt Stealer", "deleted": false, "description": "Information related to a telegram bot", "meta-category": "misc", "name": "telegram-bot", "template_uuid": "e2cb6c8f-45fa-429d-9cdb-05298ab21f46", "template_version": "1", "timestamp": "1665990780", "uuid": "921b1fa9-a804-47ec-99fc-2b0c63517d7a", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "chat-id", "timestamp": "1665990780", "to_ids": false, "type": "text", "uuid": "3508cefe-b0b3-4906-ab78-d73a06e0260a", "value": "5038570348" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "token", "timestamp": "1665990780", "to_ids": false, "type": "text", "uuid": "b17b02c2-bc88-42bb-9de7-0106b1edf26b", "value": "5292408150:AAHAPbTr2Jc9L4hgsfkDkvfw_hISg6lPMMI" } ] }, { "comment": "Prynt Stealer", "deleted": false, "description": "Information related to a telegram bot", "meta-category": "misc", "name": "telegram-bot", "template_uuid": "e2cb6c8f-45fa-429d-9cdb-05298ab21f46", "template_version": "1", "timestamp": "1665991643", "uuid": "09b2266a-460d-45cd-968a-f903dcb8e938", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "chat-id", "timestamp": "1665991643", "to_ids": false, "type": "text", "uuid": "57e39ba6-a415-4771-96c5-62ceadadc360", "value": "1856525476" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "token", "timestamp": "1665991643", "to_ids": false, "type": "text", "uuid": "7849bf84-5d84-4049-a686-8834b91323ce", "value": "5292408150:AAHAPbTr2Jc9L4hgsfkDkvfw_hISg6lPMMI" } ] }, { "comment": "Prynt Stealer", "deleted": false, "description": "Information related to a telegram bot", "meta-category": "misc", "name": "telegram-bot", "template_uuid": "e2cb6c8f-45fa-429d-9cdb-05298ab21f46", "template_version": "1", "timestamp": "1665991857", "uuid": "89ca0c35-28ce-4896-97ef-96a1277a042b", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "chat-id", "timestamp": "1665991857", "to_ids": false, "type": "text", "uuid": "a02fdd87-9fd4-4b74-af29-72cc7d256918", "value": "849561191" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "token", "timestamp": "1665991857", "to_ids": false, "type": "text", "uuid": "5f075a20-5076-45dc-9217-90afc883968a", "value": "1916193181:AAHhdcx3k6mHbnJ6JLfyWtJBMChny-la8Xs" } ] }, { "comment": "DarkEye Stealer C&C ", "deleted": false, "description": "A domain/hostname and IP address seen as a tuple in a specific time frame.", "meta-category": "network", "name": "domain-ip", "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", "template_version": "11", "timestamp": "1665993035", "uuid": "ae21fd17-1261-4d84-a0ac-44d65e3a9c31", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1665993035", "to_ids": true, "type": "domain", "uuid": "7e15ddff-abf4-4735-9138-c8d46362102d", "value": "bigdaddy-service.biz" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "port", "timestamp": "1665993035", "to_ids": false, "type": "port", "uuid": "0ba8c8e5-908d-427e-b942-254099cfecf1", "value": "6606" } ] }, { "comment": "DarkEye Stealer C&C ", "deleted": false, "description": "A domain/hostname and IP address seen as a tuple in a specific time frame.", "meta-category": "network", "name": "domain-ip", "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", "template_version": "11", "timestamp": "1665993059", "uuid": "df65f997-8718-4042-9aee-c63b8065db3d", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1665993059", "to_ids": true, "type": "domain", "uuid": "5e6f89a6-0333-4de5-8e43-ac78547f6034", "value": "bigdaddy-service.biz" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "port", "timestamp": "1665993059", "to_ids": false, "type": "port", "uuid": "7c828a5f-8e54-4860-ad06-9fc1670a78f8", "value": "7707" } ] }, { "comment": "DarkEye Stealer C&C ", "deleted": false, "description": "A domain/hostname and IP address seen as a tuple in a specific time frame.", "meta-category": "network", "name": "domain-ip", "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", "template_version": "11", "timestamp": "1665993090", "uuid": "fb51780b-d597-4c98-9c55-e84bea603537", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1665993090", "to_ids": true, "type": "domain", "uuid": "e91c1f39-762e-4cae-bdd9-f5f5641f4627", "value": "bigdaddy-service.biz" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "port", "timestamp": "1665993090", "to_ids": false, "type": "port", "uuid": "42eb50fd-0a53-40b6-88e3-edf832ddc8e2", "value": "8808" } ] }, { "comment": "LodaRAT C&C", "deleted": false, "description": "A domain/hostname and IP address seen as a tuple in a specific time frame.", "meta-category": "network", "name": "domain-ip", "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", "template_version": "11", "timestamp": "1665993149", "uuid": "422c54fd-935c-4f2d-b07d-3e8701cad357", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1665993149", "to_ids": true, "type": "domain", "uuid": "8b60fe6f-3f0a-48e5-96ce-6887a9f049b2", "value": "daddy.linkpc.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "port", "timestamp": "1665993149", "to_ids": false, "type": "port", "uuid": "687aa5a5-83c2-43ce-b02f-cc5d5fb27c8e", "value": "1199" } ] } ] } }