Keypoints
- Sample is a 32-bit .NET (v4.0.30319) executable that copies itself into a user-specific folder as “temporallogger.exe”.
- Deploys a ROT13-based decoding routine to obtain a Telegram token and ChatID, which it uses to exfiltrate data.
- Performs sandbox/VM detection by comparing current username and machine name against embedded blacklist entries and exits if matched.
- Creates and executes a .bat file to run the copied binary via cmd.exe and deletes the original launcher to hide traces.
- Harvests browser-stored credentials, credit card details, cookies (host_key, name, encrypted_value), and download URLs by querying browser SQLite databases.
- Stages user data (screenshots, Desktop files zipped as DesktopFiles.zip) in AppData under a “UserCash” folder before sending it over Telegram.
- Observed network activity shows attempts to connect to Telegram for exfiltration of the collected ZIP archive.
MITRE Techniques
- [T1497.001] Virtualization/Sandbox Detection – Uses embedded username and machine-name blacklists to detect analysis environments and terminate if matched. Quote: [‘The sample has two sets of lists, one is with user name and other with System name. If the name matches … terminates by itself.’]
- [T1036] Masquerading – Self-copies into a user-specific folder and renames itself to “temporallogger.exe” to hide the original binary. Quote: [‘creates a new directory “Username + UserCash” and in that directory self-copies itself as “temporallogger.exe”.’]
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Creates and runs a .bat via cmd.exe to launch the copied binary and remove the original file. Quote: [‘Malware creates a .bat file for running the temporallogger.exe file using cmd.exe. It deletes the file after creating the process.’]
- [T1140] Deobfuscate/Decode Files or Information – Uses ROT13 to decode the Telegram token and ChatID prior to connecting. Quote: [‘Later it uses the Rot13 algorithm for decrypting a Telegram Token and a TelegramChatID which will be used to login to their account.’]
- [T1555.003] Credentials from Web Browsers – Extracts saved login credentials from browser profiles and stores them in a temporary SQLite database (login_data_db). Quote: [‘Login information is collected from the browser profile and stored in a database by creating a temporary login_data_db file.’]
- [T1539] Steal Web Session Cookies – Extracts cookie records including host_key, name, and encrypted_value from browser cookie storage. Quote: [‘It extracts details like host_key, name, encrypted_value.’]
- [T1074] Data Staged – Aggregates desktop files into DesktopFiles.zip and stores staged data under the user’s AppData roaming “UserCash” folder. Quote: [‘The malware combines all the desktop files as DesktopFiles.zip, and saves in the “C:\Users\Admin\AppData\Roaming\AdminUserCash” folder.’]
- [T1113] Screen Capture – Takes screenshots of the desktop to include in the staged data prior to exfiltration. Quote: [‘As seen in the image below, the malware takes the screenshot of the desktop.’]
- [T1070.004] Indicator Removal on Host: File Deletion – Deletes the original DotStealer.exe after creating and launching the temporary runner to reduce discovery. Quote: [‘Batch file first deletes the original DotStealer.exe file and then starts executing temporallogger.exe file thus, the user cannot find the original malware file.’]
- [T1567.002] Exfiltration Over Web Service – Sends the staged ZIP file to an attacker-controlled Telegram account using the decoded token and ChatID. Quote: [‘It sends the .zip file through Telegram.’]
Indicators of Compromise
- [Hash] Sample MD5 – 5BE1657618ED1B556C2D038ADB4A9D04 (reported detection: Password-Stealer).
- [File names] Binary and runner – DotStealer.exe (original), temporallogger.exe (self-copied runner).
- [File artifacts] Staged/data files – DesktopFiles.zip (staged desktop files), login_data_db (temporary SQLite DB holding extracted credentials).
- [File path] Staging location – %APPDATA%\<username>UserCash (example shown as C:\Users\Admin\AppData\Roaming\AdminUserCash).
- [Network/service] Exfiltration channel – Telegram token and ChatID decoded and used to send data (no token value published in article).
The analyzed sample is a 32-bit .NET (v4.0.30319) executable that locates the current Windows username, creates a per-user folder named “UserCash” under AppData, and self-copies there as temporallogger.exe. It decodes embedded Telegram credentials with ROT13, performs sandbox/VM detection by checking the username and machine name against embedded blacklists (terminating if a match is found), then assembles a .bat which launches temporallogger.exe via cmd.exe and deletes the original launcher to conceal the infection.
Once running, the stealer queries browser SQLite databases to extract saved logins (stored into a temporary login_data_db), credit card records (cardholder name, number, expiry), cookies (host_key, name, encrypted_value), and download URLs. It captures screenshots, aggregates Desktop contents into DesktopFiles.zip in the AppData staging folder, and prepares these artifacts for exfiltration.
The malware connects to Telegram using the decoded token and ChatID to transmit the staged ZIP archive; network captures in the report show attempted connections to Telegram. The single reported sample hash is 5BE1657618ED1B556C2D038ADB4A9D04. Detection and containment should focus on identifying temporallogger.exe or DotStealer.exe artifacts, staged ZIPs in AppData, and outbound Telegram API traffic from endpoints.
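As an added hunting example (not code from the K7 report), the Python triage script below checks each user profile for the "<username>UserCash" staging folder and the artifacts named above, and flags proxy log lines whose destination is the Telegram Bot API; the api.telegram.org host and the log line format are assumptions, and the directory tree and log lines are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Artifact names from the report; the staging folder is "<username>UserCash" under that
# user's roaming AppData (e.g. C:\Users\Admin\AppData\Roaming\AdminUserCash).
STAGING_ARTIFACTS = {"temporallogger.exe", "DesktopFiles.zip", "login_data_db"}
TELEGRAM_HOST = "api.telegram.org"  # assumption: public Telegram Bot API host


def find_staging_artifacts(users_root):
    """Return (user, staging_dir, [artifacts]) for each profile whose <user>UserCash
    folder under AppData\\Roaming holds any of the known stealer artifacts."""
    hits = []
    for profile in sorted(p for p in Path(users_root).iterdir() if p.is_dir()):
        staging = profile / "AppData" / "Roaming" / f"{profile.name}UserCash"
        if staging.is_dir():
            found = sorted(f.name for f in staging.iterdir() if f.name in STAGING_ARTIFACTS)
            if found:
                hits.append((profile.name, str(staging), found))
    return hits


def flag_telegram_traffic(log_lines):
    """Return (src_ip, url_path) for proxy lines whose destination host is the Bot API.
    Constructed line format: '<time> <src_ip> <method> <url> <status>'."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        m = re.match(r"https?://([^/]+)(/.*)?", parts[3]) if len(parts) >= 5 else None
        if m and m.group(1).lower() == TELEGRAM_HOST:
            flagged.append((parts[1], m.group(2) or "/"))
    return flagged


def build_demo_tree():
    """Constructed stand-in for C:\\Users: one clean profile, one with a staged folder."""
    root = Path(tempfile.mkdtemp())
    (root / "alice" / "AppData" / "Roaming").mkdir(parents=True)
    staged = root / "Admin" / "AppData" / "Roaming" / "AdminUserCash"
    staged.mkdir(parents=True)
    for name in ("temporallogger.exe", "DesktopFiles.zip", "login_data_db", "shot.png"):
        (staged / name).write_bytes(b"")
    return str(root)


# Constructed proxy log: one benign request and one upload to the Bot API (token placeholder).
DEMO_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.5 GET https://example.com/index.html 200",
    "2024-05-01T10:00:07Z 10.0.0.5 POST https://api.telegram.org/bot<TOKEN>/sendDocument 200",
]
```

On a live host, point find_staging_artifacts at the real C:\Users and feed flag_telegram_traffic the proxy or firewall export in the same whitespace-separated shape.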
Read more: https://labs.k7computing.com/index.php/unmasking-the-dot-stealer/