CYFIRMA’s analysis focuses on the infostealer Prynt, a commodity malware sold through Malware-as-a-Service (MaaS) campaigns that carries a hidden backdoor and hides its activity by injecting code into a legitimate AppLaunch.exe process before exfiltrating data. It collects system information, files and credentials, takes screenshots, and reports back via the backdoor, often as part of broader attacks including ransomware, and is distributed through social engineering, phishing, and compromised sites. #PryntMalware #Telegram
Keypoints
- Prynt is a commodity infostealer used as part of MaaS, sometimes wrapped with a backdoor for data exfiltration to support broader campaigns.
- The sample analyzed is a 32-bit C/C++ console binary that steals system information, files, and web browser credentials.
- Process injection is a core technique, injecting Prynt’s malicious code into AppLaunch.exe to hide activity and gain access to resources.
- Technical details show the use of VirtualAlloc/VirtualAllocEx, VirtualProtect, and WriteProcessMemory to inject code, plus CreateRemoteThreadEx to establish execution.
- Prynt allocates memory in the remote process, writes the payload, and resumes the suspended host thread to execute the injected code.
- Capabilities include system information gathering, file/process enumeration, process hiding, registry changes, backdoor network communication, and screenshots.
- CYFIRMA notes Prynt’s ties to MaaS ecosystems, its openness to backdoors for customers, its overlap with RedLine in underground discourse, its wide regional targeting (more than 40 nations), and its varied distribution methods.
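A defender-side correlation of the injection chain described in the keypoints above, added here as an example (not CYFIRMA’s code and not derived from Prynt): it scores Sysmon CreateRemoteThread events whose target is AppLaunch.exe, rating highest the case where the same untrusted binary both spawned the host and then created a thread in it. Field names follow Sysmon Event ID 1 and 8, and the sample events are constructed for illustration.

```python
from typing import Dict, Iterable, List

# Assumed field names follow Sysmon Event ID 1 (ProcessCreate) and 8 (CreateRemoteThread).
HOST_IMAGE = "applaunch.exe"
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def is_untrusted_path(path: str) -> bool:
    """Binaries outside system/program directories (Temp, Downloads, AppData) are suspect."""
    return not path.lower().startswith(TRUSTED_DIRS)

def detect_applaunch_injection(events: Iterable[dict]) -> List[dict]:
    """Correlate AppLaunch.exe spawns (EID 1) with remote threads created in them (EID 8).
    high:   the untrusted parent that spawned AppLaunch.exe also created a thread in it
            (the spawn-suspended / write / CreateRemoteThreadEx pattern Prynt uses)
    medium: an untrusted binary created a thread in an AppLaunch.exe it did not spawn
    low:    a trusted system binary did so (csrss.exe legitimately creates remote threads)
    """
    spawned_by: Dict[str, str] = {}  # AppLaunch ProcessGuid -> lower-cased ParentImage
    alerts: List[dict] = []
    for ev in events:
        if ev["EventID"] == 1 and ev["Image"].lower().endswith(HOST_IMAGE):
            spawned_by[ev["ProcessGuid"]] = ev["ParentImage"].lower()
        elif ev["EventID"] == 8 and ev["TargetImage"].lower().endswith(HOST_IMAGE):
            src = ev["SourceImage"].lower()
            if src == ev["TargetImage"].lower():
                continue  # a process starting a thread in itself is not injection
            untrusted = is_untrusted_path(src)
            if untrusted and spawned_by.get(ev["TargetProcessGuid"]) == src:
                severity = "high"
            elif untrusted:
                severity = "medium"
            else:
                severity = "low"
            alerts.append({"severity": severity, "source": ev["SourceImage"],
                           "target_guid": ev["TargetProcessGuid"],
                           "start_address": ev.get("StartAddress")})
    return alerts

# Constructed sample telemetry; paths, GUIDs and addresses are made up for illustration.
APPLAUNCH = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": APPLAUNCH, "ProcessGuid": "{G1}",
     "ParentImage": "C:\\Users\\victim\\Downloads\\Prynt.exe"},
    {"EventID": 8, "SourceImage": "C:\\Users\\victim\\Downloads\\Prynt.exe",
     "TargetImage": APPLAUNCH, "TargetProcessGuid": "{G1}", "StartAddress": "0x00400000"},
    {"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": APPLAUNCH, "TargetProcessGuid": "{G1}"},
    {"EventID": 8, "SourceImage": "C:\\Users\\victim\\AppData\\Local\\Temp\\upd.exe",
     "TargetImage": APPLAUNCH, "TargetProcessGuid": "{G2}"},
]
```

Running `detect_applaunch_injection(SAMPLE_EVENTS)` yields one high, one low and one medium alert; the low one illustrates why a bare "remote thread into AppLaunch.exe" rule needs the source-path and parent correlation to avoid noise.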
MITRE Techniques
- [T1106] Native API – Prynt uses a combination of VirtualAlloc/VirtualAllocEx, VirtualProtect, and WriteProcessMemory APIs to inject code into a remote process. ‘Prynt process creates multiple threads via CreateRemoteThreadEx for establishing foundations for process injection and code execution.’
- [T1055] Process Injection – The infostealer’s authors injected code into the AppLaunch.exe host process to run within another process context. ‘Process injection’ describes this activity.
- [T1059] Hijack Execution Flow – Defense evasion through execution flow modification is evidenced by hosting code inside AppLaunch and altering execution context. ‘Prynt first creates an AppLaunch process to host the malicious code in suspended mode.’
- [T1036] Masquerading – The backdoor and host process usage imply masquerading by blending with legitimate software behavior; ‘The infostealer Prynt.exe … injects into the legitimate AppLaunch process to hide its activity.’
- [T1112] Modify Registry – Registry changes are listed among Prynt’s capabilities. ‘Registry changes.’
- [T1082] System Information Discovery – Prynt gathers system information as part of its data theft. ‘Gathering System Information.’
- [T1012] Query Registry – Registry access as part of discovery and persistence is indicated. ‘Query Registry.’
- [T1102] Web Service – The backdoor communications use web-based channels to exfiltrate data, including data sent to a private Telegram chat. ‘Network communication through backdoor’ and ‘private Telegram chat monitored by the Prynt Stealer developers.’
Indicators of Compromise
- [File name] Prynt.Exe, AppLaunch.exe – The main infostealer and its host process
- [Hash] MD5 – BCD1E2DC3740BF5EB616E8249D1E2D9C
- [Hash] SHA1 – 230f401260805638aa683280b86af2231cf73f93
- [Hash] SHA256 – 04b528fa40c858bf8d49e1c78f0d9dd7e3bc824d79614244f5f104baae628f8f