Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now
Carbon Black Employee

TAU-TIN – Borr Info Stealer


Threat Analysis Unit - Threat Intelligence Notification

Title: TAU-TIN – Borr Info Stealer


“Borr” is an Info Stealer that will steal various sensitive information from the victim’s computer. Borr Info Stealer will make connections to a Command & Control (C&C) Server and, depending on the configuration from the C&C server, it may issue commands to perform various malicious activities on the victim’s computer. It is able to able to steal sensitive information and passwords from web browsers, mail, FTP clients, cryptocurrency wallets, and other applications from the compromised system.

This post serves to inform our customers about detection and protection capabilities within the VMware Carbon Black suite of products against Borr Info Stealer.

Behavioral Summary

Borr will collect the stolen sensitive information to put in a folder in “C:\ProgramData\PSSLB.tmp\” and compress them into a zip file then send it to the command and control(C&C) server.

Figure 1: Screenshot of stolen data and file by Borr

Figure 2: Screenshot of event logs from VMware Carbon Black EDR

VMware Carbon Black Cloud Endpoint Standard (CB Defense) will display the malware’s overall triggered TTPs.




TID Tactics Technique
T1045 Defense Evasion Software Packing
T1081 Credential Access Credentials in Files
T1083 Discovery File and Directory Discovery
T1119 Collection Automated Collection
T1005 Collection Data from Local System
T1012 Discovery Query Registry
T1082 Discovery System Information Discovery
T1002 Exfiltration Data Compressed
T1043 Command and Control Commonly Used Ports

Indicators of Compromise (IOCs)

Indicator Type Context
fcae8b0bb6f188c6c0c6ed0bfe8b9ac18b9fc8c146e905998c7f330ead6787c3 SHA256 Borr Info Stealer
6a4c314d4953f10e3877baa1333868576baa34122d8c950577bfa37f870d7843 SHA256 Borr Info Stealer
2c91e45bce82d4ca81f974a5f3139351d903eec9e1b04300f4c5673ff32bc853 SHA256 Borr Info Stealer
b15689e4e5dd17fc506b08abbcaadfff9e5445687ca20e23bf06c318e3bb8a5e SHA256 Borr Info Stealer
03751e4a982634ffd50ad80c9a1e50a7df40bf932a2baeeb9696ad150f598615 SHA256 Borr Info Stealer
7d8b71940fcdcfb3f93642c46ba0c487 MD5 Borr Info Stealer
7665c216e741575991f1051557b57bc9 MD5 Borr Info Stealer
d918bfc80585f1e5fc1439e2b0db3947 MD5 Borr Info Stealer
29a47b3caac041f4f039914a9a19c971 MD5 Borr Info Stealer
9e89607980478343bbe1026e8b296ded MD5 Borr Info Stealer IP Address Command and Control (C&C) Server IP Address Command and Control (C&C) Server IP Address Command and Control (C&C) Server


TAU-TIN (Threat Analysis Unit - Threat Intelligence Notification) is a report by Carbon Black's TAU (Threat Analysis Unit) to help customers detect and prevent emerging threats.

Labels (1)
Tags (1)
0 Kudos