MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0581ff6cecc21644f9b5d85823362fe60f0c4b757664b7bfafcc9e2e158690d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 18 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0581ff6cecc21644f9b5d85823362fe60f0c4b757664b7bfafcc9e2e158690d3
SHA3-384 hash: 9740dcac8ed642e92675487e5fda2d601d66783fffa451f73f108d85baf4e7213f0cf2309089447ea338364221b41c94
SHA1 hash: ac66ecdf850f111b5bc70edc3f68633bdab63eaa
MD5 hash: 47069f002e03da24cb2ef04c19cce8f9
humanhash: johnny-bacon-coffee-alaska
File name:47069f002e03da24cb2ef04c19cce8f9
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:2'714'336 bytes
First seen:2024-06-18 18:29:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 340d65ede751260b3cc3042ec139606a (2 x AgentTesla, 1 x RemcosRAT, 1 x PureLogsStealer)
ssdeep 49152:SgpOmgDQ06m3N051GXdJCXw5Y9ehswM1A8Lfwosta:MDDe4RhfHta
Threatray 5 similar samples on MalwareBazaar
TLSH T1D7C5AD01E3A805A4D87BD734CA558333D670B9929732E54F0A9CD6462F73AA29F7F312
TrID 72.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
13.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.5% (.EXE) OS/2 Executable (generic) (2029/13)
2.5% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter zbetcheckin
Tags:64 exe PureLogStealer signed

Code Signing Certificate

Organisation:Microsoft Code Signing PCA 2011
Issuer:Microsoft Code Signing PCA 2011
Algorithm:sha256WithRSAEncryption
Valid from:2024-06-15T10:08:50Z
Valid to:2025-06-15T10:08:50Z
Serial number: ab2be3b5a5bdc38c4380b9251da61cf5
Thumbprint Algorithm:SHA256
Thumbprint: f55159d66fb520b02aecd3902c50a77458a43143b701a87bfd6a4306c9e65399
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
362
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0581ff6cecc21644f9b5d85823362fe60f0c4b757664b7bfafcc9e2e158690d3.exe
Verdict:
No threats detected
Analysis date:
2024-06-18 18:30:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2d689261-5dce-4a4d-ab94-816c8b5d82db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.8279.16865.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6671d3be0f8138dd4eae1898win7simulatehigh_evasion
Tags:
Encryption Network Static Nekark
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request to an infection source
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Modifying a system file
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Searching for synchronization primitives
Replacing files
Launching the default Windows debugger (dwwin.exe)
Launching a service
Reading critical registry keys
Running batch commands
Sending a UDP request
Launching cmd.exe command interpreter
Creating a window
Forced system process termination
Changing a file
Connection attempt to an infection source
Blocking the Windows Defender launch
Unauthorized injection to a system process
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint lolbin microsoft_visual_cc overlay packed regedit remote
Link:
https://www.filescan.io/uploads/6671d22d0bf5978c0b105b4f/reports/6e86de54-38a1-452d-87b8-10a6d40f704a/overview
Verdict:
Malicious
Labled as:
Generik.BUFVGMV trojan
Link:
https://www.hybrid-analysis.com/sample/0581ff6cecc21644f9b5d85823362fe60f0c4b757664b7bfafcc9e2e158690d3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bd4019d5-b322-4d37-897d-d64d43d798ba
Result
Threat name:
Amadey, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1459083
Signature
Adds extensions / path to Windows Defender exclusion list (Registry)
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Exclude list of file types from scheduled, custom, and real-time scanning
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected Generic Downloader
Yara detected MSILDownloaderGeneric
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1459083 Sample: AgHiy5gaGp.exe Startdate: 18/06/2024 Architecture: WINDOWS Score: 100 142 Malicious sample detected (through community Yara rule) 2->142 144 Antivirus detection for URL or domain 2->144 146 Multi AV Scanner detection for dropped file 2->146 148 9 other signatures 2->148 13 AgHiy5gaGp.exe 1 2->13         started        16 svchost.exe 2->16         started        18 cmd.exe 2->18         started        20 4 other processes 2->20 process3 signatures4 182 Writes to foreign memory regions 13->182 184 Allocates memory in foreign processes 13->184 186 Sample uses process hollowing technique 13->186 188 Injects a PE file into a foreign processes 13->188 22 CasPol.exe 14 389 13->22         started        27 conhost.exe 13->27         started        29 WerFault.exe 16->29         started        31 WerFault.exe 16->31         started        33 WerFault.exe 16->33         started        35 conhost.exe 18->35         started        37 conhost.exe 20->37         started        process5 dnsIp6 126 5.42.66.47 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 22->126 128 160.153.0.192 GODADDY-AMSDE United States 22->128 130 4 other IPs or domains 22->130 100 C:\Users\...\yb4oWEH5fi0qJWGA4hdAxBWi.exe, PE32 22->100 dropped 102 C:\Users\...\yD0xW6eY0Zwln1dM1ZEyBb7A.exe, PE32+ 22->102 dropped 104 C:\Users\...\xHRiIPPIcdNHJ5gkwaRHBWwh.exe, PE32+ 22->104 dropped 106 223 other files (222 malicious) 22->106 dropped 158 Drops script or batch files to the startup folder 22->158 160 Creates HTML files with .exe extension (expired dropper behavior) 22->160 162 Writes many files with high entropy 22->162 39 4ErTK3KMwTkh1lsPdBxJWXSw.exe 11 48 22->39         started        44 soRv585QCwz334dCBxaqBMZ6.exe 22->44         started        46 CFnnUEkmjgHA5BUt0i4mI8ES.exe 22->46         started        48 13 other processes 22->48 file7 signatures8 process9 dnsIp10 132 176.111.174.109 WILWAWPL Russian Federation 39->132 134 87.240.132.67 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 39->134 136 16 other IPs or domains 39->136 108 C:\Users\...\zniduxm_9SHVjAInEwntFePd.exe, PE32 39->108 dropped 110 C:\Users\...\f6l8gBiU8cw5Nsii6oHWkocD.exe, PE32 39->110 dropped 112 C:\Users\...\bttAoVUBNxm819PudLk9df9B.exe, PE32 39->112 dropped 118 19 other malicious files 39->118 dropped 164 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 39->164 166 Drops PE files to the document folder of the user 39->166 168 Creates HTML files with .exe extension (expired dropper behavior) 39->168 178 8 other signatures 39->178 120 2 other malicious files 44->120 dropped 170 Writes many files with high entropy 44->170 50 Install.exe 44->50         started        122 2 other malicious files 46->122 dropped 54 Install.exe 46->54         started        114 C:\Users\user\AppData\Local\...\Dctooux.exe, PE32 48->114 dropped 116 C:\Users\user\AppData\Local\...\Install.exe, PE32 48->116 dropped 124 5 other malicious files 48->124 dropped 172 Detected unpacking (changes PE section rights) 48->172 174 Detected unpacking (overwrites its own PE header) 48->174 176 Contains functionality to inject code into remote processes 48->176 56 Install.exe 48->56         started        58 WerFault.exe 48->58         started        60 WerFault.exe 48->60         started        62 WerFault.exe 48->62         started        file11 signatures12 process13 file14 94 C:\Users\user\AppData\Local\...\Install.exe, PE32 50->94 dropped 150 Multi AV Scanner detection for dropped file 50->150 64 Install.exe 50->64         started        96 C:\Users\user\AppData\Local\...\Install.exe, PE32 54->96 dropped 67 Install.exe 54->67         started        98 C:\Users\user\AppData\Local\...\Install.exe, PE32 56->98 dropped signatures15 process16 signatures17 138 Multi AV Scanner detection for dropped file 64->138 140 Modifies Windows Defender protection settings 64->140 69 cmd.exe 64->69         started        72 forfiles.exe 64->72         started        74 cmd.exe 67->74         started        process18 signatures19 152 Uses cmd line tools excessively to alter registry or file data 69->152 154 Modifies Windows Defender protection settings 69->154 76 forfiles.exe 69->76         started        79 conhost.exe 69->79         started        81 forfiles.exe 74->81         started        83 conhost.exe 74->83         started        process20 signatures21 85 cmd.exe 76->85         started        180 Modifies Windows Defender protection settings 81->180 88 cmd.exe 81->88         started        process22 signatures23 90 reg.exe 85->90         started        156 Uses cmd line tools excessively to alter registry or file data 88->156 92 reg.exe 88->92         started        process24
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0581ff6cecc21644f9b5d85823362fe60f0c4b757664b7bfafcc9e2e158690d3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0581ff6cecc21644f9b5d85823362fe60f0c4b757664b7bfafcc9e2e158690d3/
Threat name:
Win64.Trojan.Operaloader
Create hunting rule
Status:
Malicious
First seen:
2024-06-16 21:00:11 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=awa763hmyilej6nv3bmcgnrp4yhqys3vozslpp5pzspc4fmgsdjq._file
Verdict:
malicious
Similar samples:
1c81c786a70496397e5c05b533473585322037875390aa522f8ffed43bf47c84
PureLogsStealer
d613abfde1e416e467b1b936060835b5dff7d3617cfd54dba245f36a214ddd6a
PureLogsStealer
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:privateloader botnet:9a3efc discovery evasion execution loader spyware stealer trojan
Link:
https://tria.ge/reports/240618-w5f7zatgkd/
Behaviour
Enumerates system info in registry
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Drops Chrome extension
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Amadey
Modifies firewall policy service
PrivateLoader
Malware Config
C2 Extraction:
http://check-ftp.ru
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4ec85c7f-1f6d-4dbb-aeb1-b0184dece4c1
Unpacked files
SH256 hash:
0581ff6cecc21644f9b5d85823362fe60f0c4b757664b7bfafcc9e2e158690d3
MD5 hash:
47069f002e03da24cb2ef04c19cce8f9
SHA1 hash:
ac66ecdf850f111b5bc70edc3f68633bdab63eaa
Link:
https://www.unpac.me/results/88763b87-94c6-4464-8abe-eca8f0743bf8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0581ff6cecc2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0581ff6cecc21644f9b5d85823362fe60f0c4b757664b7bfafcc9e2e158690d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables (downlaoders) containing URLs to raw contents of a paste
Rule name:Jupyter_infostealer
Create hunting rule
Author:CD_R0M_
Description:Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
Rule name:MSIL_TinyDownloader_Generic
Create hunting rule
Author:albertzsigovits
Description:Detects small-sized dotNET downloaders
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

Executable exe 0581ff6cecc21644f9b5d85823362fe60f0c4b757664b7bfafcc9e2e158690d3

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2895910/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::CreateWellKnownSid
ADVAPI32.dll::RevertToSelf
ADVAPI32.dll::GetSecurityDescriptorLength
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::GetWindowsAccountDomainSid
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
ADVAPI32.dll::SetThreadToken
KERNEL32.dll::VirtualAllocExNuma
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::DeleteVolumeMountPointW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetVolumeInformationW
KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleWindow
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::ReplaceFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_APICan Encrypt Filesbcrypt.dll::BCryptDecrypt
bcrypt.dll::BCryptDestroyKey
bcrypt.dll::BCryptEncrypt
bcrypt.dll::BCryptGenRandom
bcrypt.dll::BCryptImportKey
bcrypt.dll::BCryptOpenAlgorithmProvider
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyExW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryInfoKeyW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
ADVAPI32.dll::RegSetValueExA

Comments


Avatar
zbet commented on 2024-06-18 18:29:17 UTC

url : hxxp://5.42.66.47/files/Vpro.exe