MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0bb1f1573597153cfc103837c100ad94a69b1ec04b16d71ad37c5ae30b7fd5a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureLogsStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	0bb1f1573597153cfc103837c100ad94a69b1ec04b16d71ad37c5ae30b7fd5a6
SHA3-384 hash:	95ea0858118e848e2410d6375456026108a15c98838d97f3d21286c29cfd7fa03e5965c3a7da1df15779235aa26b5cf2
SHA1 hash:	8d89cd3746585dccf4e2ab0aa921dac3fbefb638
MD5 hash:	39717fb1aedf9d38856d2e9c94304168
humanhash:	nebraska-bulldog-kitten-bakerloo
File name:	SecuriteInfo.com.Trojan.PackedNET.2147.4331.28353
Download:	download sample
Signature	PureLogsStealer Create hunting rule
File size:	647'680 bytes
First seen:	2024-05-11 09:26:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:LRHWGJEj1S0yB1dk695iqrV/ou71zs9rfB8KIANImH9gF44Aar:FHZEJfc1dkQ51BRgfB8KD3HSLAar
Threatray	701 similar samples on MalwareBazaar
TLSH	T1F8D423769AE4AE33DE2B39733B178267306993A127276F99547044172225630CECFF53
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter	SecuriteInfoCom
Tags:	exe PureLogStealer

Intelligence

File Origin

# of uploads :

# of downloads :

290

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

0bb1f1573597153cfc103837c100ad94a69b1ec04b16d71ad37c5ae30b7fd5a6.exe

Verdict:

Malicious activity

Analysis date:

2024-05-11 09:27:19 UTC

Tags:

zgrat pureminer

Link:

https://app.any.run/tasks/b50a2274-67d6-4271-b5d8-f1161ff494cb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.2147.4331.28353.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Creating a file

Creating a process from a recently created file

DNS request

Connection attempt

Creating a window

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/663f39e8148f01a7073f4ab4/reports/3c0f6175-ef03-4346-b86a-a4ac0f1f0b4b/overview

Verdict:

Malicious

Labled as:

Trojan.Mardom.IN.Generic

Link:

https://www.hybrid-analysis.com/sample/0bb1f1573597153cfc103837c100ad94a69b1ec04b16d71ad37c5ae30b7fd5a6

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/09bd21c5-28ca-4243-a9e8-804518a42eee

Result

Threat name:

PureLog Stealer, zgRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1439987

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Yara detected Costura Assembly Loader

Yara detected PersistenceViaHiddenTask

Yara detected PureLog Stealer

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0bb1f1573597153cfc103837c100ad94a69b1ec04b16d71ad37c5ae30b7fd5a6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0bb1f1573597153cfc103837c100ad94a69b1ec04b16d71ad37c5ae30b7fd5a6/

Threat name:

ByteCode-MSIL.Trojan.Mardom

Status:

Malicious

First seen:

2024-05-02 17:19:14 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=boy7cvzvs4ktz7aqha34cafnsstjwhwajmlnogwtprnogc372wta._file

Verdict:

malicious

PureLogsStealer

224a4f5de098684e12b95521f9015f642357581c70c8b9702ca325c581e7fb88

PureLogsStealer

6f37a0e103969097717c3a290977c2e1faaf04e5468f7f9e5cdf80d8598156c8

PureLogsStealer

90f43f41f50f5c7f266f9353d21c3733468bad8644be318d48568415a6d9b89b

PureLogsStealer

a5b0d190fc09cd5c1ea07fa6b12a7dd4ab5f517c778fb60e4e14060e00ddecc8

PureLogsStealer

+ 691 additional samples on MalwareBazaar

Result

Malware family:

zgrat

Score:

10/10

Tags:

family:zgrat rat

Link:

https://tria.ge/reports/240511-lerkxaba7t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Executes dropped EXE

Loads dropped DLL

Detect ZGRat V1

ZGRat

Unpacked files

SH256 hash:

0bb1f1573597153cfc103837c100ad94a69b1ec04b16d71ad37c5ae30b7fd5a6

MD5 hash:

39717fb1aedf9d38856d2e9c94304168

SHA1 hash:

8d89cd3746585dccf4e2ab0aa921dac3fbefb638

Link:

https://www.unpac.me/results/f2579183-73eb-4423-a272-49c3a1f5fd0f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.89

Link:

https://yomi.yoroi.company/submissions/0bb1f1573597153cfc103837c100ad94a69b1ec04b16d71ad37c5ae30b7fd5a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample