MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13e2517eb9d45a3d68feec9d8cec5e8aeeed4b57d63db428f68c54be4224390e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13e2517eb9d45a3d68feec9d8cec5e8aeeed4b57d63db428f68c54be4224390e
SHA3-384 hash: 193745cd8e8979bb04f387a50af6d6002a14186439ff85f8ab1c519e96805c4e40825b159b2dc2b452f7870108344f95
SHA1 hash: 3d1cecb12c80bbb4c3d69d25f8295c867a40828f
MD5 hash: 249fa2a560a2a8e1ae5a6b114e31afb2
humanhash: steak-georgia-item-september
File name:249fa2a560a2a8e1ae5a6b114e31afb2
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:3'173'376 bytes
First seen:2023-12-04 04:03:47 UTC
Last seen:2023-12-04 05:28:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 98304:RjB+06fkx9KWqBDeRTsnBF75riKIJWsHGR:RjB+Rfe7RTsBF75OKjs+
Threatray 652 similar samples on MalwareBazaar
TLSH T149E51284A3E56A42F0FA0F33E8F5574087B5F967A77AE70E4290165D0D67B92CC81B23
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe PureLogs

Intelligence

File Origin
# of uploads :
2
# of downloads :
380
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
249fa2a560a2a8e1ae5a6b114e31afb2
Verdict:
Malicious activity
Analysis date:
2023-12-04 04:06:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/77508990-1b84-42a1-a823-fca085c7bb4c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/462219/
Detection(s):
SecuriteInfo.com.Win32.RansomX-gen.13569.15218.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Creating a file
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
expand greyware lolbin obfuscated packed packed remote smartassembly smart_assembly
Link:
https://www.filescan.io/uploads/656d4fb21dea9b05c3d1a096/reports/e3da564a-a82f-496c-8180-c067bed2db4f/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/13e2517eb9d45a3d68feec9d8cec5e8aeeed4b57d63db428f68c54be4224390e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/98f009ac-c9d2-4da7-a5d8-08b0e01532fb
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1352872
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1352872 Sample: k58DuUDVVJ.exe Startdate: 04/12/2023 Architecture: WINDOWS Score: 80 34 Multi AV Scanner detection for submitted file 2->34 36 .NET source code contains potential unpacker 2->36 38 Machine Learning detection for sample 2->38 40 Yara detected Costura Assembly Loader 2->40 6 Cphekmz.exe 5 2->6         started        9 k58DuUDVVJ.exe 1 5 2->9         started        12 Cphekmz.exe 4 2->12         started        process3 file4 42 Multi AV Scanner detection for dropped file 6->42 44 Machine Learning detection for dropped file 6->44 46 Injects a PE file into a foreign processes 6->46 14 Cphekmz.exe 6->14         started        16 Cphekmz.exe 6->16         started        18 Cphekmz.exe 6->18         started        26 7 other processes 6->26 32 C:\Users\user\AppData\Roaming\Cphekmz.exe, PE32 9->32 dropped 48 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->48 20 k58DuUDVVJ.exe 9->20         started        22 k58DuUDVVJ.exe 9->22         started        24 k58DuUDVVJ.exe 9->24         started        28 7 other processes 9->28 30 10 other processes 12->30 signatures5 process6
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/13e2517eb9d45a3d68feec9d8cec5e8aeeed4b57d63db428f68c54be4224390e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/13e2517eb9d45a3d68feec9d8cec5e8aeeed4b57d63db428f68c54be4224390e/
Threat name:
Win32.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2023-12-03 01:31:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
18 of 37 (48.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cprfc7vz2rnd22h65soyz3c6rlxo2s2x2y63ikhwrrkl4qreheha._file
Verdict:
malicious
Similar samples:
13e2517eb9d45a3d68feec9d8cec5e8aeeed4b57d63db428f68c54be4224390e
PureLogsStealer
243da90881574b0764dfe3d508c31b6d825bf822c11f0e91f3346b4abfbe206b
PureLogsStealer
311a3b7def97fc40fd72447b9e581401e5dcb7ecb6fc75e160035c87746452fa
PureLogsStealer
dbb832a8e39eadb4dff92c86785f16fc52682f8acfe0a831a4ce8b6a958e93ea
PureLogsStealer
f56e9fc3e849f746c918864bab7f6e03ad1721ab05dade87aed887ac8c2c6526
PureLogsStealer
fb55261b420d8aca5691e8d9230e6d378aa57de53fa2147e9dc6f0c1c5ee4571
PureLogsStealer
+ 642 additional samples on MalwareBazaar
Result
Malware family:
purelogs
Create hunting rule
Score:
  10/10
Tags:
family:purelogs persistence stealer
Link:
https://tria.ge/reports/231204-emxzbsgh66/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Detect PureLogs payload
PureLogs
Unpacked files
SH256 hash:
f4b2524c23d6503b8130ce09cfede9a728bcdaf49e00b72d75535417f120dbba
MD5 hash:
9bb584ee6ecb761f609abd5639050990
SHA1 hash:
b41ed8b838ad6d78e004134fcaeba1896758a0e7
Link:
https://www.unpac.me/results/4b3491e1-c682-488e-b7d4-3350a5df88e9/
SH256 hash:
6e457a5575ae8f55590b99d59bf5a1e40a46d81d9274956c3e5ff79bd0b3f243
MD5 hash:
c5e39f9ae31b4db6dcf873e4ad8dbb9e
SHA1 hash:
af209330efb275ba077099833c011272b40d87b2
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/4b3491e1-c682-488e-b7d4-3350a5df88e9/
SH256 hash:
3308356c8ac88f60d4e875e0ea3173499a503bcbcf4d6cb67f250cd54c22c46b
MD5 hash:
47fb457469c141f0cbfef1bca49959f7
SHA1 hash:
6d56077742221d26c5494dd1188ad98b330d7bd2
Link:
https://www.unpac.me/results/4b3491e1-c682-488e-b7d4-3350a5df88e9/
SH256 hash:
b2ebe266909b3ef1995f3c4ff4bd64f974535c8886f28135adfac6e62ab6f48e
MD5 hash:
2092bbc7a1bd4b918c05b21f0a3d4be8
SHA1 hash:
582cbf9b152a9ba0a545b83d3e79d7ac3261b3d6
Link:
https://www.unpac.me/results/4b3491e1-c682-488e-b7d4-3350a5df88e9/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/4b3491e1-c682-488e-b7d4-3350a5df88e9/
SH256 hash:
4e5962e581acfb52f390d5f94063c99ed3e4f1677893ba317272508cb1bf1802
MD5 hash:
5caed6ded21f0908a36d482757d06fdf
SHA1 hash:
aa82d96e18e52e73ce8eaeaf882e7c04ef47d1ed
Link:
https://www.unpac.me/results/4b3491e1-c682-488e-b7d4-3350a5df88e9/
SH256 hash:
13e2517eb9d45a3d68feec9d8cec5e8aeeed4b57d63db428f68c54be4224390e
MD5 hash:
249fa2a560a2a8e1ae5a6b114e31afb2
SHA1 hash:
3d1cecb12c80bbb4c3d69d25f8295c867a40828f
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/4b3491e1-c682-488e-b7d4-3350a5df88e9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/13e2517eb9d45a3d68feec9d8cec5e8aeeed4b57d63db428f68c54be4224390e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

Executable exe 13e2517eb9d45a3d68feec9d8cec5e8aeeed4b57d63db428f68c54be4224390e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2737095/
Cape
Cape
https://www.capesandbox.com/analysis/462219/

Comments


Avatar
zbet commented on 2023-12-04 04:03:48 UTC

url : hxxp://185.196.8.238/Wraub.exe