MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1702d2196b87c01e039ae71e17bced2113a2f99a72fb6d8dcee219dfc598adfc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1702d2196b87c01e039ae71e17bced2113a2f99a72fb6d8dcee219dfc598adfc
SHA3-384 hash: d8beefb5fbb838a92401c956bf97ad6b30107c04f39e18ab7ec5a6d0349089fd83d27d28715243c9aab83c59266e4f24
SHA1 hash: 033a93d5c686e85ada58f4d1ef1744d9a267e679
MD5 hash: c21fa24cd98134a77b98be40c3f5449d
humanhash: vermont-april-robin-undress
File name:SecuriteInfo.com.Trojan.PackedNET.2148.14300.32426
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:661'504 bytes
First seen:2024-07-09 21:22:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:hTRYPMVYJyOG3I81dFl5meiIrtuSHkiBvif2dMQBev9VuTY90yVbQom:hTsA3z13l9ukBjTkVmYGsQ
Threatray 5'380 similar samples on MalwareBazaar
TLSH T1A9E423603AA77A33D260C9333E521ECA60DCCB655C6F876870C252E6AE24D353FEC556
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:exe PureLogStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
367
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1702d2196b87c01e039ae71e17bced2113a2f99a72fb6d8dcee219dfc598adfc.exe
Verdict:
Malicious activity
Analysis date:
2024-07-09 21:28:14 UTC
Tags:
crypto-regex netreactor
Link:
https://app.any.run/tasks/7b8d276a-a030-4a2f-b955-f44425eb6777

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2148.14300.32426.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=668daa36ec881b573673f9dcwin10vpnfull_triage
Tags:
Generic Stealth Variant
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/668daa36fe05860727da8f6b/reports/9594d017-f8f9-4b48-8833-fabee3cae293/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/1702d2196b87c01e039ae71e17bced2113a2f99a72fb6d8dcee219dfc598adfc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5820bcf4-4b65-48cf-83da-26866d41a1c0
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1470429
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1702d2196b87c01e039ae71e17bced2113a2f99a72fb6d8dcee219dfc598adfc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1702d2196b87c01e039ae71e17bced2113a2f99a72fb6d8dcee219dfc598adfc/
Threat name:
ByteCode-MSIL.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2024-06-24 12:28:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c4bnegllq7ab4a4244pbpphneej2f6m2ol5w3doo4im57rmyvx6a._file
Verdict:
malicious
Similar samples:
1702d2196b87c01e039ae71e17bced2113a2f99a72fb6d8dcee219dfc598adfc
PureLogsStealer
3281d57fa722b506b76e2221ab97e94890ddd7dd7e2fe153f9e382728a9e870b
PureLogsStealer
3f352445c521895812735acebb5f944cd1e88024cade5b201c562166619ffc9f
PureLogsStealer
4f71cd8e603fc88f358d8bbd51353436fb70837e4e93938e01f747024d54ae88
PureLogsStealer
572e5e6295f7bc9877c82de35f32ed4039cc68c7d8f508be1c9302b795b09deb
PureLogsStealer
aae9e126f03798f15445e8f308bbf43e9bda6a9e1ffaa9fe2dfd75eb65fef74c
PureLogsStealer
+ 5'370 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/240709-z8fmdsyare/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Adds Run key to start application
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/92d538c3-b81d-4b8d-815e-1260f780b088
Unpacked files
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/c7ae12ba-6bb1-435f-abb4-1667fca5240f/
SH256 hash:
ccd93d8bc941ca21289713ef01387995246a797ada02fc09f37e3bc4af0ece41
MD5 hash:
17e7ff6d810643ac44597b57935c35cc
SHA1 hash:
41d8a3058d25cb3def18b09a381b701a47625503
Link:
https://www.unpac.me/results/c7ae12ba-6bb1-435f-abb4-1667fca5240f/
SH256 hash:
fc93e15723abe6cecc632dad64461c831e7d86d4f1e522b2694171cc891ca3af
MD5 hash:
4bb2400160ec7f7007a6e1d77169d752
SHA1 hash:
2400b3b8ec97350cd35e088ae730db35aa728dad
Link:
https://www.unpac.me/results/c7ae12ba-6bb1-435f-abb4-1667fca5240f/
SH256 hash:
1702d2196b87c01e039ae71e17bced2113a2f99a72fb6d8dcee219dfc598adfc
MD5 hash:
c21fa24cd98134a77b98be40c3f5449d
SHA1 hash:
033a93d5c686e85ada58f4d1ef1744d9a267e679
Link:
https://www.unpac.me/results/c7ae12ba-6bb1-435f-abb4-1667fca5240f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1702d2196b87c01e039ae71e17bced2113a2f99a72fb6d8dcee219dfc598adfc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

Executable exe 1702d2196b87c01e039ae71e17bced2113a2f99a72fb6d8dcee219dfc598adfc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2946996/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2947060/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments