MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d72f409f9089ba57b151f5836df00ba70480f1530c67b1a2c81fc9b50b7cbe2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 17 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d72f409f9089ba57b151f5836df00ba70480f1530c67b1a2c81fc9b50b7cbe2
SHA3-384 hash: c307f33b363d72ade5f0682fec841739d461fb43dd48bf85486738cbd7b7022932f8ab8ec323216ae8c5f351aa5ad804
SHA1 hash: adb461d4d199ea7367b65b185f47a10401e2ba97
MD5 hash: 31118351b8b0db68e9c1bc3ad1da8e7c
humanhash: high-lion-quebec-alpha
File name:31118351b8b0db68e9c1bc3ad1da8e7c
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:2'589'696 bytes
First seen:2024-01-30 03:54:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:ywoUZ8Cps0BJDmN8wjp+ps8M+1tgVO8jrHWvrYz93513:E0LSNFUps8M+MVvr2zMn
TLSH T1B0C5F145DBDA1620E1FE4F3294F12A0593F9E423EBDBE34B054962D90E677A78812733
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe PureLogStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
277
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
4363463463464363463463463.exe
Verdict:
Malicious activity
Analysis date:
2024-01-30 20:06:28 UTC
Tags:
hausbomber loader opendir miner risepro stealer evasion raccoon rhadamanthys lumma asyncrat rat remcos remote keylogger backdoor dcrat azorult arechclient2 payload amadey botnet blacknet trojan redline phorpiex gh0st whitesnake metastealer
Link:
https://app.any.run/tasks/38fe9273-6f95-4e64-a015-45cb65ddbd00

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Stealerium
Create hunting rule
Link:
https://www.capesandbox.com/analysis/473532/
Detection(s):
Win.Packed.Msilheracles-10017859-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Reading critical registry keys
Running batch commands
Creating a window
Sending an HTTP GET request
Launching a process
Launching the process to change network settings
Searching for synchronization primitives
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed packed phishing smartassembly smart_assembly
Link:
https://www.filescan.io/uploads/65b8731b814c2aeb1484b477/reports/41eab401-062c-4993-b3cd-d76050f258cb/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/1d72f409f9089ba57b151f5836df00ba70480f1530c67b1a2c81fc9b50b7cbe2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealerium Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/121ed1e2-1486-4ba0-88eb-3a0642ee2fb6
Result
Threat name:
PureLog Stealer, Stealerium
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1383109
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses netsh to modify the Windows network and firewall settings
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected Stealerium
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1383109 Sample: 7WIsWvO1NV.exe Startdate: 30/01/2024 Architecture: WINDOWS Score: 100 46 store16.gofile.io 2->46 48 icanhazip.com 2->48 50 3 other IPs or domains 2->50 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 Sigma detected: Capture Wi-Fi password 2->70 72 10 other signatures 2->72 9 7WIsWvO1NV.exe 3 2->9         started        12 msiexec.exe 2->12         started        signatures3 process4 signatures5 78 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->78 80 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 9->80 82 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->82 84 3 other signatures 9->84 14 7WIsWvO1NV.exe 15 130 9->14         started        process6 dnsIp7 52 api.gofile.io 51.38.43.18, 443, 49725 OVHFR France 14->52 54 store16.gofile.io 104.36.23.21, 443, 49726 ICASTCENTERUS United States 14->54 56 2 other IPs or domains 14->56 38 C:\Users\user\AppData\...\SUAVTZKNFL.xlsx, ASCII 14->38 dropped 40 C:\Users\user\AppData\...FOYFBOLXA.jpg, ASCII 14->40 dropped 42 C:\Users\user\AppData\...EGWXUHVUG.pdf, ASCII 14->42 dropped 44 C:\Users\user\...\DotNetZip-q0lcx3xa.tmp, Zip 14->44 dropped 58 Found many strings related to Crypto-Wallets (likely being stolen) 14->58 60 Tries to harvest and steal browser information (history, passwords, etc) 14->60 62 Tries to harvest and steal WLAN passwords 14->62 64 Modifies existing user documents (likely ransomware behavior) 14->64 19 cmd.exe 1 14->19         started        22 cmd.exe 1 14->22         started        file8 signatures9 process10 signatures11 74 Uses netsh to modify the Windows network and firewall settings 19->74 76 Tries to harvest and steal WLAN passwords 19->76 24 netsh.exe 2 19->24         started        26 conhost.exe 19->26         started        28 findstr.exe 1 19->28         started        30 chcp.com 1 19->30         started        32 netsh.exe 2 22->32         started        34 conhost.exe 22->34         started        36 chcp.com 1 22->36         started        process12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1d72f409f9089ba57b151f5836df00ba70480f1530c67b1a2c81fc9b50b7cbe2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1d72f409f9089ba57b151f5836df00ba70480f1530c67b1a2c81fc9b50b7cbe2/
Threat name:
ByteCode-MSIL.Trojan.ZgRAT
Create hunting rule
Status:
Malicious
First seen:
2024-01-29 00:30:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dvzpicpzbcn2k6yvd5mdnxyaxjyeqdyvgddhwgrmqh6jwufxzpra._file
Verdict:
malicious
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:stealerium family:zgrat collection rat spyware stealer
Link:
https://tria.ge/reports/240130-egsgnahcep/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of web browsers
Detect ZGRat V1
Stealerium
ZGRat
Malware Config
C2 Extraction:
https://discordapp.com/api/webhooks/1197850806213431377/-zU9uA2NeaYEk4-ozdhgmNljI6NS_w_qcT_cbtxYxZdkUD3JeaKChZp4GXdod-MX3D1Q
Unpacked files
SH256 hash:
08c1b2ef75185c6b5de1aae23d646003f7940afa9d96357fbeecbbf00de5c629
MD5 hash:
8bd0d0a53a5388d471b759daf4145c76
SHA1 hash:
e1366dc21be0503ac16aaeb669eb166a730a5d8c
Detections:
Typical_Malware_String_Transforms
Create hunting rule
Link:
https://www.unpac.me/results/4ff81749-4b8c-4a88-8455-070f7ad2933d/
SH256 hash:
24ad3a439163156eb93d647b41d8e2911dd40035da1a16cc2854975d8bf96fd9
MD5 hash:
075b00b913449f09ec885485d717f00c
SHA1 hash:
bcd199092203a1f21096580bb5e0b047952514f0
Link:
https://www.unpac.me/results/4ff81749-4b8c-4a88-8455-070f7ad2933d/
SH256 hash:
ecfe92c51f688d38979d1ee4df624ce19a3964b890f24448137b81a50c6e2d57
MD5 hash:
f5d035d836d7165b73af27855ab82422
SHA1 hash:
9593ab8a4f276561296065ac72f4704894ef08c7
Link:
https://www.unpac.me/results/4ff81749-4b8c-4a88-8455-070f7ad2933d/
SH256 hash:
537609cf0deb83f38c00849a5d0e49e3ab8e6bbbb5470653a65c6a1d2720625b
MD5 hash:
b1a8d3888e6c5f7856fc3d204e47e66c
SHA1 hash:
5024647a1b5502d9c181fcfc2667740f22e17425
Detections:
Stealerium
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
Create hunting rule
MALWARE_Win_Stealerium
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Discord_Regex
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_VPN
Create hunting rule
MALWARE_Win_Multi_Family_InfoStealer
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_Fody
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/4ff81749-4b8c-4a88-8455-070f7ad2933d/
SH256 hash:
e2fbec49f8ec4e4b891b51ff436b30b37abccb88592e6883127153fb4f15846d
MD5 hash:
114742a3297707819d284c5bfd9ba48e
SHA1 hash:
107d2b26a7b3fe0fa770e1141fce08cf81a97b31
Link:
https://www.unpac.me/results/4ff81749-4b8c-4a88-8455-070f7ad2933d/
SH256 hash:
1d72f409f9089ba57b151f5836df00ba70480f1530c67b1a2c81fc9b50b7cbe2
MD5 hash:
31118351b8b0db68e9c1bc3ad1da8e7c
SHA1 hash:
adb461d4d199ea7367b65b185f47a10401e2ba97
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/4ff81749-4b8c-4a88-8455-070f7ad2933d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1d72f409f908/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1d72f409f9089ba57b151f5836df00ba70480f1530c67b1a2c81fc9b50b7cbe2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing credit card regular expressions
Rule name:INDICATOR_SUSPICIOUS_EXE_Discord_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Discord tokens regular expressions
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_VPN
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many VPN software clients. Observed in infosteslers
Rule name:INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
Create hunting rule
Author:ditekSHen
Description:Detects executables with interest in wireless interface using netsh
Rule name:MALWARE_Win_Multi_Family_InfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects Prynt, WorldWind, DarkEye, Stealerium and ToxicEye / TelegramRAT infostealers
Rule name:MALWARE_Win_Stealerium
Create hunting rule
Author:ditekSHen
Description:Detects Stealerium infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

Executable exe 1d72f409f9089ba57b151f5836df00ba70480f1530c67b1a2c81fc9b50b7cbe2

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/473532/
  
URLhaus
https://urlhaus.abuse.ch/url/2753383/

Comments


Avatar
zbet commented on 2024-01-30 03:54:53 UTC

url : hxxps://magic.poisontoolz.com/bossa.exe