MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f7d60cc7c9748e45371eba030f9cf8e73c4b6b016a962136c58ab438dde6b00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f7d60cc7c9748e45371eba030f9cf8e73c4b6b016a962136c58ab438dde6b00
SHA3-384 hash: 42f58227dc5e7083d38054059635fabb4d6a88a94f3eb2dc53dfd4ad91be17966e91f92a3ddfa6e2ff6933abc98c68dc
SHA1 hash: 93c4423663620e16753dfbbb52629416c9eb859c
MD5 hash: 25bbcd3deb0ac8de0822a74f9d91b989
humanhash: michigan-triple-magazine-two
File name:25bbcd3deb0ac8de0822a74f9d91b989
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:1'539'584 bytes
First seen:2023-12-20 18:35:42 UTC
Last seen:2023-12-21 04:51:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:GCPhcFykjCEIaRYiYMd7fc6Ngf4RpQ1amra/OWoU7t1rczuZV:zMdRJDYMxfc6NxpDme/doaFc
Threatray 678 similar samples on MalwareBazaar
TLSH T11665DF54661D0A13F6626774D8AFE7330A45EE7684E2460B62C1BC3B713E1AF3BB1742
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon f08e9686dad89ac4 (5 x zgRAT, 4 x PureLogsStealer, 3 x Amadey)
Reporter zbetcheckin
Tags:64 exe PureLogStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
369
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
25bbcd3deb0ac8de0822a74f9d91b989
Verdict:
Suspicious activity
Analysis date:
2023-12-20 18:37:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9ed95627-5d93-4c8f-938d-e5debd0d4bcf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/468661/
Detection(s):
Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Win.Trojan.EmbeddedReversedDLL-9940922-0
Create hunting rule

Win.Trojan.Generic-10014419-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Creating a process from a recently created file
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65833414eabaed070171e0ce/reports/b55d7e81-ee1e-4501-a1b1-ab57018cc8f8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1f7d60cc7c9748e45371eba030f9cf8e73c4b6b016a962136c58ab438dde6b00
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MassLogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/640d43a9-571d-499d-81cd-30f91ba235c0
Result
Threat name:
PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1365220
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1365220 Sample: kQEOLzl6Ge.exe Startdate: 20/12/2023 Architecture: WINDOWS Score: 100 55 conn.pandaking2016.xyz 2->55 57 ip.allproxy.io 2->57 59 connv2.proxies.tv 2->59 67 Malicious sample detected (through community Yara rule) 2->67 69 Antivirus detection for URL or domain 2->69 71 Antivirus / Scanner detection for submitted sample 2->71 75 9 other signatures 2->75 11 ContextProperties.exe 1 2->11         started        14 kQEOLzl6Ge.exe 1 2->14         started        16 ContextProperties.exe 2->16         started        18 2 other processes 2->18 signatures3 73 Performs DNS queries to domains with low reputation 55->73 process4 signatures5 91 Antivirus detection for dropped file 11->91 93 Multi AV Scanner detection for dropped file 11->93 95 Machine Learning detection for dropped file 11->95 20 ContextProperties.exe 2 11->20         started        97 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 14->97 99 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 14->99 101 Modifies the context of a thread in another process (thread injection) 14->101 23 kQEOLzl6Ge.exe 6 14->23         started        103 Injects a PE file into a foreign processes 16->103 26 ContextProperties.exe 16->26         started        28 conhost.exe 18->28         started        process6 file7 81 Writes to foreign memory regions 20->81 83 Modifies the context of a thread in another process (thread injection) 20->83 85 Injects a PE file into a foreign processes 20->85 30 InstallUtil.exe 1 20->30         started        47 C:\Users\user\...\ContextProperties.exe, PE32+ 23->47 dropped signatures8 process9 signatures10 105 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 30->105 107 Modifies the context of a thread in another process (thread injection) 30->107 109 Injects a PE file into a foreign processes 30->109 33 InstallUtil.exe 15 3 30->33         started        process11 dnsIp12 51 185.196.8.248, 49730, 49735, 49740 SIMPLECARRER2IT Switzerland 33->51 53 80.85.241.193, 49729, 49731, 49732 MEDIAL-ASRU Russian Federation 33->53 45 C:\Users\user\AppData\Local\...\ixlfgawvb.exe, PE32+ 33->45 dropped 77 Modifies the context of a thread in another process (thread injection) 33->77 79 Injects a PE file into a foreign processes 33->79 38 InstallUtil.exe 33->38         started        file13 signatures14 process15 signatures16 87 Modifies the context of a thread in another process (thread injection) 38->87 89 Injects a PE file into a foreign processes 38->89 41 InstallUtil.exe 38->41         started        process17 dnsIp18 61 conn.pandaking2016.xyz 198.23.233.111, 29082, 49753, 49757 AS-COLOCROSSINGUS United States 41->61 63 connv2.proxies.tv 51.79.32.112, 49752, 49754, 49770 OVHFR Canada 41->63 65 ip.allproxy.io 172.67.159.225, 443, 49772, 49776 CLOUDFLARENETUS United States 41->65 49 C:\Users\user\AppData\...\provisionshare.url, MS 41->49 dropped file19
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1f7d60cc7c9748e45371eba030f9cf8e73c4b6b016a962136c58ab438dde6b00
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1f7d60cc7c9748e45371eba030f9cf8e73c4b6b016a962136c58ab438dde6b00/
Threat name:
Win64.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2023-12-20 18:36:06 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
20
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d56wbtd4s5eoiu3r5oqdb6oprzz4jnvqc2uwee3mlcvuhdo6nmaa._file
Verdict:
malicious
Similar samples:
1cbbbbd6e0bdc94c4fe64cf616013550df1f027787ba1fbaa7671a317838cb07
PureLogsStealer
1f7d60cc7c9748e45371eba030f9cf8e73c4b6b016a962136c58ab438dde6b00
PureLogsStealer
6f4297025fa48f5f412dd305ba5a03560c1ee83e32e94a461b788c3b42575155
PureLogsStealer
8252f99b0f6c26c5c6360c896b26d2acf273ec3c68cf2d883fce4727fe926237
PureLogsStealer
a40342aa9ecc963d2c7d3cdf726cb6b175adbc03d6258b2b368f10f9e524df3d
PureLogsStealer
acd49294aa9aaf8f0a8b057438a3783038822868c8eb98a4289bb7f4ec54268e
PureLogsStealer
d2a91bcf09bf0e0cf35213e66652457a40aff63d856ad49370612637a8847420
PureLogsStealer
e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
PureLogsStealer
+ 668 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat rat
Link:
https://tria.ge/reports/231220-w8wrtsgdg4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SetThreadContext
Executes dropped EXE
Downloads MZ/PE file
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
1f7d60cc7c9748e45371eba030f9cf8e73c4b6b016a962136c58ab438dde6b00
MD5 hash:
25bbcd3deb0ac8de0822a74f9d91b989
SHA1 hash:
93c4423663620e16753dfbbb52629416c9eb859c
Link:
https://www.unpac.me/results/b77ff731-3a14-4028-8d09-f6c920682400/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1f7d60cc7c97/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1f7d60cc7c9748e45371eba030f9cf8e73c4b6b016a962136c58ab438dde6b00

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

Executable exe 1f7d60cc7c9748e45371eba030f9cf8e73c4b6b016a962136c58ab438dde6b00

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2742844/
Cape
Cape
https://www.capesandbox.com/analysis/468661/

Comments


Avatar
zbet commented on 2023-12-20 18:35:43 UTC

url : hxxp://185.196.8.248/Pcpkjc.exe