MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37d645383ac6c20846f2342aec1bd6e2e6a5a871c0b47a71e1c6d1f893c90543. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 37d645383ac6c20846f2342aec1bd6e2e6a5a871c0b47a71e1c6d1f893c90543
SHA3-384 hash: 8f6613974a58f26bb8a862c8998d1d89dcd6ee902f901b9b0b761837c51793002bca67b23d72555497b11619dbb9a363
SHA1 hash: b7629fabf8a95a28aa4b6b7137fd8a3192ac9876
MD5 hash: 13f5245d5e08141f7683be6418bfd81c
humanhash: oxygen-jersey-uncle-batman
File name:SecuriteInfo.com.Trojan.PackedNET.2147.2308.11865
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:645'632 bytes
First seen:2024-07-09 21:22:59 UTC
Last seen:2024-08-22 09:29:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:5VkfjXYYLquGEFqP0llDdGhpWsgWPh+G6JN/7+/0lI4wKJqWxpXO8h5A9Gx:HU75LquGEUP0lGhphgW36J97+cjf/pXX
Threatray 1'042 similar samples on MalwareBazaar
TLSH T13AD423DCAF8519AAC76C48390EE3D7B37FB3A54421678B02E24B9E0387281474CDB593
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter SecuriteInfoCom
Tags:91-92-240-9 exe PureLogStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
479
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
37d645383ac6c20846f2342aec1bd6e2e6a5a871c0b47a71e1c6d1f893c90543.exe
Verdict:
Malicious activity
Analysis date:
2024-07-09 21:25:44 UTC
Tags:
api-base64 zgrat pureminer netreactor
Link:
https://app.any.run/tasks/cf446b73-0664-4f9d-b472-e778a376423b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2147.2308.11865.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=668daa3bec881b573673f9fawin10vpnfull_triage
Tags:
Generic Stealth Msil
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys packed
Link:
https://www.filescan.io/uploads/668daa39bb965284a1c5e96d/reports/6320ba6d-821a-4053-93da-6348769b69c1/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/37d645383ac6c20846f2342aec1bd6e2e6a5a871c0b47a71e1c6d1f893c90543
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7fcf89da-ff51-4a7c-836f-ff1aa3c3a3be
Result
Threat name:
PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1470427
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected PersistenceViaHiddenTask
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1470427 Sample: SecuriteInfo.com.Trojan.Pac... Startdate: 09/07/2024 Architecture: WINDOWS Score: 100 29 relay-01-static.com 2->29 31 fp2e7a.wpc.phicdn.net 2->31 33 fp2e7a.wpc.2be4.phicdn.net 2->33 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus / Scanner detection for submitted sample 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 8 other signatures 2->43 7 InputBlockSize.exe 3 2->7         started        10 SecuriteInfo.com.Trojan.PackedNET.2147.2308.11865.exe 6 2->10         started        13 InputBlockSize.exe 2 2->13         started        15 InputBlockSize.exe 2 2->15         started        signatures3 process4 file5 45 Antivirus detection for dropped file 7->45 47 Multi AV Scanner detection for dropped file 7->47 49 Machine Learning detection for dropped file 7->49 53 3 other signatures 7->53 17 MSBuild.exe 1 2 7->17         started        21 C:\Users\user\AppData\...\InputBlockSize.exe, PE32+ 10->21 dropped 23 C:\...\InputBlockSize.exe:Zone.Identifier, ASCII 10->23 dropped 25 SecuriteInfo.com.T....2308.11865.exe.log, CSV 10->25 dropped 51 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 10->51 signatures6 process7 dnsIp8 27 relay-01-static.com 91.92.240.9, 39001, 49726, 57008 THEZONEBG Bulgaria 17->27 35 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 17->35 signatures9
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/37d645383ac6c20846f2342aec1bd6e2e6a5a871c0b47a71e1c6d1f893c90543
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/37d645383ac6c20846f2342aec1bd6e2e6a5a871c0b47a71e1c6d1f893c90543/
Threat name:
ByteCode-MSIL.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2024-06-24 12:28:15 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g7lekob2y3baqrxsgqvoyg6w4ltklkdryc2hu4pby3i7re6javbq._file
Verdict:
malicious
Similar samples:
37d645383ac6c20846f2342aec1bd6e2e6a5a871c0b47a71e1c6d1f893c90543
PureLogsStealer
6f37a0e103969097717c3a290977c2e1faaf04e5468f7f9e5cdf80d8598156c8
PureLogsStealer
dde68755fa515158e01e3e8f2b90772dc86e25b7e2684fc5066a5e33ee22b614
PureLogsStealer
dfba4d1c63cb8b9e426b04fa2b048bfe4554de13e7ce1c2c5e665cc708a23d09
PureLogsStealer
f229b3725dbe9bc2b555daac400a1549cc6439d1a46e20a41578f42a2bf4c70a
PureLogsStealer
+ 1'032 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/240709-z8fmdswgjn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/173c7a8f-1422-4b96-b7f1-d61ad264666f
Unpacked files
SH256 hash:
37d645383ac6c20846f2342aec1bd6e2e6a5a871c0b47a71e1c6d1f893c90543
MD5 hash:
13f5245d5e08141f7683be6418bfd81c
SHA1 hash:
b7629fabf8a95a28aa4b6b7137fd8a3192ac9876
Link:
https://www.unpac.me/results/94ef7b17-6005-477a-94be-4178c2aa5e4e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/37d645383ac6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/37d645383ac6c20846f2342aec1bd6e2e6a5a871c0b47a71e1c6d1f893c90543

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

Executable exe 37d645383ac6c20846f2342aec1bd6e2e6a5a871c0b47a71e1c6d1f893c90543

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2946994/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2947059/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments