MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38aec404a7cefe3106996eac746e90ee658f63e66976830196e8eb1c68a8a30f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38aec404a7cefe3106996eac746e90ee658f63e66976830196e8eb1c68a8a30f
SHA3-384 hash: c7b060e1fdf9324dea9d0c4c309494a6703e511dd1a1723c9c2284cb23b1210dad2f8d658b2c076040bd1f81702f6cbf
SHA1 hash: 3644d30f5b43b59afaceaae7f6a1cba2393d938c
MD5 hash: d96267ad9812c133efeea9de18b14c02
humanhash: virginia-echo-west-uncle
File name:d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55_dump.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:921'088 bytes
First seen:2024-07-13 00:23:56 UTC
Last seen:2024-07-24 13:06:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:pdZvmA/hqoZGYqDehsKTywPVpoPSTCcvplMEyk7ltK6P:pd1muqbYq3KPpoPSTCcvLauBP
Threatray 407 similar samples on MalwareBazaar
TLSH T1E81522433AE54B15D2B8AF74C0E7492007E1DA8776B3CA89BD4447DE4E123E5CE9CB1A
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter ukycircle
Tags:exe PureLogStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
357
Origin country :
JP JP
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
38aec404a7cefe3106996eac746e90ee658f63e66976830196e8eb1c68a8a30f.exe
Verdict:
Malicious activity
Analysis date:
2024-07-13 00:24:33 UTC
Tags:
purecrypter netreactor exfiltration purelogs stealer
Link:
https://app.any.run/tasks/b6d7ef9d-b47a-4c0a-a690-576b484468c0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.6005.10833.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6691c923bcca3f923eb45a99win7simulatehigh_evasion
Tags:
Generic Stealth
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Reading critical registry keys
Creating a file
Launching a process
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
net_reactor packed packed
Link:
https://www.filescan.io/uploads/6691c923748dbbe27183f16b/reports/f9b795e1-70b9-4244-8158-aca15593f549/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/38aec404a7cefe3106996eac746e90ee658f63e66976830196e8eb1c68a8a30f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c275623f-3515-417e-893a-a5ff0e79b038
Result
Threat name:
PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1472593
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Contains functionality to capture screen (.Net source)
Deletes itself after installation
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/38aec404a7cefe3106996eac746e90ee658f63e66976830196e8eb1c68a8a30f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/38aec404a7cefe3106996eac746e90ee658f63e66976830196e8eb1c68a8a30f/
Threat name:
ByteCode-MSIL.Trojan.ZgRAT
Create hunting rule
Status:
Malicious
First seen:
2024-07-13 00:24:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hcxmibfhz37dcbuzn2whi3uq5zsy6y7gnf3igamw5dvry2fiumhq._file
Verdict:
suspicious
Similar samples:
38aec404a7cefe3106996eac746e90ee658f63e66976830196e8eb1c68a8a30f
PureLogsStealer
39acd505663ef230a0871108eb33536dd87367ef886c1f209784e7434a930346
PureLogsStealer
4589cef24c0d5800c245c74d5b4c3f38bb5bc5893db52a58740a26b011ebe4c9
PureLogsStealer
6095332b4a96dee4fa6e71a5c233842977eddcdb1a57663943685d96fb27e8e3
PureLogsStealer
697444c2cb0a7bd6fde35bd250870e7a9aa4a2b49beb0ff2c795f8c507bb5c15
PureLogsStealer
767ad6a683c15dc908cd12b10e115c9b3dd1de419ac8f84ce80ccbfd7c0a564a
PureLogsStealer
d80327695eebee6940b7a55704b4c712e22c37f5bc95f2d5d6fc83e90f87bf55
PureLogsStealer
+ 397 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/240713-ap2m3sxdpp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Deletes itself
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f36b3b9b-1c9e-4356-86f6-4195a00a2f1b
Unpacked files
SH256 hash:
791a41f5a5d7f1662895d7d1e812407807317b6d07b95b911e6fbebda372edc8
MD5 hash:
a0bd094d299074d2e9e3ff6c543a3df1
SHA1 hash:
da45b56a139e54177b7380c4f5c416810b69f2f6
Link:
https://www.unpac.me/results/4bc94f53-c76a-42bb-8fed-927de4773518/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/4bc94f53-c76a-42bb-8fed-927de4773518/
SH256 hash:
6c623f97ec9960c328d480af729224602fa7603dd4e796216f6de39d875f2a27
MD5 hash:
e1ac6cee4125a1c3efdc9597d2007c77
SHA1 hash:
1c1e12f6b422be26e10e81bc566e657fa0d6ac8e
Link:
https://www.unpac.me/results/4bc94f53-c76a-42bb-8fed-927de4773518/
SH256 hash:
23066ad4d60ddf9cf143df94cbb22e5e256975abb6807f06701b4878fcd4b84a
MD5 hash:
6b9515afcce8af6dec7fbf4d436a4295
SHA1 hash:
0d9916410049d5ab220a3ce192a37beb01a64a94
Link:
https://www.unpac.me/results/4bc94f53-c76a-42bb-8fed-927de4773518/
SH256 hash:
38aec404a7cefe3106996eac746e90ee658f63e66976830196e8eb1c68a8a30f
MD5 hash:
d96267ad9812c133efeea9de18b14c02
SHA1 hash:
3644d30f5b43b59afaceaae7f6a1cba2393d938c
Link:
https://www.unpac.me/results/4bc94f53-c76a-42bb-8fed-927de4773518/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/38aec404a7ce/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/38aec404a7cefe3106996eac746e90ee658f63e66976830196e8eb1c68a8a30f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments