MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39f92d713caf05bf9043db2649aea9d2df4bd03e139c09a8e68dfca21d545f4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39f92d713caf05bf9043db2649aea9d2df4bd03e139c09a8e68dfca21d545f4a
SHA3-384 hash: 940f466f4e0178d3068faf05f1c48a3e291d5ea7ccf37d3dd54d42f79c9a53ef33156a2db6f96c0ccd2e09fc10821ea4
SHA1 hash: 3265a76ab3e92e5d77336427f3d6892fcb0d9cf7
MD5 hash: 115b5aae8c9a24258d28bfb74f638ac8
humanhash: quebec-potato-glucose-jersey
File name:39f92d713caf05bf9043db2649aea9d2df4bd03e139c09a8e68dfca21d545f4a
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:148'640 bytes
First seen:2024-05-08 13:14:10 UTC
Last seen:2024-05-08 14:16:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'672 x AgentTesla, 19'489 x Formbook, 12'212 x SnakeKeylogger)
ssdeep 1536:PezR1zewFnNK7GRvKVnnatIl6X0QnX3OON8UbBGk0:PI1zDFMQvynnatC6dW2h0
Threatray 531 similar samples on MalwareBazaar
TLSH T15BE32D543AA88C1FF3F06731479DD1110926ADA5F89C973A34963638BA71780682DFBF
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 92d1dc8e8686c6e0 (1 x XpertRAT, 1 x AveMariaRAT, 1 x Formbook)
Reporter adrian__luca
Tags:exe PureLogStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
323
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
39f92d713caf05bf9043db2649aea9d2df4bd03e139c09a8e68dfca21d545f4a
Verdict:
Malicious activity
Analysis date:
2024-05-08 13:13:20 UTC
Tags:
fileshare
Link:
https://app.any.run/tasks/ad660b25-9209-442d-827a-057592cd7c7e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.4221.10576.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %AppData% directory
Restart of the analyzed sample
Creating a process with a hidden window
Creating a file
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Reading critical registry keys
Connecting to a non-recommended domain
Sending an HTTP GET request
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/663b7ae711114a9ab5e2e244/reports/7aa94a6f-2e15-4349-bc50-1b4e7b41b2af/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/39f92d713caf05bf9043db2649aea9d2df4bd03e139c09a8e68dfca21d545f4a
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/514b7440-4e7e-47a6-9561-f7c5eeec5cd8
Result
Threat name:
AgentTesla, PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1438287
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Notepad Making Network Connection
Sigma detected: Suspicious Process Parents
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected Telegram RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1438287 Sample: Se7CZnlXZZ.exe Startdate: 08/05/2024 Architecture: WINDOWS Score: 100 48 api.telegram.org 2->48 50 dual-spov-0006.spov-msedge.net 2->50 52 8 other IPs or domains 2->52 72 Snort IDS alert for network traffic 2->72 74 Found malware configuration 2->74 76 Malicious sample detected (through community Yara rule) 2->76 80 13 other signatures 2->80 9 Se7CZnlXZZ.exe 16 5 2->9         started        14 notepad.exe 14 3 2->14         started        16 notepad.exe 2->16         started        signatures3 78 Uses the Telegram API (likely for C&C communication) 48->78 process4 dnsIp5 58 dual-spov-0006.spov-msedge.net 13.107.137.11, 443, 49744, 49747 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 9->58 42 C:\Users\user\AppData\Roaming\notepad.exe, PE32 9->42 dropped 94 Found many strings related to Crypto-Wallets (likely being stolen) 9->94 96 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->96 98 Injects a PE file into a foreign processes 9->98 18 Se7CZnlXZZ.exe 19 9->18         started        100 System process connects to network (likely due to code injection or exploit) 14->100 102 Multi AV Scanner detection for dropped file 14->102 23 notepad.exe 19 14->23         started        60 13.107.139.11, 443, 49751 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 16->60 25 notepad.exe 16->25         started        file6 signatures7 process8 dnsIp9 54 193.161.193.99, 42538, 49746, 49750 BITREE-ASRU Russian Federation 18->54 56 a0951646.xsph.ru 141.8.192.82, 49753, 49759, 80 SPRINTHOSTRU Russian Federation 18->56 38 C:\Users\user\AppData\Local\Temp\Vudknf.exe, PE32 18->38 dropped 82 Found many strings related to Crypto-Wallets (likely being stolen) 18->82 84 Tries to harvest and steal Bitcoin Wallet information 18->84 27 Vudknf.exe 18->27         started        40 C:\Users\user\AppData\...\Zrjmkwldei.exe, PE32 23->40 dropped 86 System process connects to network (likely due to code injection or exploit) 23->86 88 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->88 90 Tries to steal Mail credentials (via file / registry access) 23->90 92 Tries to harvest and steal browser information (history, passwords, etc) 23->92 30 Zrjmkwldei.exe 23->30         started        file10 signatures11 process12 signatures13 32 Vudknf.exe 27->32         started        104 Multi AV Scanner detection for dropped file 30->104 106 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 30->106 36 Zrjmkwldei.exe 30->36         started        process14 dnsIp15 44 api.telegram.org 149.154.167.220, 443, 49756, 49761 TELEGRAMRU United Kingdom 32->44 46 api.ipify.org 104.26.12.205, 443, 49755, 49760 CLOUDFLARENETUS United States 32->46 62 Installs a global keyboard hook 32->62 64 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 36->64 66 Tries to steal Mail credentials (via file / registry access) 36->66 68 Tries to harvest and steal ftp login credentials 36->68 70 Tries to harvest and steal browser information (history, passwords, etc) 36->70 signatures16
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/39f92d713caf05bf9043db2649aea9d2df4bd03e139c09a8e68dfca21d545f4a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/39f92d713caf05bf9043db2649aea9d2df4bd03e139c09a8e68dfca21d545f4a/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2024-04-29 20:43:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hh4s24j4v4c37ecd3mtetlvj2lpuxub6cooatkhgrx6kehkul5fa._file
Verdict:
malicious
Similar samples:
07632170506689c16d08c0ffe3b8ac37f959a35e5a4ac811e38318ac83b58f92
PureLogsStealer
46881e86cabd9d39cb7b57e9a85f2007c1c8fece41e3b5edd74c12f38c4acba9
PureLogsStealer
4ec050b4dfd931ed6d30256b3ed1d042f313860da23e7ca064aaf95ad83e257e
PureLogsStealer
71b506b1fbf26cef2b28bed51237f1f15e2fa7984af2a563aeb35a1e3cc71d64
PureLogsStealer
9387f4d0d04d48e9bdb9cbcb6edd9b2567fc50b0b5752c05b507c6953b33c742
PureLogsStealer
dc306a538c10c8e4ded86db7b1c4648191db7581b76c506bcf9ad511a5120aa8
PureLogsStealer
e6cb7e5622c6a86100f753343e7b7837a5e682f67c730d2a7e5c612ca54d8aba
PureLogsStealer
+ 521 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:zgrat collection keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/240508-qg73wsgf72/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Executes dropped EXE
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
AgentTesla
Detect ZGRat V1
ZGRat
Malware Config
C2 Extraction:
https://api.telegram.org/bot1263338506:AAEo1afaqZcanZqwKGJF2HA7xr6YOHyXHtU/
Unpacked files
SH256 hash:
39f92d713caf05bf9043db2649aea9d2df4bd03e139c09a8e68dfca21d545f4a
MD5 hash:
115b5aae8c9a24258d28bfb74f638ac8
SHA1 hash:
3265a76ab3e92e5d77336427f3d6892fcb0d9cf7
Link:
https://www.unpac.me/results/75454f21-3aeb-4362-b135-07f28213c2e9/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/39f92d713caf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
StrelaStealer
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/39f92d713caf05bf9043db2649aea9d2df4bd03e139c09a8e68dfca21d545f4a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments