MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3acdea11112584cd1f78da03f6af5cfc0f883309fc5ec552fa6b9c85a6c483bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3acdea11112584cd1f78da03f6af5cfc0f883309fc5ec552fa6b9c85a6c483bb
SHA3-384 hash: 3e6a2657cc8db17c8f861d9a66f7dc3e5da23f6b420496aabb4cfa3fb57c2c30e6028227a3a5fc0c22202283116e34c8
SHA1 hash: 6612a26d5db4a6a745fed7518ec93a1121fffd9c
MD5 hash: 76eae6ef736073145d6c06d981615ff9
humanhash: kilo-five-mexico-spring
File name:SecuriteInfo.com.IL.Trojan.MSILZilla.30455.29056.1307
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:3'430'912 bytes
First seen:2024-04-16 06:24:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 98304:Y/gORUJOUyQBOrgJedw0H+GSYq8dG+zMJ:Y/+J69gKw0e1Yq+P
Threatray 27 similar samples on MalwareBazaar
TLSH T14FF5E00BBA878DE5D34A273FC19B550C5BE8DA812217D71F79CA237525037BAA8C160F
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter SecuriteInfoCom
Tags:exe PureLogStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
293
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3acdea11112584cd1f78da03f6af5cfc0f883309fc5ec552fa6b9c85a6c483bb.exe
Verdict:
Malicious activity
Analysis date:
2024-04-16 06:29:39 UTC
Tags:
zgrat pureminer
Link:
https://app.any.run/tasks/885cf54c-27b5-4b32-abe9-39adc1520bca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade net_reactor packed packed
Link:
https://www.filescan.io/uploads/661e19c347bfd8641eac3e9b/reports/2549eacc-df5a-4ef3-976e-fd81c59ce9fd/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/3acdea11112584cd1f78da03f6af5cfc0f883309fc5ec552fa6b9c85a6c483bb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/56b39c64-5005-44a8-af58-4d61b1724c6f
Result
Threat name:
PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1426499
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected PersistenceViaHiddenTask
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1426499 Sample: SecuriteInfo.com.IL.Trojan.... Startdate: 16/04/2024 Architecture: WINDOWS Score: 100 76 filebin.net 2->76 82 Multi AV Scanner detection for domain / URL 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 Antivirus detection for URL or domain 2->86 88 13 other signatures 2->88 10 TypeId.exe 1 2->10         started        13 SecuriteInfo.com.IL.Trojan.MSILZilla.30455.29056.1307.exe 1 3 2->13         started        16 Startup.exe 2->16         started        18 2 other processes 2->18 signatures3 process4 file5 108 Multi AV Scanner detection for dropped file 10->108 110 Machine Learning detection for dropped file 10->110 112 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 10->112 114 Found direct / indirect Syscall (likely to bypass EDR) 10->114 20 TypeId.exe 10->20         started        23 cmd.exe 10->23         started        25 cmd.exe 10->25         started        74 C:\Users\user\AppData\Roaming\Startup.exe, PE32+ 13->74 dropped 116 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 13->116 118 Modifies the context of a thread in another process (thread injection) 13->118 120 Injects a PE file into a foreign processes 13->120 27 SecuriteInfo.com.IL.Trojan.MSILZilla.30455.29056.1307.exe 6 13->27         started        30 cmd.exe 1 13->30         started        32 cmd.exe 1 13->32         started        122 Loading BitLocker PowerShell Module 18->122 34 conhost.exe 18->34         started        36 WmiPrvSE.exe 18->36         started        signatures6 process7 file8 90 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 20->90 92 Writes to foreign memory regions 20->92 94 Modifies the context of a thread in another process (thread injection) 20->94 96 Injects a PE file into a foreign processes 20->96 38 MSBuild.exe 20->38         started        41 conhost.exe 23->41         started        43 ipconfig.exe 1 23->43         started        45 conhost.exe 25->45         started        47 ipconfig.exe 25->47         started        72 C:\Users\user\AppData\Roaming\...\TypeId.exe, PE32+ 27->72 dropped 98 Uses ipconfig to lookup or modify the Windows network settings 30->98 49 conhost.exe 30->49         started        51 ipconfig.exe 1 30->51         started        53 conhost.exe 32->53         started        55 ipconfig.exe 1 32->55         started        signatures9 process10 signatures11 100 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 38->100 102 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 38->102 104 Modifies the context of a thread in another process (thread injection) 38->104 106 3 other signatures 38->106 57 MSBuild.exe 38->57         started        60 cmd.exe 38->60         started        62 cmd.exe 38->62         started        process12 dnsIp13 78 filebin.net 88.99.137.18, 443, 49711, 49713 HETZNER-ASDE Germany 57->78 80 45.128.96.253, 39001, 49709, 49710 XXLNETNL Germany 57->80 64 conhost.exe 60->64         started        66 ipconfig.exe 60->66         started        68 conhost.exe 62->68         started        70 ipconfig.exe 62->70         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3acdea11112584cd1f78da03f6af5cfc0f883309fc5ec552fa6b9c85a6c483bb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3acdea11112584cd1f78da03f6af5cfc0f883309fc5ec552fa6b9c85a6c483bb/
Threat name:
ByteCode-MSIL.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2024-04-16 05:33:11 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hlg6ueirewcm2h3y3ib7nl247qhyqmyj7rpmkux2nooiljweqo5q._file
Verdict:
malicious
Similar samples:
2abf88086c88ec538403aaaf274e992ab8492f2402f5523f3d212e84c30f3c07
PureLogsStealer
3751dae5d0813f6ec2fcc253c65854ddad340be058b199f4eb0a540bbf878efe
PureLogsStealer
5c7e18764c02e02117f91213a2f66e63265d3ed30c0ea8ae1c9be8ff5ee4ba43
PureLogsStealer
85a1f398d30b7efd27dee5b78472a000c6303ebd29b067df1012cfb9d61bcffa
PureLogsStealer
b37f7be1a4d8373425660e726dbeb8ab32be2b94ea36ae2481db6f1c144e9735
PureLogsStealer
b835220d18074195e2df569e8088470b7f400c334aef1dd54dfe30e2019dab7a
PureLogsStealer
c961a1c23fe7e6704d8c4b718815dd0d1f93804de28756fb44ab0d6aa70776a1
PureLogsStealer
d2cfd66a33c6f1af2eb403108a578962b599a77b5cea6b4a06726a3c60ae8bca
PureLogsStealer
eb1e06e44907439d39f4ec93d973a8555ba0c683eab4b94c1035cb0bdf10e6c9
PureLogsStealer
+ 17 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat persistence rat
Link:
https://tria.ge/reports/240416-g6l3aadb81/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
3acdea11112584cd1f78da03f6af5cfc0f883309fc5ec552fa6b9c85a6c483bb
MD5 hash:
76eae6ef736073145d6c06d981615ff9
SHA1 hash:
6612a26d5db4a6a745fed7518ec93a1121fffd9c
Link:
https://www.unpac.me/results/830048d4-c793-4f22-b8b1-0e5d0e74365c/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

Executable exe 3acdea11112584cd1f78da03f6af5cfc0f883309fc5ec552fa6b9c85a6c483bb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2814830/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments