MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 461dc2509572b54f85ba0aed30d4a9969b0fcbf156da5f177270f741398e5b8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureLogsStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 17 File information Comments

SHA256 hash:	461dc2509572b54f85ba0aed30d4a9969b0fcbf156da5f177270f741398e5b8e
SHA3-384 hash:	88d656b82b52a0f913a56c1a5d7e325e06bf80e462eeaa6b2eac833b692fc8df81a64d2167a1ca08ff4543a4d7de0f9e
SHA1 hash:	e03a6626b72b120b4e0b3746d7d07f929498c59e
MD5 hash:	95f47649af49eb2bd587036e86d73616
humanhash:	steak-alaska-jig-summer
File name:	PO 2942024.exe
Download:	download sample
Signature	PureLogsStealer Create hunting rule
File size:	701'440 bytes
First seen:	2024-04-30 05:33:59 UTC
Last seen:	2024-04-30 06:37:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:0TB778QNRc+EACzS6h1I3UoGKLvQRcSbuT4w4ajMK18szCR:6Bezf/AnIWYO4MF1xz
Threatray	235 similar samples on MalwareBazaar
TLSH	T18EE4238BE3C992E6D5EF43BEA89664190B34B9534AD0E78D0FC640CDFD13FC18A21166
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	4018f9e960e20464 (19 x AgentTesla, 6 x Formbook, 2 x PureLogsStealer)
Reporter	abuse_ch
Tags:	exe PureLogStealer

Intelligence

File Origin

# of uploads :

# of downloads :

311

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

461dc2509572b54f85ba0aed30d4a9969b0fcbf156da5f177270f741398e5b8e.exe

Verdict:

Malicious activity

Analysis date:

2024-04-30 05:36:21 UTC

Tags:

formbook stealer spyware xloader

Link:

https://app.any.run/tasks/aafc0473-dc7b-4491-9897-50770056d1d0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a file

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/663082d675339da04fa75ca9/reports/bc2b45f3-d065-4f2b-8762-637571b5fe5d/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/461dc2509572b54f85ba0aed30d4a9969b0fcbf156da5f177270f741398e5b8e

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5825a06d-eef7-43e0-a4d5-5623a02a3650

Result

Threat name:

FormBook, PureLog Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1433829

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected FormBook

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/461dc2509572b54f85ba0aed30d4a9969b0fcbf156da5f177270f741398e5b8e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/461dc2509572b54f85ba0aed30d4a9969b0fcbf156da5f177270f741398e5b8e/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2024-04-29 03:09:58 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=iyo4euevok2u7bn2blwtbvfjs2nq7s7rk3nf6f3sod3ucomoloha._file

Verdict:

malicious

PureLogsStealer

57cfb4702d6902a5848f4c9536381f46e1b1b4870f5df749ba4d3f15660e8947

PureLogsStealer

5d2b78785f719fda04cda095b4dfb75d00440fc39ab6e52d176a74786541bdaf

PureLogsStealer

c79fe9575611a361113d1bbc4929fd078461c6a935166a1f39ebfcac7009bf53

PureLogsStealer

+ 225 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/240430-f9ft1aeb41/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Unpacked files

SH256 hash:

575d389e5e458241b21551ac2ac0a20aa4de8f36e83a7a537431529a02c72b2a

MD5 hash:

4adffe894b204c2067c5a6fbb3e8be98

SHA1 hash:

018a92025ba05c00da9b66909f584523c600921e

Detections:

win_formbook_w0

win_formbook_g0

Link:

https://www.unpac.me/results/09e797c7-6a76-4cd5-84d6-0c6ff221a20b/

SH256 hash:

159c5f516645cb942ac1cc9587b2386e5cc5587e12cd7bfb075d7ff556967c04

MD5 hash:

27fd78cd27e3fd909821028f54025729

SHA1 hash:

a47272086e7980938f433c8328355e53573e7cb5

Link:

https://www.unpac.me/results/09e797c7-6a76-4cd5-84d6-0c6ff221a20b/

SH256 hash:

da9b95bd64c416e4c39111ff2ffcd00878c62abbe9dfd089e38eebcf53febf49

MD5 hash:

8aa29fafac63903c0151c08e2cd0768c

SHA1 hash:

9d387c429825159714b2403b85295071517c735a

Link:

https://www.unpac.me/results/09e797c7-6a76-4cd5-84d6-0c6ff221a20b/

SH256 hash:

aed4a976a528f9472b707daae3bc4e722978bce7f0ac54b72cf1cfcd5981a5d8

MD5 hash:

9e4aea62ee76efb9013e6440afd8ffe6

SHA1 hash:

8d597f109698e7c74da0f20815fc4da575ce29c4

Link:

https://www.unpac.me/results/09e797c7-6a76-4cd5-84d6-0c6ff221a20b/

SH256 hash:

de5752577676a4134851cfdc89422a3832761b633272a7ff0882c12b21809c11

MD5 hash:

3190fa631fd85fef77c53d0e519dde19

SHA1 hash:

70080495f53699c3334441d944c68220f98e366a

Link:

https://www.unpac.me/results/09e797c7-6a76-4cd5-84d6-0c6ff221a20b/

SH256 hash:

bf24e3d51b96eb9687fbd9107df383008c95d18244300d0f2270864dea830dd7

MD5 hash:

9b65b3f5b4b6df39b0655be15b23f50c

SHA1 hash:

52a81b7d5377d6aa7a5ef4565b9266c73fa9dd4b

Link:

https://www.unpac.me/results/09e797c7-6a76-4cd5-84d6-0c6ff221a20b/

SH256 hash:

830673ebed2abdcc6ebcf416b82f39c68052932b30565b430635ce3491f655a0

MD5 hash:

a5f76f50b3b045e697742c3ba6d2fe09

SHA1 hash:

c363ebeca2753d560c9ea2d313ec6f7ad4dd7034

Link:

https://www.unpac.me/results/09e797c7-6a76-4cd5-84d6-0c6ff221a20b/

SH256 hash:

d8230ba4920a6bc24e5644a5b8c1888ef37d6af38405fbae34eebdf55df3dd23

MD5 hash:

168ae641f9c95fba8dda9904a226b9a1

SHA1 hash:

b185c94d2ac821803bee33446a77833638a6c205

Link:

https://www.unpac.me/results/09e797c7-6a76-4cd5-84d6-0c6ff221a20b/

SH256 hash:

1e7e302fa8c51bfc343c2dd51b9d0077c2c3cddbb28aa031755c7b9bb968f5a0

MD5 hash:

be667908402e307c43060f79a109ad9b

SHA1 hash:

7f74c6b969ddee9d1d61831ba1d0ec956ab2ca54

Link:

https://www.unpac.me/results/09e797c7-6a76-4cd5-84d6-0c6ff221a20b/

SH256 hash:

15d04ef6c79f5e466d771205764e23d1ee232b435d1182b41e26600d4d72f88b

MD5 hash:

cc5582f1d5c4dd280afaff035678b894

SHA1 hash:

6ad21d0662ffd6365ac6f6c09a5aa66046ba5755

Link:

https://www.unpac.me/results/09e797c7-6a76-4cd5-84d6-0c6ff221a20b/

SH256 hash:

26200fcfd4c49f1f803795462993df771ea0d281ac9f4b63e16c3a8fbeefbadf

MD5 hash:

31281a6f3bcb94392f561283863bb66a

SHA1 hash:

4590b026e04948bf48b752ca8404529629062913

Link:

https://www.unpac.me/results/09e797c7-6a76-4cd5-84d6-0c6ff221a20b/

SH256 hash:

1beba4db9bdaddf092bdbc743f33b09c4ea10730aa1cf65b6ebe81df44860277

MD5 hash:

436f58cb8bfe5f489d2e647a1a748767

SHA1 hash:

13c6a095a24b19f29f171abd146eacc710987c34

Link:

https://www.unpac.me/results/09e797c7-6a76-4cd5-84d6-0c6ff221a20b/

SH256 hash:

461dc2509572b54f85ba0aed30d4a9969b0fcbf156da5f177270f741398e5b8e

MD5 hash:

95f47649af49eb2bd587036e86d73616

SHA1 hash:

e03a6626b72b120b4e0b3746d7d07f929498c59e

Link:

https://www.unpac.me/results/09e797c7-6a76-4cd5-84d6-0c6ff221a20b/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/461dc2509572/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/461dc2509572b54f85ba0aed30d4a9969b0fcbf156da5f177270f741398e5b8e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample