MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 503cb62569cf05f5c94fd45470d3fdae5a9c86ffc253ae086d727a1ad62337f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: PureLogsStealer
Vendor detections: 8



SHA256 hash: 503cb62569cf05f5c94fd45470d3fdae5a9c86ffc253ae086d727a1ad62337f7
SHA3-384 hash: 686b30f265a8c2fa8c343aca9985e9c2516a6fcbec76b410c02e332582c776ef2b880b5fa5e2df01d6bf943ab39f3e31
SHA1 hash: b856166c5f336facf362e1300404b7dd3cb4ed22
MD5 hash: 84fc911bc7f305f4f1e1526f114b32e8
humanhash: oven-winner-mexico-florida
File name: kuskus.ps1
Signature: PureLogsStealer
File size: 2'853 bytes
First seen: 2024-04-03 07:25:05 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 48:URyBE/XfKdcirV/JRJhrOJtnJsMiPH7EbmYtIR1cu1P36:NBE/Sdl7LrOtHm/TXPq
TLSH: T14651E9B78BBA3174CBA18964255DB49BE3246D8E38400E722E3D8CD8A547C2311ED2FC
Reporter: likeastar20
Tags: ps1 PureLogStealer

Intelligence


File Origin
Uploads: 1
Downloads: 163
Origin country: RO
Vendor Threat Intelligence
Result
Verdict: MALICIOUS
Details:
Base64 Encoded Powershell Directives: Detected one or more base64 encoded Powershell directives.
Base64 Encoded URL: Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name: Amadey, PureLog Stealer, Xmrig
Detection: malicious
Classification: troj.spyw.expl.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Contains functionality to detect sleep reduction / modifications
Contains functionality to prevent local Windows debugging
Contains functionality to steal Opera passwords
Creates multiple autostart registry keys
Disables Windows Defender (via service or powershell)
Drops large PE files
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found strings related to Crypto-Mining
Found suspicious powershell code related to unpacking or dynamic code loading
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected UAC Bypass using CMSTP
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (flattened rendering of the sandbox process graph; only its header metadata and top-level process list are kept here):
Behavior Graph ID: 1419214
Sample: kuskus.ps1
Startdate: 03/04/2024
Architecture: WINDOWS
Score: 100
Top-level processes started: powershell.exe, vuupdate2.exe, CachemanServ.exe, 6 other processes
Verdict: unknown
Result
Malware family:
Score: 10/10
Tags: family:zgrat rat
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
Detect ZGRat V1
ZGRat
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Rule name:Disable_Defender
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:SUSP_PowerShell_Base64_Decode
Author:SECUINFRA Falcon Team
Description:Detects PowerShell code to decode Base64 data. This can yield many FP

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Signature: PureLogsStealer
File type: PowerShell (PS) ps1
SHA256: 503cb62569cf05f5c94fd45470d3fdae5a9c86ffc253ae086d727a1ad62337f7 (this sample)
