MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59e7180a2a869453fb54d13f04b4eda1a5153659378501fa31b18f862576f800. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59e7180a2a869453fb54d13f04b4eda1a5153659378501fa31b18f862576f800
SHA3-384 hash: b353fd45979b035ce677eb0c516e399574e47446a6d2d6e86e78f7a73c602c64ac1e3d876ee959c91bb9c6d2014f40bb
SHA1 hash: a4f8e2102645ad87b37c4de7fa45779d3bb70f18
MD5 hash: 8f505e8ec6a2129264b6609d96e68962
humanhash: sink-rugby-music-carpet
File name:8f505e8ec6a2129264b6609d96e68962
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:5'687'296 bytes
First seen:2024-01-30 03:45:13 UTC
Last seen:2024-01-30 05:32:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:tl+wZnx28ufF6eE39oRGIOVgdDll+wZnx28uf36eE39oRGIOVgdDp:
Threatray 130 similar samples on MalwareBazaar
TLSH T1BF46C0261B670A730E5CA78C3476D48A144DC9FB2AE85722BFD57E3007CED382DDA5A4
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe PureLogStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
271
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
4363463463464363463463463.exe
Verdict:
Malicious activity
Analysis date:
2024-01-30 20:12:40 UTC
Tags:
opendir loader hausbomber stealer stealc rat remcos remote evasion asyncrat rhadamanthys keylogger redline gcleaner ramnit trojan azorult phorpiex pureloader purecrypter amadey botnet backdoor dcrat arechclient2 neoreklami agenttesla metastealer adware risepro socks5systemz proxy
Link:
https://app.any.run/tasks/8ccd5547-d450-4742-8722-9ef278089fbc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/473526/
Detection(s):
SecuriteInfo.com.Trojan.Siggen24.32624.30525.14636.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Enabling the 'hidden' option for files in the %temp% directory
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin update
Link:
https://www.filescan.io/uploads/65b870fc0eab2d160549ea8f/reports/7f74a40e-9264-4d27-807d-e8247fc424e1/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/59e7180a2a869453fb54d13f04b4eda1a5153659378501fa31b18f862576f800
Result
Verdict:
MALICIOUS
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1f249cd8-3c7e-43f6-b73f-4eed60d73874
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1383104
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Drops large PE files
Drops PE files to the startup folder
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected PureLog Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1383104 Sample: RMruQ6cpHL.exe Startdate: 30/01/2024 Architecture: WINDOWS Score: 100 96 Multi AV Scanner detection for domain / URL 2->96 98 Found malware configuration 2->98 100 Antivirus detection for URL or domain 2->100 102 14 other signatures 2->102 7 hluzquk.exe 2->7         started        11 Rwshevq.exe 2->11         started        13 RMruQ6cpHL.exe 8 2->13         started        15 6 other processes 2->15 process3 file4 72 C:\Users\user\AppData\Roaming\Rwshevq.exe, PE32+ 7->72 dropped 130 Multi AV Scanner detection for dropped file 7->130 132 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->132 134 Modifies the context of a thread in another process (thread injection) 7->134 17 hluzquk.exe 7->17         started        136 Injects a PE file into a foreign processes 11->136 22 Rwshevq.exe 11->22         started        74 C:\Users\user\AppData\Local\Temp\rock.exe, PE32 13->74 dropped 76 C:\Users\user\AppData\Local\Temp\blbrok.exe, PE32 13->76 dropped 24 rock.exe 14 11 13->24         started        26 blbrok.exe 6 13->26         started        78 C:\Users\user\AppData\Local\...\vulkan-1.dll, PE32+ 15->78 dropped 80 C:\Users\user\AppData\...\vk_swiftshader.dll, PE32+ 15->80 dropped 82 C:\Users\user\AppData\Local\Temp\...\main.exe, PE32+ 15->82 dropped 84 13 other files (8 malicious) 15->84 dropped 138 Antivirus detection for dropped file 15->138 140 Machine Learning detection for dropped file 15->140 142 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 15->142 144 3 other signatures 15->144 28 InstallUtil.exe 15->28         started        30 conhost.exe 15->30         started        32 conhost.exe 15->32         started        34 3 other processes 15->34 signatures5 process6 dnsIp7 86 38.170.242.108 COGENT-174US United States 17->86 42 C:\Users\user\AppData\Local\...42fkneoelk.exe, PE32 17->42 dropped 44 C:\Users\user\AppData\...\sqlite.interop.dll, PE32+ 17->44 dropped 104 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->104 106 Tries to steal Mail credentials (via file / registry access) 17->106 108 Found many strings related to Crypto-Wallets (likely being stolen) 17->108 36 Nfkneoelk.exe 17->36         started        46 C:\Users\user\AppData\Local\...behaviorgraphzncuaa.exe, PE32 22->46 dropped 110 Tries to harvest and steal browser information (history, passwords, etc) 22->110 112 Tries to harvest and steal Bitcoin Wallet information 22->112 40 Gzncuaa.exe 22->40         started        88 208.95.112.1 TUT-ASUS United States 24->88 90 149.154.167.220 TELEGRAMRU United Kingdom 24->90 48 C:\Users\...\Microsoft Windows Update.exe, PE32 24->48 dropped 114 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->114 116 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 24->116 118 Drops PE files to the startup folder 24->118 120 Queries memory information (via WMI often done to detect virtual machines) 24->120 50 C:\Users\user\AppData\Local\...\TypeId.exe, PE32 26->50 dropped 122 Multi AV Scanner detection for dropped file 26->122 124 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 26->124 126 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 26->126 92 172.67.162.192 CLOUDFLARENETUS United States 28->92 94 194.33.191.53 AQUA-ASRO unknown 28->94 52 C:\Users\user\AppData\Local\Temp\szfblc.exe, PE32 28->52 dropped 54 C:\Users\user\AppData\Local\...\hluzquk.exe, PE32+ 28->54 dropped file8 signatures9 process10 file11 56 C:\Users\user\AppData\Local\...\vulkan-1.dll, PE32+ 36->56 dropped 58 C:\Users\user\AppData\...\vk_swiftshader.dll, PE32+ 36->58 dropped 60 C:\Users\user\AppData\Local\Temp\...\main.exe, PE32+ 36->60 dropped 68 7 other files (3 malicious) 36->68 dropped 128 Drops large PE files 36->128 62 C:\Users\user\AppData\Local\...\vulkan-1.dll, PE32+ 40->62 dropped 64 C:\Users\user\AppData\...\vk_swiftshader.dll, PE32+ 40->64 dropped 66 C:\Users\user\AppData\Local\Temp\...\main.exe, PE32+ 40->66 dropped 70 7 other files (3 malicious) 40->70 dropped signatures12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/59e7180a2a869453fb54d13f04b4eda1a5153659378501fa31b18f862576f800
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/59e7180a2a869453fb54d13f04b4eda1a5153659378501fa31b18f862576f800/
Threat name:
ByteCode-MSIL.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2024-01-20 00:08:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
21 of 23 (91.30%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lhtrqcrkq2kfh62u2e7qjnhnugsrknszg6cqd6rrwghymjlw7aaa._file
Verdict:
malicious
Similar samples:
2ba23a256551d2b59785b96b6e2b79b3a1a63c3e634b6a1e2690d48c8450e80a
PureLogsStealer
34e8f89b08f8eb1ed0a72f0cc584bcc816ed56338ec8164c9f303fb53bb89cf5
PureLogsStealer
4acddc15352051552d4684fff6d07d18305cf7276d208adf7e2f59c5a70c909a
PureLogsStealer
72f5f9230c025a393d1362241679fd0dd5c48b7e3786591f35b3f74eccf53978
PureLogsStealer
8868ea6af3214fc758c93c1cb909231a76e22e718a4917aae5f2a60cf12af094
PureLogsStealer
c1a7adbef8fb6d94955cbae7dd0dd5c2778eb4cb45e56b73ccc772274bcb55da
PureLogsStealer
+ 120 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat rat spyware stealer
Link:
https://tria.ge/reports/240130-ebmdfsfhf4/
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
cce14a677c9461acfe924ebc65222365fed422e155f63628831f844c94d57820
MD5 hash:
d8cc7920dafb49c2ae8752614ea30e7c
SHA1 hash:
f8bab611a4e716de45f6743a9001083bda04321a
Link:
https://www.unpac.me/results/664747c3-67af-45d5-a0e4-c38ea5ce9394/
SH256 hash:
ef5a664c1d2bb56463019845d197f5621eab330abed7e5d0c622dfc677478520
MD5 hash:
bfe7069b39ef3800f1c20942a6ecd200
SHA1 hash:
a7a3a6eefd8fc0cddac6f7835a8daceeb620d8ba
Link:
https://www.unpac.me/results/664747c3-67af-45d5-a0e4-c38ea5ce9394/
SH256 hash:
78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677
MD5 hash:
f9d2985aa1c41cca281321fffb5ed424
SHA1 hash:
3a7a58d2dcae2762882357ae34d372744b1dbb9d
Link:
https://www.unpac.me/results/664747c3-67af-45d5-a0e4-c38ea5ce9394/
SH256 hash:
d7f5e3fc7e380e56ceba0dbe34c04c5222a7bcaeb37b5f8c632564b64371fbc4
MD5 hash:
d470de8671c3481bf1e8e0f5c5d63a6d
SHA1 hash:
31812ec49d6cb418c8f011fa75fe701dd63be287
Link:
https://www.unpac.me/results/664747c3-67af-45d5-a0e4-c38ea5ce9394/
SH256 hash:
85e9c8291e1e4629df517e7aaefed1640e2a44283027a9127a54c1aeee4b2fe3
MD5 hash:
b6987f1725f2157069a931e79228cbd3
SHA1 hash:
a7bdabe2ec98712b4fcb2175f615ac2a3f8d1ff1
Link:
https://www.unpac.me/results/664747c3-67af-45d5-a0e4-c38ea5ce9394/
SH256 hash:
3aedb56f66dffe7afa34c8ae888d507b34f099cf7f74037ae77ff3fb38cad36d
MD5 hash:
bc713bf795c8ae89cdeb603ff1e727ae
SHA1 hash:
a2d899ff55e812d1d17d65de0d561fa890a32713
Detections:
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/664747c3-67af-45d5-a0e4-c38ea5ce9394/
SH256 hash:
59e7180a2a869453fb54d13f04b4eda1a5153659378501fa31b18f862576f800
MD5 hash:
8f505e8ec6a2129264b6609d96e68962
SHA1 hash:
a4f8e2102645ad87b37c4de7fa45779d3bb70f18
Link:
https://www.unpac.me/results/664747c3-67af-45d5-a0e4-c38ea5ce9394/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/59e7180a2a869453fb54d13f04b4eda1a5153659378501fa31b18f862576f800

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

Executable exe 59e7180a2a869453fb54d13f04b4eda1a5153659378501fa31b18f862576f800

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2753372/
Cape
Cape
https://www.capesandbox.com/analysis/473526/

Comments


Avatar
zbet commented on 2024-01-30 03:45:14 UTC

url : hxxps://magic.poisontoolz.com/Binded.exe