MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a864329af914f03439071ce674af617571fdd9ef7da17930d2978254ab6247a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureLogsStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 4 File information Comments

SHA256 hash:	5a864329af914f03439071ce674af617571fdd9ef7da17930d2978254ab6247a
SHA3-384 hash:	e878f9f51ef1fb81f10da9ff23406aae0d8b4f90a46e64520e3f56506995bb44016a7266795cfac3246a6adb64b79622
SHA1 hash:	408defcc25eb99a742f9f2c99ea5f16c36fb65bb
MD5 hash:	64a8834adbae73dbf2c6e743b32ab57b
humanhash:	shade-nuts-ohio-tennessee
File name:	FOC goods invoice pdf.exe
Download:	download sample
Signature	PureLogsStealer Create hunting rule
File size:	652'800 bytes
First seen:	2024-08-19 15:48:03 UTC
Last seen:	2024-08-19 16:42:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:B5PVuGmqBMVb2FIlr2xLv6s6HYQ/IkA7Ehpd:fAGmBgIlKxLvz5LJ7mp
TLSH	T1C1D4126077AAD925E2F81A7388D6802C07F07A56A133D70F5CD511C74A1AFE68BD2F27
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	689271e8e030f000 (3 x PureLogsStealer, 2 x Formbook)
Reporter	abuse_ch
Tags:	exe PureLogStealer

Intelligence

File Origin

# of uploads :

# of downloads :

365

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

FOC goods invoice pdf.exe

Verdict:

No threats detected

Analysis date:

2024-08-19 15:53:59 UTC

Tags:

netreactor

Link:

https://app.any.run/tasks/7627a542-d3b1-4ac3-af24-3838d694258f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.RATX-gen.3368.9455.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66c36934e7ff3f5a063b8f9c

Tags:

Static Stealth

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

masquerade net_reactor packed packed

Link:

https://www.filescan.io/uploads/66c369389a458267e53eed40/reports/e2ffde07-707e-4b1e-8551-abbf7204d5e8/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/5a864329af914f03439071ce674af617571fdd9ef7da17930d2978254ab6247a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7598d58c-a89a-4a5b-a98c-84c4a0cc6206

Result

Threat name:

PureLog Stealer

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1495102

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5a864329af914f03439071ce674af617571fdd9ef7da17930d2978254ab6247a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5a864329af914f03439071ce674af617571fdd9ef7da17930d2978254ab6247a/

Threat name:

ByteCode-MSIL.Trojan.PureLogStealer

Status:

Malicious

First seen:

2024-08-19 00:21:43 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lkdegknpsfhqgq4qohhgosxwc5lr7xm667nbpeynff4cksvwer5a._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/240819-s8texswfpl/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/42461d8b-63d4-43c8-ad56-1706b32e9e74

Unpacked files

SH256 hash:

ade90b8282cf57d023fd6c350ef1df0a7f2e91cf847c0942de7072f8d5ec3ad5

MD5 hash:

6f2e8205ae0124f173c3ba296ebb8ea7

SHA1 hash:

34d52baf653f7567e2b265960166d762723a06c1

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/8a5cea77-3517-4967-933b-7b3996bb8b12/

Parent samples :

46b74e87fffe9aeb77171bd1c51e4b502e5f9aa7810b246d8125d2a37dccf88e
65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9
8254d25a2c54050f8621c6ff69869e94b4cba878b5b246c00ac73377b4ae65b1
3efc2b27292ebddae979c22e9d9098832f35faa1c3403ef58f5b20e8e1e2f0c9
7eafa69b06a236e9dda3903e82a08228808f1bbb3c470eb7bfae0a2f4b13ae4f
e69cbec2c6a28dca27558736ea04f1b998ed42c2e70cf2934b12330df04bf3be
cbeee5f0d63a9178155739c1eca36e16ceaffc7ccda4154d991f068766df52ba
7aedd5e4277e592d13cb250945dac96a7b4877de807904f7caa9d8ffb14963a5
5d11fdb4cd576bd6d6785cc8fb787a36777347d69861c465797fb8b9875577f2
95b2a3c2a70e4a5c5bf76b86846d166140a537dd9e9aac6674a074864b035857
ee331b107bd18dfd8db52add917a98c284ef9d199d74bbc45e1fac0c3dbc477f
af238245a288eef2b2b3d4bf1c93d242406457f6e33b07ddec388c9f8788bd72
799053a90679ef7c3326656b1d341d66cae5ff7e274cafb37adf537c7729dc9e
4eaacedcb5c204340fb5b45bbf5b625f8951efdb4a4035b9b621d07880bd0002
00e001de6abc566bef2764d860c3d80f7a5907d3e32c23f53cd9d8182dd2e632
2328201990de5c77c0353c61e628c68a01aaef1d4566ef9816a1f0333562c5ea
db0f9627eb6f6d633f7211ce94d2ab53277140634443909f78b96a7b18c48b9e
38104a8e8f0fe6c31cac6a7b7a9c65d30ed8ca9186b7df9279821c1ecb238d77
3adc38e157c7b668b850a0f1aab6a426136537aa545516c75a23d5ee288c1f3d
2f05bb0856cb3780c5a18a2b84272956b34227a83113f180ca2d33baa4eee413
0ec10872b158b00d43ef67e8070174c9bb72dbd71c0a09da6b11c1512100d03a
244f3a2fad1afa232909355901f33cca18ea95444c5d142c7aa308170db5294f
4ce7efd002043fab126453cabaccb1fb4600d725c1d3c5f99c9664cbfc277a9f
26c64dc4553b8f6267967b05f024f5e887f24b397025eebcf202a6e43ad58bc7
0dd9a973afdffa9c3b64ef40aebbdeb13843aa39dde313a5c6693c41ff14b48c
ddea918e0f507e1cdab135b871112ded7f068a604b74873091a8a2afa6b64abb
5a864329af914f03439071ce674af617571fdd9ef7da17930d2978254ab6247a
55e7b8d1f820450960ca17726b799d4ff4a7722866427cd9e3058d591d074e80
15e428d7a7c1290d4249cc1b9e0f9f1abb801b15ace9e785babeedb6329806d5
25a2064d88df7b8a4d10beb5047e6d9781e1225fe4c05da6e7a2addcb63109e0
c733793c396f98ec7eccf793a4ecb71c1af71b6106d202afe28df463d5a60a24

SH256 hash:

3bfc92e9de0e24a9e40afe9c09304aed0c40e137213c7d2ae7d152ba0b04f273

MD5 hash:

669e7569b2c1e89c9c19c55f4d8d373b

SHA1 hash:

0d9bd2fc1015bd527f622c9ed697c01877350bbd

Link:

https://www.unpac.me/results/8a5cea77-3517-4967-933b-7b3996bb8b12/

SH256 hash:

5a864329af914f03439071ce674af617571fdd9ef7da17930d2978254ab6247a

MD5 hash:

64a8834adbae73dbf2c6e743b32ab57b

SHA1 hash:

408defcc25eb99a742f9f2c99ea5f16c36fb65bb

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/8a5cea77-3517-4967-933b-7b3996bb8b12/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

StrelaStealer

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5a864329af914f03439071ce674af617571fdd9ef7da17930d2978254ab6247a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample