MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5abfb608327ac2f241c115ab584dcc5d6811e9a3441e8d4e63ed781bd393a6f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5abfb608327ac2f241c115ab584dcc5d6811e9a3441e8d4e63ed781bd393a6f6
SHA3-384 hash: 8f64f53bb8ab0c32eb0376bc767ef4f87a3dbf097ec124cd2c0f531e112f1cdccc870e1600b078bf51d2b1d98acd0d1e
SHA1 hash: 288b89f5101ab52b51b3ac3db70e602ecaf2f18e
MD5 hash: f8971cceae9419a4d2d3d8d83ec0c45d
humanhash: cat-robert-oxygen-yellow
File name:file
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:617'984 bytes
First seen:2024-07-31 23:22:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 95d4113c25a148a48f2688574ed71076 (3 x LummaStealer, 2 x Stealc, 1 x PureLogsStealer)
ssdeep 12288:hK3DnvTNTXL5Jmzkh18h6dlsU25GD68RFEX7eeErD+etA9:hK3DvJn0w18GAyhqku
TLSH T110D4015271C0C472EA63193709A5D7B89A7EFE704EA46E8F6B840F7F4F31281DA21619
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter Bitsight
Tags:exe PureLogStealer


Avatar
Bitsight
url: https://vk.com/doc869877400_679197239?hash=uZopX6MjpFWcK8u3tI3vyxQ4DeApWNeZjTOzxQg4vrP&dl=OOg4BEArnZ4BPl3OkvTT92dEzIm2brZtGOQ9VUlrGzk&api=1&no_preview=1#xin

Intelligence

File Origin
# of uploads :
1
# of downloads :
371
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-07-31 23:26:08 UTC
Tags:
netreactor stealer metastealer
Link:
https://app.any.run/tasks/26e620d4-da4b-49d9-b01f-bdc6f3ae5753

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66aac75cb7a04efc74397bbe
Tags:
Crypt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file in the %temp% directory
Creating a file
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc fingerprint microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/66aac7585568402317171251/reports/dfdfa0d8-9d95-4e9d-98b3-7d928df04e96/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/5abfb608327ac2f241c115ab584dcc5d6811e9a3441e8d4e63ed781bd393a6f6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e26f1f13-029b-49f8-820a-ef6b559a2d46
Result
Threat name:
PureLog Stealer, RedLine, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1485703
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5abfb608327ac2f241c115ab584dcc5d6811e9a3441e8d4e63ed781bd393a6f6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5abfb608327ac2f241c115ab584dcc5d6811e9a3441e8d4e63ed781bd393a6f6/
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2024-07-30 15:28:50 UTC
File Type:
PE (Exe)
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lk73mcbsplbpeqobcwvvqtomlvubd2ndiqpi2ttd5v4bxu4tu33a._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  9/10
Tags:
credential_access discovery spyware stealer
Link:
https://tria.ge/reports/240731-3c5hesyfkr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Credentials from Password Stores: Credentials from Web Browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/17bda762-2963-4da4-bbfc-6fad64346e79
Unpacked files
SH256 hash:
f54fb0606acf9ce87a795fdbd1dc14be611616e2aacf740adc801aa823d53dcb
MD5 hash:
5627d0cacd30d2249be66e85529eabbe
SHA1 hash:
935c7ae6b972199046879c0a8443be0959db9a7a
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
MALWARE_Win_MetaStealer
Create hunting rule
Link:
https://www.unpac.me/results/4cfc6d9d-5d09-4856-a91e-5668b9b69acc/
Parent samples :
7a4b5e91d0222c145a45c4c844136be284a4df98737c6dae589d65c439d0e6d2
5abfb608327ac2f241c115ab584dcc5d6811e9a3441e8d4e63ed781bd393a6f6
c4af46f2a357b68ce8e5830d9639e0c9212c61ae5d0fd1bb283812217a14ab72
SH256 hash:
5abfb608327ac2f241c115ab584dcc5d6811e9a3441e8d4e63ed781bd393a6f6
MD5 hash:
f8971cceae9419a4d2d3d8d83ec0c45d
SHA1 hash:
288b89f5101ab52b51b3ac3db70e602ecaf2f18e
Link:
https://www.unpac.me/results/4cfc6d9d-5d09-4856-a91e-5668b9b69acc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5abfb608327a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5abfb608327ac2f241c115ab584dcc5d6811e9a3441e8d4e63ed781bd393a6f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

Executable exe 5abfb608327ac2f241c115ab584dcc5d6811e9a3441e8d4e63ed781bd393a6f6

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::VirtualAllocEx
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
KERNEL32.dll::CreateThreadpoolWork
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments