MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b
SHA3-384 hash: 280bc9148ca87c037fdc30741024acddd61ffc49d65921a8e30472b53f8abdc284fc5424e7b878efed81155413926b2c
SHA1 hash: e6d057c501381d3604e24d73edc81254ddf7bbb1
MD5 hash: f333f0a16c7bb7129e6659e145525be6
humanhash: fanta-colorado-fanta-muppet
File name:SecuriteInfo.com.Trojan.DownLoaderNET.960.127.1983
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:184'616 bytes
First seen:2024-04-19 05:20:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:ZJgCU1m6NcbkgbpA9QPqym0Mxqwg0QSNU6Ji3G8uNLt9N18Y+ECc:Zuz1pNc8WGQwgVSri3G8uP9N/+
Threatray 562 similar samples on MalwareBazaar
TLSH T15604F8D043B8C03EC6D98531EBB501C70EB6DA63AD4AEFD7B59168A5A9033C056C1F9B
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 696a6ee2b2b2c2cc (18 x RedLineStealer, 17 x LummaStealer, 16 x CoinMiner)
Reporter SecuriteInfoCom
Tags:exe PureLogStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
326
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://csacsadhe.duckdns.org/byfronbypass.html/css/mss/
Verdict:
Malicious activity
Analysis date:
2024-04-18 17:38:06 UTC
Tags:
opendir loader
Link:
https://app.any.run/tasks/d6180b56-f836-440c-a56e-53ae5face4da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Restart of the analyzed sample
Creating a process with a hidden window
Creating a file
Using the Windows Management Instrumentation requests
Forced system process termination
Creating a process from a recently created file
Deleting a recently created file
Launching a process
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9d757ded-6299-4435-908d-a08ce3a6fabc
Result
Threat name:
PureLog Stealer, Xmrig, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1428541
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Detected Stratum mining protocol
Downloads files with wrong headers with respect to MIME Content-Type
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Child Process of AspNetCompiler
Sigma detected: Xmrig
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected PureLog Stealer
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1428541 Sample: SecuriteInfo.com.Trojan.Dow... Startdate: 19/04/2024 Architecture: WINDOWS Score: 100 65 miliutyhgdue.duckdns.org 2->65 67 juytlioojbni.duckdns.org 2->67 69 3 other IPs or domains 2->69 89 Sigma detected: Xmrig 2->89 91 Multi AV Scanner detection for domain / URL 2->91 93 Malicious sample detected (through community Yara rule) 2->93 97 18 other signatures 2->97 11 AlgorithmType.exe 2->11         started        14 Type.exe 14 3 2->14         started        16 sexev.exe 2->16         started        18 4 other processes 2->18 signatures3 95 Uses dynamic DNS services 67->95 process4 dnsIp5 111 Antivirus detection for dropped file 11->111 113 Multi AV Scanner detection for dropped file 11->113 115 Machine Learning detection for dropped file 11->115 21 AlgorithmType.exe 11->21         started        117 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 14->117 119 Modifies the context of a thread in another process (thread injection) 14->119 121 Injects a PE file into a foreign processes 14->121 24 Type.exe 2 14->24         started        26 sexev.exe 16->26         started        71 juytlioojbni.duckdns.org 91.92.246.15, 49706, 49707, 49712 THEZONEBG Bulgaria 18->71 123 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 18->123 125 Loading BitLocker PowerShell Module 18->125 29 SecuriteInfo.com.Trojan.DownLoaderNET.960.127.1983.exe 6 18->29         started        31 conhost.exe 18->31         started        33 conhost.exe 18->33         started        35 conhost.exe 18->35         started        signatures6 process7 file8 99 Writes to foreign memory regions 21->99 101 Modifies the context of a thread in another process (thread injection) 21->101 103 Injects a PE file into a foreign processes 21->103 37 aspnet_compiler.exe 21->37         started        40 MSBuild.exe 24->40         started        57 C:\Users\user\AppData\...\AlgorithmType.exe, PE32+ 26->57 dropped 59 C:\Users\user\AppData\Local\...\Type.exe, PE32+ 29->59 dropped signatures9 process10 signatures11 105 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 37->105 107 Modifies the context of a thread in another process (thread injection) 37->107 109 Injects a PE file into a foreign processes 37->109 42 aspnet_compiler.exe 37->42         started        47 MSBuild.exe 40->47         started        process12 dnsIp13 75 bnfjdbhgo.duckdns.org 91.92.254.152 THEZONEBG Bulgaria 42->75 61 C:\Users\user\AppData\Local\Temp\hunsmn.exe, PE32 42->61 dropped 127 Writes to foreign memory regions 42->127 129 Modifies the context of a thread in another process (thread injection) 42->129 131 Injects a PE file into a foreign processes 42->131 49 hunsmn.exe 42->49         started        52 AddInProcess.exe 42->52         started        77 miliutyhgdue.duckdns.org 91.92.253.47, 49714, 49716, 49718 THEZONEBG Bulgaria 47->77 63 C:\Users\user\AppData\Local\Temp\sexev.exe, PE32+ 47->63 dropped file14 signatures15 process16 dnsIp17 79 Antivirus detection for dropped file 49->79 81 Multi AV Scanner detection for dropped file 49->81 83 Writes to foreign memory regions 49->83 85 Injects a PE file into a foreign processes 49->85 55 RegAsm.exe 49->55         started        73 91.92.246.62 THEZONEBG Bulgaria 52->73 87 Query firmware table information (likely to detect VMs) 52->87 signatures18 process19
Score:
85%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b/
Threat name:
ByteCode-MSIL.Trojan.PureLogStealer
Create hunting rule
Status:
Malicious
First seen:
2024-04-10 02:53:33 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
13
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lpfin3co2nixlxjt3muuh4p4pa424nlfekp4l7mse655t4fkmn5q._file
Verdict:
malicious
Similar samples:
1b1b9cad3a2bd2c8bdabd5677e3c5043f66d8cdb46c2825e27b051d48e0afa8d
PureLogsStealer
35b3427883c0b04f7b8be643ae1d4403e1908bae3fb09c1965a560e2bf63b3fb
PureLogsStealer
40c251a8afb49d3b567a370e67ca7861a4cc2008c7deef39c3739284c1b7e3e8
PureLogsStealer
5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b
PureLogsStealer
b20de9452f77b912c49bd307cc1e2550abb4e17d8497655e64ed0883ce4cfcbe
PureLogsStealer
fe5543492a9e4e16791d47d369be38cca870b124a009a073cdb6cdf215e26a80
PureLogsStealer
+ 552 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat rat
Link:
https://tria.ge/reports/240419-f1zwhsah5t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SetThreadContext
Executes dropped EXE
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b
MD5 hash:
f333f0a16c7bb7129e6659e145525be6
SHA1 hash:
e6d057c501381d3604e24d73edc81254ddf7bbb1
Link:
https://www.unpac.me/results/6a48d06c-b908-4a2f-8a39-a608b15981fe/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5bca86ec4ed3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments