MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureLogsStealer
Vendor detections: 14

SHA256 hash: 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad
SHA3-384 hash: 9cce1903b94eb7d52c5d54b72bd46da6b6a0f0967e37d6e5e047cf0f400ef444416d13199d589eecf421fade59b299f5
SHA1 hash: eb4058134cd74c681445a1a81c31ef729c80a7ec
MD5 hash: 08cee68cb913dd71800f0283c49af6d3
humanhash: double-mockingbird-north-nevada
File name: 08cee68cb913dd71800f0283c49af6d3
Signature: PureLogsStealer
File size: 2'329'384 bytes
First seen: 2024-05-04 09:24:31 UTC
Last seen: 2024-05-04 10:30:12 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'672 x AgentTesla, 19'489 x Formbook, 12'212 x SnakeKeylogger)
ssdeep: 49152:+8cRU4kwcctnR19Y1Iqdwc2EyEvh6Re14IIQ+cUznT9PuYXVWXCxzhm:+TXkw5RWlifE3vwVIB+cnYXkgm
TLSH: T1C5B533572BCC5C98DA99A57C5373AAB15830D7F37902E3403097A9389B77FE2E05C268
TrID:
  69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
  1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon: 696a6ee2b2b2c2cc (18 x RedLineStealer, 17 x LummaStealer, 16 x CoinMiner)
Reporter: zbetcheckin
Tags: 32 exe PureLogStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 298
Origin country: FR
Vendor Threat Intelligence

Malware family: lockbit
ID: 1
File name: 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe
Verdict: Malicious activity
Analysis date: 2024-05-04 09:25:30 UTC
Tags: ransomware lockbit

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:

Behaviour:
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a process with a hidden window
Creating a file
Creating synchronization primitives
Launching a service
Creating a window
Changing a file
Delayed writing of the file
Moving a recently created file
Reading critical registry keys
Creating a file in the %AppData% directory
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Modifies multiple files
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Stealing user critical data
Creating a file in the mass storage device
Forced shutdown of a browser
Encrypting user's files

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: net_reactor overlay packed packed

Malware family: BlackMatter Ransomware
Verdict: Malicious
Result
Threat name: LockBit ransomware, PureLog Stealer
Detection: malicious
Classification: rans.troj.evad
Score: 100 / 100

Signatures:
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected LockBit ransomware
Yara detected PureLog Stealer

Behaviour
Behavior Graph (ID 1436337; sample mBW2MzlcHN.exe; start date 04/05/2024; architecture WINDOWS; score 100):
  Signatures on the sample:
    Malicious sample detected (through community Yara rule)
    Antivirus / Scanner detection for submitted sample
    Multi AV Scanner detection for submitted file
    6 other signatures
  Process tree and network activity:
    mBW2MzlcHN.exe (started)
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      mBW2MzlcHN.exe (started)
        WerFault.exe (started)
    chrome.exe (started)
      192.168.2.7, ports 123, 138, 443 (unknown)
      239.255.255.250 (Reserved)
      chrome.exe (started)
        www.google.com 142.250.68.68, ports 443, 49714, 49715 (GOOGLEUS, United States)
        plus.l.google.com
        2 other IPs or domains
    chrome.exe (started)
      chrome.exe (started)
Threat name: ByteCode-MSIL.Ransomware.Lockbit
Status: Malicious
First seen: 2024-04-29 14:58:37 UTC
File Type: PE (.Net Exe)
Extracted files: 15
AV detection: 23 of 38 (60.53%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:zgrat ransomware rat spyware stealer

Behaviour:
Modifies Control Panel
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops desktop.ini file(s)
Deletes itself
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Renames multiple (318) files with added filename extension
Detect ZGRat V1
ZGRat
Unpacked files

SHA256 hash: d79bf27aba30a290c007df642b290cf521dcbf5950230d68a20c11d5205544df
MD5 hash: e985d51d07a479ba13f6d79d1554e9bb
SHA1 hash: d98c9ed4dc369112a26a6b9e741221f7e2be3ca2

SHA256 hash: 8abb9ad695bab02bce33bd11b1e666dfa82ed237dcf558bc72fe2ee2b5088f04
MD5 hash: ef980844b4d8160d9e2378bc6c362252
SHA1 hash: 732e3adce9b2c6d211c715fcb3aa32d2d238dc69

SHA256 hash: 9cb76090b74457b23fd3daf8af4793510cb94a970046de0ea4d3bb05527ba2e1
MD5 hash: a7ed7796c84c9b27758f359705741455
SHA1 hash: 58bb54cd72323d0a73a3839e1b00b84d9260dcb3
Detections: win_lockbit_auto Darkside

SHA256 hash: 19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash: 4e29f75c0c51b9dec76955f0382d9541
SHA1 hash: 4899aa8e3f57339cbaec8faab777897a76fe1c3a

SHA256 hash: 78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677
MD5 hash: f9d2985aa1c41cca281321fffb5ed424
SHA1 hash: 3a7a58d2dcae2762882357ae34d372744b1dbb9d

SHA256 hash: 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad
MD5 hash: 08cee68cb913dd71800f0283c49af6d3
SHA1 hash: eb4058134cd74c681445a1a81c31ef729c80a7ec
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: pe_imphash

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  PureLogsStealer  Executable exe  5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad  (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                         Title                                            Severity
CHECK_AUTHENTICODE         Missing Authenticode                             high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (GUARD_CF)  high

Comments



zbet commented on 2024-05-04 09:24:32 UTC

url : hxxp://ghuytyh45.duckdns.org/byfronbypass.html/css/mss/Psojnzwt.exe