MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fe211041b58d0588133f7d7dde18867cfc77dd1d87c5af1222edc91ac882665. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5fe211041b58d0588133f7d7dde18867cfc77dd1d87c5af1222edc91ac882665
SHA3-384 hash: 45b806de1ff351afcd61828fe5b39ca394a7ad8596b98f0b6fc0444d4c3552e0ac109669465982f15f0e07115b7f189b
SHA1 hash: 04c1b0f70c1a4574474df56d5b2ef233ddcbe9eb
MD5 hash: 457c53a8c4076f6ad84b3df50eeaed40
humanhash: india-failed-papa-chicken
File name:457c53a8c4076f6ad84b3df50eeaed40
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:2'468'864 bytes
First seen:2024-04-04 21:38:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 49152:qLVfUh2tObNV72FN/J0PX6slSlrt1Vi4Nt1P9BCwB+RsEHU/nqBC:WVw2sbNVO/2PK7/1YYt1zGqEHU/oC
Threatray 2'631 similar samples on MalwareBazaar
TLSH T1ECB52354339C87B7D5EC2278F0250188DBF593ABFA67C79F2418E4F924233129A9365B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe PureLogStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
331
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
systembc
Create hunting rule
ID:
1
File name:
5fe211041b58d0588133f7d7dde18867cfc77dd1d87c5af1222edc91ac882665.exe
Verdict:
Malicious activity
Analysis date:
2024-04-04 21:43:08 UTC
Tags:
botnet systembc proxy
Link:
https://app.any.run/tasks/53224452-c9d5-4534-87aa-37854ab0802a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Searching for synchronization primitives
Creating a file in the %AppData% directory
Creating a file
Launching the default Windows debugger (dwwin.exe)
Connection attempt
Sending a custom TCP request
Searching for the window
Launching a process
Moving a file to the Program Files subdirectory
Replacing files
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/660f1df9391c61c47915a601/reports/8093703c-c08a-4b94-9a1d-356c84915d34/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/5fe211041b58d0588133f7d7dde18867cfc77dd1d87c5af1222edc91ac882665
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SystemBC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9a0a9843-83c9-483b-9c4f-6a998df53ccf
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1420530
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Send many emails (e-Mail Spam)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to resolve many domain names, but no domain seems valid
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1420530 Sample: mrPTE618YB.exe Startdate: 04/04/2024 Architecture: WINDOWS Score: 100 47 securesmtp.ljpremiums.xyz 2->47 49 zuru.com.br 2->49 51 701 other IPs or domains 2->51 65 Multi AV Scanner detection for submitted file 2->65 67 Yara detected PureLog Stealer 2->67 69 Yara detected AntiVM3 2->69 73 8 other signatures 2->73 8 mrPTE618YB.exe 2 9 2->8         started        12 $77Pxxiy.exe 5 2->12         started        14 $77Pxxiy.exe 2->14         started        16 5 other processes 2->16 signatures3 71 Performs DNS queries to domains with low reputation 47->71 process4 dnsIp5 35 C:\Users\user\AppData\Roaming\$77Pxxiy.exe, PE32 8->35 dropped 37 C:\Users\user\AppData\Local\Temp\$77da1702, PE32 8->37 dropped 39 C:\Users\user\AppData\Local\Temp\$77a33b33, PE32 8->39 dropped 83 Creates autostart registry keys with suspicious names 8->83 85 Creates multiple autostart registry keys 8->85 87 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->87 93 3 other signatures 8->93 19 $77a33b33 1 8->19         started        23 $77da1702 8->23         started        41 C:\Users\user\AppData\Local\Temp\$77b7a097, PE32 12->41 dropped 89 Multi AV Scanner detection for dropped file 12->89 91 Machine Learning detection for dropped file 12->91 25 $77b7a097 12->25         started        43 C:\Users\user\AppData\Local\Temp\$77561490, PE32 14->43 dropped 27 $77561490 14->27         started        45 127.0.0.1 unknown unknown 16->45 29 conhost.exe 16->29         started        31 conhost.exe 16->31         started        file6 signatures7 process8 dnsIp9 53 93.191.156.9 ZITCOMDK Denmark 19->53 55 200.2.127.152, 465 WiltelComunicacionesSAAR Argentina 19->55 63 105 other IPs or domains 19->63 33 WerFault.exe 16 23->33         started        57 212.51.191.44 RMI-FITECHFR France 25->57 59 150.136.132.149 ORACLE-BMC-31898US United States 25->59 61 72.52.178.23 LIQUIDWEBUS United States 25->61 75 Multi AV Scanner detection for dropped file 27->75 77 Machine Learning detection for dropped file 27->77 79 Creates autostart registry keys with suspicious values (likely registry only malware) 27->79 81 Creates multiple autostart registry keys 27->81 signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5fe211041b58d0588133f7d7dde18867cfc77dd1d87c5af1222edc91ac882665
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5fe211041b58d0588133f7d7dde18867cfc77dd1d87c5af1222edc91ac882665/
Threat name:
ByteCode-MSIL.Trojan.Coroxy
Create hunting rule
Status:
Malicious
First seen:
2024-04-04 21:39:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l7rbcba3ldifrajt67l53ymim7h4o7or3b6fv4jcf3ojdleiezsq._file
Verdict:
malicious
Similar samples:
407fc451a24a5a7d08b067fc8a1361f57e0f46331c19c4e069ae2d967cd33084
PureLogsStealer
4bf50d078ab6f3cff117e42e77edf162d0ee9778993b585824157993c45c901d
PureLogsStealer
821c41164399865a1b2cd77d7b6825f9d83834732fd215dab978f30ae48bb5fe
PureLogsStealer
94e31d208cd89ff78bffbd2737d2b629710a46dde9288549e6027008debf7461
PureLogsStealer
9750ea020ecbe7b151fa88641dfb902ef27810bc0d7f0ee0d5c023ef2b7cd2f5
PureLogsStealer
b40a76ca3b6098ed3e3c862442012dded937ee4c987d6fcb3e955bcbf36089da
PureLogsStealer
c4e838a74e5baf5dbd86beedff96c1c9353b49ecf2ad362f47a4b134453701ab
PureLogsStealer
d545f5b27e90abc54cf5a37c35e866c08336a500cecd95e8267c0c729a6b9bbc
PureLogsStealer
fea4dd76fdaa4ce2a97ac7e163c87da2fba16949296e8efd97037b7ed329e0e5
PureLogsStealer
+ 2'621 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:purelogstealer family:zgrat evasion persistence rat stealer
Link:
https://tria.ge/reports/240404-1hlw6aba5w/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Detect ZGRat V1
Modifies security service
PureLog Stealer
PureLog Stealer payload
Suspicious use of NtCreateUserProcessOtherParentProcess
ZGRat
Unpacked files
SH256 hash:
a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
MD5 hash:
152e3f07bbaf88fb8b097ba05a60df6e
SHA1 hash:
c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
Link:
https://www.unpac.me/results/ee643867-a6b5-4050-8f03-86009a5314dd/
SH256 hash:
5f0d48ddad27743b08d1ff7f3e9f698fe821bacebab8b1e5d05d89101fd58ca5
MD5 hash:
e8fdba24a9b16778ded8094cd46ccf81
SHA1 hash:
a9bb8963ef420a3bab508c3dfbcab1868e2b0ad2
Link:
https://www.unpac.me/results/ee643867-a6b5-4050-8f03-86009a5314dd/
SH256 hash:
4fe8bbdb5141c1be3c1e4960d1ba2aa49c0a3aa9b6e1316fccbe6f7bff7831ae
MD5 hash:
d9ea0a60267fdc954275906dadb48b80
SHA1 hash:
a4db8b34991d63cfcc4147cfe6538f840464091f
Link:
https://www.unpac.me/results/ee643867-a6b5-4050-8f03-86009a5314dd/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/ee643867-a6b5-4050-8f03-86009a5314dd/
SH256 hash:
e90df8e9052500e002f67c67b67a0e6b6733c415e0e4987307e754cd409ff3c8
MD5 hash:
5fb920b7281e60e670a3098b5989bad7
SHA1 hash:
447d7ca0839a424eb76c8b2d6e3d929aec568676
Link:
https://www.unpac.me/results/ee643867-a6b5-4050-8f03-86009a5314dd/
SH256 hash:
d5a325376439b25f2b6c66d4018aac35d64150be84197be34902ba8e74fc983b
MD5 hash:
cfbadc3d61b831a007c4008cda632af0
SHA1 hash:
35007d4accfd909f542ee81924874903af84f48c
Link:
https://www.unpac.me/results/ee643867-a6b5-4050-8f03-86009a5314dd/
SH256 hash:
db90c41cb800a8c0ed320848b860addcb440d495e3b16978a6fd08e8e9919d3f
MD5 hash:
383a11d67ee747ac640a1d8a1db01442
SHA1 hash:
1241c38499f629e4fbb4c87708e7868a408e6419
Link:
https://www.unpac.me/results/ee643867-a6b5-4050-8f03-86009a5314dd/
SH256 hash:
5fe211041b58d0588133f7d7dde18867cfc77dd1d87c5af1222edc91ac882665
MD5 hash:
457c53a8c4076f6ad84b3df50eeaed40
SHA1 hash:
04c1b0f70c1a4574474df56d5b2ef233ddcbe9eb
Link:
https://www.unpac.me/results/ee643867-a6b5-4050-8f03-86009a5314dd/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5fe211041b58/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5fe211041b58d0588133f7d7dde18867cfc77dd1d87c5af1222edc91ac882665

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

Executable exe 5fe211041b58d0588133f7d7dde18867cfc77dd1d87c5af1222edc91ac882665

(this sample)

  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments


Avatar
zbet commented on 2024-04-04 21:38:13 UTC

url : hxxp://racimbo.maclawcloudboxes.com/5743463532/DtsApo4Service.exe