MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63dfb807979d87f725cafcd7d9b5de5df1b32c6801ca9a1b058247da329dcb22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63dfb807979d87f725cafcd7d9b5de5df1b32c6801ca9a1b058247da329dcb22
SHA3-384 hash: 0a04d318646a37db5b3006bad4b812ee2481e438d5d297c22d3594574675432dfbae67e3dce751498b5ddd212907a2c4
SHA1 hash: 85d5c63505b5ae41bd6f23ff5eed284aff00ff25
MD5 hash: 4a9119576c02d6707f5914f5ea020730
humanhash: lima-comet-four-helium
File name:4a9119576c02d6707f5914f5ea020730
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:1'508'336 bytes
First seen:2023-12-15 03:53:17 UTC
Last seen:2023-12-21 05:12:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:dnHkiJpLM/qG7sGnRiTwXpD1EPRN42n0dpMP53edgtO9wPhm:5dJpCsGRiTSpDWpN4lLMZ0gtO9w5m
Threatray 4'292 similar samples on MalwareBazaar
TLSH T1AC651204940D2583F2402738C8AEF3B32AA58E6499E2D54FA0D17D3B727D6AF7D394D6
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon f08e9686dad89ac4 (5 x zgRAT, 4 x PureLogsStealer, 3 x Amadey)
Reporter zbetcheckin
Tags:64 exe PureLogStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
458
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4a9119576c02d6707f5914f5ea020730
Verdict:
Malicious activity
Analysis date:
2023-12-15 03:56:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cde1cb2c-0e12-4c60-9237-8c832ad359fa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/467522/
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.21174.1345.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Restart of the analyzed sample
Creating a file
Sending a custom TCP request
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated overlay packed packed smartassembly smart_assembly
Link:
https://www.filescan.io/uploads/657bcddcffafd83ebc906894/reports/b7e250f0-1cf5-4d76-b610-242ff7041689/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/63dfb807979d87f725cafcd7d9b5de5df1b32c6801ca9a1b058247da329dcb22
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e8d1ccf5-5d9a-45de-935a-9f1a28a33454
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1362508
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1362508 Sample: UCV4U0pGDc.exe Startdate: 15/12/2023 Architecture: WINDOWS Score: 100 46 Multi AV Scanner detection for domain / URL 2->46 48 Antivirus detection for URL or domain 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 3 other signatures 2->52 8 ContextProperties.exe 1 2->8         started        11 UCV4U0pGDc.exe 1 2->11         started        13 ContextProperties.exe 2->13         started        15 liaihb.exe 2->15         started        process3 signatures4 54 Multi AV Scanner detection for dropped file 8->54 56 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 8->56 58 Modifies the context of a thread in another process (thread injection) 8->58 17 ContextProperties.exe 2 8->17         started        60 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->60 62 Injects a PE file into a foreign processes 11->62 64 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 11->64 20 UCV4U0pGDc.exe 6 11->20         started        23 ContextProperties.exe 13->23         started        process5 file6 40 Writes to foreign memory regions 17->40 42 Modifies the context of a thread in another process (thread injection) 17->42 44 Injects a PE file into a foreign processes 17->44 25 InstallUtil.exe 1 17->25         started        32 C:\Users\user\...\ContextProperties.exe, PE32+ 20->32 dropped signatures7 process8 signatures9 66 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 25->66 68 Modifies the context of a thread in another process (thread injection) 25->68 70 Injects a PE file into a foreign processes 25->70 28 InstallUtil.exe 15 3 25->28         started        process10 dnsIp11 36 185.196.8.238, 49711, 80 SIMPLECARRER2IT Switzerland 28->36 38 80.85.241.193, 49710, 49713, 49714 MEDIAL-ASRU Russian Federation 28->38 34 C:\Users\user\AppData\Local\Temp\liaihb.exe, PE32+ 28->34 dropped file12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/63dfb807979d87f725cafcd7d9b5de5df1b32c6801ca9a1b058247da329dcb22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/63dfb807979d87f725cafcd7d9b5de5df1b32c6801ca9a1b058247da329dcb22/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2023-12-14 00:48:19 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
18
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mpp3qb4xtwd7ojok7tl5tno6lxy3gldiahfjugyfqjd5umu5zmra._file
Verdict:
malicious
Similar samples:
5afb99657fd9ddae3a21399d562c2e78933122000db26ca208c363d71c938e6b
PureLogsStealer
63dfb807979d87f725cafcd7d9b5de5df1b32c6801ca9a1b058247da329dcb22
PureLogsStealer
8252f99b0f6c26c5c6360c896b26d2acf273ec3c68cf2d883fce4727fe926237
PureLogsStealer
9308672369748963a12d1fda1ad2151df4c8b6b8a092bd72eab3fe13d6fb86cf
PureLogsStealer
9331f9970a83bda8893c6ace5048f736426c8cbddbd7cc0857a7a7306efa9ff0
PureLogsStealer
d0f93d98529b19fc436ea00567f23e9e012d440669b8e728e17d8d8e20a147cd
PureLogsStealer
d1637b302478288a64dd847d79fe797e7994cc2fe73e02f92849a8830d808efe
PureLogsStealer
f8ee8795b3fd842a279823aa8925cb2c681457194f6d0bb5e392ab1b24d360fb
PureLogsStealer
+ 4'282 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat rat
Link:
https://tria.ge/reports/231215-ef76qabgb4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SetThreadContext
Executes dropped EXE
Downloads MZ/PE file
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
63dfb807979d87f725cafcd7d9b5de5df1b32c6801ca9a1b058247da329dcb22
MD5 hash:
4a9119576c02d6707f5914f5ea020730
SHA1 hash:
85d5c63505b5ae41bd6f23ff5eed284aff00ff25
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/3475a27b-83a2-4b11-9fe8-568a8f2323bc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/63dfb807979d87f725cafcd7d9b5de5df1b32c6801ca9a1b058247da329dcb22

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

Executable exe 63dfb807979d87f725cafcd7d9b5de5df1b32c6801ca9a1b058247da329dcb22

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2740630/
Cape
Cape
https://www.capesandbox.com/analysis/467522/

Comments


Avatar
zbet commented on 2023-12-15 03:53:19 UTC

url : hxxp://185.196.8.248/Dvvyjoogg.exe