MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 767a462177afad357ef0318ae2cc755ae78328049fabbc0cc59a01dce8050191. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureStealer

Vendor detections: 8

SHA256 hash: 767a462177afad357ef0318ae2cc755ae78328049fabbc0cc59a01dce8050191
SHA3-384 hash: cc356cd6fde07009245c67bb4b68aef59474c461dc03010c085f083cb3701f1f27357cec35b2da7bda618ff18a5582ec
SHA1 hash: cd66cc1a2bef2114d10a9402fab9a484b940b4cb
MD5 hash: 3b7c9a9a528494a1e9d271ec0c2b42bd
humanhash: comet-don-social-zulu
File name: Shipment 400183759XXXX.rar
Signature: PureStealer
File size: 1'473'647 bytes
First seen: 2024-01-15 12:08:18 UTC
Last seen: 2024-01-16 07:16:56 UTC
File type: rar
MIME type: application/x-rar
ssdeep: 24576:O5/15ARZm5o8rWquq369mk6ft+2lWOc2SO0yc8Ud1iatbUOxLm+sflC2eS4XTu0m:m/12Tv8/B6BoYfTOzNUd1iatbUoL8fNz
TLSH: T12E6533E55B760936E4DEFB015BFA791476872D04CD952C81680F1E3CE8254B4ECBB227
TrID: 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
      38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter: cocaman
Tags: PureStealer rar Shipping


cocaman
Malicious email (T1566.001)
From: "airintl@eafusa.com" (likely spoofed)
Received: "from [103.67.163.162] (unknown [103.67.163.162]) "
Date: "16 Jan 2024 02:30:10 +0700"
Subject: "shipping documents SST2112-250"
Attachment: "Shipment 400183759XXXX.rar"

Intelligence

File Origin
# of uploads: 2
# of downloads: 105
Origin country: CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: Shipment 400183759XXXX.exe
File size: 1'512'960 bytes
SHA256 hash: e893ac9a6d04a539249db958bdf41e17738b23a8e5f3e6f98eb42b7e5066ecdf
MD5 hash: 72b231a9b009ba2c62fed4eb8b7b80aa
MIME type: application/x-dosexec
Signature: PureStealer
Vendor Threat Intelligence

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: masquerade obfuscated packed packed smartassembly smart_assembly

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: ByteCode-MSIL.Trojan.Generic
Status: Suspicious
First seen: 2024-01-15 11:24:43 UTC
File Type: Binary (Archive)
Extracted files: 2
AV detection: 18 of 38 (47.37%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:zgrat collection persistence rat spyware stealer
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  outlook_office_path
  outlook_win_path
  Suspicious use of SetThreadContext
  Accesses Microsoft Outlook profiles
  Adds Run key to start application
  Loads dropped DLL
  Reads user/profile data of web browsers
  Detect ZGRat V1
  ZGRat

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly

Rule name: NET
Author: malware-lu

Rule name: pe_no_import_table
Description: Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: PureStealer
Sample: rar 767a462177afad357ef0318ae2cc755ae78328049fabbc0cc59a01dce8050191 (this sample)
Delivery method: Distributed via e-mail attachment
Dropping: PureStealer
