MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78a447652c13652d61bab358c48f634e9c005d38d06e6f93ae260c7aa7236c57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 78a447652c13652d61bab358c48f634e9c005d38d06e6f93ae260c7aa7236c57
SHA3-384 hash: 604531817e0c92de20ca86ee84307c89e0d3659f84ea4e8b257b9f0f81451b3382cd53b1438c26793648874704bcada8
SHA1 hash: 3d681383899c36f8b68f5dcd07467fe5500b62e2
MD5 hash: 015f263e759ee7d432477896b133e2e1
humanhash: michigan-green-robin-failed
File name:015f263e759ee7d432477896b133e2e1.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:1'825'792 bytes
First seen:2024-08-21 07:01:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:JtGL2S0VHoPxdKRo2sTjgL9R2fk5RbMqhpFhjSpY:JtG63VOuo2E8LOCI2U
Threatray 3'594 similar samples on MalwareBazaar
TLSH T19785238893D9DB63D2EF1BB864B6455486B3A651F102DB8DFCDDE0C06482B58A3502FF
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter abuse_ch
Tags:exe PureLogStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
370
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c10cc05f3b3d59c92b1ae9cd99246cb8.exe
Verdict:
Malicious activity
Analysis date:
2024-08-19 08:41:10 UTC
Tags:
loader smokeloader uac stealer purecrypter purelogs netreactor exfiltration
Link:
https://app.any.run/tasks/3b4e642d-57cf-4537-8723-48896a6799cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BackDoor.AgentTeslaNET.43.1976.559.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c590efb2a4681a729669b0
Tags:
Network Stealth Heur
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/66c590eda3292d51061e2e4d/reports/d400678c-9dda-44fa-bfbf-1cfd9593de89/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/78a447652c13652d61bab358c48f634e9c005d38d06e6f93ae260c7aa7236c57
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1324da31-1378-4445-ac3e-14c12da021a3
Result
Threat name:
PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1496387
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/78a447652c13652d61bab358c48f634e9c005d38d06e6f93ae260c7aa7236c57
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/78a447652c13652d61bab358c48f634e9c005d38d06e6f93ae260c7aa7236c57/
Threat name:
ByteCode-MSIL.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2024-08-19 05:54:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pcseozjmcnss2yn2wnmmjd3dj2oaaxjy2bxg7e5oeyghvjzdnrlq._file
Verdict:
malicious
Similar samples:
2f18e5a39393e55def4b051e5a0faf2f9cc0d6dae5d79056d85d3074aa18cd26
PureLogsStealer
4b27fd5c70588d922a25f658f35d5c5d3e0085ba88d9bb9b25746c52b2b58e59
PureLogsStealer
4fe2c3ce085537c3e50dfab194e50e21eefd26bf8859175035191f4448924f0e
PureLogsStealer
62261f31057f5a67f22ef2837b1750b9ac068825dc4e88b6cafa8fe65c8007e9
PureLogsStealer
6a7ed8cfc785a7769552ee84bcb86a1d133a9e4ff005ae9635f3c2a93d06c74e
PureLogsStealer
78a447652c13652d61bab358c48f634e9c005d38d06e6f93ae260c7aa7236c57
PureLogsStealer
ee596cf029dc09743a0db9f7d08c90800e77f91a81f558526216702e425d0f98
PureLogsStealer
+ 3'584 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection discovery spyware stealer
Link:
https://tria.ge/reports/240821-hts6havflh/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9e68c093-4a71-4be4-ab9b-fca32930d7b9
Unpacked files
SH256 hash:
e55c54a222af04672cb8a0416b8f5266ddfccdaff7144748b6b41b48ef2b14d2
MD5 hash:
fa2a7d7d933507801ef429f0bf39107f
SHA1 hash:
a45c544b67902fbba8f2ee42cd0fee8117b679a8
Link:
https://www.unpac.me/results/dc24a321-7c7d-4ff5-901d-923362445299/
SH256 hash:
5787acd9d9c7892e8094fe2eea42add8b56f70622da32d7418b7f7199810eda2
MD5 hash:
c1c8d1544fd1c09dd218b9cd55349fa6
SHA1 hash:
6f2cabefdc025978d2a08fdf54ad2f5f7fcb2996
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/dc24a321-7c7d-4ff5-901d-923362445299/
Parent samples :
4fe2c3ce085537c3e50dfab194e50e21eefd26bf8859175035191f4448924f0e
78a447652c13652d61bab358c48f634e9c005d38d06e6f93ae260c7aa7236c57
SH256 hash:
8db27fd0881dd5eebaecc84fb2508e59220d733a80b0d429b9889f739a8b5325
MD5 hash:
83d05bc6e54a8b0931dfb981da9f2232
SHA1 hash:
8a12f428528ac89d4d05e209762b9d369b646dba
Link:
https://www.unpac.me/results/dc24a321-7c7d-4ff5-901d-923362445299/
SH256 hash:
78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677
MD5 hash:
f9d2985aa1c41cca281321fffb5ed424
SHA1 hash:
3a7a58d2dcae2762882357ae34d372744b1dbb9d
Link:
https://www.unpac.me/results/dc24a321-7c7d-4ff5-901d-923362445299/
SH256 hash:
8703fd5b9d8648846212b4ce1934d9c22b4a2f57ab38a7193e67760865217a0a
MD5 hash:
be91eb1411d728c7ecbf8e4cce3c5bad
SHA1 hash:
0f3cb865017fa28509b35a43a2286312f5478605
Link:
https://www.unpac.me/results/dc24a321-7c7d-4ff5-901d-923362445299/
SH256 hash:
831b18622fd6827a5883e121135349f0818ff8fa64ff4a06bcd6478d3c3d5965
MD5 hash:
37c502475af2aef2195439b76dba4116
SHA1 hash:
0d903b46ad62fa78453662d7cc7e53eaa515b237
Detections:
SUSP_OBF_NET_Eazfuscator_String_Encryption_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/dc24a321-7c7d-4ff5-901d-923362445299/
Parent samples :
4fe2c3ce085537c3e50dfab194e50e21eefd26bf8859175035191f4448924f0e
78a447652c13652d61bab358c48f634e9c005d38d06e6f93ae260c7aa7236c57
SH256 hash:
937af435b2ac5bc3bc4eb23cf5602a90c987148358b1e7091b627990baaf7d64
MD5 hash:
a31837c01384b86412716273679dc2ec
SHA1 hash:
252940edc2ff1a685bbcfb31688d3a3cdf8e2886
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/dc24a321-7c7d-4ff5-901d-923362445299/
SH256 hash:
78a447652c13652d61bab358c48f634e9c005d38d06e6f93ae260c7aa7236c57
MD5 hash:
015f263e759ee7d432477896b133e2e1
SHA1 hash:
3d681383899c36f8b68f5dcd07467fe5500b62e2
Link:
https://www.unpac.me/results/dc24a321-7c7d-4ff5-901d-923362445299/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/78a447652c13/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/78a447652c13652d61bab358c48f634e9c005d38d06e6f93ae260c7aa7236c57

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments