MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a4b5e91d0222c145a45c4c844136be284a4df98737c6dae589d65c439d0e6d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a4b5e91d0222c145a45c4c844136be284a4df98737c6dae589d65c439d0e6d2
SHA3-384 hash: 2eee7901ad1cb132e06d7d8e165fa1ec8a021cb3376750b18c9202af0016d6f027c20d6b52dd720bc11c778c8fc12d3c
SHA1 hash: 6d46e5f13b7fa00b0034a4881d07b8d5776faa10
MD5 hash: 9e96179dbd4fa2006157a4617e270555
humanhash: don-sodium-papa-river
File name:hObXeMHkSShI8GL7378ICT2M.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:573'440 bytes
First seen:2024-07-26 17:19:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6addd02d82538c2ca23958c8c292883b (4 x RedLineStealer, 1 x Stealc, 1 x PureLogsStealer)
ssdeep 12288:eem1DVVYweJUFHk8oVw/oKMlfx062I4Nt91gYgs:e7DzESHkfsoKMlfxUIJYgs
TLSH T1E2C4F11279C1C0B3D6772A350AE4D7B8AA7EF9604E719DAF77540B3E0F305C2EA21616
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter aachum
Tags:exe PureLogStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
344
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7a4b5e91d0222c145a45c4c844136be284a4df98737c6dae589d65c439d0e6d2
Verdict:
Malicious activity
Analysis date:
2024-07-26 01:39:18 UTC
Tags:
stealer metastealer
Link:
https://app.any.run/tasks/f2737056-da7d-4baa-be58-41e87e46b587

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Keylogger.Lazy-10031941-0
Create hunting rule

Win.Malware.Fragtor-10033838-0
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a3da9bde3a92a81b2bb6d5
Tags:
Variant
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a window
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Stealing user critical data
Unauthorized injection to a system process
Forced shutdown of a browser
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc fingerprint keylogger microsoft_visual_cc packed redline zusy
Link:
https://www.filescan.io/uploads/66a3dac34c5c17942a7e74a3/reports/9a92f650-d3c4-49df-82eb-0c349c03ee86/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2c718977-ee6f-4cc5-8f62-705a4031836a
Result
Threat name:
PureLog Stealer, RedLine, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1483179
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7a4b5e91d0222c145a45c4c844136be284a4df98737c6dae589d65c439d0e6d2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a4b5e91d0222c145a45c4c844136be284a4df98737c6dae589d65c439d0e6d2/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2024-07-24 23:47:21 UTC
File Type:
PE (Exe)
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pjfv5eoqeiwbiwsfyteeie3l4kckjx4yon6g3lsytvs4iooq43ja._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  9/10
Tags:
credential_access discovery spyware stealer
Link:
https://tria.ge/reports/240726-vwd6kssdpj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Credentials from Password Stores: Credentials from Web Browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0433f0ab-59ac-45f9-a273-7039ca873299
Unpacked files
SH256 hash:
f54fb0606acf9ce87a795fdbd1dc14be611616e2aacf740adc801aa823d53dcb
MD5 hash:
5627d0cacd30d2249be66e85529eabbe
SHA1 hash:
935c7ae6b972199046879c0a8443be0959db9a7a
Detections:
MALWARE_Win_MetaStealer
Create hunting rule
Link:
https://www.unpac.me/results/fa7c0799-e743-4cd9-94b7-2288ae4accb5/
Parent samples :
7a4b5e91d0222c145a45c4c844136be284a4df98737c6dae589d65c439d0e6d2
5abfb608327ac2f241c115ab584dcc5d6811e9a3441e8d4e63ed781bd393a6f6
c4af46f2a357b68ce8e5830d9639e0c9212c61ae5d0fd1bb283812217a14ab72
SH256 hash:
7a4b5e91d0222c145a45c4c844136be284a4df98737c6dae589d65c439d0e6d2
MD5 hash:
9e96179dbd4fa2006157a4617e270555
SHA1 hash:
6d46e5f13b7fa00b0034a4881d07b8d5776faa10
Link:
https://www.unpac.me/results/fa7c0799-e743-4cd9-94b7-2288ae4accb5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7a4b5e91d022/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a4b5e91d0222c145a45c4c844136be284a4df98737c6dae589d65c439d0e6d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

zip bb9a55a6931365518be4719a2a118d5de678fc9a33f35e39d764d7f66ea1423b

PureLogsStealer

Executable exe 7a4b5e91d0222c145a45c4c844136be284a4df98737c6dae589d65c439d0e6d2

(this sample)

  
Link
https://tria.ge/240726-vsmcsasblp
  
Dropped by
SHA256 bb9a55a6931365518be4719a2a118d5de678fc9a33f35e39d764d7f66ea1423b
  
Dropped by
MD5 3a1f9204a1f08953bacef8cb1bdeefc0

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::VirtualAllocEx
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
KERNEL32.dll::CreateThreadpoolWork
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments