MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96b67999e3f0a8105cc90ad4fc2180b0bf2137ff7d0ce11d894b122be307decf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PureLogsStealer


Vendor detections: 7

SHA256 hash: 96b67999e3f0a8105cc90ad4fc2180b0bf2137ff7d0ce11d894b122be307decf
SHA3-384 hash: d3b1181a319184b08f21e7a6684d69ed197f4f8b88f3e58b4fdb68eaccf11feb6a7e4549bbe078ecd68bb0e1e8e11d58
SHA1 hash: 96b2fe8aafc48565e42d82a1522d56e8e770e75a
MD5 hash: 4862892e997da3ce790745f253673c76
humanhash: johnny-oranges-tennessee-autumn
File name: YT#payment_705427_82908_04321_983653_37510_0975211.gz
Signature: PureLogsStealer
File size: 36'376 bytes
First seen: 2024-05-10 08:37:29 UTC
Last seen: Never
File type: gz
MIME type: application/x-rar
ssdeep: 768:AMJ+GJ1QdUCAMKxpidwGkHJ6UjfGeL8F6GYZtxm4nNN/6x76uKy:AM0WpxpidwRH1p8F2ZtxiN6dy
TLSH: T1CAF2F1935E6F6B27F705D2AC586339849C8A4AB0A95F7B4C8BB974209F40385CB24739
TrID: 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1); 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter: cocaman
Tags: gz payment PureLogStealer SWIFT


cocaman
Malicious email (T1566.001)
From: "Panita Ungkanawin <panita.u@messe-muenchen-de.com>" (likely spoofed)
Received: "from mail.messe-muenchen-de.com (server.messe-muenchen-de.com [104.168.146.134]) "
Date: "9 May 2024 11:18:49 +0200"
Subject: "swiftreference_310311"
Attachment: "YT#payment_705427_82908_04321_983653_37510_0975211.gz"

Intelligence


File Origin
# of uploads: 1
# of downloads: 80
Origin country: CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: YT#payment_705427_82908_04321_983653_37510_0975211.exe
File size: 75'504 bytes
SHA256 hash: fd20c43c250724b2fa1ce40b7edc6e8616f6a63573da5b04fd87a307b02333c8
MD5 hash: bad18478169b1e5d1a4e9f55a105bc94
MIME type: application/x-dosexec
Signature: PureLogStealer
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: masquerade obfuscated overlay packed packed phishing smartassembly smart_assembly
Threat name: Win32.Trojan.Znyonm
Status: Malicious
First seen: 2024-05-09 11:20:21 UTC
File Type: Binary (Archive)
Extracted files: 4
AV detection: 18 of 24 (75.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:zgrat collection rat spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Drops startup file
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Detect ZGRat V1
ZGRat
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly
Rule name: NET
Author: malware-lu
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: pe_imphash
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: Saudi_Phish_Trojan
Author: Florian Roth (Nextron Systems)
Description: Detects a trojan used in Saudi Aramco Phishing
Reference: https://goo.gl/Z3JUAA
Rule name: Saudi_Phish_Trojan_RID2E2F
Author: Florian Roth
Description: Detects a trojan used in Saudi Aramco Phishing
Reference: https://goo.gl/Z3JUAA
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery: Malspam
Signature: PureLogStealer
Sample: gz 96b67999e3f0a8105cc90ad4fc2180b0bf2137ff7d0ce11d894b122be307decf (this sample)

Delivery method: Distributed via e-mail attachment

Comments