MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97137acedba1ac921b69cc15d65e9c67edc13757f28874129744926c17c0230c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 97137acedba1ac921b69cc15d65e9c67edc13757f28874129744926c17c0230c
SHA3-384 hash: 64b234fb74ef9e7ef1554eb445382bf2ea5d8e4fe8aaa6829ff9a76727bfd18fb0726817f8e58c20159cd9bdb26f62f5
SHA1 hash: 3788793637bc32bf1b42eaa9b0b71e7b0a678295
MD5 hash: 0eb5ee530f71aa14ea699e269d58e51d
humanhash: lactose-table-friend-stream
File name:file
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:2'362'880 bytes
First seen:2024-04-02 20:10:53 UTC
Last seen:2024-04-02 20:48:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:Pl3H4WIwyiyXrPAaHj732ilWpXB6gyuhMqo16om6yRJwjnp4nV4rT:Pl3H4WPy7Rv3u1y8RElF
Threatray 2'438 similar samples on MalwareBazaar
TLSH T1FDB533E1E6345824D703E83FA5969624033A1FD01297C70ED798974E90EAB57EE0FDE2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter Bitsight
Tags:exe PureLogStealer


Avatar
Bitsight
url: http://142.202.241.217//238024/plafogCS.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
372
Origin country :
US US
Vendor Threat Intelligence
Malware family:
systembc
Create hunting rule
ID:
1
File name:
97137acedba1ac921b69cc15d65e9c67edc13757f28874129744926c17c0230c.exe
Verdict:
Malicious activity
Analysis date:
2024-04-02 20:12:13 UTC
Tags:
botnet systembc proxy
Link:
https://app.any.run/tasks/f7edf5f2-b589-42eb-9553-c63f275352be

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file
Creating a file in the Windows subdirectories
Connection attempt
Sending a custom TCP request
Launching a process
Creating a file in the system32 subdirectories
Forced system process termination
Setting browser functions hooks
Possible injection to a system process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Using obfuscated Powershell scripts
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
net_reactor packed packed
Link:
https://www.filescan.io/uploads/660c665dd463a7b0477c5882/reports/a4486788-6a61-4c68-932a-f08a77a399f5/overview
Verdict:
Malicious
Labled as:
MSIL.Androm.Generic
Link:
https://www.hybrid-analysis.com/sample/97137acedba1ac921b69cc15d65e9c67edc13757f28874129744926c17c0230c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SystemBC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1fc0e283-8a16-4cda-b579-e6dfbdc500a7
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1419023
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates files in the system32 config directory
Creates multiple autostart registry keys
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Obfuscated command line found
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Very long command line found
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1419023 Sample: file.exe Startdate: 02/04/2024 Architecture: WINDOWS Score: 100 43 Antivirus detection for URL or domain 2->43 45 Antivirus detection for dropped file 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 16 other signatures 2->49 7 powershell.exe 2 15 2->7         started        10 file.exe 2 7 2->10         started        process3 file4 51 Writes to foreign memory regions 7->51 53 Modifies the context of a thread in another process (thread injection) 7->53 55 Found suspicious powershell code related to unpacking or dynamic code loading 7->55 57 Injects a PE file into a foreign processes 7->57 13 dllhost.exe 1 7->13         started        16 conhost.exe 7->16         started        35 C:\Users\user\AppData\Roaming\$77Pxxiy.exe, PE32 10->35 dropped 37 C:\Users\user\AppData\Local\Temp\$77f85599, PE32 10->37 dropped 39 C:\Users\user\AppData\Local\Temp\$77bae545, PE32 10->39 dropped 59 Creates autostart registry keys with suspicious names 10->59 61 Creates multiple autostart registry keys 10->61 63 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->63 18 $77f85599 1 10->18         started        21 $77bae545 1 10->21         started        signatures5 process6 dnsIp7 75 Injects code into the Windows Explorer (explorer.exe) 13->75 77 Contains functionality to inject code into remote processes 13->77 79 Writes to foreign memory regions 13->79 87 3 other signatures 13->87 23 $77Pxxiy.exe 3 13->23         started        27 lsass.exe 13 13->27 injected 29 winlogon.exe 13->29 injected 31 31 other processes 13->31 41 142.202.241.217, 4018, 49736 1GSERVERSUS Reserved 18->41 81 Antivirus detection for dropped file 18->81 83 Multi AV Scanner detection for dropped file 18->83 85 Machine Learning detection for dropped file 18->85 89 2 other signatures 18->89 signatures8 process9 file10 33 C:\Users\user\AppData\Local\Temp\$777c4574, PE32 23->33 dropped 65 Antivirus detection for dropped file 23->65 67 Multi AV Scanner detection for dropped file 23->67 69 Machine Learning detection for dropped file 23->69 71 Creates files in the system32 config directory 27->71 73 Writes to foreign memory regions 27->73 signatures11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/97137acedba1ac921b69cc15d65e9c67edc13757f28874129744926c17c0230c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/97137acedba1ac921b69cc15d65e9c67edc13757f28874129744926c17c0230c/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-04-02 20:11:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s4jxvtw3ugwjeg3jzqk5mxu4m7w4cn2x6kehieuxisjgyf6aemga._file
Verdict:
malicious
Similar samples:
2f7ca180c50ce99d164b5601826e648f88d6db9b932b052dfea9d59a7e2b78ed
PureLogsStealer
9750ea020ecbe7b151fa88641dfb902ef27810bc0d7f0ee0d5c023ef2b7cd2f5
PureLogsStealer
bd464c108d2022979662b515c494dabaf7f528c31b2da3e75d83ba24171600d0
PureLogsStealer
bfba1372de8815592db5b58d15e36ecfad1428bd34aea1161b3552cedbc6ca49
PureLogsStealer
d0f7fb07005ab151b76ab0cd9f5b45a7d319fb3273044c2f5b66a491c6161f9e
PureLogsStealer
dbbe21f14ca93d658be3606974e289edf4b205b22d967324c49cba1950f29b9e
PureLogsStealer
+ 2'428 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat persistence rat
Link:
https://tria.ge/reports/240402-yx89wscc4s/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Detect ZGRat V1
Suspicious use of NtCreateUserProcessOtherParentProcess
ZGRat
Unpacked files
SH256 hash:
a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
MD5 hash:
152e3f07bbaf88fb8b097ba05a60df6e
SHA1 hash:
c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
Link:
https://www.unpac.me/results/a2f549f3-345b-49a1-9a07-90c371129cd9/
SH256 hash:
8d3a5e3f0a17320dbe739ff2964b7fe2910ab1a896cd7d0a7e8bb82510efeeff
MD5 hash:
83899ca649512afa1676407fbc401ed0
SHA1 hash:
bb5d718ce11d4f3c3a0dc5be63fa19b3289cffd7
Link:
https://www.unpac.me/results/a2f549f3-345b-49a1-9a07-90c371129cd9/
SH256 hash:
4fe8bbdb5141c1be3c1e4960d1ba2aa49c0a3aa9b6e1316fccbe6f7bff7831ae
MD5 hash:
d9ea0a60267fdc954275906dadb48b80
SHA1 hash:
a4db8b34991d63cfcc4147cfe6538f840464091f
Link:
https://www.unpac.me/results/a2f549f3-345b-49a1-9a07-90c371129cd9/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/a2f549f3-345b-49a1-9a07-90c371129cd9/
SH256 hash:
7431533957aaad0833119648909c28fc0dc8e99d8f520d92c4d9d8e8c50391a7
MD5 hash:
86f235346f4f44b616330bbaa2356af7
SHA1 hash:
40860de307c2788be32318ef658e2acd818c6dc9
Link:
https://www.unpac.me/results/a2f549f3-345b-49a1-9a07-90c371129cd9/
SH256 hash:
69905f90c0007441c089201b78c13555604eb4d7bb95fb4c39d69c264c1152c1
MD5 hash:
f100d26bcb2f3a7fcf58044a9439ad4e
SHA1 hash:
17d87d206561c4233a4a2832ff6940fdbb703fb9
Link:
https://www.unpac.me/results/a2f549f3-345b-49a1-9a07-90c371129cd9/
SH256 hash:
db90c41cb800a8c0ed320848b860addcb440d495e3b16978a6fd08e8e9919d3f
MD5 hash:
383a11d67ee747ac640a1d8a1db01442
SHA1 hash:
1241c38499f629e4fbb4c87708e7868a408e6419
Link:
https://www.unpac.me/results/a2f549f3-345b-49a1-9a07-90c371129cd9/
SH256 hash:
97137acedba1ac921b69cc15d65e9c67edc13757f28874129744926c17c0230c
MD5 hash:
0eb5ee530f71aa14ea699e269d58e51d
SHA1 hash:
3788793637bc32bf1b42eaa9b0b71e7b0a678295
Link:
https://www.unpac.me/results/a2f549f3-345b-49a1-9a07-90c371129cd9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/97137acedba1ac921b69cc15d65e9c67edc13757f28874129744926c17c0230c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

Executable exe 97137acedba1ac921b69cc15d65e9c67edc13757f28874129744926c17c0230c

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2799406/
  
URLhaus
https://urlhaus.abuse.ch/url/2799717/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments