MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9750ea020ecbe7b151fa88641dfb902ef27810bc0d7f0ee0d5c023ef2b7cd2f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9750ea020ecbe7b151fa88641dfb902ef27810bc0d7f0ee0d5c023ef2b7cd2f5
SHA3-384 hash: 96c0281557eaf3ef9ff81f8efce1883e34a764c548c4c9b18b95dfdf7fc4b72daf7e32301222cd1dd23b101255213868
SHA1 hash: 8895dd1c71eb276f23b14c6e78c6099d3fb3fdeb
MD5 hash: 61282d04c5c97ac914f116ac4d19a73f
humanhash: romeo-carbon-robert-oven
File name:61282d04c5c97ac914f116ac4d19a73f.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:2'729'336 bytes
First seen:2024-03-21 19:31:38 UTC
Last seen:2024-03-21 21:44:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:F0hIB1yCTULjq+I+ATfibNz0RBK6R1UjxDsI3dCJVZ76kmpXNL2cC:FCIBACwflI+I9VRGmI3dC3Z71sC
Threatray 2'978 similar samples on MalwareBazaar
TLSH T150C523177A679AB3C2912B7AC1B7014413BDEA857793EB0A35DF13EB04037BA5D1A207
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon b2f2bba9abb29ee9 (1 x PureLogsStealer)
Reporter abuse_ch
Tags:exe PureLogStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
344
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9750ea020ecbe7b151fa88641dfb902ef27810bc0d7f0ee0d5c023ef2b7cd2f5.exe
Verdict:
Malicious activity
Analysis date:
2024-03-21 19:33:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4bdda4fc-c5e1-4332-8708-8995e869b804

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
89%
Tags:
net_reactor overlay packed packed pitou
Link:
https://www.filescan.io/uploads/65fc8b3a757c624818b57604/reports/a3e36abb-bc25-49ef-8e50-07fafba6166c/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/9750ea020ecbe7b151fa88641dfb902ef27810bc0d7f0ee0d5c023ef2b7cd2f5
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/86191112-df5d-48c8-8c6e-d28ee9c5131a
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1413571
Signature
.NET source code contains potential unpacker
Contains functionality to infect the boot sector
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1413571 Sample: ZX4AHXnXsr.exe Startdate: 21/03/2024 Architecture: WINDOWS Score: 100 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 Yara detected PureLog Stealer 2->51 53 7 other signatures 2->53 7 ZX4AHXnXsr.exe 4 2->7         started        10 ZX4AHXnXsr.exe 3 2->10         started        12 ZX4AHXnXsr.exe 3 2->12         started        process3 signatures4 55 Contains functionality to infect the boot sector 7->55 57 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->57 14 cmd.exe 1 7->14         started        17 cmd.exe 1 7->17         started        19 ZX4AHXnXsr.exe 7->19         started        21 cmd.exe 1 10->21         started        23 cmd.exe 10->23         started        25 ZX4AHXnXsr.exe 10->25         started        27 cmd.exe 1 12->27         started        process5 signatures6 59 Uses ipconfig to lookup or modify the Windows network settings 14->59 29 conhost.exe 14->29         started        31 ipconfig.exe 1 14->31         started        33 conhost.exe 17->33         started        35 ipconfig.exe 1 17->35         started        37 conhost.exe 21->37         started        39 ipconfig.exe 1 21->39         started        41 conhost.exe 23->41         started        43 ipconfig.exe 1 23->43         started        45 2 other processes 27->45 process7
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9750ea020ecbe7b151fa88641dfb902ef27810bc0d7f0ee0d5c023ef2b7cd2f5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9750ea020ecbe7b151fa88641dfb902ef27810bc0d7f0ee0d5c023ef2b7cd2f5/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2024-03-21 19:32:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
9 of 38 (23.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s5iouaqozpt3cup2rbsb364qf3zhqef4bv7q5ygvyar66k342l2q._file
Verdict:
malicious
Similar samples:
7ecf055419ccb76a13fa53d8f5c5888ea369271ceaad4263f952da6d265c4c41
PureLogsStealer
94e31d208cd89ff78bffbd2737d2b629710a46dde9288549e6027008debf7461
PureLogsStealer
9750ea020ecbe7b151fa88641dfb902ef27810bc0d7f0ee0d5c023ef2b7cd2f5
PureLogsStealer
a9f1b1f099d72e3d3bb950a335b612a7e2d551e38bc8d72a9d3035453b3760ed
PureLogsStealer
ade2ca16b57840a5554d4a77276993da64fe1598bcfea44953d8ed8780da9dea
PureLogsStealer
bd464c108d2022979662b515c494dabaf7f528c31b2da3e75d83ba24171600d0
PureLogsStealer
c875d48e9242fff77283972803a88ca27a9045381a42c57c94f105cee7e0549c
PureLogsStealer
+ 2'968 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat rat
Link:
https://tria.ge/reports/240321-x8yf4ahh7t/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
9750ea020ecbe7b151fa88641dfb902ef27810bc0d7f0ee0d5c023ef2b7cd2f5
MD5 hash:
61282d04c5c97ac914f116ac4d19a73f
SHA1 hash:
8895dd1c71eb276f23b14c6e78c6099d3fb3fdeb
Link:
https://www.unpac.me/results/3ea5f779-4ce7-4368-a403-90aa2b00f1f4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9750ea020ecbe7b151fa88641dfb902ef27810bc0d7f0ee0d5c023ef2b7cd2f5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments