MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a843517b019e86af42252b568e06dfe91a22f9034ceb996f5b0df32dcc1e4274. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureLogsStealer

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	a843517b019e86af42252b568e06dfe91a22f9034ceb996f5b0df32dcc1e4274
SHA3-384 hash:	72cd888957f4d20c151dc5840351f75cb5e1c8756030b044240938098bad724f4cfad0d12f0ef15f260b39fe90d0d87c
SHA1 hash:	992c119799b3b3899263605930bf9fc2b656afe8
MD5 hash:	460834754a0e145320380e54400b9509
humanhash:	lemon-one-moon-juliet
File name:	x.exe._
Download:	download sample
Signature	PureLogsStealer Create hunting rule
File size:	35'681'704 bytes
First seen:	2022-12-15 09:39:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	786432:4GMFSKzdJxiKFG6KSB19tbr26wpPLzoXeaw3sjkwPLa+GdsZ6LT1EE:H8i16Zfby3Pouaw8jkD+Go6Lp
Threatray	3'146 similar samples on MalwareBazaar
TLSH	T1F67733F4070886CEF617AE7378569E34D6E3EC901653413BDB22A65C2EE3B12779C621
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
dhash icon	f8f26266c8e8a0c0 (1 x PureLogsStealer, 1 x Vidar)
Reporter	VirITeXplorer
Tags:	195-201-23-210 Alibaba2044 downloadpdf-fattura-de exe PureLogs

VirITeXplorer

Italy campaign malspam 2022-12-14

Intelligence

File Origin

# of uploads :

# of downloads :

315

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

x.exe._

Verdict:

Malicious activity

Analysis date:

2022-12-15 09:40:27 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5826a23b-711c-4a33-826e-1409410293bf

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process

Creating a file

Verdict:

Unknown

Threat level:

n/a -.1/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/639aeb3b4eb0cc4ebcdd1d93/reports/4546f989-95ea-4793-8322-1c437427e0ed/overview

Result

Verdict:

MALICIOUS

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/1134907

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Encrypted powershell cmdline option found

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2022-12-15 09:40:42 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

11 of 26 (42.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vbbvc6ybt2dk6qrffnli4bw75encf6idjtvzs323bxzs3ta6ij2a._file

Verdict:

malicious

PureLogsStealer

0f4929da9001eab23942eab268ece5da252c8b654273cc6ddaad9f87dcfbb1fa

PureLogsStealer

2271dd64f293714d67e83203208ad1a9bfaa4ac31dd9c0b252645b0a3d3bfb94

PureLogsStealer

34b5a57ce8e27e71daf65bf6b98c76cc7151ff0cee92a4be48b700600690a5c2

PureLogsStealer

55466ebc5b9c9e17e47e2af745c118001c1163eaa9aa945760f90b2af3f8362c

PureLogsStealer

81bf53fbfc3cac4f4e2a4d35692127d7a5f32d8b2c06fc44e30775c4ac0be8af

PureLogsStealer

8c85bc3ecc8b4aac2d61677da26f2846eb883a0137d28fcb8a59becd689f54ce

PureLogsStealer

a88df82e4b619c1586b5640c801616486f08b3bd32f766847f468d6a23b6c23e

PureLogsStealer

af866cc249dd0bd2f0fc7cf644fbedbb88e887269d9cdab7f4190b08d0cae06e

PureLogsStealer

b13700f6b5654760b7462c832b65592d6cccd3498f4094293fff020fb2b40970

PureLogsStealer

+ 3'136 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

collection spyware stealer

Link:

https://tria.ge/reports/221215-lmrwmscb23/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Reads user/profile data of web browsers

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/1a813f10-f829-4705-ba18-b8edda03e6cc

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/a843517b019e86af42252b568e06dfe91a22f9034ceb996f5b0df32dcc1e4274

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample