MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa3a2b818a7b6473a02de77c16ffdb8867cb3f2d4a7862fdf605578865d3a19c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa3a2b818a7b6473a02de77c16ffdb8867cb3f2d4a7862fdf605578865d3a19c
SHA3-384 hash: 3ce498ededfffaa1882f1a5b4a772e6259ec1888ac2d6fb65752746279be098dc1efb9e5a29214659be4f4c49cbc34b5
SHA1 hash: c19b8351ffb9ff619b164906687159810e9b6822
MD5 hash: 2bce80c8629a07a4d30d63ddb18e8696
humanhash: tennis-paris-beer-oregon
File name:file
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:1'447'424 bytes
First seen:2025-03-26 13:04:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:0iO3TvOtigeFegEqNUwU11V86K3VKhCrlvM8spTRXf8z7fJF:qf85l1Vgkglk8oR0XJ
Threatray 2'935 similar samples on MalwareBazaar
TLSH T1C865123D6798B943CBBB437FE4A3890C9238E121C867FF4FE5C591B85027394A44669E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter jstrosch
Tags:.NET exe MSIL PureLogStealer


Avatar
jstrosch
Found at hxxp://195.82.147[.]2/abba/031825-bdd/pricevariety.exe by #subcrawl

Intelligence

File Origin
# of uploads :
1
# of downloads :
485
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2025-03-26 13:23:07 UTC
Tags:
stealer purecrypter netreactor purehvnc rat asyncrat remote
Link:
https://app.any.run/tasks/4652386b-40cb-4008-980a-907cbe9bbb77

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e3fba8cb6d38a89f3e59cd
Tags:
asyncrat virus micro msil
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
explorer lolbin obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67e3fba1631830704a87cea0/reports/759933c6-5ddc-4d50-bbc1-ed771561c9bc/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/aa3a2b818a7b6473a02de77c16ffdb8867cb3f2d4a7862fdf605578865d3a19c
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9414fa25-4d61-46f7-9c0f-f6f4b8ffb002
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1649099
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/aa3a2b818a7b6473a02de77c16ffdb8867cb3f2d4a7862fdf605578865d3a19c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa3a2b818a7b6473a02de77c16ffdb8867cb3f2d4a7862fdf605578865d3a19c/
Threat name:
ByteCode-MSIL.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2025-03-26 13:05:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vi5cxamkpnshhibn456bn763rbt4wpznjj4gf7pwavlyqzotugoa._file
Verdict:
malicious
Label(s):
sorano
Create hunting rule
Similar samples:
022ea38dadfe09c2538d91cc4938406ac328aabc9bafcfb8f794c980e1a25fb5
PureLogsStealer
2a9cbddab53ca2b1376d3d66da8f1cc434afa650762f7fa31fd327daf82498a7
PureLogsStealer
58a7b0a9c1be07f3771be0c79810df2b6d7237d76dcb05082e141b9247785e32
PureLogsStealer
6ae91782bc6a429b1381d2c63d05d268be691a616c46e4c01481b2bab60938a8
PureLogsStealer
a8dcaebe7a4a322066c4534b9c80a2dac34c13a7f3ddd3e3e2adbb2bfb944ca8
PureLogsStealer
aa3a2b818a7b6473a02de77c16ffdb8867cb3f2d4a7862fdf605578865d3a19c
PureLogsStealer
bbc2fbe13e348c67850c778e740e7a7675a8df75845af11aca6aae8c68d7a20b
PureLogsStealer
error
PureLogsStealer
+ 2'925 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/250326-qbrhysvzgt/
Behaviour
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fd2b7227-11c0-4bdc-a91c-d7dd2bab3953
Unpacked files
SH256 hash:
aa3a2b818a7b6473a02de77c16ffdb8867cb3f2d4a7862fdf605578865d3a19c
MD5 hash:
2bce80c8629a07a4d30d63ddb18e8696
SHA1 hash:
c19b8351ffb9ff619b164906687159810e9b6822
Link:
https://www.unpac.me/results/0306fe55-d5b0-4011-8789-c04370bdc88d/
SH256 hash:
c53b74259eccce910a4d90128a9841e02ded001ab6441562d5112df7deec8322
MD5 hash:
39b665e36d8c805f0aa514fdf4f89fc3
SHA1 hash:
db8951dceef5290a58e4a3b329f0178d4d720c60
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/0306fe55-d5b0-4011-8789-c04370bdc88d/
SH256 hash:
78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677
MD5 hash:
f9d2985aa1c41cca281321fffb5ed424
SHA1 hash:
3a7a58d2dcae2762882357ae34d372744b1dbb9d
Link:
https://www.unpac.me/results/0306fe55-d5b0-4011-8789-c04370bdc88d/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/0306fe55-d5b0-4011-8789-c04370bdc88d/
SH256 hash:
b0737eed28d14828f364a21b38c24c4a6b25b406a47ce546f061879405d8aecc
MD5 hash:
dfbb14ad105fe7705865fd1be982ec76
SHA1 hash:
4a76a0daf1929e92c033b761ab0eef58941a0f8b
Detections:
SUSP_OBF_NET_Eazfuscator_String_Encryption_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/0306fe55-d5b0-4011-8789-c04370bdc88d/
Parent samples :
490dc81f099791d36d291b2c3f0232f72649d31c9b069a472bda0d5a0cf36be6
aa3a2b818a7b6473a02de77c16ffdb8867cb3f2d4a7862fdf605578865d3a19c
SH256 hash:
3898d24704a5bb0442c0e52a24a195615e6b90b0c2a0d1e80224933c56629582
MD5 hash:
3931e4ae67e811c30c2a3220cf1eecf6
SHA1 hash:
500cbc1d9b1e3f44c30eea13f214e3035f2e047b
Link:
https://www.unpac.me/results/0306fe55-d5b0-4011-8789-c04370bdc88d/
SH256 hash:
04953649cc41d97da5dea1ce9872fc06d16397e20ca98dfd63b1d2555de64522
MD5 hash:
1643de578083d7b154ae8aa79fa8a529
SHA1 hash:
9641185e7609f4c1c6fb333a1ef6b83254d4998f
Link:
https://www.unpac.me/results/0306fe55-d5b0-4011-8789-c04370bdc88d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aa3a2b818a7b6473a02de77c16ffdb8867cb3f2d4a7862fdf605578865d3a19c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

Executable exe aa3a2b818a7b6473a02de77c16ffdb8867cb3f2d4a7862fdf605578865d3a19c

(this sample)

  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments