MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ade2ca16b57840a5554d4a77276993da64fe1598bcfea44953d8ed8780da9dea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PureLogsStealer


Vendor detections: 14



SHA256 hash: ade2ca16b57840a5554d4a77276993da64fe1598bcfea44953d8ed8780da9dea
SHA3-384 hash: 45b82b354fcb529d80ee532bbc313cef08f28a23af67feb3f40b1d0dbe5846d85028a625598fc1546dfdd92dd6214038
SHA1 hash: 398ece03bc82a284caf4aa001f8f335e9c0605cd
MD5 hash: 7b9611d8a0144297915006d6c4a8439f
humanhash: robin-carpet-red-social
File name: 7b9611d8a0144297915006d6c4a8439f.exe
Signature: PureLogsStealer
File size: 3'046'912 bytes
First seen: 2024-03-17 07:54:57 UTC
Last seen: 2024-03-17 09:25:38 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:0EgcjqZnisX/Xy+VHW/inPevcTyJzUqTuDbsL81lriFLTUXSKs6nmAL:dgAYisX/9V2/inPkEyRclr4wSKAAL
Threatray 750 similar samples on MalwareBazaar
TLSH T181E501E156C0C25EC80A573A702D1C19D7B2AE657A7DE3A8DD8EB2A7FB33381444125F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon 0e63c3c549350d00 (2 x PureLogsStealer)
Reporter abuse_ch
Tags: exe PureLogStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 425
Origin country: NL
Vendor Threat Intelligence
Malware family: asyncrat
ID: 1
File name: ade2ca16b57840a5554d4a77276993da64fe1598bcfea44953d8ed8780da9dea.exe
Verdict: Malicious activity
Analysis date: 2024-03-17 07:59:34 UTC
Tags: rat asyncrat remote

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: lolbin packed shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Dark Crystal RAT
Verdict: Malicious
Result
Threat name: PureLog Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Encoded PowerShell Command Line
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
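The two Sigma hits in the list above ("Powershell Base64 Encoded MpPreference Cmdlet" and "Suspicious Encoded PowerShell Command Line") point at one step of the chain: powershell.exe launched with -EncodedCommand, whose payload (base64 over UTF-16LE) adjusts Windows Defender preferences. As an added example that is not part of the MalwareBazaar page, the sandbox report or any Sigma rule, the Python below decodes such command lines from constructed process-creation records and flags the ones whose decoded script calls Add-MpPreference or Set-MpPreference with an exclusion or disable parameter. The record format, the sample lines and the encoded payloads are constructed here; the exclusion path merely reuses the dropped-file location the report lists, the page does not state what the real encoded command contained.

```python
import base64
import re

# Constructed process-creation records (image|command line). They are made up
# for this example and are not taken from the sandbox report; the encoded
# payloads are generated below so the example runs offline. The dropped-file
# path mirrors the one the report lists.
DROPPED = r"C:\Users\user\AppData\Roaming\Yisspwzh.exe"


def encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_LOGS = [
    "powershell.exe|powershell.exe -NoProfile -w hidden -enc "
    + encode_ps(f'Add-MpPreference -ExclusionPath "{DROPPED}"'),
    "powershell.exe|powershell.exe -ExecutionPolicy Bypass -EncodedCommand "
    + encode_ps("Set-MpPreference -DisableRealtimeMonitoring $true"),
    "powershell.exe|powershell.exe -enc " + encode_ps("Get-Date"),
    "cmd.exe|cmd.exe /c whoami",
]

# powershell.exe accepts -EncodedCommand and its abbreviations (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{16,})"
)
MPPREF = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b")
DEFENDER_TAMPER = re.compile(
    r"(?i)-(?:ExclusionPath|ExclusionProcess|ExclusionExtension|"
    r"DisableRealtimeMonitoring|DisableIOAVProtection|DisableBehaviorMonitoring)\b"
)


def decode_encoded_command(cmdline: str):
    """Return the script behind -EncodedCommand, or None if absent or not valid base64/UTF-16LE."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def classify(record: str) -> dict:
    """Tag one record: 'encoded_powershell' for any decodable -enc payload, plus
    'mppreference_tamper' when that payload changes Defender preferences."""
    image, _, cmdline = record.partition("|")
    decoded = decode_encoded_command(cmdline)
    alerts = []
    if decoded is not None:
        alerts.append("encoded_powershell")
        if MPPREF.search(decoded) and DEFENDER_TAMPER.search(decoded):
            alerts.append("mppreference_tamper")
    return {"image": image, "decoded": decoded, "alerts": alerts}


def scan(records):
    """Classify every record; callers filter on the 'alerts' list."""
    return [classify(r) for r in records]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        if hit["alerts"]:
            print(hit["image"], hit["alerts"], repr(hit["decoded"]))
```

Decoding before matching is the point: a rule that only looks for the literal string "MpPreference" in the command line never sees it, because the cmdlet name exists only inside the UTF-16LE payload. The same decoder is reusable for the other encoded-command Sigma hit; what differs is only the pattern applied to the decoded text.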
Behaviour
Behavior Graph ID: 1410309
Sample: VeaQpjNeMZ.exe
Start date: 17/03/2024
Architecture: WINDOWS
Score: 100
Process tree and observations (flattened from the behavior graph):
- Sample root: resolves yosire.duckdns.org (Uses dynamic DNS services); Snort IDS alert for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 7 other signatures. Starts VeaQpjNeMZ.exe, Yisspwzh.exe (two instances) and svchost.exe.
- VeaQpjNeMZ.exe: drops C:\Users\user\AppData\Roaming\Yisspwzh.exe (PE32); Found many strings related to Crypto-Wallets (likely being stolen); Encrypted powershell cmdline option found; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent). Starts AppLaunch.exe and two powershell.exe instances.
- Yisspwzh.exe (first instance): Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions. Starts powershell.exe and AppLaunch.exe.
- Yisspwzh.exe (second instance): Allocates memory in foreign processes; Injects a PE file into a foreign processes. Starts powershell.exe and AppLaunch.exe.
- svchost.exe: 127.0.0.1.
- AppLaunch.exe (from VeaQpjNeMZ.exe): yosire.duckdns.org 91.92.252.228, ports 49716, 56001 (THEZONEBG, Bulgaria); Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Found many strings related to Crypto-Wallets (likely being stolen); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 3 other signatures.
- powershell.exe instances: start chrome.exe, conhost.exe and WmiPrvSE.exe.
- chrome.exe: 192.168.2.5, ports 443, 49476, 49703; 239.255.255.250 (Reserved); spawns child chrome.exe processes.
- child chrome.exe: 142.250.80.4, ports 443, 49735 (GOOGLEUS, United States); google.com 142.251.40.142, ports 443, 49712; www.google.com 142.251.40.196, ports 443, 49719, 49720.
Threat name: ByteCode-MSIL.Trojan.AsyncRAT
Status: Malicious
First seen: 2024-03-14 03:27:39 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 20 of 24 (83.33%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:zgrat persistence rat
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Detect ZGRat V1
ZGRat
Unpacked files
SHA256 hash: 459f1c9ddfcd176b200056024f324399e907c08ec7b40bcd95f5ca1970a6d06b
MD5 hash: 1f07063d4f6dac3a630e2f3b7f9c39f8
SHA1 hash: dc144e5ebed04dbdb4587b39971ffb26e48c53d6
SHA256 hash: 19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash: 4e29f75c0c51b9dec76955f0382d9541
SHA1 hash: 4899aa8e3f57339cbaec8faab777897a76fe1c3a
SHA256 hash: 47b688592f25175ba7207ab738015c942c9d7ee3860a7238c9e3580bd0c90745
MD5 hash: 22c7861d1fa84767d36a01de79fb5ebf
SHA1 hash: 406c8ab157f67a6d0ced58d013874ad2d0e91459
SHA256 hash: ade2ca16b57840a5554d4a77276993da64fe1598bcfea44953d8ed8780da9dea
MD5 hash: 7b9611d8a0144297915006d6c4a8439f
SHA1 hash: 398ece03bc82a284caf4aa001f8f335e9c0605cd
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID: CHECK_AUTHENTICODE; Title: Missing Authenticode; Severity: high
ID: CHECK_DLL_CHARACTERISTICS; Title: Missing DLL security characteristics (GUARD_CF); Severity: high
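Both findings come from two fields of the PE optional header: the DllCharacteristics word (GUARD_CF is bit 0x4000) and the security data directory (index 4), which holds the Authenticode certificate table when a file is signed. As an added example that is neither BLint's code nor anything shipped with MalwareBazaar, the Python below reads those fields from raw PE bytes and reports the same two finding IDs. It handles both PE32 and PE32+ layouts, and the header bytes it runs against are constructed inside the block (a minimal, non-runnable header, not this sample). The constant names follow winnt.h.

```python
import struct

# DllCharacteristics bits (winnt.h)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # certificate table (Authenticode) directory index


def pe_security_properties(data: bytes) -> dict:
    """Read DllCharacteristics and the certificate table entry from PE bytes.

    Mirrors the two BLint checks: is GUARD_CF set, is a certificate table present.
    A present certificate table only means a signature blob exists; validating it
    needs a real verifier (signtool verify, Get-AuthenticodeSignature, osslsigncode).
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    opt = coff + 20                                  # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        fmt, dd_off = "PE32", 96                     # data directories start at +96
    elif magic == 0x20B:
        fmt, dd_off = "PE32+", 112                   # 8-byte ImageBase, no BaseOfData
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in both formats
    n_dirs = struct.unpack_from("<I", data, opt + dd_off - 4)[0]  # NumberOfRvaAndSizes
    sec_off, sec_size = 0, 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # For the security directory the first field is a raw file offset, not an RVA.
        sec_off, sec_size = struct.unpack_from(
            "<II", data, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    props = {
        "format": fmt,
        "guard_cf": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "authenticode_present": sec_size != 0,
        "certificate_table": (sec_off, sec_size),
    }
    findings = []
    if not props["authenticode_present"]:
        findings.append("CHECK_AUTHENTICODE: Missing Authenticode")
    if not props["guard_cf"]:
        findings.append("CHECK_DLL_CHARACTERISTICS: Missing GUARD_CF")
    props["findings"] = findings
    return props


def build_pe_header(dll_characteristics: int, security_size: int = 0, plus: bool = True) -> bytes:
    """Construct a minimal, non-runnable PE header for testing (constructed data,
    not a real sample). Only the fields the check reads carry meaningful values."""
    opt_size, magic, ndirs_off, dd_off = (240, 0x20B, 108, 112) if plus else (224, 0x10B, 92, 96)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE header right after DOS header
    machine = 0x8664 if plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, ndirs_off, 16)       # all 16 data directories present
    if security_size:
        struct.pack_into("<II", opt, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, security_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(pe_security_properties(f.read()))
    else:
        print(pe_security_properties(build_pe_header(0x0160)))
```

Run with a file path to inspect a real binary, or without arguments to see the constructed unsigned, non-CFG header produce the same two findings as above. Two caveats when reading these results on this sample: managed (.NET) assemblies are generally built without the GUARD_CF flag, since control-flow protection for JIT-compiled code comes from the runtime rather than the image header, so that finding is expected for a .NET executable and carries little signal by itself; and a present certificate table is not a valid signature, so "Authenticode present" should be followed by an actual signature check before it is trusted.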

Comments