MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3e052743e942d601719b413754f2d7539be318e8af20de6c476e175dc1bd000. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b3e052743e942d601719b413754f2d7539be318e8af20de6c476e175dc1bd000
SHA3-384 hash: 68b9575dd392d482855293d5cf3542977af72b94aca9a641a442d695358ce4bff9f572467153768b92f2f8539432adb3
SHA1 hash: c4f3b0e4d2c4e84cfe9b38447910c032ade38aa9
MD5 hash: a72bbdcafba3b40c6f2e7d86844ac059
humanhash: montana-snake-papa-delaware
File name:a72bbdcafba3b40c6f2e7d86844ac059
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:3'263'488 bytes
First seen:2024-01-29 07:08:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:xKuv6JXD+yHot/1Jl/7dCwBxzqxti+Cz6DWmhknc6ea73GhlfMQdSHmzMce30yp6:Ytz9IttJpTPUGsQc6ea7uNMQdSGFis
Threatray 2'765 similar samples on MalwareBazaar
TLSH T1EAE5226373065A73CB956736DAB7A7050320FA672503D70BA7C962A9240B3BF1F92707
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:64 exe PureLogStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
362
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
4363463463464363463463463.exe
Verdict:
Malicious activity
Analysis date:
2024-01-30 00:26:25 UTC
Tags:
hausbomber loader stealer stealc opendir redline keylogger phorpiex trojan payload agenttesla marsstealer arechclient2 backdoor ramnit amadey botnet risepro laplasclipper rhadamanthys netsupport unwanted lokibot evasion gcleaner asyncrat socks5systemz proxy doina miner lumma remote rat gh0st raccoon arkei ransomware quasar
Link:
https://app.any.run/tasks/567b0b71-40b4-4423-a113-0b88267c8c3d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/473345/
Detection(s):
Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Win.Trojan.EmbeddedReversedDLL-9940922-0
Create hunting rule

Win.Trojan.Generic-10014419-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
DNS request
Sending a UDP request
Sending a custom TCP request
Sending an HTTP GET request
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65b74f101f6a03f0c4e55958/reports/80d4055b-92f8-410c-bed0-54f686d6038c/overview
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/b3e052743e942d601719b413754f2d7539be318e8af20de6c476e175dc1bd000
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ac224210-076b-4d70-a30b-551176a849a1
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1382496
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b3e052743e942d601719b413754f2d7539be318e8af20de6c476e175dc1bd000
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b3e052743e942d601719b413754f2d7539be318e8af20de6c476e175dc1bd000/
Threat name:
Win64.Trojan.Barys
Create hunting rule
Status:
Malicious
First seen:
2024-01-28 22:01:01 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wpqfe5b6sqwwafyzwqjxktznou434mmorlza3zweo3qxlxa32aaa._file
Verdict:
malicious
Similar samples:
0452dcaafbe9bc6dfee7a44e35738477a4e99a00983593aba7698c4636a5f59c
PureLogsStealer
05e54dba8d44042c6546f6acf6750346061dffb4392e8c7d1f5de9336ed91194
PureLogsStealer
4acddc15352051552d4684fff6d07d18305cf7276d208adf7e2f59c5a70c909a
PureLogsStealer
57796415e63c65c46e5b50b07c05691a7389dca60a7fe5ba80607431a8c2051a
PureLogsStealer
63dfb807979d87f725cafcd7d9b5de5df1b32c6801ca9a1b058247da329dcb22
PureLogsStealer
85015ad6ba1de268a69c138776c23e9d1a39a69063d525f74b1ef349b9031ffd
PureLogsStealer
90f43f41f50f5c7f266f9353d21c3733468bad8644be318d48568415a6d9b89b
PureLogsStealer
cf8bd7afba19441ccbda49f2de67963319fe44002b9ad3edf1f65eeee7f1be34
PureLogsStealer
d13bebabc4063d86102cef3bdaed105d826ee3f604986eebefa2e8be3620f29d
PureLogsStealer
+ 2'755 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat rat
Link:
https://tria.ge/reports/240129-hysqjaeadj/
Behaviour
GoLang User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
b3e052743e942d601719b413754f2d7539be318e8af20de6c476e175dc1bd000
MD5 hash:
a72bbdcafba3b40c6f2e7d86844ac059
SHA1 hash:
c4f3b0e4d2c4e84cfe9b38447910c032ade38aa9
Detections:
Typical_Malware_String_Transforms
Create hunting rule
Link:
https://www.unpac.me/results/da30e697-3da6-45a9-a4ac-835f452393db/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b3e052743e942d601719b413754f2d7539be318e8af20de6c476e175dc1bd000

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

Executable exe b3e052743e942d601719b413754f2d7539be318e8af20de6c476e175dc1bd000

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2752964/
Cape
Cape
https://www.capesandbox.com/analysis/473345/

Comments


Avatar
zbet commented on 2024-01-29 07:08:34 UTC

url : hxxp://185.196.10.146/Iiympojf.exe