MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3ebf4be0b4811457b9e366c08c5543ae9904dc028417aa378095ca9c8036984. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureLogsStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 9 File information Comments 1

SHA256 hash:	c3ebf4be0b4811457b9e366c08c5543ae9904dc028417aa378095ca9c8036984
SHA3-384 hash:	5d89c15d176eeb2dd47b3b0dade589751ddee85593f8b20869554f5b4757d4a4e3037cfddfbb85bceb2369b338f6f364
SHA1 hash:	89013252009fb87d3426e2af410262c60e6b580a
MD5 hash:	9281e132092aa6f21a89301ade20ab55
humanhash:	lake-burger-fillet-ohio
File name:	9281e132092aa6f21a89301ade20ab55
Download:	download sample
Signature	PureLogsStealer Create hunting rule
File size:	5'472'312 bytes
First seen:	2024-02-26 09:30:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	49152:/A9/U293yDrnaUOIHYwoSVxYLpUwtI/zg7/r:t293yDrnaUOGYcuKD/Sr
Threatray	160 similar samples on MalwareBazaar
TLSH	T199464B01FFFA5E8AC246177F895345D762A6E9CC9343EB2F069CE91F1D007492E992C2
TrID	70.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 12.9% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 2.5% (.ICL) Windows Icons Library (generic) (2059/9) 2.4% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	zbetcheckin
Tags:	64 exe PureLogStealer

Intelligence

File Origin

# of uploads :

# of downloads :

327

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/477778/

Detection(s):

Win.Trojan.EmbeddedDotNetBinary-9940868-0

Win.Trojan.EmbeddedReversedDLL-9940922-0

Win.Trojan.Generic-10014419-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

Enabling autorun by creating a file

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

keylogger overlay packed

Link:

https://www.filescan.io/uploads/65dc5a59e304215defb7d727/reports/1e34a1cf-64d2-4138-b868-cabf79006234/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/c3ebf4be0b4811457b9e366c08c5543ae9904dc028417aa378095ca9c8036984

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/021da78e-3552-494d-8f86-a8cf0d396950

Result

Threat name:

PureLog Stealer

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1398629

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus detection for URL or domain

Bypasses PowerShell execution policy

Encrypted powershell cmdline option found

Injects a PE file into a foreign processes

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Potential dropper URLs found in powershell memory

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c3ebf4be0b4811457b9e366c08c5543ae9904dc028417aa378095ca9c8036984

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c3ebf4be0b4811457b9e366c08c5543ae9904dc028417aa378095ca9c8036984/

Threat name:

Win64.Trojan.Smokeloader

Status:

Malicious

First seen:

2024-02-26 09:31:11 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ypv7jpqljaiuk646gzwarrkuhluzatoafbaxvi3ybfoktsadngca._file

Verdict:

malicious

PureLogsStealer

552686b2265e72d6eb05add08edb3415b932393b65370d087660dff37d4616b8

PureLogsStealer

68d282c16c83a849e29fb395b3e1864c3df158edf47a92ffb078b81dcafd7888

PureLogsStealer

72f5f9230c025a393d1362241679fd0dd5c48b7e3786591f35b3f74eccf53978

PureLogsStealer

936b6537581510b28c42dfc24d97d1c668e12744942ac4ad723e4b66c43c68f8

PureLogsStealer

b12ca6670877a54a4762123516c35021e8ec9c5c231f31a134cde611fea65490

PureLogsStealer

d9112ca0fbd3b9456db0410639f4380531cc0cf60c736ebc13189ad0b917f102

PureLogsStealer

ddd3762a1f95e1f86b86a92e54f2d52b2e9b96499a6fdc07fab98813eeaca8a2

PureLogsStealer

+ 150 additional samples on MalwareBazaar

Result

Malware family:

zgrat

Score:

10/10

Tags:

family:zgrat rat

Link:

https://tria.ge/reports/240226-lg2tnaaf3z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Drops file in System32 directory

Suspicious use of SetThreadContext

Executes dropped EXE

Loads dropped DLL

Detect ZGRat V1

ZGRat

Unpacked files

SH256 hash:

c3ebf4be0b4811457b9e366c08c5543ae9904dc028417aa378095ca9c8036984

MD5 hash:

9281e132092aa6f21a89301ade20ab55

SHA1 hash:

89013252009fb87d3426e2af410262c60e6b580a

Detections:

Typical_Malware_String_Transforms

Link:

https://www.unpac.me/results/bc369c94-03c9-4db7-93f1-0b9f31599cc3/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c3ebf4be0b48/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Typical_Malware_String_Transforms_RID3473 Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research