MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c875d48e9242fff77283972803a88ca27a9045381a42c57c94f105cee7e0549c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PureLogsStealer


Vendor detections: 13

SHA256 hash: c875d48e9242fff77283972803a88ca27a9045381a42c57c94f105cee7e0549c
SHA3-384 hash: 6ab7dda607b3940bd4bbf04ce2aa76fe314f568653b2acd84e19ce6c764010fe974349f67995e8f47b00d1bec2290d2f
SHA1 hash: 104e60ea49811a2b33442c5192b0d5f539fd235e
MD5 hash: 002f6f310a1ea664bfe07e5dd7045676
humanhash: enemy-snake-lamp-idaho
File name: 002f6f310a1ea664bfe07e5dd7045676.exe
Signature: PureLogsStealer
File size: 5'862'400 bytes
First seen: 2024-03-17 08:12:02 UTC
Last seen: 2024-03-17 09:25:39 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 98304:V2wSiJSTjLc3oYusZhfoFH/Ydc4ajxG/zSDZyqBJEJaO6JrRe7kEcEAL:gw1gT84Y1ha/YdAftyziJrRnE
TLSH: T1D04622E546D0C25ED80D573A707C2E18EAB2EE246A79E35DDD8EB497FA73392440021F
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: 0e63c3c549350d00 (2 x PureLogsStealer)
Reporter: abuse_ch
Tags: exe PureLogStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 420
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: c875d48e9242fff77283972803a88ca27a9045381a42c57c94f105cee7e0549c.exe
Verdict: Malicious activity
Analysis date: 2024-03-17 08:15:05 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: lolbin packed shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Dark Crystal RAT
Verdict: Malicious

Result
Threat name: CyberGate, PureLog Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Contain functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Internet Explorer form passwords
Creates multiple autostart registry keys
Encrypted powershell cmdline option found
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Encoded PowerShell Command Line
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected Costura Assembly Loader
Yara detected CyberGate RAT
Yara detected PureLog Stealer
Behaviour
Behavior Graph (ID 1410311): sample QwXO1tx5vB.exe, start date 17/03/2024, architecture WINDOWS, score 100.
Threat name: ByteCode-MSIL.Trojan.AsyncRAT
Status: Malicious
First seen: 2024-03-14 03:28:06 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 22 of 24 (91.67%)
Threat level: 5/5
Verdict: malicious

Result
Malware family: n/a
Score: 10/10
Tags: family:purelogstealer family:zgrat persistence rat stealer
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Detect ZGRat V1
PureLog Stealer
PureLog Stealer payload
ZGRat
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                        | Title                                            | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                             | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF)  | high

Comments