MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca58a17fe665c5997d673e7e5317d2a70dc2225ced1dbeea010888874ae48a81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PureLogsStealer


Vendor detections: 13



SHA256 hash: ca58a17fe665c5997d673e7e5317d2a70dc2225ced1dbeea010888874ae48a81
SHA3-384 hash: 40ccdd8f2717b3a62d996a1d5c7ca271e790d1f6a6235ff6968a2e47e43e46c9123a4c8772e64f33f5ecb092c939ad72
SHA1 hash: 0a88bb498001120fc5ae83764c5339f06ae70bac
MD5 hash: d18dbc8c3596af59d661a2d0437bb173
humanhash: moon-johnny-beryllium-oklahoma
File name: file
Signature: PureLogsStealer
File size: 2'799'840 bytes
First seen: 2024-05-13 17:03:45 UTC
Last seen: 2024-05-13 17:19:06 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f6df573862725a7261d77e9eebaebd3a (1 x AgentTesla, 1 x Stealc, 1 x Glupteba)
ssdeep: 24576:IRoBHi3buy4toE1jC6Ayo2xhWLbSPlqRvc68XzRVGvWB5VA0UC1dUUKj/yZ8j3gV:KoKmo4jC6TovwRUC1doj/ngV
Threatray: 17 similar samples on MalwareBazaar
TLSH: T1F1D5AE15D3F801A5D47BD634CA2D8733D6B0B8561B34E28B0A09D7962F73A928B7F721
TrID: 45.9% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
      33.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
      8.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
      3.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter: jstrosch
Tags: exe PureLogStealer signed X64

Code Signing Certificate

Organisation: Microsoft Code Signing PCA 2011
Issuer: Microsoft Code Signing PCA 2011
Algorithm: sha256WithRSAEncryption
Valid from: 2024-05-12T18:35:31Z
Valid to: 2025-05-12T18:35:31Z
Serial number: dfdc0967326b0892d0a37f9213a03ec3
Thumbprint Algorithm: SHA256
Thumbprint: 5414dc5991ef4fda57e27bbbb62d91501d9dff8641a8ce3f9c879ecf34767aff
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


jstrosch
Found at hxxp://5.42.96[.]78/files/file300un.exe by #subcrawl

Intelligence


File Origin
# of uploads: 2
# of downloads: 311
Origin country: US
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ca58a17fe665c5997d673e7e5317d2a70dc2225ced1dbeea010888874ae48a81.exe
Verdict: Malicious activity
Analysis date: 2024-05-13 17:06:52 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Launching a process
Creating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Sending an HTTP GET request
Creating a process from a recently created file
Creating a process with a hidden window
Searching for analyzing tools
Searching for synchronization primitives
Modifying a system file
Using the Windows Management Instrumentation requests
Replacing files
Creating a window
Creating a file in the %temp% directory
Launching a service
Sending a UDP request
Reading critical registry keys
Moving a file to the %temp% directory
Running batch commands
Launching cmd.exe command interpreter
Deleting a system file
Moving a recently created file
Connection attempt to an infection source
Query of malicious DNS domain
Blocking the Windows Defender launch
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: fingerprint hacktool lolbin overlay packed regedit remote shell32
Result
Threat name: PureLog Stealer, Vidar, zgRAT
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Exclude list of file types from scheduled, custom, and real-time scanning
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Writes many files with high entropy
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph: (Behavior Graph ID: 1440729; Sample: file.exe; Startdate: 13/05/2024; Architecture: WINDOWS; Score: 100. The rendered process/network/file graph is not reproduced here.)
Threat name: Win64.Trojan.Amadey
Status: Malicious
First seen: 2024-05-12 21:55:40 UTC
File Type: PE+ (Exe)
Extracted files: 1
AV detection: 18 of 24 (75.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:glupteba family:privateloader family:xmrig bootkit discovery dropper evasion execution loader miner persistence ransomware spyware stealer themida trojan upx
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks for any installed AV software in registry
Checks installed software on the system
Checks whether UAC is enabled
Drops Chrome extension
Drops desktop.ini file(s)
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Reads user/profile data of web browsers
Registers COM server for autorun
Themida packer
UPX packed file
Unexpected DNS network traffic destination
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Installed Components in the registry
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Sets service image path in registry
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies boot configuration data using bcdedit
XMRig Miner payload
Glupteba
Glupteba payload
Modifies firewall policy service
PrivateLoader
xmrig
Unpacked files
SHA256 hash: ca58a17fe665c5997d673e7e5317d2a70dc2225ced1dbeea010888874ae48a81
MD5 hash: d18dbc8c3596af59d661a2d0437bb173
SHA1 hash: 0a88bb498001120fc5ae83764c5339f06ae70bac
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Author:ditekSHen
Description:Detects executables (downloaders) containing URLs to raw contents of a paste
Rule name:MSIL_TinyDownloader_Generic
Author:albertzsigovits
Description:Detects small-sized dotNET downloaders
Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:pe_imphash
Rule name:PE_Potentially_Signed_Digital_Certificate
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer: Executable exe ca58a17fe665c5997d673e7e5317d2a70dc2225ced1dbeea010888874ae48a81 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF) | high
Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | ADVAPI32.dll::RevertToSelf
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges, ADVAPI32.dll::CheckTokenMembership, ADVAPI32.dll::DuplicateTokenEx, ADVAPI32.dll::GetTokenInformation, ADVAPI32.dll::ImpersonateLoggedOnUser
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW, ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::OpenProcess, ADVAPI32.dll::OpenThreadToken, KERNEL32.dll::VirtualAllocEx, KERNEL32.dll::VirtualAllocExNuma
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::DeleteVolumeMountPointW, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetVolumeInformationW, KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::AllocConsole, KERNEL32.dll::WriteConsoleW, KERNEL32.dll::FreeConsole, KERNEL32.dll::GetConsoleOutputCP, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleWindow, KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileExW, KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileExW, KERNEL32.dll::ReplaceFileW
WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_API | Can Encrypt Files | bcrypt.dll::BCryptDestroyKey, bcrypt.dll::BCryptGenerateSymmetricKey, bcrypt.dll::BCryptGenRandom, bcrypt.dll::BCryptOpenAlgorithmProvider, bcrypt.dll::BCryptCloseAlgorithmProvider
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegOpenKeyExW, ADVAPI32.dll::RegQueryValueExW, ADVAPI32.dll::RegSetValueExW, ADVAPI32.dll::RegSetValueExA

Comments