MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce8f36cb260a5e3d03fab13624208d531551b5dc82e2097b9dd38707c32852de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce8f36cb260a5e3d03fab13624208d531551b5dc82e2097b9dd38707c32852de
SHA3-384 hash: dcb17b700d54982e00dc8864660c10a8ae3a8b2f402d7b9ed82135e2a995facf7ee162472d6a07a9623fcb72b6837ebb
SHA1 hash: ce837c7ac128e361217316041891da0872b87290
MD5 hash: bda9523d7221942e46def67ed473e33e
humanhash: whiskey-one-enemy-oven
File name:Stien.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:49'664 bytes
First seen:2024-05-22 04:34:40 UTC
Last seen:2024-05-22 05:27:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 768:+GJzSq8Maq5s9OIyziuT/2dcWhzzkOFbQBU669RhQM+8M+FG:+RqfKOtiuTuRbQALK
TLSH T111236F5063A8FBA5D4690BF4E42210F10FBD6D1AE926D68B1CCCBDCE74B2BC74511A93
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 5106d0d4d4d40145 (1 x PureLogsStealer)
Reporter 1ZRR4H
Tags:exe PureLogStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
358
Origin country :
CL CL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ce8f36cb260a5e3d03fab13624208d531551b5dc82e2097b9dd38707c32852de.exe
Verdict:
Malicious activity
Analysis date:
2024-05-22 04:35:32 UTC
Tags:
loader purecrypter purelogs exfiltration stealer payload
Link:
https://app.any.run/tasks/e4cf56ad-76be-4c62-8ab3-e73dd82dd135

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.BackdoorX-gen.14328.24344.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=664d76338e7dbc7fe29b478fwin7simulatehigh_evasion
Tags:
Banker Encryption Execution Generic Network Other Static Stealth Psdownloader Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Launching a process
Creating a file in the %temp% subdirectories
Creating a process with a hidden window
Searching for the window
DNS request
Connection attempt
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Forced system process termination
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint
Link:
https://www.filescan.io/uploads/664d75f9f0c7e56a745a57b2/reports/f65c366c-ad72-4b4a-a5f5-5e269aeeafd7/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/ce8f36cb260a5e3d03fab13624208d531551b5dc82e2097b9dd38707c32852de
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/65d44577-7f4d-4402-b387-d5069d21e4fb
Result
Threat name:
PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1445524
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Contains functionality to capture screen (.Net source)
Drops PE files to the startup folder
Drops PE files to the user root directory
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Copy file to startup via Powershell
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Execution from Suspicious Folder
Sigma detected: Execution of Powershell Script in Public Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected UAC Bypass using CMSTP
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1445524 Sample: Stien.exe Startdate: 22/05/2024 Architecture: WINDOWS Score: 100 92 voucher-01-static.com 2->92 94 fallback-01-static.com 2->94 96 3 other IPs or domains 2->96 108 Multi AV Scanner detection for domain / URL 2->108 110 Malicious sample detected (through community Yara rule) 2->110 112 Antivirus detection for URL or domain 2->112 114 22 other signatures 2->114 11 Stien.exe 6 2->11         started        15 hggzshwo.exe 2->15         started        17 Sys.exe 2->17         started        19 3 other processes 2->19 signatures3 process4 file5 82 C:\Users\Public\user.inf, Windows 11->82 dropped 84 C:\Users\Public\D.ps1, ASCII 11->84 dropped 124 Suspicious powershell command line found 11->124 21 powershell.exe 12 11->21         started        23 powershell.exe 28 11->23         started        126 Multi AV Scanner detection for dropped file 15->126 128 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 15->128 130 Modifies the context of a thread in another process (thread injection) 15->130 27 powershell.exe 15->27         started        29 hggzshwo.exe 15->29         started        132 Injects a PE file into a foreign processes 17->132 32 powershell.exe 17->32         started        34 Sys.exe 17->34         started        134 Loading BitLocker PowerShell Module 19->134 36 conhost.exe 19->36         started        38 WmiPrvSE.exe 19->38         started        40 2 other processes 19->40 signatures6 process7 dnsIp8 42 Xwemz.exe 21->42         started        47 curl.exe 2 21->47         started        49 conhost.exe 21->49         started        78 C:\Users\user\AppData\...\3ty1lipo.cmdline, Unicode 23->78 dropped 116 Found many strings related to Crypto-Wallets (likely being stolen) 23->116 118 Drops PE files to the startup folder 23->118 120 Suspicious execution chain found 23->120 51 csc.exe 3 23->51         started        53 cmstp.exe 9 7 23->53         started        55 conhost.exe 23->55         started        80 C:\Users\user\AppData\Roaming\...\Sys.exe, PE32+ 27->80 dropped 122 Powershell drops PE file 27->122 57 conhost.exe 27->57         started        106 adobeartsia.com 111.90.159.210 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia 29->106 59 conhost.exe 32->59         started        file9 signatures10 process11 dnsIp12 100 fallback-01-static.com 111.90.145.132, 49733, 49740, 7722 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia 42->100 86 C:\Users\user\AppData\Local\Temp\Uxfai.exe, PE32 42->86 dropped 136 Antivirus detection for dropped file 42->136 138 Multi AV Scanner detection for dropped file 42->138 140 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 42->140 144 6 other signatures 42->144 61 Uxfai.exe 42->61         started        102 voucher-01-static.com 94.154.172.166, 49732, 49741, 49742 LVLT-10753US Germany 47->102 104 127.0.0.1 unknown unknown 47->104 88 C:\Users\Public\Xwemz.exe, PE32 47->88 dropped 142 Drops PE files to the user root directory 47->142 90 C:\Users\user\AppData\Local\...\3ty1lipo.dll, PE32 51->90 dropped 64 cvtres.exe 1 51->64         started        file13 signatures14 process15 signatures16 146 Multi AV Scanner detection for dropped file 61->146 148 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 61->148 150 Bypasses PowerShell execution policy 61->150 152 Injects a PE file into a foreign processes 61->152 66 powershell.exe 61->66         started        69 Uxfai.exe 61->69         started        process17 dnsIp18 74 C:\Users\user\AppData\Roaming\...\Uxfai.exe, PE32 66->74 dropped 72 conhost.exe 66->72         started        98 strang-01-static.com 111.90.145.141, 49743, 49744, 49746 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia 69->98 76 C:\Users\user\AppData\Local\...\hggzshwo.exe, PE32+ 69->76 dropped file19 process20
Score:
71%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ce8f36cb260a5e3d03fab13624208d531551b5dc82e2097b9dd38707c32852de
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce8f36cb260a5e3d03fab13624208d531551b5dc82e2097b9dd38707c32852de/
Threat name:
ByteCode-MSIL.Trojan.PsDownloader
Create hunting rule
Status:
Malicious
First seen:
2024-05-18 08:57:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z2htnszgbjpd2a72we3ciienkmkvdno4qlras6452odqpqziklpa._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection execution spyware stealer
Link:
https://tria.ge/reports/240522-e7nw6acb69/
Behaviour
Kills process with taskkill
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ef89521f-ca2f-4c4d-bd04-6599f96e3117
Unpacked files
SH256 hash:
ce8f36cb260a5e3d03fab13624208d531551b5dc82e2097b9dd38707c32852de
MD5 hash:
bda9523d7221942e46def67ed473e33e
SHA1 hash:
ce837c7ac128e361217316041891da0872b87290
Link:
https://www.unpac.me/results/fcbea417-e7f8-4b4e-80d9-ed27ff288305/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ce8f36cb260a5e3d03fab13624208d531551b5dc82e2097b9dd38707c32852de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments