MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf3102636a070178cf575bc0e870fda7aa32d94dd6000d46de7205d064b0bd40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf3102636a070178cf575bc0e870fda7aa32d94dd6000d46de7205d064b0bd40
SHA3-384 hash: 7b968af5aeee1bbf75ccbb3aeab8c5b1e207083446ad9db48393ab565224cee6411228e4a5e20b6b9593daaedb56e876
SHA1 hash: a091aad8999eb8c9b833091044b6d7a0a89e4a4e
MD5 hash: e43b76667963ad1cdf1f1603a1a67b79
humanhash: minnesota-september-monkey-friend
File name:responsibilitylead.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:6'887'424 bytes
First seen:2024-04-08 15:44:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 196608:SAERid74MOMmrcKlW17Lv3+btkw0NBIdA8gkt8sYg:SA8idEMmrHlW1fWJtFBv
Threatray 351 similar samples on MalwareBazaar
TLSH T1AB66332432F8827AE5EFA67BE8481A445FF9403AB786F3A2704163F41417B15678736F
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter joju29
Tags:exe PureLogStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
324
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cf3102636a070178cf575bc0e870fda7aa32d94dd6000d46de7205d064b0bd40.exe
Verdict:
Malicious activity
Analysis date:
2024-04-08 15:46:52 UTC
Tags:
meduza stealer
Link:
https://app.any.run/tasks/222ca9a2-bf42-48fb-985a-006f55992f71

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Creating a file
Сreating synchronization primitives
Moving a file to the Program Files subdirectory
Replacing files
Creating a window
Connection attempt to an infection source
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6614110735699b4745c17bc3/reports/787e40a0-a554-4170-8795-ab6520358f22/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/cf3102636a070178cf575bc0e870fda7aa32d94dd6000d46de7205d064b0bd40
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b258286b-86ae-44b5-85b5-e7a21676d5b9
Result
Threat name:
CredGrabber, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1422452
Signature
.NET source code contains potential unpacker
Contains functionality to inject code into remote processes
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected CredGrabber
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cf3102636a070178cf575bc0e870fda7aa32d94dd6000d46de7205d064b0bd40
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf3102636a070178cf575bc0e870fda7aa32d94dd6000d46de7205d064b0bd40/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2024-04-08 02:44:00 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
8 of 38 (21.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z4yqey3ka4axrt2xlpaoq4h5u6vdfwkn2yaa2rw6oic5azfqxvaa._file
Verdict:
malicious
Similar samples:
07632170506689c16d08c0ffe3b8ac37f959a35e5a4ac811e38318ac83b58f92
PureLogsStealer
0f8b8e294577598a477970e3e2ac5b5a1bda0b90aacb61eca90b2b1cb80a119d
PureLogsStealer
5803fdc567c98f8d902020390105fb26fc61370a21a5af7aa1152ce1414db0e2
PureLogsStealer
74531f459fdb6837669583dc731b7a6afad5378782ab8bca5d726edac753f251
PureLogsStealer
907706946fe86a55bf29fefb4e5d2d0f0f490bd1b565cb39bdf8daad60acabfc
PureLogsStealer
dbbe21f14ca93d658be3606974e289edf4b205b22d967324c49cba1950f29b9e
PureLogsStealer
dfa2a1ac549c911af8183707ba1fed1e8c401f8e448ea36bb7825d03df0f4c5a
PureLogsStealer
+ 341 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:meduza family:purelogstealer family:zgrat collection rat stealer
Link:
https://tria.ge/reports/240408-s62zaada76/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Detect ZGRat V1
Meduza
Meduza Stealer payload
PureLog Stealer
PureLog Stealer payload
ZGRat
Malware Config
C2 Extraction:
109.107.181.83
Unpacked files
SH256 hash:
cf3102636a070178cf575bc0e870fda7aa32d94dd6000d46de7205d064b0bd40
MD5 hash:
e43b76667963ad1cdf1f1603a1a67b79
SHA1 hash:
a091aad8999eb8c9b833091044b6d7a0a89e4a4e
Link:
https://www.unpac.me/results/f2536bb5-8cb5-49e8-8c21-463dedf8252b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cf3102636a07/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf3102636a070178cf575bc0e870fda7aa32d94dd6000d46de7205d064b0bd40

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments