MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d76abbbbe5ab5c33f007a95ac87c2e522eeb446b62ef8d970c4f09022fd77670. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureLogsStealer
Vendor detections: 11



SHA256 hash: d76abbbbe5ab5c33f007a95ac87c2e522eeb446b62ef8d970c4f09022fd77670
SHA3-384 hash: 07dc84488d6fa788076d7c7d4b27115a8c54611288f65820d8c1905e84a0ba0726920f6f0b03fab4a1aab372b6ad3146
SHA1 hash: ec76fe7ff2b09efc07d424b411dc90a528a0bc27
MD5 hash: dd05330febb9988d2bcdc1d0b6123a2b
humanhash: nineteen-social-louisiana-queen
File name: SecuriteInfo.com.Win32.RATX-gen.24946.23294
Signature: PureLogsStealer
File size: 9'382'912 bytes
First seen: 2024-06-28 10:32:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 196608:RZ+ICBPSX5rcu1/NggOUO6j44epDYV9BQMv0eMnPiMDEhyi:REOTNQxDYfBQlZnl
TLSH: T19D9633529B5CE592F8AD777EF420F098EBF1C128F626E38DBA916CD448473C609C2257
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: SecuriteInfoCom
Tags: exe PureLogStealer
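The imphash above is shared with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples, which is what you should expect from a .NET executable: its native import table contains a single entry, the CLR bootstrap export mscoree.dll!_CorExeMain, so every such binary hashes to the same value and the pivot carries no family information. The following added example (not MalwareBazaar code) reimplements the imphash recipe that pefile's get_imphash() uses and runs it over constructed import lists to show this; the import lists are assumptions, the sample itself is not parsed.

```python
"""Reimplement imphash to see why the pivot on this page is so noisy.

Added example, not MalwareBazaar code. It follows the recipe pefile's
get_imphash() uses: for each imported function, in import-table order, take
lower-cased '<dll without .dll/.ocx/.sys>.<function>', join with commas, MD5.
The import lists below are constructed; the sample itself is not parsed here.
"""
import hashlib
from typing import Iterable, Tuple

PAGE_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"  # value listed on this page


def _dll_stem(name: str) -> str:
    """pefile drops only these three extensions before hashing."""
    name = name.lower()
    stem, dot, ext = name.rpartition(".")
    return stem if dot and ext in ("dll", "ocx", "sys") else name


def imphash(imports: Iterable[Tuple[str, str]]) -> str:
    """imports: (dll, function) pairs in import-table order. Ordinal-only imports
    (which pefile renders as 'ordN' or resolves via a lookup table) are not modelled."""
    parts = [f"{_dll_stem(dll)}.{func.lower()}" for dll, func in imports]
    return hashlib.md5(",".join(parts).encode()).hexdigest()


# Every .NET executable's *native* import table is the same single entry: the
# CLR bootstrap export. The program itself lives in CIL metadata, which
# imphash never looks at.
DOTNET_EXE_IMPORTS = [("mscoree.dll", "_CorExeMain")]

# Constructed native import table of an injector, for contrast (assumption).
NATIVE_INJECTOR_IMPORTS = [
    ("KERNEL32.dll", "OpenProcess"),
    ("KERNEL32.dll", "VirtualAllocEx"),
    ("KERNEL32.dll", "WriteProcessMemory"),
    ("KERNEL32.dll", "CreateRemoteThread"),
    ("ADVAPI32.dll", "RegSetValueExW"),
]


def is_generic_dotnet_imphash(value: str) -> bool:
    """True when an imphash is just the .NET stub, i.e. useless as a family pivot."""
    return value.lower() == imphash(DOTNET_EXE_IMPORTS)


if __name__ == "__main__":
    print("page imphash is the generic .NET stub:", is_generic_dotnet_imphash(PAGE_IMPHASH))
    print("native injector imphash:", imphash(NATIVE_INJECTOR_IMPORTS))
```

For managed samples, pivot on ssdeep, TLSH or the extracted-payload hashes instead; imphash only becomes discriminating once the native import table differs between builds, which it never does for a plain .NET stub.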

Intelligence


File Origin
# of uploads: 1
# of downloads: 364
Origin country: FR
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: PureLog Stealer
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Behaviour
Behavior Graph ID: 1464092
Sample: SecuriteInfo.com.Win32.RATX-gen.24946.23294.exe
Start date: 28/06/2024
Architecture: WINDOWS
Score: 100
Sample-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected PureLog Stealer; 6 other signatures
Process tree:
  SecuriteInfo.com.Win32.RATX-gen.24946.23294.exe (started)
    dropped: C:\Users\user\AppData\Local\cvchost.exe (PE32)
    dropped: C:\Users\user\...\cvchost.exe:Zone.Identifier (ASCII)
    dropped: SecuriteInfo.com.W...24946.23294.exe.log (ASCII)
    signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Injects a PE file into a foreign processes; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
    child: MSBuild.exe (started)
      network: 185.125.50.121, ports 49723, 49725, 58001 (INPLATLABS-AS, RU, Russian Federation)
      signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
  cvchost.exe (started)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    child: MSBuild.exe (started)
  cvchost.exe (started, second instance)
    signatures: Allocates memory in foreign processes
    child: MSBuild.exe (started)
Threat name: ByteCode-MSIL.Trojan.Jalapeno
Status: Malicious
First seen: 2024-04-08 20:20:05 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 22 of 38 (57.89%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 6/10
Tags: persistence
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
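Taken together, the vendor results above describe a chain that is visible in ordinary endpoint telemetry: the sample writes cvchost.exe to the user's AppData\Local directory, sets a Run key, spawns MSBuild.exe and injects into it, and the injected MSBuild.exe connects to 185.125.50.121. The following added example (not MalwareBazaar or vendor code) turns those observations plus the hashes on this page into rules and runs them over Sysmon-style events constructed inline; the field names follow Sysmon, while the trusted-parent path list, the Run value name and every other event value are assumptions.

```python
"""Run the behaviour and indicators from this page as detection rules over Sysmon-style events.

Added example, not MalwareBazaar or vendor code. EVENTS below are constructed
to mimic Sysmon EventIDs 1 (ProcessCreate), 3 (NetworkConnect), 11 (FileCreate)
and 13 (RegistryEvent, value set); the IP and hashes are from this page, every
other value is made up.
"""
from typing import Dict, List

IOC_IPS = {"185.125.50.121"}
IOC_SHA256 = {
    "d76abbbbe5ab5c33f007a95ac87c2e522eeb446b62ef8d970c4f09022fd77670",  # submitted sample
    "61d2f105b2665d9c7b56e1baf44cca5c67ea1bb90d26d99cc41289c25d038c38",  # unpacked file
    "19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372",  # unpacked file
    "ae18105029b047cb5c86835011389aefe00a19edb95431f65aec832e16bc9d34",  # unpacked file
}
DROPPED_PATH_SUFFIX = "\\appdata\\local\\cvchost.exe"
# Assumption: MSBuild.exe legitimately runs under build tooling installed here;
# any other parent spawning it is treated as a candidate injection host.
TRUSTED_PARENT_ROOTS = ("c:\\program files", "c:\\windows")


def sha256_of(event: Dict[str, object]) -> str:
    """Pull SHA256 out of Sysmon's 'Hashes' field (e.g. 'MD5=..,SHA256=..')."""
    for part in str(event.get("Hashes", "")).split(","):
        if part.upper().startswith("SHA256="):
            return part.split("=", 1)[1].lower()
    return ""


def evaluate(event: Dict[str, object]) -> List[str]:
    """Return the names of every rule this single event triggers."""
    hits: List[str] = []
    eid = event["EventID"]
    image = str(event.get("Image", "")).lower()
    parent = str(event.get("ParentImage", "")).lower()
    target = str(event.get("TargetFilename", "")).lower()
    reg_key = str(event.get("TargetObject", "")).lower()
    reg_value = str(event.get("Details", "")).lower()

    if sha256_of(event) in IOC_SHA256:
        hits.append("known_hash")
    if eid == 1 and image.endswith("\\msbuild.exe") and not parent.startswith(TRUSTED_PARENT_ROOTS):
        hits.append("msbuild_from_untrusted_parent")
    if eid == 11 and target.endswith(DROPPED_PATH_SUFFIX):
        hits.append("dropped_cvchost")
    if eid == 13 and "\\currentversion\\run\\" in reg_key and "\\appdata\\local\\" in reg_value:
        hits.append("run_key_to_appdata")
    if eid == 3 and event.get("DestinationIp") in IOC_IPS:
        hits.append("c2_address")
    return hits


def triage(events) -> Dict[str, List[str]]:
    """Map each fired rule to the RecordIds that triggered it."""
    fired: Dict[str, List[str]] = {}
    for ev in events:
        for rule in evaluate(ev):
            fired.setdefault(rule, []).append(str(ev["RecordId"]))
    return fired


SAMPLE = "C:\\Users\\user\\Downloads\\SecuriteInfo.com.Win32.RATX-gen.24946.23294.exe"
DROPPED = "C:\\Users\\user\\AppData\\Local\\cvchost.exe"
MSBUILD = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"

EVENTS = [  # constructed telemetry
    {"RecordId": "R1", "EventID": 1, "Image": SAMPLE, "ParentImage": "C:\\Windows\\explorer.exe",
     "Hashes": "MD5=dd05330febb9988d2bcdc1d0b6123a2b,"
               "SHA256=D76ABBBBE5AB5C33F007A95AC87C2E522EEB446B62EF8D970C4F09022FD77670"},
    {"RecordId": "R2", "EventID": 11, "Image": SAMPLE, "TargetFilename": DROPPED},
    {"RecordId": "R3", "EventID": 13, "Image": SAMPLE,
     "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\cvchost",
     "Details": DROPPED},
    {"RecordId": "R4", "EventID": 1, "Image": MSBUILD, "ParentImage": DROPPED},
    {"RecordId": "R5", "EventID": 3, "Image": MSBUILD, "DestinationIp": "185.125.50.121",
     "DestinationPort": 58001},
    # benign noise: MSBuild driven by Visual Studio, and an ordinary outbound connection
    {"RecordId": "R6", "EventID": 1, "Image": MSBUILD,
     "ParentImage": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe"},
    {"RecordId": "R7", "EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for rule, ids in sorted(triage(EVENTS).items()):
        print(f"{rule:32s} {', '.join(ids)}")
```

The hash and IP rules are exact-match and will age quickly; the three behavioural rules (payload dropped into AppData\Local, Run key pointing there, MSBuild.exe spawned by an untrusted parent) are the ones worth keeping, and the MSBuild rule needs tuning of the trusted-parent list for any fleet that runs build tooling.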
Unpacked files
SHA256 hash: 61d2f105b2665d9c7b56e1baf44cca5c67ea1bb90d26d99cc41289c25d038c38
MD5 hash: 3b551dba90b4a829cc62d0475b84a58e
SHA1 hash: 62319d101fcec7754cb29c6605847919551a9f12

SHA256 hash: 19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash: 4e29f75c0c51b9dec76955f0382d9541
SHA1 hash: 4899aa8e3f57339cbaec8faab777897a76fe1c3a

SHA256 hash: ae18105029b047cb5c86835011389aefe00a19edb95431f65aec832e16bc9d34
MD5 hash: efa94b850af9926fed80da9ac8e73cf2
SHA1 hash: 1ae2da76ac64290ac5515c809851b9b5f94c50e0

SHA256 hash: d76abbbbe5ab5c33f007a95ac87c2e522eeb446b62ef8d970c4f09022fd77670
MD5 hash: dd05330febb9988d2bcdc1d0b6123a2b
SHA1 hash: ec76fe7ff2b09efc07d424b411dc90a528a0bc27
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                              Severity
CHECK_AUTHENTICODE         Missing Authenticode                               high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (GUARD_CF)    high
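Both findings come from fields in the PE optional header: GUARD_CF is bit 0x4000 of DllCharacteristics, and an embedded Authenticode signature is announced by a non-empty Security data directory (index 4). The following added example (not BLint's code) reads those fields from raw bytes and builds two header-only PE images in memory, one with this sample's posture (unsigned, no CFG) and one hardened, so the checks can be exercised offline; the constructed images and their field values are assumptions.

```python
"""Recompute two BLint findings (Authenticode, GUARD_CF) straight from PE headers.

Added example, not BLint's code. GUARD_CF is bit 0x4000 of DllCharacteristics
in the optional header; an embedded Authenticode signature is announced by a
non-empty Security data directory (index 4). Only headers are parsed, so the
functions work on any PE's bytes; the two images built by make_image() are
constructed header-only stand-ins, not the sample from this page.
"""
import struct
from typing import List, Tuple

IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
DLLCHARACTERISTICS_OFFSET = 70                    # same in PE32 and PE32+
DATA_DIRECTORY_OFFSET = {0x10B: 96, 0x20B: 112}   # PE32 / PE32+


def _optional_header(pe: bytes) -> Tuple[int, int]:
    """Return (file offset of the optional header, its Magic)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                       # skip signature and COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in DATA_DIRECTORY_OFFSET:
        raise ValueError(f"unsupported optional header magic {magic:#x}")
    return opt, magic


def has_guard_cf(pe: bytes) -> bool:
    opt, _ = _optional_header(pe)
    flags = struct.unpack_from("<H", pe, opt + DLLCHARACTERISTICS_OFFSET)[0]
    return bool(flags & IMAGE_DLLCHARACTERISTICS_GUARD_CF)


def has_authenticode(pe: bytes) -> bool:
    """Non-empty Security directory: a WIN_CERTIFICATE blob is attached (not verified here)."""
    opt, magic = _optional_header(pe)
    dirs = opt + DATA_DIRECTORY_OFFSET[magic]
    count = struct.unpack_from("<I", pe, dirs - 4)[0]     # NumberOfRvaAndSizes
    if count <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False
    offset, size = struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return offset != 0 and size != 0


def blint_style_findings(pe: bytes) -> List[Tuple[str, str, str]]:
    findings = []
    if not has_authenticode(pe):
        findings.append(("CHECK_AUTHENTICODE", "Missing Authenticode", "high"))
    if not has_guard_cf(pe):
        findings.append(("CHECK_DLL_CHARACTERISTICS",
                         "Missing dll Security Characteristics (GUARD_CF)", "high"))
    return findings


def make_image(pe32plus: bool, dll_characteristics: int, security_dir=(0, 0)) -> bytes:
    """Constructed header-only image (no sections): enough for the checks above."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    magic = 0x20B if pe32plus else 0x10B
    opt_size = DATA_DIRECTORY_OFFSET[magic] + 16 * 8
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_characteristics)
    dirs = DATA_DIRECTORY_OFFSET[magic]
    struct.pack_into("<I", opt, dirs - 4, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, *security_dir)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Posture resembling this sample: DYNAMIC_BASE|NX_COMPAT|TERMINAL_SERVER_AWARE, no CFG, unsigned.
UNSIGNED_NO_CFG = make_image(False, 0x0040 | 0x0100 | 0x8000)
# Hardened PE32+: adds HIGH_ENTROPY_VA and GUARD_CF and points at a (fake) signature blob.
HARDENED = make_image(True, 0x0020 | 0x0040 | 0x0100 | 0x4000 | 0x8000, security_dir=(0x400, 0x1000))

if __name__ == "__main__":
    for name, img in (("unsigned, no CFG", UNSIGNED_NO_CFG), ("hardened", HARDENED)):
        print(name, blint_style_findings(img) or "no findings")
```

A non-empty Security directory only shows that a signature blob is attached; deciding whether it is valid means parsing the WIN_CERTIFICATE, recomputing the Authenticode digest and verifying the chain, none of which this check does. Likewise GUARD_CF set in the header only means the image was linked with /guard:cf; the loader still needs the guard table in the load config directory to enforce it.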

Comments