MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7a2ae6d4c8ab5d13d4298334e9d95f82770ace62b3bb62cd683d3017f768da6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	d7a2ae6d4c8ab5d13d4298334e9d95f82770ace62b3bb62cd683d3017f768da6
SHA3-384 hash:	3b9cff15230e862b2c4a5fa2f3dfdcb10c8b9367f68b75ebb25422510f404b75a86c226ce371e5b6436774f8f9e01e95
SHA1 hash:	226057cb1cfaea1660f72e63623d4f8329e6a06d
MD5 hash:	0d2ba08917783332f6a5b7ac5fff6fda
humanhash:	berlin-jig-nebraska-orange
File name:	0d2ba08917783332f6a5b7ac5fff6fda
Download:	download sample
Signature	PureLogsStealer Alert Create hunting rule
File size:	11'776 bytes
First seen:	2023-12-21 03:21:01 UTC
Last seen:	2023-12-21 05:20:45 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	192:x8klVoREakd1CB1NeT63CNeT4+vDrjnXo:x8yVoREVw1NeRNek+vDHX
TLSH	T18F32B62063408690D651CE328D93DA440537FC17887EAB5937CC5E5F9F33F9A8522B79
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter	zbetcheckin
Tags:	64 exe PureLogStealer

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

310

Origin country :

FR

Vendor Threat Intelligence

ANY.RUN redline

Malware family:

redline

Alert

Create hunting rule

ID:

1

File name:

New Text Document mod.exe

Verdict:

Malicious activity

Analysis date:

2023-12-21 04:06:28 UTC

Tags:

opendir loader stealer redline hausbomber amadey botnet guloader trojan lokibot originbotnet agenttesla

Link:

https://app.any.run/tasks/ba74f21c-6321-47bc-98d1-73bbe05a2cca

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/468707/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan.DownLoaderNET.897.16746.8323.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Connecting to a non-recommended domain

Sending an HTTP GET request

Sending a custom TCP request

Launching a process

Creating a file

Creating a window

Unauthorized injection to a system process

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

89%

Tags:

obfuscated packed packed smartassembly smart_assembly

Link:

https://www.filescan.io/uploads/6583af1f6b1c246046fef71e/reports/a86768f7-636b-4596-b2af-8f6cd815da66/overview

Hybrid Analysis MSILHeracles.Generic

Verdict:

Malicious

Labled as:

MSILHeracles.Generic

Link:

https://www.hybrid-analysis.com/sample/d7a2ae6d4c8ab5d13d4298334e9d95f82770ace62b3bb62cd683d3017f768da6

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Malicious

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d5f66d6f-1db8-4b22-a51a-23c6bc1f5922

Joe Sandbox PureLog Stealer

Result

Threat name:

PureLog Stealer

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1365396

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus detection for URL or domain

DLL side loading technique detected

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

99%

Verdict:

Malware

File Type:

PE

Link:

https://malprob.io/report/d7a2ae6d4c8ab5d13d4298334e9d95f82770ace62b3bb62cd683d3017f768da6

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d7a2ae6d4c8ab5d13d4298334e9d95f82770ace62b3bb62cd683d3017f768da6/

ReversingLabs TitaniumCloud ByteCode-MSIL.Trojan.Seraph

Threat name:

ByteCode-MSIL.Trojan.Seraph

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-12-20 18:19:40 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

9

AV detection:

18 of 23 (78.26%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=26rk43kmrk25cpkctazu5hmv7atxblhgfm53mlgwqpjqc73wrwta._file

Threatray malicious

Verdict:

malicious

Hatching Triage zgrat

Result

Malware family:

zgrat

Alert

Create hunting rule

Score:

  10/10

Tags:

family:zgrat collection rat

Link:

https://tria.ge/reports/231221-dwbl1saba7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Loads dropped DLL

Detect ZGRat V1

ZGRat

UnpacMe INDICATOR_EXE_Packed_SmartAssembly

Unpacked files

SH256 hash:

d7a2ae6d4c8ab5d13d4298334e9d95f82770ace62b3bb62cd683d3017f768da6

MD5 hash:

0d2ba08917783332f6a5b7ac5fff6fda

SHA1 hash:

226057cb1cfaea1660f72e63623d4f8329e6a06d

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Alert

Create hunting rule

Link:

https://www.unpac.me/results/afcef123-7b1f-4726-85a9-79ded2818b46/

VMRay Malicious

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d7a2ae6d4c8a/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Trojan

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d7a2ae6d4c8ab5d13d4298334e9d95f82770ace62b3bb62cd683d3017f768da6

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

exe d7a2ae6d4c8ab5d13d4298334e9d95f82770ace62b3bb62cd683d3017f768da6

(this sample)

  

Delivery method

Distributed via web download

  

URLhaus

https://urlhaus.abuse.ch/url/2742876/

Cape

https://www.capesandbox.com/analysis/468707/

  

URLhaus

https://urlhaus.abuse.ch/url/2742879/

  

URLhaus

https://urlhaus.abuse.ch/url/2742880/

Comments

---

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-12-21 03:21:02 UTC

url : hxxp://45.67.228.183/lina/ClamAV-0.103.2.exe