MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc306a538c10c8e4ded86db7b1c4648191db7581b76c506bcf9ad511a5120aa8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc306a538c10c8e4ded86db7b1c4648191db7581b76c506bcf9ad511a5120aa8
SHA3-384 hash: 0291d70a229eccca9a39a78ddb7befea8182a4d7feca26fd630b6801b224bf46e8c5a957eb7390885198202998751b6c
SHA1 hash: 9c79e454b2be4586651c0dffdcc3d9069c4aa6a7
MD5 hash: bc6d085a203913266fde3530393ebba7
humanhash: ink-four-hot-mars
File name:bc6d085a203913266fde3530393ebba7
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:86'016 bytes
First seen:2024-01-30 03:54:30 UTC
Last seen:2024-01-30 05:32:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 1536:LMYZLSz9QxNU84ybdvXiglUOQShjWSRsUYAhVdPu//FbnSjB:YYZLSJodkMsZAvdPg/FbnS1
Threatray 114 similar samples on MalwareBazaar
TLSH T1CA83D717FA5A98F3C2545FFBC59B408003ACD683F6A3E70E798E639619037EA9D4054B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe PureLogStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
272
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dc306a538c10c8e4ded86db7b1c4648191db7581b76c506bcf9ad511a5120aa8.exe
Verdict:
Malicious activity
Analysis date:
2024-01-30 03:54:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c1a77241-07c7-4ddb-973d-5400f17aedea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/473529/
Detection(s):
SecuriteInfo.com.Trojan.DownLoaderNET.922.26280.16147.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Using the Windows Management Instrumentation requests
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/65b8731716a447dc38fff833/reports/f79002d0-5668-4ddf-9031-258c42eaef5c/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/dc306a538c10c8e4ded86db7b1c4648191db7581b76c506bcf9ad511a5120aa8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MassLogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e6199887-692e-4f49-aa14-e36030c1a93c
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1383112
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Drops executable to a common third party application directory
Drops large PE files
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1383112 Sample: XwjTIqYgG2.exe Startdate: 30/01/2024 Architecture: WINDOWS Score: 100 118 Multi AV Scanner detection for domain / URL 2->118 120 Antivirus detection for URL or domain 2->120 122 Antivirus / Scanner detection for submitted sample 2->122 124 12 other signatures 2->124 9 prngj.exe 2->9         started        13 Rwshevq.exe 2->13         started        15 Unrestricted.exe 14 3 2->15         started        17 7 other processes 2->17 process3 dnsIp4 86 C:\Users\user\AppData\Roaming\Rwshevq.exe, PE32+ 9->86 dropped 144 Modifies the context of a thread in another process (thread injection) 9->144 146 Injects a PE file into a foreign processes 9->146 20 prngj.exe 9->20         started        25 Rwshevq.exe 13->25         started        148 Antivirus detection for dropped file 15->148 150 Multi AV Scanner detection for dropped file 15->150 152 Machine Learning detection for dropped file 15->152 27 Unrestricted.exe 15->27         started        102 172.67.162.192 CLOUDFLARENETUS United States 17->102 104 23.63.206.91 AKAMAI-ASUS United States 17->104 106 127.0.0.1 unknown unknown 17->106 88 C:\Users\user\AppData\Local\...\vulkan-1.dll, PE32+ 17->88 dropped 90 C:\Users\user\AppData\...\vk_swiftshader.dll, PE32+ 17->90 dropped 92 C:\Users\user\AppData\Local\Temp\...\main.exe, PE32+ 17->92 dropped 94 13 other files (8 malicious) 17->94 dropped 154 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 17->154 156 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 17->156 158 Drops large PE files 17->158 160 Potential dropper URLs found in powershell memory 17->160 29 XwjTIqYgG2.exe 6 17->29         started        31 conhost.exe 17->31         started        33 conhost.exe 17->33         started        35 3 other processes 17->35 file5 signatures6 process7 dnsIp8 114 38.170.242.108 COGENT-174US United States 20->114 62 C:\Users\user\AppData\Local\...\Ozjvgneyw.exe, PE32 20->62 dropped 64 C:\Users\user\AppData\...\sqlite.interop.dll, PE32+ 20->64 dropped 126 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->126 128 Tries to steal Mail credentials (via file / registry access) 20->128 130 Tries to harvest and steal browser information (history, passwords, etc) 20->130 37 Ozjvgneyw.exe 20->37         started        66 C:\Users\user\AppData\Local\Temp\Fedznv.exe, PE32 25->66 dropped 132 Tries to harvest and steal Bitcoin Wallet information 25->132 41 Fedznv.exe 25->41         started        134 Writes to foreign memory regions 27->134 136 Injects a PE file into a foreign processes 27->136 43 InstallUtil.exe 27->43         started        45 InstallUtil.exe 27->45         started        68 C:\Users\user\AppData\...\Unrestricted.exe, PE32 29->68 dropped file9 signatures10 process11 file12 70 C:\Users\user\AppData\Local\...\vulkan-1.dll, PE32+ 37->70 dropped 72 C:\Users\user\AppData\...\vk_swiftshader.dll, PE32+ 37->72 dropped 74 C:\Users\user\AppData\Local\Temp\...\main.exe, PE32+ 37->74 dropped 82 10 other files (4 malicious) 37->82 dropped 138 Drops large PE files 37->138 47 main.exe 37->47         started        76 C:\Users\user\AppData\Local\...\vulkan-1.dll, PE32+ 41->76 dropped 78 C:\Users\user\AppData\...\vk_swiftshader.dll, PE32+ 41->78 dropped 80 C:\Users\user\AppData\Local\Temp\...\main.exe, PE32+ 41->80 dropped 84 8 other files (3 malicious) 41->84 dropped 51 main.exe 41->51         started        140 Injects a PE file into a foreign processes 43->140 54 InstallUtil.exe 43->54         started        142 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 45->142 signatures13 process14 dnsIp15 96 C:\Users\user\AppData\Roaming\...\Updater.exe, PE32 47->96 dropped 116 Drops executable to a common third party application directory 47->116 56 main.exe 47->56         started        108 51.83.3.90 OVHFR France 51->108 110 192.145.234.17 IMH-WESTUS United States 51->110 58 main.exe 51->58         started        60 main.exe 51->60         started        112 194.33.191.53 AQUA-ASRO unknown 54->112 98 C:\Users\user\AppData\Local\Temp\prngj.exe, PE32+ 54->98 dropped 100 C:\Users\user\AppData\Local\...\legnumv.exe, PE32 54->100 dropped file16 signatures17 process18
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/dc306a538c10c8e4ded86db7b1c4648191db7581b76c506bcf9ad511a5120aa8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dc306a538c10c8e4ded86db7b1c4648191db7581b76c506bcf9ad511a5120aa8/
Threat name:
ByteCode-MSIL.Trojan.Mardom
Create hunting rule
Status:
Malicious
First seen:
2024-01-29 00:39:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3qyguu4mcdeojxwynw33drdeqgi5w5mbw5wfa26ptlkrdjisbkua._file
Verdict:
malicious
Similar samples:
3522c4380138f81dce5085c66b158b6069238c6737ece7be4b433c29fcfcc39b
PureLogsStealer
7693aae819937d6b3d4a8427a16dedc38c0caf0a3988a284c5d1dd7b269eb60d
PureLogsStealer
b1398b586db65eb82d0cb0ab8bc6065c987fbbbfa6c11678f0393a2842a3f793
PureLogsStealer
d5ad3ead1976ce0c12c5e8918d3d63be5977e32dce67c46116b78d908bf7eb83
PureLogsStealer
d7a2ae6d4c8ab5d13d4298334e9d95f82770ace62b3bb62cd683d3017f768da6
PureLogsStealer
dce0b953b9201d59cd92a30bce45190f9c763690a09a7a279024d8cf4b8ce171
PureLogsStealer
e1407224ef8bf4ca74997f4389bd427dca0e57bf1918d12a8d3f27625d6ee368
PureLogsStealer
+ 104 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat collection persistence rat spyware stealer
Link:
https://tria.ge/reports/240130-egsgnahcen/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
dc306a538c10c8e4ded86db7b1c4648191db7581b76c506bcf9ad511a5120aa8
MD5 hash:
bc6d085a203913266fde3530393ebba7
SHA1 hash:
9c79e454b2be4586651c0dffdcc3d9069c4aa6a7
Link:
https://www.unpac.me/results/a8c9aec2-1554-4126-8563-9a5a8768b596/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dc306a538c10/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dc306a538c10c8e4ded86db7b1c4648191db7581b76c506bcf9ad511a5120aa8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

Executable exe dc306a538c10c8e4ded86db7b1c4648191db7581b76c506bcf9ad511a5120aa8

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/473529/
  
URLhaus
https://urlhaus.abuse.ch/url/2753380/

Comments


Avatar
zbet commented on 2024-01-30 03:54:31 UTC

url : hxxps://magic.poisontoolz.com/Azerty.exe