MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee596cf029dc09743a0db9f7d08c90800e77f91a81f558526216702e425d0f98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee596cf029dc09743a0db9f7d08c90800e77f91a81f558526216702e425d0f98
SHA3-384 hash: e006bdb9ca1565a384c71d0716ea8b281f32e91dc66e1979a4b69cc1e8bd5e64541a8b572fa83ce4d34ed3538dbd6c0b
SHA1 hash: f28ecacc539d5ebd1955d58e35a34ce2af56d90d
MD5 hash: 4144335348b436acf63055618c78175a
humanhash: oklahoma-double-two-ohio
File name:RFQ QUG24-2003700542.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:1'809'408 bytes
First seen:2024-08-19 06:47:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 948cc502fe9226992dce9417f952fce3 (1'182 x CredentialFlusher, 446 x Formbook, 231 x AgentTesla)
ssdeep 49152:hTvC/MTQYxsWR7aeKtt2wKleYJR/e5eh4IEL:9jTQYxsWRYttpKleYkobEL
Threatray 8 similar samples on MalwareBazaar
TLSH T10B85E1023381C062FF9B91734F5AF6515ABC79260523E62F13981DBABE705B1463E7A3
TrID 68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.5% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter lowmal3
Tags:exe PureLogStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
348
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ QUG24-2003700542.exe
Verdict:
Malicious activity
Analysis date:
2024-08-19 06:51:15 UTC
Tags:
purecrypter purelogs netreactor stealer exfiltration
Link:
https://app.any.run/tasks/e57e7f87-06c6-4eaa-95c3-3a2f9c2b0a3b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Generic.33203615.28472.17882.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c2eaa6aa5b40be0aa07c5f
Tags:
Malware
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
autoit epmicrosoft_visual_cc fingerprint keylogger lolbin microsoft_visual_cc packed shell32
Link:
https://www.filescan.io/uploads/66c2eaa854f23f7e0b073619/reports/adbf5d35-5a87-431d-8f6a-ab58c0ac3f52/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/ee596cf029dc09743a0db9f7d08c90800e77f91a81f558526216702e425d0f98
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a1dd988b-0b2d-4bce-92c6-539550247050
Result
Threat name:
PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1494750
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to capture screen (.Net source)
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ee596cf029dc09743a0db9f7d08c90800e77f91a81f558526216702e425d0f98
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee596cf029dc09743a0db9f7d08c90800e77f91a81f558526216702e425d0f98/
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-08-07 02:21:32 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5zmwz4bj3qexioqnxh35bdeqqahhp6i2qh2vqutcczyc4qs5b6ma._file
Verdict:
malicious
Similar samples:
0a99def57e91c53041c3fa4e50007eee16fa84c6c417e31a31dc219ed6c390af
PureLogsStealer
1f68e889d3c4c7f8049bad4abd042fcd05e84ac96bf23d86e2e95aa8fe346593
PureLogsStealer
3da7dccc0e92c7324dea07df10ba938dd21f4436e9b8dd20488517b5eff67676
PureLogsStealer
8f620e963130716ac09ba5a7c75d7e7ea42ac1a4b66fc0a106e6feb40941fe23
PureLogsStealer
9ed9dd31627375c35c9df58ab9ec01295b57903882b1154ba7b72ecfa18b3ce3
PureLogsStealer
aafef6393a6a8acb281c4773ec22ef6ac3f348ddf49eabfa6adf8da29f6c5211
PureLogsStealer
ee596cf029dc09743a0db9f7d08c90800e77f91a81f558526216702e425d0f98
PureLogsStealer
ff02cd57ce67f7363cb67aee7fefd1d4e11e6f12399072b158e1f575e4b52846
PureLogsStealer
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection discovery
Link:
https://tria.ge/reports/240819-hkr7vazclf/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d93915a7-cc46-4a58-a278-67d4a4a63af6
Unpacked files
SH256 hash:
9774ec6122ac29b41f40fd8bd26abcb97030886bc310ac7de5c16af15459f841
MD5 hash:
c0211768f4ca8fc35c867de66f30d13f
SHA1 hash:
dd39cb307698c2f6ac60b19143a98c790a4a7e38
Link:
https://www.unpac.me/results/0512b15f-4955-4c1e-bba9-fc0ceb376cdd/
SH256 hash:
37f88110420e85db46d4856640b6d57c7e1afa4c521d1575b8852b532f27341f
MD5 hash:
f514bcd7eb3e7b50571de2d8088fd6a2
SHA1 hash:
2faae114ad51503997c8eef680eabdeb83a2ccf0
Link:
https://www.unpac.me/results/0512b15f-4955-4c1e-bba9-fc0ceb376cdd/
SH256 hash:
a15b71c3bda0aa7d3ecb367c37b1b0c29f800a0d468b72bad5fc6ed007280025
MD5 hash:
32815ea1db465d68b350b6212e9351eb
SHA1 hash:
0d4d9eafaa2ce52c78648cd6bb7892ba265de6d1
Link:
https://www.unpac.me/results/0512b15f-4955-4c1e-bba9-fc0ceb376cdd/
SH256 hash:
433fb04e4463b8de54c68d6729373c30ee96131b73f33ff7b1cc37505573d073
MD5 hash:
06e855e0c8a2ac374d664b7912626c29
SHA1 hash:
871906a1f939c8ca7702978754d4becf38e5ad13
Link:
https://www.unpac.me/results/0512b15f-4955-4c1e-bba9-fc0ceb376cdd/
SH256 hash:
ee596cf029dc09743a0db9f7d08c90800e77f91a81f558526216702e425d0f98
MD5 hash:
4144335348b436acf63055618c78175a
SHA1 hash:
f28ecacc539d5ebd1955d58e35a34ce2af56d90d
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/0512b15f-4955-4c1e-bba9-fc0ceb376cdd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee596cf029dc09743a0db9f7d08c90800e77f91a81f558526216702e425d0f98

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PureLogsStealer

Executable exe ee596cf029dc09743a0db9f7d08c90800e77f91a81f558526216702e425d0f98

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::CopySid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetLengthSid
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::GetAce
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoCreateInstanceEx
ole32.dll::CoInitializeSecurity
ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_APICan Play MultimediaWINMM.dll::mciSendStringW
WINMM.dll::timeGetTime
WINMM.dll::waveOutSetVolume
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AddAce
ADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetAclInformation
ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::CreateProcessAsUserW
KERNEL32.dll::CreateProcessW
ADVAPI32.dll::CreateProcessWithLogonW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::SetSystemPowerState
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
IPHLPAPI.DLL::IcmpCreateFile
KERNEL32.dll::CreateFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LogonUserW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetAddConnection2W
MPR.dll::WNetUseConnectionW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegConnectRegistryW
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::BlockInput
USER32.dll::CloseDesktop
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::FindWindowW

Comments