MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f917cbb00490f27691097081db77cc38d0f776d374b2fbd40e4b592eeef578be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 10 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f917cbb00490f27691097081db77cc38d0f776d374b2fbd40e4b592eeef578be
SHA3-384 hash: 4d93c79efe4e1c6e4df2ad146bdaec9f25711c8def1196039bd29b1ab4fb13226ddabaeb49828be06b43ad236322bd1d
SHA1 hash: 617eb940a77fffe2e8363f9a11430ebb56b4c988
MD5 hash: 0d28c308c7d3af1f50a24cd98d59adbe
humanhash: maryland-delaware-johnny-violet
File name:0d28c308c7d3af1f50a24cd98d59adbe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:4'060'386 bytes
First seen:2024-04-23 14:47:47 UTC
Last seen:2024-04-23 15:42:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d4e6049ebe9b9b358b43e39f88c5de46 (2 x PureLogsStealer, 2 x Stealc, 1 x CoinMiner)
ssdeep 49152:/YQ9p/TMILu3UAJvYIJ7PBJw47zI8gFEtYnEZhNa+uOTapp5pP7eoi:DpgQEZPPT4Yj
Threatray 64 similar samples on MalwareBazaar
TLSH T12D16AE1AE7D805D5E56BC630CA2AC732D671F8960735D74B052BC3491F73AA28F7B222
TrID 72.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
13.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.5% (.EXE) OS/2 Executable (generic) (2029/13)
2.5% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter zbetcheckin
Tags:64 exe PureLogStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
452
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
4363463463464363463463463.exe
Verdict:
Malicious activity
Analysis date:
2024-04-23 23:45:47 UTC
Tags:
loader opendir hausbomber stealer stealc amadey botnet risepro evasion gcleaner smtp exfiltration agenttesla phorpiex phishing greatness telegram redline meta metastealer worm xehook neoreklami asyncrat rat rhadamanthys adware
Link:
https://app.any.run/tasks/541df088-0354-43fa-ab6f-13b81d2771bb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Launching a process
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Creating a window
Sending a custom TCP request
Sending an HTTP GET request
Searching for synchronization primitives
Creating a service
Launching a service
Loading a system driver
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Blocking a possibility to launch for the Windows registry editor (regedit.exe)
Enabling autorun for a service
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/f917cbb00490f27691097081db77cc38d0f776d374b2fbd40e4b592eeef578be
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/61a70059-4b13-4442-b5ba-e2dbda66d3a2
Result
Threat name:
PureLog Stealer, Xmrig, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1430439
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Detected Stratum mining protocol
Disable Task Manager(disabletaskmgr)
Disables the Windows registry editor (regedit)
Disables the Windows task manager (taskmgr)
Drops PE files to the user root directory
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Xmrig
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1430439 Sample: 23xCOZerXg.exe Startdate: 23/04/2024 Architecture: WINDOWS Score: 100 73 gjhfhgdg.insane.wang 2->73 89 Sigma detected: Xmrig 2->89 91 Malicious sample detected (through community Yara rule) 2->91 93 Antivirus detection for URL or domain 2->93 95 9 other signatures 2->95 9 23xCOZerXg.exe 1 2->9         started        12 23xCOZerXg.exe 3 3 2->12         started        15 23xCOZerXg.exe 2->15         started        17 svchost.exe 1 2 2->17         started        signatures3 process4 dnsIp5 113 Multi AV Scanner detection for dropped file 9->113 115 Writes to foreign memory regions 9->115 117 Allocates memory in foreign processes 9->117 20 csc.exe 16 2 9->20         started        24 powershell.exe 9->24         started        26 conhost.exe 9->26         started        69 C:\Users\user\23xCOZerXg.exe, PE32+ 12->69 dropped 119 Drops PE files to the user root directory 12->119 121 Modifies the context of a thread in another process (thread injection) 12->121 123 Adds a directory exclusion to Windows Defender 12->123 127 3 other signatures 12->127 28 aspnet_wp.exe 12 12->28         started        30 powershell.exe 23 12->30         started        32 conhost.exe 12->32         started        125 Injects a PE file into a foreign processes 15->125 34 powershell.exe 15->34         started        36 aspnet_wp.exe 15->36         started        38 conhost.exe 15->38         started        71 127.0.0.1 unknown unknown 17->71 file6 signatures7 process8 dnsIp9 75 gjhfhgdg.insane.wang 185.196.10.233, 35662, 39001, 49804 SIMPLECARRIERCH Switzerland 20->75 97 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 20->97 99 Found strings related to Crypto-Mining 20->99 101 Writes to foreign memory regions 20->101 107 2 other signatures 20->107 40 AddInProcess.exe 20->40         started        43 AddInProcess.exe 20->43         started        45 conhost.exe 24->45         started        47 chrome.exe 9 28->47         started        50 chrome.exe 28->50         started        103 Loading BitLocker PowerShell Module 30->103 52 conhost.exe 30->52         started        54 conhost.exe 34->54         started        56 chrome.exe 36->56         started        58 chrome.exe 36->58         started        signatures10 105 Detected Stratum mining protocol 75->105 process11 dnsIp12 109 Query firmware table information (likely to detect VMs) 40->109 83 192.168.2.5, 138, 35662, 39001 unknown unknown 47->83 85 192.168.2.13 unknown unknown 47->85 87 5 other IPs or domains 47->87 60 chrome.exe 47->60         started        63 chrome.exe 50->63         started        65 chrome.exe 56->65         started        67 chrome.exe 58->67         started        signatures13 111 Detected Stratum mining protocol 83->111 process14 dnsIp15 77 microsoftmscompoc.tt.omtrdc.net 60->77 79 mdec.nelreports.net 60->79 81 14 other IPs or domains 60->81
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f917cbb00490f27691097081db77cc38d0f776d374b2fbd40e4b592eeef578be
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f917cbb00490f27691097081db77cc38d0f776d374b2fbd40e4b592eeef578be/
Threat name:
Win64.Trojan.XMrig
Create hunting rule
Status:
Malicious
First seen:
2024-04-23 14:48:06 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7el4xmaesdzhneijoca5w56mhdipo5wtoszpxvaojnms53xvpc7a._file
Verdict:
malicious
Similar samples:
0f8b8e294577598a477970e3e2ac5b5a1bda0b90aacb61eca90b2b1cb80a119d
PureLogsStealer
8b3ee970a1b172952a665247aa5ff590d12d8f4b33c0775573044595df6383c9
PureLogsStealer
f0f1b858d0010a822374ab8381f6bf6be7c8ff88bab30b5cdf89e72f93062d51
PureLogsStealer
f917cbb00490f27691097081db77cc38d0f776d374b2fbd40e4b592eeef578be
PureLogsStealer
fcc68f6e41b44762bd7e9ce1213b366ee10790b5b0e668a8f74d050a36fdfd1f
PureLogsStealer
+ 54 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
brand:microsoft evasion persistence phishing
Link:
https://tria.ge/reports/240423-r6ey3shc27/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Adds Run key to start application
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Unpacked files
SH256 hash:
f917cbb00490f27691097081db77cc38d0f776d374b2fbd40e4b592eeef578be
MD5 hash:
0d28c308c7d3af1f50a24cd98d59adbe
SHA1 hash:
617eb940a77fffe2e8363f9a11430ebb56b4c988
Link:
https://www.unpac.me/results/bd89fd31-3470-4868-912f-20a3fc6057ce/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f917cbb00490/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

Executable exe f917cbb00490f27691097081db77cc38d0f776d374b2fbd40e4b592eeef578be

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2824194/
  
URLhaus
https://urlhaus.abuse.ch/url/2824195/
  
URLhaus
https://urlhaus.abuse.ch/url/2824234/
  
URLhaus
https://urlhaus.abuse.ch/url/2824267/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::RevertToSelf
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::ImpersonateLoggedOnUser
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenThreadToken
KERNEL32.dll::VirtualAllocEx
KERNEL32.dll::VirtualAllocExNuma
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::FreeConsole
KERNEL32.dll::GetConsoleWindow
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetSystemDirectoryW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_APICan Encrypt Filesbcrypt.dll::BCryptDecrypt
bcrypt.dll::BCryptDestroyKey
bcrypt.dll::BCryptGenerateSymmetricKey
bcrypt.dll::BCryptGenRandom
bcrypt.dll::BCryptOpenAlgorithmProvider
bcrypt.dll::BCryptCloseAlgorithmProvider
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW

Comments


Avatar
zbet commented on 2024-04-23 14:47:48 UTC

url : hxxp://gjhfhgdg.insane.wang/main/klkjjk.exe