MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb740e250acd2f9d5d5de59d9292b4f49c866dd0ae4cce517a734df814ac9b56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb740e250acd2f9d5d5de59d9292b4f49c866dd0ae4cce517a734df814ac9b56
SHA3-384 hash: 7c4920f8856856997626d410ff1d07bac286b25c6b5a49c378163d334484d72e7966f1974f6bfd83e243c8b1a2e9eb07
SHA1 hash: b0eff518a41fbf3ccafc79ae0cf8b195266fcbf8
MD5 hash: b71112887e2b67a93960842b156d3807
humanhash: speaker-east-ten-sixteen
File name:b71112887e2b67a93960842b156d3807
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:641'536 bytes
First seen:2024-02-02 17:22:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:yURiMnuidG00+Dw9d8b9JEjnA3VVnKC2/z+bsOBxLkzNk:4MuIGH+090CA3KvLI4zNk
Threatray 2'863 similar samples on MalwareBazaar
TLSH T107D4E1A967528D17CB7667B5897397020740F6F74423A34BA3C9A275B01B2BF1FA1B03
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe PureLogStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
317
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
systembc
Create hunting rule
ID:
1
File name:
fb740e250acd2f9d5d5de59d9292b4f49c866dd0ae4cce517a734df814ac9b56.exe
Verdict:
Malicious activity
Analysis date:
2024-02-02 17:23:47 UTC
Tags:
systembc proxy botnet opendir loader
Link:
https://app.any.run/tasks/50a3da6d-1b64-4e54-9312-c7899c25bd93

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/474220/
Detection(s):
Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Win.Trojan.EmbeddedReversedDLL-9940922-0
Create hunting rule

Win.Trojan.Generic-10014419-0
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65bd24f71a072d5652641d02/reports/11cc15f0-a24e-4b60-8c9f-471b603c01a9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/fb740e250acd2f9d5d5de59d9292b4f49c866dd0ae4cce517a734df814ac9b56
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SystemBC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6d7ef880-e86d-40e2-93bd-45a11768a76c
Result
Threat name:
PureLog Stealer, SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1385726
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1385726 Sample: Z8HulxCzcB.exe Startdate: 02/02/2024 Architecture: WINDOWS Score: 100 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Antivirus detection for dropped file 2->61 63 14 other signatures 2->63 7 kguvdg.exe 2->7         started        11 Z8HulxCzcB.exe 1 3 2->11         started        13 Rnpbix.exe 3 2->13         started        15 3 other processes 2->15 process3 file4 43 C:\Windows\SysWOW64\config\...\Rnpbix.exe, PE32 7->43 dropped 67 Antivirus detection for dropped file 7->67 69 Multi AV Scanner detection for dropped file 7->69 71 Machine Learning detection for dropped file 7->71 79 2 other signatures 7->79 17 kguvdg.exe 7->17         started        45 C:\Users\user\AppData\Roaming\Rnpbix.exe, PE32 11->45 dropped 73 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->73 75 Tries to detect virtualization through RDTSC time measurements 11->75 77 Injects a PE file into a foreign processes 11->77 20 Z8HulxCzcB.exe 1 2 11->20         started        24 Rnpbix.exe 13->24         started        26 Z8HulxCzcB.exe 2 15->26         started        28 Z8HulxCzcB.exe 2 15->28         started        30 Rnpbix.exe 15->30         started        32 2 other processes 15->32 signatures5 process6 dnsIp7 51 Creates multiple autostart registry keys 17->51 47 69.10.60.115, 4018, 49734, 49736 IS-AS-1US United States 20->47 41 C:\Users\user\AppData\Local\Temp\kguvdg.exe, PE32 20->41 dropped 53 Creates autostart registry keys with suspicious values (likely registry only malware) 20->53 49 127.0.0.1 unknown unknown 24->49 55 Injects a PE file into a foreign processes 26->55 34 Z8HulxCzcB.exe 26->34         started        37 Z8HulxCzcB.exe 26->37         started        39 Z8HulxCzcB.exe 28->39         started        file8 signatures9 process10 signatures11 65 Creates autostart registry keys with suspicious values (likely registry only malware) 34->65
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fb740e250acd2f9d5d5de59d9292b4f49c866dd0ae4cce517a734df814ac9b56
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb740e250acd2f9d5d5de59d9292b4f49c866dd0ae4cce517a734df814ac9b56/
Threat name:
Win32.Backdoor.Systembc
Create hunting rule
Status:
Malicious
First seen:
2024-02-02 17:23:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7n2a4jikzuxz2xk54wozfevu6soim3oqvzgm4ul2ong7qffmtnla._file
Verdict:
malicious
Similar samples:
5fe7b0950f37579b7d800c316c1c26f0a217bc796bfff881a8938e4d7f09fdb7
PureLogsStealer
87e7fce64ab334392c6676f01885c5210b1b3235a76314d1326b6eb285978ffb
PureLogsStealer
a1e1569dfcaedc7962d5af6fcb5b022b5faddeef372cd7458fd3f383e0dcd560
PureLogsStealer
bc1a45d03104b8f5e54f8e0967bc1166cc6891ae5290620d7f89b5db49756fd3
PureLogsStealer
d75c9d4be8e7c01012b95bcd0378a9540333b9deceb56904af353d9a53344cc7
PureLogsStealer
dbf1e7d1f99cf30b8a67c9f7cd4fc7b5702952c075855090d23f69380c3fd22b
PureLogsStealer
f150f98d8db9547e50591b84478d2c815b43515f160dbc2f55332c27a2474e70
PureLogsStealer
fb740e250acd2f9d5d5de59d9292b4f49c866dd0ae4cce517a734df814ac9b56
PureLogsStealer
+ 2'853 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:systembc family:zgrat persistence rat trojan
Link:
https://tria.ge/reports/240202-vx5d6addgn/
Behaviour
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Downloads MZ/PE file
Detect ZGRat V1
SystemBC
ZGRat
Malware Config
C2 Extraction:
69.10.60.115:4018
Unpacked files
SH256 hash:
fb740e250acd2f9d5d5de59d9292b4f49c866dd0ae4cce517a734df814ac9b56
MD5 hash:
b71112887e2b67a93960842b156d3807
SHA1 hash:
b0eff518a41fbf3ccafc79ae0cf8b195266fcbf8
Detections:
Typical_Malware_String_Transforms
Create hunting rule
Link:
https://www.unpac.me/results/de84f05f-44b3-4e8e-956e-5bf392ef2665/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fb740e250acd2f9d5d5de59d9292b4f49c866dd0ae4cce517a734df814ac9b56

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

Executable exe fb740e250acd2f9d5d5de59d9292b4f49c866dd0ae4cce517a734df814ac9b56

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2755572/
Cape
Cape
https://www.capesandbox.com/analysis/474220/

Comments


Avatar
zbet commented on 2024-02-02 17:22:23 UTC

url : hxxp://69.10.60.115/gplmpn/Qcufhitwfzg.exe