MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd643dfa49e7411994295979b06bf68659ddb28f1942fe80f6149696d4aa0d2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd643dfa49e7411994295979b06bf68659ddb28f1942fe80f6149696d4aa0d2a
SHA3-384 hash: b81d8bd0364183afb2dc4b786f56e90c375b9f47b770d904d8489042342dbf49dc83ee3a671140eb38500e788e31975f
SHA1 hash: 229484accad0a2f744b0f7c857b12de1c2896f38
MD5 hash: 946f9875958c6ff0a4ccbcc8717068a0
humanhash: oscar-early-nineteen-robin
File name:946f9875958c6ff0a4ccbcc8717068a0
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:10'256'896 bytes
First seen:2024-04-14 10:39:22 UTC
Last seen:2024-04-14 11:31:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 196608:VFg/KSH4rynHHiJrWnfossDb9NfwSdcvTP5AUewGUeF1w:VK/ZH4OniJrcOfwSdcv1A02w
TLSH T11EA622517EACB815D0EA4635D9A70C381BB3AD417521E71B228A3264ED7339A4FCDF0B
TrID 48.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
28.5% (.EXE) InstallShield setup (43053/19/16)
6.9% (.EXE) Win64 Executable (generic) (10523/12/4)
4.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter zbetcheckin
Tags:32 exe PureLogStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
310
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fd643dfa49e7411994295979b06bf68659ddb28f1942fe80f6149696d4aa0d2a.exe
Verdict:
Malicious activity
Analysis date:
2024-04-14 10:42:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/361dda46-62fd-409c-af48-e6bfd7c20d0a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Running batch commands
Creating a process from a recently created file
Searching for the window
Creating a window
Loading a suspicious library
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Launching a process
Moving a file to the %temp% subdirectory
Searching for synchronization primitives
Replacing files
Sending an HTTP POST request
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/fd643dfa49e7411994295979b06bf68659ddb28f1942fe80f6149696d4aa0d2a
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b246c9ea-acec-4ca4-98f7-911dd7706123
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad.spre
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1425732
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for dropped file
Drops executable to a common third party application directory
Drops script or batch files to the startup folder
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1425732 Sample: tqtYy7oBD5.exe Startdate: 14/04/2024 Architecture: WINDOWS Score: 100 61 api.ipify.org 2->61 77 Antivirus detection for dropped file 2->77 79 Multi AV Scanner detection for dropped file 2->79 81 Multi AV Scanner detection for submitted file 2->81 83 7 other signatures 2->83 11 tqtYy7oBD5.exe 37 2->11         started        15 cmd.exe 1 2->15         started        signatures3 process4 file5 45 C:\Users\Public\...\selenium-manager.exe, PE32 11->45 dropped 47 C:\Users\Public\Release\ZstdNet.dll, PE32 11->47 dropped 49 C:\Users\Public\Release\WebDriver.dll, PE32 11->49 dropped 51 14 other malicious files 11->51 dropped 85 Drops script or batch files to the startup folder 11->85 17 cmd.exe 1 11->17         started        19 SysInitVal.exe 4 15->19         started        21 conhost.exe 15->21         started        signatures6 process7 process8 23 SysInitVal.exe 15 7 17->23         started        27 conhost.exe 17->27         started        dnsIp9 67 142.93.177.59, 3306, 49742, 49745 DIGITALOCEAN-ASNUS United States 23->67 69 api.ipify.org 104.26.12.205, 443, 49741, 49751 CLOUDFLARENETUS United States 23->69 43 C:\Users\Public\...\chromedriver.exe, PE32 23->43 dropped 29 selenium-manager.exe 153 23->29         started        33 cmd.exe 1 23->33         started        file10 process11 file12 53 C:\Users\user\Desktop\tqtYy7oBD5.exe, PE32 29->53 dropped 55 C:\Users\user\...\gtqtYy7oBD5.exe (copy), PE32 29->55 dropped 57 C:\Users\user\AppData\Roamingbehaviorgraphallery.exe, PE32 29->57 dropped 59 148 other malicious files 29->59 dropped 87 Drops executable to a common third party application directory 29->87 89 Infects executable files (exe, dll, sys, html) 29->89 35 chrome.exe 33->35         started        38 conhost.exe 33->38         started        signatures13 process14 dnsIp15 63 192.168.2.4, 138, 3306, 443 unknown unknown 35->63 65 239.255.255.250 unknown Reserved 35->65 40 chrome.exe 35->40         started        process16 dnsIp17 71 142.250.189.4, 443, 49750, 49755 GOOGLEUS United States 40->71 73 plus.l.google.com 172.217.14.78, 443, 49775 GOOGLEUS United States 40->73 75 2 other IPs or domains 40->75
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fd643dfa49e7411994295979b06bf68659ddb28f1942fe80f6149696d4aa0d2a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fd643dfa49e7411994295979b06bf68659ddb28f1942fe80f6149696d4aa0d2a/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Suspicious
First seen:
2024-04-14 10:40:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
151
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7vsd36sj45artfbjlf43a27wqzm53mupdfbp5ahwcsljnvfkbuva._file
Verdict:
unknown
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat rat
Link:
https://tria.ge/reports/240414-mqh9caga34/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
e6bac72a03aa30fa8dd5b781273a420d9a971fd8da0f651fecca2555e965cade
MD5 hash:
5c451248a1d0304c9379c5ba3805720b
SHA1 hash:
eb8411d7e3672ad6a3b386d3d4a62df6d9d7a4f7
Link:
https://www.unpac.me/results/1c705fd2-3623-4b35-994c-7aaa0f2e3c99/
SH256 hash:
6140a8e35f8831db715da4a44212a66ae56d914d1cacfe6f6abad7c42e415bad
MD5 hash:
f91eed516acad224800b2995bd75f886
SHA1 hash:
eaa486a62275ab78a04df630cb5346213b98f6d6
Link:
https://www.unpac.me/results/1c705fd2-3623-4b35-994c-7aaa0f2e3c99/
SH256 hash:
07d22515df0a9278509a42d8285162163fee93cba9d11ab37f1a28362ff8d980
MD5 hash:
384a204e3c69c824cf817d5c9105bdcb
SHA1 hash:
d42e884301c01aa6fd20d937e0c09c8919e38c87
Link:
https://www.unpac.me/results/1c705fd2-3623-4b35-994c-7aaa0f2e3c99/
SH256 hash:
56b7d4ae39749f000e75b4b6c11d6617715b8463ba7305623b1810c428efed20
MD5 hash:
7e04d20f79cb5882698cddc408666bf3
SHA1 hash:
ac0643668506f2ee25a0bf487bd37c6323b7d8dd
Link:
https://www.unpac.me/results/1c705fd2-3623-4b35-994c-7aaa0f2e3c99/
SH256 hash:
d29794c4f973f6bbcbc06ca9193f8c41387920e9428279343261787a85c12a55
MD5 hash:
606de333bd7d405ca00e74d8d351918a
SHA1 hash:
7c340fb867a22279123d21b6fe09b5cecaa5d026
Link:
https://www.unpac.me/results/1c705fd2-3623-4b35-994c-7aaa0f2e3c99/
SH256 hash:
d2ffe1744ddd9333775e5c85fee39c482e65da0798e876e75ffad138c927584d
MD5 hash:
4097c68f3d399eb5b4c8b3149ba52df8
SHA1 hash:
7322f7611b6416d532bb9c736ca455ad50079373
Link:
https://www.unpac.me/results/1c705fd2-3623-4b35-994c-7aaa0f2e3c99/
SH256 hash:
a244e538ea0b6e2a2bfc01cf8991e4a1e5a55b3cda7c48d309ee15c026c1fc24
MD5 hash:
fa4c682cbc8333cc045650b307e2cd63
SHA1 hash:
5431ee0769349e94534121afca8d0e58c6450631
Link:
https://www.unpac.me/results/1c705fd2-3623-4b35-994c-7aaa0f2e3c99/
SH256 hash:
1048237f7881f53ea70056320db6cbade0a969178ad81a29980283315a07f552
MD5 hash:
fd6177debf8077e7fa0e43c0d372e12a
SHA1 hash:
49c5d3408c694636b06032d46066f9a2869d2a64
Link:
https://www.unpac.me/results/1c705fd2-3623-4b35-994c-7aaa0f2e3c99/
SH256 hash:
dd7d49080709461e4c88e5228ef00c10b03d8d94b3aa93d3940bb5a9bd63bed8
MD5 hash:
a612d2f6cd3da6c8f53b0327880e2cf0
SHA1 hash:
430cda2f2366037c5c718e7e616a1474919def08
Link:
https://www.unpac.me/results/1c705fd2-3623-4b35-994c-7aaa0f2e3c99/
SH256 hash:
b354b2d539095a42ab4a9ed20f4c0101faf71bd6dcf0d208e36533f3925c75b6
MD5 hash:
6af16e46f1dd8ae4433673d6fd9766b4
SHA1 hash:
1d3363f76d144c48c1f606cc2c4dc7fcd437162d
Link:
https://www.unpac.me/results/1c705fd2-3623-4b35-994c-7aaa0f2e3c99/
SH256 hash:
fd643dfa49e7411994295979b06bf68659ddb28f1942fe80f6149696d4aa0d2a
MD5 hash:
946f9875958c6ff0a4ccbcc8717068a0
SHA1 hash:
229484accad0a2f744b0f7c857b12de1c2896f38
Link:
https://www.unpac.me/results/1c705fd2-3623-4b35-994c-7aaa0f2e3c99/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fd643dfa49e7411994295979b06bf68659ddb28f1942fe80f6149696d4aa0d2a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

Executable exe fd643dfa49e7411994295979b06bf68659ddb28f1942fe80f6149696d4aa0d2a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2811803/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments


Avatar
zbet commented on 2024-04-14 10:39:23 UTC

url : hxxp://sdshsjakdjsaljdkasda.ru/images/logo2.jpg