purelogs | 588506d91ec77a608a62417ea1d67204b1b173bd90af7e17cf52bbd0f03f7d2d

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2023, 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

588506d91ec77a608a62417ea1d67204b1b173bd90af7e17cf52bbd0f03f7d2d.exe
Size

1.5MB
MD5

6367fb0d52b90b807550b3eedbb277f0
SHA1

426f118550fa5006fbcab8c6d78b105600bf82c3
SHA256

588506d91ec77a608a62417ea1d67204b1b173bd90af7e17cf52bbd0f03f7d2d
SHA512

185171a50f2ce8d0742dc2e1fee5b2b91fd6884f899726495823124eed8b83094a9d570b04f7a9fbcaac56eca7e48a1c1679a3f284ea0ac3707340df1584b671
SSDEEP

24576:Aj3JaPnj1wF03rp/EKWVgdG2rhQpG458wNNqZ:Aj3JE1wclEKMgdGpGydNy

Score

10^/10

purelogs zgrat rat stealer

Malware Config

Signatures

Detect PureLogs payload 4 IoCs

resource	yara_rule
behavioral2/memory/2540-0-0x000002E19F090000-0x000002E19F20A000-memory.dmp	family_purelogs
behavioral2/files/0x00070000000231da-2217.dat	family_purelogs
behavioral2/files/0x00070000000231da-2218.dat	family_purelogs
behavioral2/files/0x00070000000231da-2222.dat	family_purelogs

Detect ZGRat V1 33 IoCs

resource	yara_rule
behavioral2/memory/5100-11-0x0000020A25540000-0x0000020A25624000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-17-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-23-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-21-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-31-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-29-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-27-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-33-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-37-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-47-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-49-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-61-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-63-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-67-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-69-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-75-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-73-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-71-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-65-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-59-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-57-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-55-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-53-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-51-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-45-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-43-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-41-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-39-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-35-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-25-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-19-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-15-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1
behavioral2/memory/5100-14-0x0000020A25540000-0x0000020A25620000-memory.dmp	family_zgrat_v1

PureLogs
PureLogs is an infostealer written in C#.
stealer purelogs
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 2 IoCs

pid	Process
2752	MajorRevision.exe
3276	MajorRevision.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2540 set thread context of 5100	2540	588506d91ec77a608a62417ea1d67204b1b173bd90af7e17cf52bbd0f03f7d2d.exe	90
PID 2752 set thread context of 3276	2752	MajorRevision.exe	93
PID 3276 set thread context of 4964	3276	MajorRevision.exe	94
PID 4964 set thread context of 3536	4964	MSBuild.exe	95

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2540	588506d91ec77a608a62417ea1d67204b1b173bd90af7e17cf52bbd0f03f7d2d.exe
2752	MajorRevision.exe
3276	MajorRevision.exe
3276	MajorRevision.exe
4964	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	588506d91ec77a608a62417ea1d67204b1b173bd90af7e17cf52bbd0f03f7d2d.exe
Token: SeDebugPrivilege	5100	588506d91ec77a608a62417ea1d67204b1b173bd90af7e17cf52bbd0f03f7d2d.exe
Token: SeDebugPrivilege	2752	MajorRevision.exe
Token: SeDebugPrivilege	3276	MajorRevision.exe
Token: SeDebugPrivilege	4964	MSBuild.exe
Token: SeDebugPrivilege	3536	MSBuild.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 5100	2540	588506d91ec77a608a62417ea1d67204b1b173bd90af7e17cf52bbd0f03f7d2d.exe	90
PID 2540 wrote to memory of 5100	2540	588506d91ec77a608a62417ea1d67204b1b173bd90af7e17cf52bbd0f03f7d2d.exe	90
PID 2540 wrote to memory of 5100	2540	588506d91ec77a608a62417ea1d67204b1b173bd90af7e17cf52bbd0f03f7d2d.exe	90
PID 2540 wrote to memory of 5100	2540	588506d91ec77a608a62417ea1d67204b1b173bd90af7e17cf52bbd0f03f7d2d.exe	90
PID 2540 wrote to memory of 5100	2540	588506d91ec77a608a62417ea1d67204b1b173bd90af7e17cf52bbd0f03f7d2d.exe	90
PID 2540 wrote to memory of 5100	2540	588506d91ec77a608a62417ea1d67204b1b173bd90af7e17cf52bbd0f03f7d2d.exe	90
PID 2752 wrote to memory of 3276	2752	MajorRevision.exe	93
PID 2752 wrote to memory of 3276	2752	MajorRevision.exe	93
PID 2752 wrote to memory of 3276	2752	MajorRevision.exe	93
PID 2752 wrote to memory of 3276	2752	MajorRevision.exe	93
PID 2752 wrote to memory of 3276	2752	MajorRevision.exe	93
PID 2752 wrote to memory of 3276	2752	MajorRevision.exe	93
PID 3276 wrote to memory of 4964	3276	MajorRevision.exe	94
PID 3276 wrote to memory of 4964	3276	MajorRevision.exe	94
PID 3276 wrote to memory of 4964	3276	MajorRevision.exe	94
PID 3276 wrote to memory of 4964	3276	MajorRevision.exe	94
PID 3276 wrote to memory of 4964	3276	MajorRevision.exe	94
PID 3276 wrote to memory of 4964	3276	MajorRevision.exe	94
PID 3276 wrote to memory of 4964	3276	MajorRevision.exe	94
PID 4964 wrote to memory of 3536	4964	MSBuild.exe	95
PID 4964 wrote to memory of 3536	4964	MSBuild.exe	95
PID 4964 wrote to memory of 3536	4964	MSBuild.exe	95
PID 4964 wrote to memory of 3536	4964	MSBuild.exe	95
PID 4964 wrote to memory of 3536	4964	MSBuild.exe	95
PID 4964 wrote to memory of 3536	4964	MSBuild.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\588506d91ec77a608a62417ea1d67204b1b173bd90af7e17cf52bbd0f03f7d2d.exe
"C:\Users\Admin\AppData\Local\Temp\588506d91ec77a608a62417ea1d67204b1b173bd90af7e17cf52bbd0f03f7d2d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Local\Temp\588506d91ec77a608a62417ea1d67204b1b173bd90af7e17cf52bbd0f03f7d2d.exe
  C:\Users\Admin\AppData\Local\Temp\588506d91ec77a608a62417ea1d67204b1b173bd90af7e17cf52bbd0f03f7d2d.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5100

C:\Users\Admin\AppData\Local\IsFamilyOrAssembly\soefca\MajorRevision.exe
C:\Users\Admin\AppData\Local\IsFamilyOrAssembly\soefca\MajorRevision.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Users\Admin\AppData\Local\IsFamilyOrAssembly\soefca\MajorRevision.exe
  C:\Users\Admin\AppData\Local\IsFamilyOrAssembly\soefca\MajorRevision.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\IsFamilyOrAssembly\soefca\MajorRevision.exe

Filesize
1.5MB

MD5
6367fb0d52b90b807550b3eedbb277f0

SHA1
426f118550fa5006fbcab8c6d78b105600bf82c3

SHA256
588506d91ec77a608a62417ea1d67204b1b173bd90af7e17cf52bbd0f03f7d2d

SHA512
185171a50f2ce8d0742dc2e1fee5b2b91fd6884f899726495823124eed8b83094a9d570b04f7a9fbcaac56eca7e48a1c1679a3f284ea0ac3707340df1584b671

Download Submit
C:\Users\Admin\AppData\Local\IsFamilyOrAssembly\soefca\MajorRevision.exe

Filesize
1.5MB

MD5
6367fb0d52b90b807550b3eedbb277f0

SHA1
426f118550fa5006fbcab8c6d78b105600bf82c3

SHA256
588506d91ec77a608a62417ea1d67204b1b173bd90af7e17cf52bbd0f03f7d2d

SHA512
185171a50f2ce8d0742dc2e1fee5b2b91fd6884f899726495823124eed8b83094a9d570b04f7a9fbcaac56eca7e48a1c1679a3f284ea0ac3707340df1584b671

Download Submit
C:\Users\Admin\AppData\Local\IsFamilyOrAssembly\soefca\MajorRevision.exe

Filesize
1.5MB

MD5
6367fb0d52b90b807550b3eedbb277f0

SHA1
426f118550fa5006fbcab8c6d78b105600bf82c3

SHA256
588506d91ec77a608a62417ea1d67204b1b173bd90af7e17cf52bbd0f03f7d2d

SHA512
185171a50f2ce8d0742dc2e1fee5b2b91fd6884f899726495823124eed8b83094a9d570b04f7a9fbcaac56eca7e48a1c1679a3f284ea0ac3707340df1584b671

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\588506d91ec77a608a62417ea1d67204b1b173bd90af7e17cf52bbd0f03f7d2d.exe.log

Filesize
1KB

MD5
84a01db52ea5a878520e162c80acfcd3

SHA1
49b7c5c072f6c32e54cc97c1dcbee90de0dd4738

SHA256
25ff806b9c85928aee814fa3aebbf45fa9735a7f594a6261f0779e89eb8c3bfe

SHA512
0516cbe6b9b7842be7f00ba3159a4df31257fc4e9db8ccb8f9f720801174f3d49327b7881c59ea12a4767c6d3e7c99a3b707c10279dfb39f12f9792134e6248e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MSBuild.exe.log

Filesize
1KB

MD5
84a01db52ea5a878520e162c80acfcd3

SHA1
49b7c5c072f6c32e54cc97c1dcbee90de0dd4738

SHA256
25ff806b9c85928aee814fa3aebbf45fa9735a7f594a6261f0779e89eb8c3bfe

SHA512
0516cbe6b9b7842be7f00ba3159a4df31257fc4e9db8ccb8f9f720801174f3d49327b7881c59ea12a4767c6d3e7c99a3b707c10279dfb39f12f9792134e6248e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MajorRevision.exe.log

Filesize
1KB

MD5
84a01db52ea5a878520e162c80acfcd3

SHA1
49b7c5c072f6c32e54cc97c1dcbee90de0dd4738

SHA256
25ff806b9c85928aee814fa3aebbf45fa9735a7f594a6261f0779e89eb8c3bfe

SHA512
0516cbe6b9b7842be7f00ba3159a4df31257fc4e9db8ccb8f9f720801174f3d49327b7881c59ea12a4767c6d3e7c99a3b707c10279dfb39f12f9792134e6248e

Download Submit
memory/2540-10-0x00007FFF6CD20000-0x00007FFF6D7E1000-memory.dmp

Filesize
10.8MB

Download
memory/2540-6-0x000002E1A0E30000-0x000002E1A0E7C000-memory.dmp

Filesize
304KB

Download
memory/2540-0-0x000002E19F090000-0x000002E19F20A000-memory.dmp

Filesize
1.5MB

Download
memory/2540-5-0x000002E1B9810000-0x000002E1B98D8000-memory.dmp

Filesize
800KB

Download
memory/2540-4-0x000002E1A0E10000-0x000002E1A0E20000-memory.dmp

Filesize
64KB

Download
memory/2540-2-0x000002E1B9740000-0x000002E1B9808000-memory.dmp

Filesize
800KB

Download
memory/2540-3-0x00007FFF6CD20000-0x00007FFF6D7E1000-memory.dmp

Filesize
10.8MB

Download
memory/2540-1-0x000002E1B9660000-0x000002E1B9740000-memory.dmp

Filesize
896KB

Download
memory/2752-2220-0x0000020B3A320000-0x0000020B3A330000-memory.dmp

Filesize
64KB

Download
memory/2752-2219-0x00007FFF6C7E0000-0x00007FFF6D2A1000-memory.dmp

Filesize
10.8MB

Download
memory/2752-2224-0x00007FFF6C7E0000-0x00007FFF6D2A1000-memory.dmp

Filesize
10.8MB

Download
memory/3276-2227-0x0000021BD19D0000-0x0000021BD19E0000-memory.dmp

Filesize
64KB

Download
memory/3276-4427-0x0000021BD19D0000-0x0000021BD19E0000-memory.dmp

Filesize
64KB

Download
memory/3276-2226-0x00007FFF6C7E0000-0x00007FFF6D2A1000-memory.dmp

Filesize
10.8MB

Download
memory/3276-4429-0x00007FFF6C7E0000-0x00007FFF6D2A1000-memory.dmp

Filesize
10.8MB

Download
memory/3536-4434-0x00007FFF6C7E0000-0x00007FFF6D2A1000-memory.dmp

Filesize
10.8MB

Download
memory/3536-6634-0x00007FFF6C7E0000-0x00007FFF6D2A1000-memory.dmp

Filesize
10.8MB

Download
memory/3536-6635-0x0000013E7B630000-0x0000013E7B640000-memory.dmp

Filesize
64KB

Download
memory/4964-4428-0x00007FFF6C7E0000-0x00007FFF6D2A1000-memory.dmp

Filesize
10.8MB

Download
memory/4964-4430-0x0000018BAF490000-0x0000018BAF4A0000-memory.dmp

Filesize
64KB

Download
memory/4964-4435-0x00007FFF6C7E0000-0x00007FFF6D2A1000-memory.dmp

Filesize
10.8MB

Download
memory/5100-57-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-2213-0x0000020A0CC90000-0x0000020A0CCE6000-memory.dmp

Filesize
344KB

Download
memory/5100-71-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-65-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-59-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-75-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-55-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-53-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-51-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-45-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-43-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-41-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-39-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-35-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-25-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-19-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-15-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-14-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-2212-0x0000020A0B470000-0x0000020A0B478000-memory.dmp

Filesize
32KB

Download
memory/5100-73-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-2214-0x0000020A25860000-0x0000020A258B4000-memory.dmp

Filesize
336KB

Download
memory/5100-2216-0x00007FFF6CD20000-0x00007FFF6D7E1000-memory.dmp

Filesize
10.8MB

Download
memory/5100-69-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-67-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-63-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-61-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-49-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-47-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-37-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-33-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-27-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-29-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-31-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-21-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-23-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-17-0x0000020A25540000-0x0000020A25620000-memory.dmp

Filesize
896KB

Download
memory/5100-7-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/5100-11-0x0000020A25540000-0x0000020A25624000-memory.dmp

Filesize
912KB

Download
memory/5100-13-0x0000020A25650000-0x0000020A25660000-memory.dmp

Filesize
64KB

Download
memory/5100-12-0x00007FFF6CD20000-0x00007FFF6D7E1000-memory.dmp

Filesize
10.8MB

Download