MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0541c3c455289e9d6b5c530eb553193b3eae7349304ce601fd5b4111b206fa61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0541c3c455289e9d6b5c530eb553193b3eae7349304ce601fd5b4111b206fa61
SHA3-384 hash: 8b02ffb847c68a89880e0fe312be2f02eae3f104f2b69dd09d49c623ddecb38a8b7b1b657d4f5b4e8364184594651e72
SHA1 hash: 2d40bdab2a5497396b00054fc180002ced921564
MD5 hash: 23f967d487284635323e0b0b9e71c6ba
humanhash: eleven-pennsylvania-delaware-tango
File name:wecreatedbestnetworkingskillwithbetterattitudeformegood.hta
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:2'044 bytes
First seen:2025-07-17 18:40:43 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 24:hPgXw2dSATPohe0GOO+DZCCbr7wOxQnRixnUC1xgpNypwyTYpiMCO:tggqSrl0+DYTOeRixnFM3ywlCO
TLSH T1B541CB23C505C8B8017129AE5CAFC889FCE521E349C69C263B4C4C7A4FF43AF56D964E
Magika txt
Reporter abuse_ch
Tags:hta PureLogsStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
55
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.HTA.Agent-E.23937.12261.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=687943ce2f623871a5ef361e
Tags:
obfuscate xtreme sage
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/0541c3c455289e9d6b5c530eb553193b3eae7349304ce601fd5b4111b206fa61/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd evasive lolbin lolbin obfuscated timeout wscript
Link:
https://www.filescan.io/uploads/6919a126a130a437f88eb155/reports/a907a0a4-9739-4812-8758-3d81701aac98/overview
Verdict:
Malicious
Labled as:
Trojan[Downloader]/VBS.SLoad
Link:
https://www.hybrid-analysis.com/sample/0541c3c455289e9d6b5c530eb553193b3eae7349304ce601fd5b4111b206fa61
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1739066
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Bypasses PowerShell execution policy
Command shell drops VBS files
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Legitimate Application Dropped Script
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected VBS Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1739066 Sample: wecreatedbestnetworkingskil... Startdate: 17/07/2025 Architecture: WINDOWS Score: 100 53 pastefy.app 2->53 83 Suricata IDS alerts for network traffic 2->83 85 Malicious sample detected (through community Yara rule) 2->85 87 Multi AV Scanner detection for submitted file 2->87 89 18 other signatures 2->89 12 mshta.exe 2 2->12         started        signatures3 process4 file5 49 C:\Windows\Temp\cargos.bat, DOS 12->49 dropped 15 cmd.exe 2 12->15         started        process6 file7 51 C:\Windows\Temp\healthless.vbs, ASCII 15->51 dropped 71 Potential malicious VBS script found (suspicious strings) 15->71 73 Command shell drops VBS files 15->73 19 wscript.exe 1 15->19         started        23 conhost.exe 15->23         started        25 timeout.exe 1 15->25         started        signatures8 process9 dnsIp10 55 pastefy.app 49.13.5.8, 443, 49711 HETZNER-ASDE Germany 19->55 91 System process connects to network (likely due to code injection or exploit) 19->91 93 Suspicious powershell command line found 19->93 95 Wscript starts Powershell (via cmd or directly) 19->95 97 3 other signatures 19->97 27 powershell.exe 15 16 19->27         started        signatures11 process12 dnsIp13 59 104.243.40.138, 49721, 80 RELIABLESITEUS United States 27->59 61 96.44.159.132, 49715, 80 ASN-QUADRANET-GLOBALUS United States 27->61 99 Writes to foreign memory regions 27->99 101 Found suspicious powershell code related to unpacking or dynamic code loading 27->101 103 Injects a PE file into a foreign processes 27->103 31 aspnet_compiler.exe 4 27->31         started        35 conhost.exe 27->35         started        signatures14 process15 dnsIp16 69 212.23.222.56, 20341, 49722, 49741 TMRDE unknown 31->69 75 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 31->75 77 Tries to steal Mail credentials (via file / registry access) 31->77 79 Tries to harvest and steal browser information (history, passwords, etc) 31->79 81 5 other signatures 31->81 37 chrome.exe 1 31->37         started        40 chrome.exe 31->40 injected 42 chrome.exe 31->42 injected 44 4 other processes 31->44 signatures17 process18 dnsIp19 57 192.168.2.4, 138, 20341, 443 unknown unknown 37->57 46 chrome.exe 37->46         started        process20 dnsIp21 63 www.google.com 142.250.80.100, 443, 49724, 49727 GOOGLEUS United States 46->63 65 googlehosted.l.googleusercontent.com 142.250.80.33, 443, 49731, 49732 GOOGLEUS United States 46->65 67 clients2.googleusercontent.com 46->67
Score:
2%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/0541c3c455289e9d6b5c530eb553193b3eae7349304ce601fd5b4111b206fa61
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Html
Link:
https://app.malva.re/file/23f967d487284635323e0b0b9e71c6ba
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0541c3c455289e9d6b5c530eb553193b3eae7349304ce601fd5b4111b206fa61/
Threat name:
Script-WScript.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-07-17 07:39:08 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
12 of 38 (31.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ava4hrcvfcpj2224kmhlkuyzhm7k442jgbgomap5lnardmqg7jqq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection defense_evasion discovery execution
Link:
https://tria.ge/reports/250717-xbvzpsbj2y/
Behaviour
Delays execution with timeout.exe
Enumerates system info in registry
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Malware Config
Dropper Extraction:
http://96.44.159.132/xampp/cv/universe-1733359315202-8750.jpg
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/0541c3c455289e9d6b5c530eb553193b3eae7349304ce601fd5b4111b206fa61

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

HTML Application (hta) hta 0541c3c455289e9d6b5c530eb553193b3eae7349304ce601fd5b4111b206fa61

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3585040/
  
Delivery method
Distributed via web download

Comments