MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09f9baacbe87821d06098030fd58f1d5223710323bacbeec554130248aacf7a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureLogsStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 6 File information Comments

SHA256 hash:	09f9baacbe87821d06098030fd58f1d5223710323bacbeec554130248aacf7a1
SHA3-384 hash:	1b9ecf03783680ae6a6b78141809690556d7098ac219ef38585e987dad921bed441a9044766a4f5cf34bb68f45d690c0
SHA1 hash:	54d1327d42cfbf0fade7b67a9345e4eedd1dbac0
MD5 hash:	6f26c2a3ce76e080fabf6b4201774e8c
humanhash:	equal-emma-west-kentucky
File name:	6F26C2A3CE76E080FABF6B4201774E8C.exe
Download:	download sample
Signature	PureLogsStealer Create hunting rule
File size:	434'176 bytes
First seen:	2026-02-01 09:00:23 UTC
Last seen:	2026-02-01 09:31:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4d1adb8c36a03a7a69c0e198ec96a536 (6 x AsyncRAT, 4 x XWorm, 4 x PureLogsStealer)
ssdeep	12288:YNJGuKURHQ0rrH/Mu+BlL3HXvPoEw1Wx54At:EK4wAwuu3Xo+
TLSH	T1C894F142FD42C075E9B308B58DB259AD8E2D7A1017055DDBB3C819AA8F326D1BE31D3B
TrID	32.2% (.EXE) Win64 Executable (generic) (10522/11/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4504/4/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	abuse_ch
Tags:	exe PureLogsStealer

abuse_ch

PureLogsStealer C2:
38.180.137.181:2285

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
38.180.137.181:2285	https://threatfox.abuse.ch/ioc/1739688/

Intelligence

File Origin

# of uploads :

# of downloads :

156

Origin country :

Vendor Threat Intelligence

Gathering data

Malware family:

n/a

ID:

File name:

6F26C2A3CE76E080FABF6B4201774E8C.exe

Verdict:

Malicious activity

Analysis date:

2026-02-01 09:01:54 UTC

Tags:

stealer purecrypter amsi-bypass netreactor purehvnc

Link:

https://app.any.run/tasks/ffa48e6e-53c7-48ff-8d56-ab29b2e875ba

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/51095/

Detection(s):

SecuriteInfo.com.Win32.Agent-BDOZ.38268441.UNOFFICIAL

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=697f1646848d0f834c8c5a51

Tags:

n/a

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug crypt hijackloader microsoft_visual_cc packed purelogs stealer unsafe

Link:

https://www.filescan.io/uploads/697f163b2ffccda097653d28/reports/2d2a08ff-7d49-4675-85ea-45ff8e51cf0b/overview

Verdict:

Malicious

Labled as:

Trojan.Kryptik

Link:

https://www.hybrid-analysis.com/sample/09f9baacbe87821d06098030fd58f1d5223710323bacbeec554130248aacf7a1

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-29T01:19:00Z UTC

Last seen:

2026-02-02T08:13:00Z UTC

Hits:

~10

Detections:

PDM:Exploit.Win32.Generic HEUR:Trojan.MSIL.InjectorNetT.gen HEUR:Trojan-PSW.Win32.PureLogs.gen Trojan-PSW.PureLogs.TCP.C&C PDM:Trojan.Win32.Generic

Link:

https://opentip.kaspersky.com/09f9baacbe87821d06098030fd58f1d5223710323bacbeec554130248aacf7a1/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cd696ff2-c9e7-4de2-b9d9-d28acbd67c8d

Result

Threat name:

PureLog Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1861187

Signature

Allocates memory in foreign processes

Creates a thread in another existing process (thread injection)

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/09f9baacbe87821d06098030fd58f1d5223710323bacbeec554130248aacf7a1

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

.Net Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/6f26c2a3ce76e080fabf6b4201774e8c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/09f9baacbe87821d06098030fd58f1d5223710323bacbeec554130248aacf7a1/

Verdict:

Malicious

Threat:

Family.PURELOGSSTEALER

Link:

https://tip.neiki.dev/file/09f9baacbe87821d06098030fd58f1d5223710323bacbeec554130248aacf7a1

Threat name:

Win32.Trojan.PureLogs

Status:

Malicious

First seen:

2026-01-28 18:39:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bh43vlf6q6bb2bqjqayp2whr2urdoebshowl53cvieycjcvm66qq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

collection discovery spyware stealer

Link:

https://tria.ge/reports/260201-kyp1rafw9b/

Behaviour

Enumerates system info in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

System Location Discovery: System Language Discovery

System Time Discovery

Drops file in Windows directory

Accesses Microsoft Outlook profiles

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

09f9baacbe87821d06098030fd58f1d5223710323bacbeec554130248aacf7a1

MD5 hash:

6f26c2a3ce76e080fabf6b4201774e8c

SHA1 hash:

54d1327d42cfbf0fade7b67a9345e4eedd1dbac0

Link:

https://www.unpac.me/results/ae484d23-c0af-4c49-926f-e630544173ed/

SH256 hash:

479a27280693af6dc6cf740a0939d7b2f11cf69ae1d21e8342b9ed285750413e

MD5 hash:

fad6658ac7220097f26fcd350b94b7df

SHA1 hash:

a05c9e9f110ae592ddb360b7dbf817dab131e856

Link:

https://www.unpac.me/results/ae484d23-c0af-4c49-926f-e630544173ed/

SH256 hash:

8836a416a1e1952e6352ded3403ba0b367a320534b00ba7ad7afd0a53895fb75

MD5 hash:

e14891b4a599dca0723678606cab90ab

SHA1 hash:

cc0d6f615e2345367799fef567ee885975b76d17

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/ae484d23-c0af-4c49-926f-e630544173ed/

Parent samples :

09f9baacbe87821d06098030fd58f1d5223710323bacbeec554130248aacf7a1
6adc0f459fd9fb7e09777b07add53e8d4dc5d8011e1b0cb98f28d4b72b22a938

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/09f9baacbe87/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

zgRAT

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/09f9baacbe87821d06098030fd58f1d5223710323bacbeec554130248aacf7a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/51095/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample