MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b67d298c72d5ce44862870a253e2fae7011e9bb615b4edb17fee6227f252819. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureLogsStealer

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 3 File information Comments

SHA256 hash:	0b67d298c72d5ce44862870a253e2fae7011e9bb615b4edb17fee6227f252819
SHA3-384 hash:	283dec95644d1073788d742720f2f4a44e5f1f078924c3d31d8d1a885a13ddaf92caca94cc22fc4dd47ef1c3b2e6f5ef
SHA1 hash:	166eeaa34791465cde69526a01cda71e34996a5f
MD5 hash:	3074464547b17af64e3a302400444954
humanhash:	lactose-eleven-nineteen-fish
File name:	Enq-01431003525.exe
Download:	download sample
Signature	PureLogsStealer Create hunting rule
File size:	1'063'424 bytes
First seen:	2025-12-04 23:40:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'624 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:uIBmGFhVSSvRDxzJing9qpwjRK09aN+n/Z+I+v:pBmG7VPDx1VqyjRK09cc
TLSH	T1333522A6529ADD22C49407B01DB0E33857787EAEE472D34F89DEBDFF3235B001914A96
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	abuse_ch
Tags:	exe PureLogsStealer

abuse_ch

PureLogsStealer C2:
191.101.51.135:7705

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
191.101.51.135:7705	https://threatfox.abuse.ch/ioc/1667840/

Intelligence

File Origin

# of uploads :

# of downloads :

156

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

RoboSki

Details

Link:

https://research.acce.ciphertechsolutions.com/results/6f99854d-303d-4fbb-a57c-422eda1fe879/

Malware family:

n/a

ID:

File name:

_0b67d298c72d5ce44862870a253e2fae7011e9bb615b4edb17fee6227f252819.exe

Verdict:

Malicious activity

Analysis date:

2025-12-04 23:40:31 UTC

Tags:

purehvnc netreactor

Link:

https://app.any.run/tasks/476f20bb-df98-422c-a90e-1bec9f7ca9cd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/42588/

Verdict:

Clean

Score:

82.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69321be9221589dfd96c2c43

Tags:

n/a

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

krypt packed vbnet

Link:

https://www.filescan.io/uploads/69321be5ff25e40750d413ec/reports/4cf37656-a82a-40cc-90b0-ccb82d1bf74d/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/0b67d298c72d5ce44862870a253e2fae7011e9bb615b4edb17fee6227f252819

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-12-04T09:49:00Z UTC

Last seen:

2025-12-06T04:32:00Z UTC

Hits:

~100

Detections:

HEUR:Backdoor.MSIL.XWorm.gen Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb Trojan-PSW.PureLogs.TCP.C&C PDM:Trojan.Win32.Generic HEUR:Trojan.MSIL.Agent.gen

Link:

https://opentip.kaspersky.com/0b67d298c72d5ce44862870a253e2fae7011e9bb615b4edb17fee6227f252819/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/723d9b67-cad3-47f0-adad-8b68a3ee796a

Result

Threat name:

PureLog Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1826901

Signature

Allocates memory in foreign processes

Creates a thread in another existing process (thread injection)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Unusual module load detection (module proxying)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0b67d298c72d5ce44862870a253e2fae7011e9bb615b4edb17fee6227f252819

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.52 Win 32 Exe x86

Link:

https://app.malva.re/file/3074464547b17af64e3a302400444954

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0b67d298c72d5ce44862870a253e2fae7011e9bb615b4edb17fee6227f252819/

Verdict:

Malicious

Threat:

VHO:Backdoor.MSIL.XWorm

Link:

https://tip.neiki.dev/file/0b67d298c72d5ce44862870a253e2fae7011e9bb615b4edb17fee6227f252819

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2025-12-04 13:43:04 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bnt5fgghfvooisdcq4fckprpvzybd2n3mfnu5wyx73tce7zffamq._file

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/251204-3n2kxafm9x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

SmartAssembly .NET packer

Suspicious use of SetThreadContext

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/45bb01e3-5dd6-4db3-8f78-affc14137a7b

Unpacked files

SH256 hash:

0b67d298c72d5ce44862870a253e2fae7011e9bb615b4edb17fee6227f252819

MD5 hash:

3074464547b17af64e3a302400444954

SHA1 hash:

166eeaa34791465cde69526a01cda71e34996a5f

Link:

https://www.unpac.me/results/f77787a7-aaa2-416b-b0ba-481aa5876bdd/

SH256 hash:

53600ca841d526bae2339487258c0b38559bde661411e0a1b75823ec4d0c6356

MD5 hash:

bb53c1e82a78aa0ed6b9531f2b04376b

SHA1 hash:

3fec0d55928e43880c3fc921e4a171e3cc9dbc62

Link:

https://www.unpac.me/results/f77787a7-aaa2-416b-b0ba-481aa5876bdd/

SH256 hash:

3ca2eefda3ec5ee589ef965053ca19685a6d978e49d0064bc8cf5e3e0d765021

MD5 hash:

724c703570e19bc4aef8c7c4817b4828

SHA1 hash:

c2e51e5ecaf2a3f4d96e15f3b6b812466838e38a

Link:

https://www.unpac.me/results/f77787a7-aaa2-416b-b0ba-481aa5876bdd/

SH256 hash:

3889e23b6e2c208f5290a26c427b2521552783dbed27d210ca4e77d268d58327

MD5 hash:

323b3542b97410f75b33738490b0fd60

SHA1 hash:

2926db47f205ec41ae01bc48fc642163ff73bae3

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/f77787a7-aaa2-416b-b0ba-481aa5876bdd/

SH256 hash:

0922491c905be325d212118a37422854891117b937ee3248ed2ef50a899e376a

MD5 hash:

ca75850e305b22cc320bf43554d1adc2

SHA1 hash:

3b0eaab7b8b576e626f528d1ec3af1c07a9df98e

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/f77787a7-aaa2-416b-b0ba-481aa5876bdd/

SH256 hash:

f8cd94d7f5dd195b5833cc860fa1cb6bffa7e0439077e0c6e449f92e208d6cba

MD5 hash:

ef7ee8b3575e77d3dc108c9ce66d2368

SHA1 hash:

5af06a0792927afcbb6bf75e033acc5996ba969e

Link:

https://www.unpac.me/results/f77787a7-aaa2-416b-b0ba-481aa5876bdd/

SH256 hash:

65ff3c159e0d6207aca43001079c062646d480ff9558454ac5666d5c0921ff70

MD5 hash:

2cc742abf147d316fb4243482b739fa7

SHA1 hash:

768f08baf401a952f2eb27cb0e9476d34a48f05b

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/f77787a7-aaa2-416b-b0ba-481aa5876bdd/

Parent samples :

6e2b1a9ba0fb924774b35d3fe97e5ee232de78f7292fd7a79c678d6de974751a
d4ac4a98170b7b5606fc03e625be2973bd0f4ad38c653ba4db1558fead88dc0a
f50d4bf5151fc2f9f89ff48f4ead9ea615bc85a951b88a6d83d0dd53bd17a942
e3733d68078f927a67479fded197bf45287c17a775da4c81d3b3d4853e57d1f4
bfe8597cf704cb576063e7883146c8af4f384521ddc1ecb059d91d58480bc265
0b67d298c72d5ce44862870a253e2fae7011e9bb615b4edb17fee6227f252819
ffe62ce01381e57eeed388498cce63803de8f7a9093d0c9b8ff821179d65aeee
de0892e8c62f21f2fb6669f8b4bf28a7bd9c014cc5820735491c44ce93fe0f09
549a2ef27e60dc1550032622ce3c85b5b5b3fdceabdfc318342f1c24e55614bf
50aef9fefe23240506ef807c00fd6cd89ef912d98127db467bdb0823a3677721

SH256 hash:

afb8d59f9a77e50fe278d88071834e79d614c714198cb33ae91987e9b887070b

MD5 hash:

5cd57351e3795e1e2806a839c08d1e98

SHA1 hash:

8716c3629acb0b5800021ca37d27bbdd5ea12700

Link:

https://www.unpac.me/results/f77787a7-aaa2-416b-b0ba-481aa5876bdd/

SH256 hash:

99e9fa6264be5f12e950457d54a4ceef1450f8a8d9d2c7394336cec361a2ee82

MD5 hash:

90a28392067c5f2c4b01e67416e09d82

SHA1 hash:

b0837d1a6a97e391c446cf9c31a032eae72189e1

Link:

https://www.unpac.me/results/f77787a7-aaa2-416b-b0ba-481aa5876bdd/

SH256 hash:

f0430a517433cd22df531d6e2eb26b1f3b9750c7f9c1e18334c08cd79178540d

MD5 hash:

3bbcc340c547a4ffb7da58196cc6ffed

SHA1 hash:

8999969c7cb9c8631a226d3edeb71b68d8db8c4e

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/f77787a7-aaa2-416b-b0ba-481aa5876bdd/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0b67d298c72d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

zgRAT

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0b67d298c72d5ce44862870a253e2fae7011e9bb615b4edb17fee6227f252819

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/42588/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample