MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0fde502e2f51610af8378f310e743131e9051e6b28f3792996c5d829372692cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0fde502e2f51610af8378f310e743131e9051e6b28f3792996c5d829372692cc
SHA3-384 hash: c0d877a6bb2f1b319258a46d23f8189661a3e8bc01fdc9875d6385d03f7ae180a14dea8a383a1448c3a513f07907df36
SHA1 hash: 7e856aabfc8268e2e5cde76cc595e18fec149177
MD5 hash: e4a2c3ce2cf98a931ae3feaabd0bbb2e
humanhash: robert-asparagus-batman-victor
File name:tv9IK83.bat
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:2'165'257 bytes
First seen:2025-08-25 08:50:27 UTC
Last seen:2025-08-25 12:11:49 UTC
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 24576:Wr6qc+RJQq+djnSGqOgP9rgsHnOBLiKFq9uGqSe1BoCC0izb6UlCE/7M82SG2zsz:Yy+sFq+Q9uGD8RlUXg8J6vL
TLSH T19AA533014E3D6CBAA73C531D40DE694ABA440ED19C5CFECFABD569C740ABF82061B9E4
Magika batch
Reporter abuse_ch
Tags:bat PureLogsStealer


Avatar
abuse_ch
PureLogsStealer C2:
157.20.182.24:2002

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
157.20.182.24:2002 https://threatfox.abuse.ch/ioc/1573721/

Intelligence

File Origin
# of uploads :
2
# of downloads :
40
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
meterpreter
Create hunting rule
ID:
1
File name:
2to1ep.exe
Verdict:
Malicious activity
Analysis date:
2025-08-25 08:18:33 UTC
Tags:
auto metasploit framework python github backdoor meterpreter payload anti-evasion amadey vidar stealer cobaltstrike botnet telegram evasion tinynuke stealc loader uac lumma generic powershellempire redline quasar rat agenttesla masslogger rhadamanthys havoc tool asyncrat ultravnc rmm-tool anydesk pyinstaller sliver gcleaner coinminer miner snake keylogger exfiltration smtp remote purecrypter ims-api susp-powershell reverseloader pastebin smb xworm ddr remcos vipkeylogger xtinyloader clipper diamotrix nanocore formbook koadic frp m0yv upx dcrat ftp gh0st gh0stcringe svc arch-scr purelogsstealer auto-sch-xml screenconnect rdp valley darkroad ransomware
Link:
https://app.any.run/tasks/57e316a5-8bd4-45fe-9283-9635c8692ac3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23377/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ac23f0eb163e0ec182a28f
Tags:
shell spawn sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
attrib base64 cmd evasive lolbin obfuscated packed powershell xcopy
Link:
https://www.filescan.io/uploads/68ac23f27137d684583b1b28/reports/6d98e0a9-7beb-4612-af7b-6219c0318af0/overview
Verdict:
Malicious
Labled as:
TrojanDropper/BAT.Agent
Link:
https://www.hybrid-analysis.com/sample/0fde502e2f51610af8378f310e743131e9051e6b28f3792996c5d829372692cc
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-08-24T20:10:00Z UTC
Last seen:
2025-08-24T20:10:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/0fde502e2f51610af8378f310e743131e9051e6b28f3792996c5d829372692cc/results?tab=lookup
Result
Threat name:
PureLog Stealer, ResolverRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1764353
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Creates a thread in another existing process (thread injection)
Found large BAT file
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Powershell is started from unusual location (likely to bypass HIPS)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses attrib.exe to hide files
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected ResolverRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1764353 Sample: tv9IK83.bat Startdate: 25/08/2025 Architecture: WINDOWS Score: 100 41 homelog.dynuddns.com 2->41 53 Suricata IDS alerts for network traffic 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 10 other signatures 2->59 10 cmd.exe 1 2->10         started        signatures3 process4 signatures5 69 Uses attrib.exe to hide files 10->69 13 tv9IK83.bat.Jta 17 10->13         started        16 xcopy.exe 2 10->16         started        19 conhost.exe 10->19         started        21 3 other processes 10->21 process6 file7 71 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 13->71 73 Writes to foreign memory regions 13->73 75 Powershell is started from unusual location (likely to bypass HIPS) 13->75 77 3 other signatures 13->77 23 RegAsm.exe 4 13->23         started        39 C:\Users\user\Desktop\tv9IK83.bat.Jta, PE32 16->39 dropped signatures8 process9 dnsIp10 49 homelog.dynuddns.com 157.20.182.24, 2002, 49691, 49721 FCNUniversityPublicCorporationOsakaJP unknown 23->49 61 Tries to steal Mail credentials (via file / registry access) 23->61 63 Tries to harvest and steal browser information (history, passwords, etc) 23->63 65 Writes to foreign memory regions 23->65 67 3 other signatures 23->67 27 chrome.exe 1 23->27         started        30 chrome.exe 23->30 injected 32 chrome.exe 23->32 injected 34 4 other processes 23->34 signatures11 process12 dnsIp13 51 192.168.2.5, 138, 2002, 443 unknown unknown 27->51 36 chrome.exe 27->36         started        process14 dnsIp15 43 www.google.com 142.250.176.196, 443, 49695, 49699 GOOGLEUS United States 36->43 45 play.google.com 142.251.35.174, 443, 49711, 49713 GOOGLEUS United States 36->45 47 5 other IPs or domains 36->47
Score:
95%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/0fde502e2f51610af8378f310e743131e9051e6b28f3792996c5d829372692cc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0fde502e2f51610af8378f310e743131e9051e6b28f3792996c5d829372692cc/
Verdict:
Malicious
Threat:
Trojan-PSW.MSIL.TCP
Link:
https://tip.neiki.dev/file/0fde502e2f51610af8378f310e743131e9051e6b28f3792996c5d829372692cc
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-08-25 00:39:54 UTC
File Type:
Text
AV detection:
9 of 38 (23.68%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b7pfalrpkfqqv6bxr4yq45brghuqkhtlfdzxskmwyxmcsnzgslga._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection defense_evasion discovery spyware stealer
Link:
https://tria.ge/reports/250825-kr1tnsdn3x/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Views/modifies file attributes
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Executes dropped EXE
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Modifies trusted root certificate store through registry
Sets file to hidden
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0fde502e2f51/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0fde502e2f51610af8378f310e743131e9051e6b28f3792996c5d829372692cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BlackGuard_Rule
Create hunting rule
Author:Jiho Kim
Description:Yara rule for BlackGuarad Stealer v1.0 - v3.0
Reference:https://www.virustotal.com/gui/file/67843d45ba538eca29c63c3259d697f7e2ba84a3da941295b9207cdb01c85b71/detection
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

Batch (bat) bat 0fde502e2f51610af8378f310e743131e9051e6b28f3792996c5d829372692cc

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/23377/
  
URLhaus
https://urlhaus.abuse.ch/url/3611096/
  
Delivery method
Distributed via web download

Comments