MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17ac256153823780d1c8df68b037ee8a883070ec02814674146ee1c4f9330513. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17ac256153823780d1c8df68b037ee8a883070ec02814674146ee1c4f9330513
SHA3-384 hash: 12f5b9ff0de03385e4980933578b36a2ad7302190a9aed3466e646423481c8e5379fa84d603a6f686a17440314417653
SHA1 hash: ae2d2575e07eb8a6958b2dc0651fb64346e76b5c
MD5 hash: 44960fa1b0802a18dc704ada9a101a7c
humanhash: network-fourteen-muppet-march
File name:44960FA1B0802A18DC704ADA9A101A7C.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:564'224 bytes
First seen:2025-10-29 20:05:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:RlBRBPBSE6UIUpsh4Si/SVrLF3JmbhzQBwn06Nw7mJzVkR6s6ip4d3e9Ac:n3SE4Ups+SaSFLibhVq7oKR0E
Threatray 570 similar samples on MalwareBazaar
TLSH T178C42377A94EF496C49282B6A718ABCD0FCBD5116431DB2FB218A3876D1733BD5CE108
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe PureLogsStealer


Avatar
abuse_ch
PureLogsStealer C2:
185.163.204.16:7720

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.163.204.16:7720 https://threatfox.abuse.ch/ioc/1629056/

Intelligence

File Origin
# of uploads :
1
# of downloads :
136
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
44960FA1B0802A18DC704ADA9A101A7C.exe
Verdict:
Malicious activity
Analysis date:
2025-10-29 20:09:55 UTC
Tags:
netreactor purehvnc
Link:
https://app.any.run/tasks/106bc042-ec92-4cd1-b296-19059be7c3b2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34705/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690273a1706befaf4eca199d
Tags:
backdoor botnet virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
net_reactor obfuscated obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/69027574479a4e95b80f2c0d/reports/1a02adf2-deb8-4431-af98-47d9c7fa04b6/overview
Verdict:
Malicious
Labled as:
Trojan.Mardom.MN.Generic
Link:
https://www.hybrid-analysis.com/sample/17ac256153823780d1c8df68b037ee8a883070ec02814674146ee1c4f9330513
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-26T18:37:00Z UTC
Last seen:
2025-10-26T19:05:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.PureLogs.sb Trojan-PSW.PureLogs.TCP.C&C Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Agent.sb Trojan-PSW.MSIL.Stealer.sb HEUR:Trojan.MSIL.Inject.gen Trojan-PSW.MSIL.Agent.sb PDM:Trojan.Win32.Generic HEUR:Trojan.MSIL.Agent.gen Trojan-PSW.Win32.Disco.sb
Link:
https://opentip.kaspersky.com/17ac256153823780d1c8df68b037ee8a883070ec02814674146ee1c4f9330513/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/0b2e46ef-1c47-42f6-801e-d158a5bc2fe3
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1804485
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/17ac256153823780d1c8df68b037ee8a883070ec02814674146ee1c4f9330513
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.97 Win 32 Exe x86
Link:
https://app.malva.re/file/44960fa1b0802a18dc704ada9a101a7c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/17ac256153823780d1c8df68b037ee8a883070ec02814674146ee1c4f9330513/
Verdict:
Malicious
Threat:
Trojan-PSW.Win32.Stealer
Link:
https://tip.neiki.dev/file/17ac256153823780d1c8df68b037ee8a883070ec02814674146ee1c4f9330513
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2025-10-25 09:33:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
31 of 38 (81.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c6wckyktqi3ybuoi35ulan7orkeda4hmakaum5aun3q4j6jtaujq._file
Verdict:
malicious
Label(s):
unc_loader_078
Create hunting rule
Similar samples:
17ac256153823780d1c8df68b037ee8a883070ec02814674146ee1c4f9330513
PureLogsStealer
4b905e30ac86d9f77897811e8bb4cdd1ccdfec8a5c09eee4bd75d752d9387283
PureLogsStealer
54c9a7b2d0118b16cc093ffe52bce2018e15fdee6827cb6deba928d71d67c93c
PureLogsStealer
7d4341732ef5442ec456c78b82b92912cec787d884b8ec97d620358a341c7478
PureLogsStealer
85c55f43b4d41aea1df3e5ac8592cd7f838ac9e657f3070b6b83fb53f63a1cdc
PureLogsStealer
97dd1ff0394cec09c7c09b71d7dd7e646630d3351c3d6f55e462a8b0bebaaace
PureLogsStealer
error
PureLogsStealer
+ 560 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection discovery spyware stealer
Link:
https://tria.ge/reports/251029-yvhzxstjhz/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Drops file in Windows directory
Accesses Microsoft Outlook profiles
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
17ac256153823780d1c8df68b037ee8a883070ec02814674146ee1c4f9330513
MD5 hash:
44960fa1b0802a18dc704ada9a101a7c
SHA1 hash:
ae2d2575e07eb8a6958b2dc0651fb64346e76b5c
Link:
https://www.unpac.me/results/cf4592f5-085c-4e88-a2f3-4659f6b56433/
SH256 hash:
16b768745227f8dc81c066857b6c5c1d2fb70a14bc5e8b4011bd196f78b850ee
MD5 hash:
43423f3f75462e901b2ff43683514a3a
SHA1 hash:
207d98587411aa429d47614439d78e5955d36d6e
Link:
https://www.unpac.me/results/cf4592f5-085c-4e88-a2f3-4659f6b56433/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/17ac25615382/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
StrelaStealer
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/17ac256153823780d1c8df68b037ee8a883070ec02814674146ee1c4f9330513

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34705/

Comments