MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ca5ca6aa28440ae30564d2db5d644f846851fbd8569d0b10e0b2a83c661d057. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureLogsStealer

Vendor detections: 12

SHA256 hash: 1ca5ca6aa28440ae30564d2db5d644f846851fbd8569d0b10e0b2a83c661d057
SHA3-384 hash: 4db647515912c441921035823a758df4a0d75fc7340dc5c4b0bb21c57e388861bc598c7da4bdb885d87e307659d19ef4
SHA1 hash: f51b695d060ac8b90e2ad55246b34c01f44d9cd0
MD5 hash: cd965ee2ff847fce13327260e6a6048c
humanhash: speaker-tango-vermont-mirror
File name: Demande dispo et tarif DOC 29400294958920 20.exe
Signature: PureLogsStealer
File size: 2'011'136 bytes
First seen: 2025-10-28 09:00:24 UTC
Last seen: 2025-11-06 11:29:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'669 x AgentTesla, 19'482 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 24576:HrL/R/Lfd+eX7VPIGPeyJwjdk5Ck8rr09vXtRP6bv8+cXk3Ryyhw3N/5qSoelM:3Rs07Ooe+F574r0FvP6bEuw3NB
TLSH: T1B395CE186AD01B17D73E83B589E38AA973BA94D8FF4BC70B9944B46614013E1A7431FF
TrID: 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe PureLogsStealer


abuse_ch
PureLogsStealer C2:
94.74.191.25:5888

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 94.74.191.25:5888
ThreatFox reference: https://threatfox.abuse.ch/ioc/1628005/

Intelligence


File Origin
# of uploads: 2
# of downloads: 175
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: _1ca5ca6aa28440ae30564d2db5d644f846851fbd8569d0b10e0b2a83c661d057.exe
Verdict: Suspicious activity
Analysis date: 2025-10-28 09:01:54 UTC
Tags: auto-startup netreactor purehvnc

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a file

Verdict: Malicious
File Type: exe x32
First seen: 2025-10-28T05:52:00Z UTC
Last seen: 2025-10-30T05:57:00Z UTC
Hits: ~100
Detections: HEUR:Trojan.MSIL.Agent.gen Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Agent.sb Trojan.Win32.Agent.sba Trojan.MSIL.Inject.sb Trojan-PSW.PureLogs.TCP.C&C Trojan-PSW.Win32.Disco.sb Trojan-PSW.Win32.Agent.sb Trojan-PSW.MSIL.Agentb.sb HEUR:Trojan-PSW.MSIL.PureLogs.gen HEUR:Trojan.Win32.Generic Trojan-PSW.MSIL.Stealer.sb Trojan-PSW.MSIL.PureLogs.sb Trojan.Win32.Agent.sb Trojan.MSIL.Dnoper.sb Trojan.MSIL.Agent.sb Trojan-PSW.Win32.Stealer.sb
Result
Threat name: PureLog Stealer
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a thread in another existing process (thread injection)
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Behaviour
Behavior Graph (process tree recovered from the graph labels):
Behavior Graph ID: 1803075
Sample: Demande dispo et tarif DOC ...
Startdate: 28/10/2025
Architecture: WINDOWS
Score: 100
Top-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected PureLog Stealer; 11 other signatures

Demande dispo et tarif DOC 29400294958920 20.exe (started)
    dropped: C:\Users\user\AppData\Roaming\new.exe (PE32); C:\Users\user\...\new.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Roaming\...\new.vbs (ASCII)
    signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Injects a PE file into a foreign processes
    InstallUtil.exe (started)
        network: 94.74.191.25, ports 49687, 49721, 49722, FARAHOOSHIR, Iran (ISLAMIC Republic Of)
        signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; 4 other signatures
        chrome.exe (started)
            network: 192.168.2.6, 138, 443, 49687, unknown unknown
            chrome.exe (started)
                network: googlehosted.l.googleusercontent.com 142.250.217.97, 443, 49704, 49705, GOOGLEUS, United States; www.google.com 142.250.73.100, 443, 49690, 49693, GOOGLEUS, United States; 5 other IPs or domains
        chrome.exe (injected)
        chrome.exe (injected)
        5 other processes
wscript.exe (started)
    signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
    new.exe (started)
        signatures: Multi AV Scanner detection for dropped file; Injects a PE file into a foreign processes
        InstallUtil.exe (started)
Verdict: inconclusive
YARA: 12 match(es)
Tags: .Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.44 Win 32 Exe x86

Threat name: ByteCode-MSIL.Trojan.Heracles
Status: Malicious
First seen: 2025-10-28 09:00:53 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 19 of 24 (79.17%)

Threat level: 5/5
Verdict: malicious
Label(s): unc_loader_078
Similar samples:

Result
Malware family: n/a
Score: 7/10
Tags: collection discovery
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Drops startup file
Unpacked files
SHA256 hash: 1ca5ca6aa28440ae30564d2db5d644f846851fbd8569d0b10e0b2a83c661d057
MD5 hash: cd965ee2ff847fce13327260e6a6048c
SHA1 hash: f51b695d060ac8b90e2ad55246b34c01f44d9cd0

SHA256 hash: 7c25a94853ee57cd97fcd005ce8120b7451cf533b9bc5b324da0594a97f77a62
MD5 hash: d125ce17656be940a13ce92358c80d5b
SHA1 hash: 9aacd8e0c90402e79de1581fa4b06d39fcdd001a
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash: 4e29f75c0c51b9dec76955f0382d9541
SHA1 hash: 4899aa8e3f57339cbaec8faab777897a76fe1c3a

SHA256 hash: 0d579660359305cbb6110687e25d4862d7a692a54e51ff1de2b1f5ea137c094e
MD5 hash: d9f17885123e7a8e78828daace733b2d
SHA1 hash: b9ee6b86938844df60339b079f7aad74060a18ab
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: Lumma_Stealer_Detection
Author: ashizZz
Description: Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference: https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain (Obfuscated or no) Powershell or CMD Command that can be abused by threat actor (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments