MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d1e4a085bca8408c68e3b717f77cb667bcc0192502ecd2094a87f868aabb93a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d1e4a085bca8408c68e3b717f77cb667bcc0192502ecd2094a87f868aabb93a
SHA3-384 hash: 5633e0b69eda0fcb5caa7f45f83497c899b845df782f5e4d1c7309c3fdf0e2b8b50158909fd22c1bda942beeb0a2b9c3
SHA1 hash: 187bd6d12d10e894cf7d9efbc301e3dd4b5ab013
MD5 hash: 61954e556932e266ed2aad4e9bd6ed40
humanhash: helium-oregon-quiet-island
File name:Q4pQKhS.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:471'352 bytes
First seen:2025-09-18 06:25:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 941a3b2713c7a12223a7696c8685d4d8 (2 x PureLogsStealer)
ssdeep 6144:+FYt5Kwf3xILRygRX5/DoW1JPBSV7N2jCozS1oiEvRQBlqlLWLdMs:GYiwpIL8IXvSN2jCozS1oiEvRQBlqlIF
TLSH T1D9A48D22F6D558FAE157C034C285D5629A32B88A0721A5FF13AC67316F297F41F3CB29
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe PureLogsStealer signed

Code Signing Certificate

Organisation:La1TWkGZ
Issuer:La1TWkGZ
Algorithm:sha256WithRSAEncryption
Valid from:2025-09-17T09:51:11Z
Valid to:2026-09-17T10:01:11Z
Serial number: 411a06ab4bd10bac456a2b91c4f2b18e
Thumbprint Algorithm:SHA256
Thumbprint: e36ddef0442b1a4319058298ce27507c39b7686b7b1a09ede411fb08e68f3e43
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1d1e4a085bca8408c68e3b717f77cb667bcc0192502ecd2094a87f868aabb93a.exe
Verdict:
Malicious activity
Analysis date:
2025-09-17 13:35:47 UTC
Tags:
anti-evasion
Link:
https://app.any.run/tasks/681e66af-a3da-4658-b194-8e2e5b00652f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28055/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68cab93288b9544392473d0b
Tags:
obfuscate xtreme keylog
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Setting a global event handler
Setting a global event handler for the keyboard
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm fingerprint keylogger microsoft_visual_cc obfuscated signed threat
Link:
https://www.filescan.io/uploads/68cba661dbc6f5a29c4b3f7f/reports/e901c2f7-c37a-48f8-a41b-f8b6ab501d03/overview
Verdict:
Suspicious
Labled as:
Malware/MalwareX
Link:
https://www.hybrid-analysis.com/sample/1d1e4a085bca8408c68e3b717f77cb667bcc0192502ecd2094a87f868aabb93a
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-17T10:57:00Z UTC
Last seen:
2025-09-17T10:57:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/1d1e4a085bca8408c68e3b717f77cb667bcc0192502ecd2094a87f868aabb93a/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/62a76b35-54ce-4ca5-9a66-878dc8ffcbf5
Result
Threat name:
PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1779735
Signature
AI detected suspicious PE digital signature
Bypasses PowerShell execution policy
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Obfuscated command line found
PowerShell case anomaly found
Powershell drops PE file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Cmd.EXE Missing Space Characters Execution Anomaly
Sigma detected: Invoke-Obfuscation STDIN+ Launcher
Sigma detected: MSHTA Suspicious Execution 01
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Script Change Permission Via Set-Acl
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1779735 Sample: Q4pQKhS.exe Startdate: 18/09/2025 Architecture: WINDOWS Score: 100 129 001011000101100010110.duckdns.org 2->129 131 files-accl.zohoexternal.com 2->131 133 5 other IPs or domains 2->133 157 Malicious sample detected (through community Yara rule) 2->157 159 Yara detected PureLog Stealer 2->159 161 Yara detected zgRAT 2->161 165 14 other signatures 2->165 14 Q4pQKhS.exe 1 2->14         started        18 powershell.exe 2->18         started        20 mshta.exe 2->20         started        22 7 other processes 2->22 signatures3 163 Uses dynamic DNS services 129->163 process4 dnsIp5 113 q6SIZi2FeNXay8GWq6...DPuQOCnjw.venividiv, ASCII 14->113 dropped 203 Obfuscated command line found 14->203 205 Bypasses PowerShell execution policy 14->205 207 Hides threads from debuggers 14->207 209 Found direct / indirect Syscall (likely to bypass EDR) 14->209 25 powershell.exe 14 40 14->25         started        115 C:\Windows\System64NetworkNet.exe, PE32+ 18->115 dropped 117 C:\Windows\System64NetworkNative.exe, PE32+ 18->117 dropped 119 C:\Windows\System32NetworkNet.exe, PE32 18->119 dropped 121 2 other malicious files 18->121 dropped 211 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 18->211 213 Modifies the hosts file 18->213 215 Loading BitLocker PowerShell Module 18->215 29 powershell.exe 18->29         started        31 powershell.exe 18->31         started        41 4 other processes 18->41 217 Suspicious powershell command line found 20->217 33 powershell.exe 20->33         started        135 127.0.0.1 unknown unknown 22->135 35 powershell.exe 22->35         started        37 powershell.exe 22->37         started        39 powershell.exe 22->39         started        43 7 other processes 22->43 file6 signatures7 process8 dnsIp9 137 uswest.zohoaccl.com 169.62.81.213, 443, 49702, 49706 SOFTLAYERUS United States 25->137 139 rebrand.ly 3.33.143.57, 443, 49703, 49705 AMAZONEXPANSIONGB United States 25->139 181 Suspicious powershell command line found 25->181 183 Obfuscated command line found 25->183 185 Uses cmd line tools excessively to alter registry or file data 25->185 191 4 other signatures 25->191 45 powershell.exe 35 25->45         started        50 conhost.exe 25->50         started        187 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 29->187 62 3 other processes 29->62 52 conhost.exe 31->52         started        54 cmd.exe 33->54         started        56 conhost.exe 33->56         started        189 Loading BitLocker PowerShell Module 35->189 58 conhost.exe 35->58         started        64 2 other processes 37->64 60 conhost.exe 39->60         started        signatures10 process11 dnsIp12 147 169.62.81.217, 443, 49712 SOFTLAYERUS United States 45->147 123 ServisAntivirus_Ov...2Zgfb4wExft.databas, PE32+ 45->123 dropped 219 Loading BitLocker PowerShell Module 45->219 66 cmd.exe 45->66         started        68 conhost.exe 45->68         started        70 ServisAntivirus_Ovtz5Ll222Zgfb4wExft.databas 54->70         started        73 conhost.exe 54->73         started        221 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 62->221 75 conhost.exe 64->75         started        file13 signatures14 process15 signatures16 77 ServisAntivirus_Ovtz5Ll222Zgfb4wExft.databas 66->77         started        169 Hides threads from debuggers 70->169 171 Found direct / indirect Syscall (likely to bypass EDR) 70->171 process17 file18 111 y0WZ2rJRTr5OBtYrKp...Tn1gqOEjS.venividiv, ASCII 77->111 dropped 197 Obfuscated command line found 77->197 199 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 77->199 201 Hides threads from debuggers 77->201 81 powershell.exe 77->81         started        signatures19 process20 dnsIp21 125 8.33.38.63, 443, 49713, 49715 ZOHO-STREAMING-CONTENT-NETWORKUS United States 81->125 127 15.197.137.111, 443, 49714, 49716 TANDEMUS United States 81->127 109 ServisAntivirus_Ov...Exft.databas (copy), PE32+ 81->109 dropped 167 Uses cmd line tools excessively to alter registry or file data 81->167 86 powershell.exe 81->86         started        89 powershell.exe 81->89         started        92 powershell.exe 81->92         started        94 4 other processes 81->94 file22 signatures23 process24 dnsIp25 173 Suspicious powershell command line found 86->173 175 Obfuscated command line found 86->175 177 PowerShell case anomaly found 86->177 96 powershell.exe 86->96         started        99 conhost.exe 86->99         started        141 google.com 142.250.72.142, 443, 49720, 49722 GOOGLEUS United States 89->141 179 Hides threads from debuggers 89->179 101 conhost.exe 89->101         started        103 conhost.exe 92->103         started        signatures26 process27 signatures28 149 Drops executables to the windows directory (C:\Windows) and starts them 96->149 151 Writes to foreign memory regions 96->151 153 Hides threads from debuggers 96->153 155 Injects a PE file into a foreign processes 96->155 105 System32NetworkNet.exe 96->105         started        process29 dnsIp30 143 001011000101100010110.duckdns.org 45.74.0.110, 49725, 49730, 7934 VOXILITYGB United States 105->143 145 ipwho.is 108.181.47.111, 443, 49729 ASN852CA Canada 105->145 193 Hides that the sample has been downloaded from the Internet (zone.identifier) 105->193 195 Installs a global keyboard hook 105->195 signatures31
Score:
79%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1d1e4a085bca8408c68e3b717f77cb667bcc0192502ecd2094a87f868aabb93a
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/61954e556932e266ed2aad4e9bd6ed40
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1d1e4a085bca8408c68e3b717f77cb667bcc0192502ecd2094a87f868aabb93a/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/1d1e4a085bca8408c68e3b717f77cb667bcc0192502ecd2094a87f868aabb93a
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-09-17 13:35:48 UTC
File Type:
PE+ (Exe)
Extracted files:
15
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dupeucc3zkcarruohnyx656lmz54yamskaxm2ieuvb7yncvlxe5a._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion
Link:
https://tria.ge/reports/250918-g74zgsxpt2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Looks for VMWare drivers on disk
Enumerates VirtualBox DLL files
Looks for VirtualBox drivers on disk
Looks for VirtualBox executables on disk
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1576da78-bc4b-4307-b925-7d3a97c309a1
Unpacked files
SH256 hash:
1d1e4a085bca8408c68e3b717f77cb667bcc0192502ecd2094a87f868aabb93a
MD5 hash:
61954e556932e266ed2aad4e9bd6ed40
SHA1 hash:
187bd6d12d10e894cf7d9efbc301e3dd4b5ab013
Link:
https://www.unpac.me/results/42628d9f-eb2c-46d7-abd4-ef87ad869905/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1d1e4a085bca/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/1d1e4a085bca8408c68e3b717f77cb667bcc0192502ecd2094a87f868aabb93a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_Debugger
Create hunting rule
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

Executable exe 1d1e4a085bca8408c68e3b717f77cb667bcc0192502ecd2094a87f868aabb93a

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/28055/
  
URLhaus
https://urlhaus.abuse.ch/url/3625574/
  
Delivery method
Distributed via web download

Comments