MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f5baad6f2f66ce9a8969345456821b053077da7f784ccff02af1831ec3aca07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureLogsStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 11 File information Comments

SHA256 hash:	1f5baad6f2f66ce9a8969345456821b053077da7f784ccff02af1831ec3aca07
SHA3-384 hash:	f7ed17f33377851b6e8d6d91c0a4c28214a491a9c9d94497f7af2e4a606e1c0a1a49fc8a5fd9c3f4405de69ef1331ff1
SHA1 hash:	a80b8e6b7347d054c60f31242d508cf2566a0f92
MD5 hash:	1e5213ff45ed739a5bcb10f4cc00c12c
humanhash:	river-glucose-solar-november
File name:	1e5213ff45ed739a5bcb10f4cc00c12c.exe
Download:	download sample
Signature	PureLogsStealer Create hunting rule
File size:	11'411'968 bytes
First seen:	2026-01-07 13:02:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	78ff286781fb0c5440407c56a90813ad (1 x PureLogsStealer)
ssdeep	196608:1nPl57fHw3GZ7nwly8/xryZg/+QUibp3udtB+zyPu5+VEVNP4E8cB/+lkuMeGK:1nPl57fQarhE8S+ldGK
Threatray	2'543 similar samples on MalwareBazaar
TLSH	T113B6FA10BB05876BFD9664B5CC7692EA502AFDD18F9054E381DC1938A5E2EC32B33F19
TrID	54.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 18.3% (.EXE) Win64 Executable (generic) (10522/11/4) 8.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.8% (.EXE) Win32 Executable (generic) (4504/4/1) 3.5% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	abuse_ch
Tags:	exe PureLogsStealer

Intelligence

File Origin

# of uploads :

# of downloads :

156

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

1e5213ff45ed739a5bcb10f4cc00c12c.exe

Verdict:

Malicious activity

Analysis date:

2026-01-07 13:04:03 UTC

Tags:

rat stealer purehvnc netreactor

Link:

https://app.any.run/tasks/fddcf953-85a5-46c5-a533-2e3bf3674888

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Rhadamanthys

Link:

https://www.capesandbox.com/analysis/48047/

Detection(s):

Win.Packer.HeartCrypt-10058576-0

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=695e59679922425f92fe43ab

Tags:

shellcode remcos virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug base64 crypt crypto expand fingerprint greyware lolbin microsoft_visual_cc packed remcos

Link:

https://www.filescan.io/uploads/695e595dafe828bbd315ee03/reports/fcd637b9-0926-4a4c-b7b4-47fd7a63acca/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/1f5baad6f2f66ce9a8969345456821b053077da7f784ccff02af1831ec3aca07

Verdict:

Clean

File Type:

exe x32

First seen:

2026-01-04T08:26:00Z UTC

Last seen:

2026-01-04T16:21:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/1f5baad6f2f66ce9a8969345456821b053077da7f784ccff02af1831ec3aca07/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/2a3a024d-4983-42ec-98fe-f08373a47d38

Result

Threat name:

PureCrypter, PureLog Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1846018

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Detected PureCrypter Trojan

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Suricata IDS alerts for network traffic

Tries to harvest and steal Bitcoin Wallet information

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/1f5baad6f2f66ce9a8969345456821b053077da7f784ccff02af1831ec3aca07

Verdict:

inconclusive

YARA:

6 match(es)

Tags:

Executable PE (Portable Executable) PE Memory-Mapped (Dump)

Link:

https://app.malva.re/file/1e5213ff45ed739a5bcb10f4cc00c12c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1f5baad6f2f66ce9a8969345456821b053077da7f784ccff02af1831ec3aca07/

Verdict:

Malicious

Threat:

Family.PUREHVNC

Link:

https://tip.neiki.dev/file/1f5baad6f2f66ce9a8969345456821b053077da7f784ccff02af1831ec3aca07

Threat name:

Win32.Backdoor.Remcos

Status:

Suspicious

First seen:

2026-01-04 13:14:42 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 36 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=d5n2vvxs6zwotkewsncuk2bbwbjqo7nh66cmz7ycv4mdd3b2zidq._file

Verdict:

malicious

Label(s):

unc_loader_078

PureLogsStealer

5398dfa9b21d13c9881b8775353022160a05f203b981432c15d0d7ca17e2eb54

PureLogsStealer

5f4a7d9028089b7be46f98d664878d01cf67238d25bdfd7daf17c2a4f5d0d726

PureLogsStealer

6bf81a58f47093727e85a5175d3b7042384159ce7088fa94b4476bda09ea401e

PureLogsStealer

781b6211fe7e291d52cf690e3bbb508714f4608aa879cedc2a61199312dff91a

PureLogsStealer

c7a8b476fa73a2e03f58af36912421189ddfa323a2f9e811254b52fcadf96709

PureLogsStealer

error

PureLogsStealer

+ 2'533 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/260107-p9zfsaey3d/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/7ea32650-4751-453b-8b77-e260c3668e02

Unpacked files

SH256 hash:

1f5baad6f2f66ce9a8969345456821b053077da7f784ccff02af1831ec3aca07

MD5 hash:

1e5213ff45ed739a5bcb10f4cc00c12c

SHA1 hash:

a80b8e6b7347d054c60f31242d508cf2566a0f92

Link:

https://www.unpac.me/results/937135fc-67cb-441c-becd-777c1d815a4d/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1f5baad6f2f6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1f5baad6f2f66ce9a8969345456821b053077da7f784ccff02af1831ec3aca07

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/48047/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample