MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3050a5206d0847d5cfa16e79944ce348db688294e311db4d7b6045ffbe337450. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3050a5206d0847d5cfa16e79944ce348db688294e311db4d7b6045ffbe337450
SHA3-384 hash: 0054012626ba5d9a5135fba72b6d754aa3ce3575765caabc6714cacbfb21fcb2822fb3742f933e9bab5331a6f81547cf
SHA1 hash: d46ee66b687d30f6f88662985d47a1551eaf968a
MD5 hash: caaae6009991d5aa0fa59520b0ac9a23
humanhash: batman-artist-september-arizona
File name:Qgwwal.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:586'752 bytes
First seen:2025-09-18 07:08:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:3YCCWJA8bJAob7OANMyLgZLJBunYW1kv5sAijt5IdvhnrS:26TAYyqXgfBOYW1rnAnr
TLSH T1E8C42317A046D174CBB6C776FDE3560146D189A04247FF1D79DEAB8B0C2638BC988ACA
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter 0xb0mb3r
Tags:exe Loader PureLogs PureLogsStealer VMDetectloader

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Qgwwal.exe
Verdict:
Malicious activity
Analysis date:
2025-09-18 07:12:22 UTC
Tags:
purehvnc netreactor
Link:
https://app.any.run/tasks/d032c378-724c-4f15-9ff0-4dcc132be69c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28092/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68cbb03488b954439247a83c
Tags:
malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 net_reactor obfuscated packed packed
Link:
https://www.filescan.io/uploads/68cbb035b29d966a312c97e0/reports/1451e295-3ef1-41b9-9e5f-71fdc0c9dec9/overview
Verdict:
Malicious
Labled as:
MSIL.Androm.Generic
Link:
https://www.hybrid-analysis.com/sample/3050a5206d0847d5cfa16e79944ce348db688294e311db4d7b6045ffbe337450
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-18T04:31:00Z UTC
Last seen:
2025-09-18T04:31:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.Win32.Agent.sb Trojan-PSW.MSIL.Stealer.sb Trojan-PSW.MSIL.Agent.sb Trojan-PSW.PureLogs.TCP.C&C HEUR:Trojan.MSIL.Agent.gen Trojan-PSW.Win32.Disco.sb Trojan-PSW.MSIL.PureLogs.sb VHO:Backdoor.MSIL.Convagent.gen VHO:Trojan-PSW.MSIL.Agent.gen
Link:
https://opentip.kaspersky.com/3050a5206d0847d5cfa16e79944ce348db688294e311db4d7b6045ffbe337450/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/591d5508-7cdc-48ca-b39c-2e1ce28fc62a
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3050a5206d0847d5cfa16e79944ce348db688294e311db4d7b6045ffbe337450
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.62 Win 32 Exe x86
Link:
https://app.malva.re/file/caaae6009991d5aa0fa59520b0ac9a23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3050a5206d0847d5cfa16e79944ce348db688294e311db4d7b6045ffbe337450/
Verdict:
Malicious
Threat:
Trojan-PSW.Win32.Stealer
Link:
https://tip.neiki.dev/file/3050a5206d0847d5cfa16e79944ce348db688294e311db4d7b6045ffbe337450
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2025-09-18 07:09:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gbikkidnbbd5lt5bnz4zithdjdnwrauu4mi5wtl3mbc77prtoria._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection discovery spyware stealer
Link:
https://tria.ge/reports/250918-hy44kastfz/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Drops file in Windows directory
Accesses Microsoft Outlook profiles
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1ff18314-7c7a-4214-8533-ddac0d456161
Unpacked files
SH256 hash:
3050a5206d0847d5cfa16e79944ce348db688294e311db4d7b6045ffbe337450
MD5 hash:
caaae6009991d5aa0fa59520b0ac9a23
SHA1 hash:
d46ee66b687d30f6f88662985d47a1551eaf968a
Link:
https://www.unpac.me/results/cd602ebd-b206-4fc8-b6cb-0ccbb436114a/
SH256 hash:
30560052148ad014c0a312063a8cb4dd975703287e527ce0f1907334a553a104
MD5 hash:
0de9a4cf5ac75d6e52fef5446276539a
SHA1 hash:
310bc6f4db24f9e735463f2590cc053c0c609bde
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/cd602ebd-b206-4fc8-b6cb-0ccbb436114a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3050a5206d08/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3050a5206d0847d5cfa16e79944ce348db688294e311db4d7b6045ffbe337450

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:TH_Generic_MassHunt_Webshells_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic multi-language webshell mass-hunt rule (PHP/ASP(X)/JSP/Python/Perl/Node) - 2025
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

PureLogsStealer

Executable exe 3050a5206d0847d5cfa16e79944ce348db688294e311db4d7b6045ffbe337450

(this sample)

DLL dll bb723217f9c2932116c9e1313d558a7baddb921886eaa3beca95f7b3c5b848b0

  
Dropping
SHA256 bb723217f9c2932116c9e1313d558a7baddb921886eaa3beca95f7b3c5b848b0
  
Dropping
PureLogs
Cape
Cape
https://www.capesandbox.com/analysis/28092/
  
Dropping
MD5 1de5029faf42841f563d79f72d27c3de

Comments