MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36f2aa3f82dade82ea8f932752979db717ac6b69445cab36eec5bea58d20f124. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureLogsStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 9 File information Comments

SHA256 hash:	36f2aa3f82dade82ea8f932752979db717ac6b69445cab36eec5bea58d20f124
SHA3-384 hash:	33d636e00a1f95534c73a7958032caf0c5339c3ebd5d0b8af366486dcb91eb911e1ac93ca1995270de80b6acc4f167f3
SHA1 hash:	aa366bad0edeea2a48a30e2dbd8afa183e95b32b
MD5 hash:	d4579a8ec9e67f61dc38775f1b1e1991
humanhash:	golf-emma-eighteen-fix
File name:	z45FacturaTKSC2460757.vbe
Download:	download sample
Signature	PureLogsStealer Create hunting rule
File size:	3'806'905 bytes
First seen:	2025-10-09 16:00:13 UTC
Last seen:	Never
File type:	vbe
MIME type:	text/plain
ssdeep	49152:rB8WB9vAPTdnATCfSDv4BEQWdxRplsvzOmLJ+EqL:L
Threatray	531 similar samples on MalwareBazaar
TLSH	T1DD06021189C82FB9CFAC5A1890FE161E93F05A8E541A758EFB37BD4AAFF784401071D9
Magika	vba
Reporter	FXOLabs
Tags:	PureLogsStealer vbe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.149.24.149:20110	https://threatfox.abuse.ch/ioc/1610177/

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68e7dc9823804d0975b637b4

Tags:

agenttesla vmdetect

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm base64 evasive krypt obfuscated obfuscated powershell reconnaissance

Link:

https://www.filescan.io/uploads/68e7f8bef377ab2310555507/reports/423722c6-c3ce-4927-a680-0766b47a5beb/overview

Verdict:

Malicious

Labled as:

GT:VB.AgentTesla.4

Link:

https://www.hybrid-analysis.com/sample/36f2aa3f82dade82ea8f932752979db717ac6b69445cab36eec5bea58d20f124

Verdict:

Unknown

File Type:

Link:

https://opentip.kaspersky.com/36f2aa3f82dade82ea8f932752979db717ac6b69445cab36eec5bea58d20f124/results?tab=lookup

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/36f2aa3f82dade82ea8f932752979db717ac6b69445cab36eec5bea58d20f124

Verdict:

Malware

YARA:

2 match(es)

Tags:

ADODB.Stream Batch Command MSXML2.DOMDocument MSXML2.DOMDocument.6.0 PowerShell PowerShell Call Scripting.FileSystemObject T1059.005 VBS Execute Sub-Script VBScript WScript.Network WScript.Shell

Link:

https://app.malva.re/file/d4579a8ec9e67f61dc38775f1b1e1991

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/36f2aa3f82dade82ea8f932752979db717ac6b69445cab36eec5bea58d20f124/

Verdict:

Malicious

Threat:

Trojan-PSW.PureLogs.TCP

Link:

https://tip.neiki.dev/file/36f2aa3f82dade82ea8f932752979db717ac6b69445cab36eec5bea58d20f124

Threat name:

Win32.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-10-09 17:11:28 UTC

File Type:

Text (VBS)

AV detection:

12 of 37 (32.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=g3zkup4c3lpif2upsmtvff45w4l2y23jirokwnxoyw7kldja6esa._file

Verdict:

malicious

Label(s):

katzstealer

PureLogsStealer

33bc65e4f8bc25a0289128c3ee2b25f9811a50589d5de93e3c65a89401d20270

PureLogsStealer

5b88e8e2e95d7b73ffa6bcc1f2bcb4d4791340993ed30c84663c907ad50ae6c2

PureLogsStealer

6d2944f334acc2722e643ad9742a081314ff2bd8c4b71ddf5561636dc3e83377

PureLogsStealer

error

PureLogsStealer

+ 521 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

collection discovery execution

Link:

https://tria.ge/reports/251009-wewjzasps9/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/36f2aa3f82da/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/36f2aa3f82dade82ea8f932752979db717ac6b69445cab36eec5bea58d20f124

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Base64_Encoded_Powershell_Directives Create hunting rule

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	detect_tiny_vbs Create hunting rule
Author:	daniyyell
Description:	Detects tiny VBS delivery technique

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	TH_Generic_MassHunt_Webshells_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Generic multi-language webshell mass-hunt rule (PHP/ASP(X)/JSP/Python/Perl/Node) - 2025
Reference:	https://cyfare.net/

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PureLogsStealer

vbe 36f2aa3f82dade82ea8f932752979db717ac6b69445cab36eec5bea58d20f124

(this sample)

Delivery method

Distributed via e-mail attachment

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample