MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4154a81334fa6da1113851f6e4d167de1fbf4ceaa49a8c87df5ebd9d707574c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureLogsStealer

Vendor detections: 20

SHA256 hash: 4154a81334fa6da1113851f6e4d167de1fbf4ceaa49a8c87df5ebd9d707574c2
SHA3-384 hash: abb95d958c7db9b5db334a47d0bd67b416eb8eef2330b053d7fce015193b40401d58db1d77fc5164387ab9cb164b74ba
SHA1 hash: 4d9ad9e371d9adbca2478ef38fe6a2525db5e8ee
MD5 hash: 09932b0c0a29627c764a41c599dd325f
humanhash: paris-alanine-diet-batman
File name: 09932B0C0A29627C764A41C599DD325F.exe
Download: download sample
Signature: PureLogsStealer
File size: 455'156 bytes
First seen: 2025-11-20 22:10:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1e7280afbf80c2800b272220ce0718da (37 x Amadey, 2 x RedLineStealer, 1 x CredentialFlusher)
ssdeep: 6144:bzJ0deMWD/IEG1e4vhj4R0chpe7CBRpyVbvUw5KJJLPu9fet5svT7KfPAOxadqM5:bd0deMWD/IE34pc0ypyvUw5KJJxQqM5
Threatray: 1'193 similar samples on MalwareBazaar
TLSH: T171A46C227852C032D66111B12979BFF585AEFC259B7109DB7BC40F779A202E36E31E39
TrID: 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: abuse_ch
Tags: exe PureLogsStealer


abuse_ch
PureLogsStealer C2:
23.94.145.31:55509

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                                     ThreatFox Reference
23.94.145.31:55509                      https://threatfox.abuse.ch/ioc/1647441/
http://91.92.243.129/0gjSy4hf3/index.php  https://threatfox.abuse.ch/ioc/1647443/

Intelligence


File Origin
# of uploads: 1
# of downloads: 128
Origin country: NL

Vendor Threat Intelligence
Malware family:
ID: 1
File name: 09932B0C0A29627C764A41C599DD325F.exe
Verdict: Malicious activity
Analysis date: 2025-11-20 22:11:18 UTC
Tags: amadey botnet stealer loader auto-reg credentialflusher rdp stealc auto socks5systemz proxybot xor-url upx generic purecrypter autoit auto-startup lumma auto-sch vidar gcleaner

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Creating synchronization primitives
Connection attempt to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: amadey amadey anti-debug base64 fingerprint lolbin microsoft_visual_cc netsh stealer wmic
Verdict: Malicious
File Type: exe x32
First seen: 2025-11-18T12:50:00Z UTC
Last seen: 2025-11-21T02:01:00Z UTC
Hits: ~10
Detections: Trojan-PSW.Lumma.HTTP.Download Trojan.Nymaim.HTTP.ServerRequest Trojan-Downloader.Win32.Deyma.sb HEUR:Trojan-Downloader.Win32.Deyma.gen

Result
Threat name: Amadey, DarkVision Rat, PureLog Stealer
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Early bird code injection technique detected
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious execution chain found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected AntiVM3
Yara detected DarkVision Rat
Yara detected PureLog Stealer
Yara detected Stealc v2
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Behaviour
Behavior Graph: [graph not reproduced here; Behavior Graph ID: 1818198, Sample: Y379onB8vh.exe, Start date: 20/11/2025, Architecture: WINDOWS, Score: 100]
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name: Win32.Trojan.Amadey
Status: Malicious
First seen: 2025-11-18 18:54:46 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 22 of 24 (91.67%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:amadey family:vidar family:xworm botnet:094730baac20bf387d83655084aee333 botnet:effd85c44f25377e4313dc5ab8f34880 botnet:fbf543 collection discovery execution persistence rat spyware stealer trojan upx
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
UPX packed file
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Sets service image path in registry
Amadey family
Detect Xworm Payload
Detects Vidar Stealer
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Vidar family
Xworm
Xworm family
Amadey
Malware Config
C2 Extraction:
http://94.154.35.25
https://steamcommunity.com/profiles/76561198767911792
178.16.55.70:6000
https://steamcommunity.com/profiles/76561198770591383
Unpacked files
SHA256 hash: 4154a81334fa6da1113851f6e4d167de1fbf4ceaa49a8c87df5ebd9d707574c2
MD5 hash: 09932b0c0a29627c764a41c599dd325f
SHA1 hash: 4d9ad9e371d9adbca2478ef38fe6a2525db5e8ee
Detections: Amadey
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amadey
Author:kevoreilly, YungBinary
Description:Amadey Payload
Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dgaagas
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base64 encoded powershell script.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MAL_Win_Amadey_Jun25
Author:0x0d4y
Description:This rule detects intrinsic patterns of Amadey version 5.34
Reference:https://0x0d4y.blog/amadey-targeted-analysis/
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Rule name:SUSP_XORed_URL_In_EXE
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:upx_largefile
Author:k3nr9
Rule name:win_amadey_062025
Author:0x0d4y
Description:This rule detects intrinsic patterns of Amadey version 5.34.
Reference:https://0x0d4y.blog/amadey-targeted-analysis/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments