MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46ebf0713b673f18360202e297685e3031456bf7d44a4ec97bbdc6187c716bc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 46ebf0713b673f18360202e297685e3031456bf7d44a4ec97bbdc6187c716bc8
SHA3-384 hash: 8d5eea5cbd44d6ffa4e807eb142870f6343bd69c5f4761ea3636aae999cddf0ed8213d2031bc0d3a06f85e474d926c49
SHA1 hash: 0368f5868e786fb4f1622116165684e35d6c23b5
MD5 hash: eef01da8c18de3fc7869717f93721038
humanhash: grey-finch-washington-queen
File name:ORDER No 943005255.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:1'163'264 bytes
First seen:2025-09-26 11:17:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:aFaCcFPRxtAQJPZe62IWjppUHXDOWiLMg2nQhrB62pgJm4C6qjj9VW4NikEbw73c:HpLj3e62HjppUHXCWiogptjQojrNNi7
TLSH T1F335E09C3365B59FC467CE7189A4DE70AA606CA6971BC20351E71DAFB90C6C7CE102F2
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter lowmal3
Tags:exe PureLogsStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
136
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER No 943005255.exe
Verdict:
No threats detected
Analysis date:
2025-09-26 11:17:51 UTC
Tags:
anti-evasion
Link:
https://app.any.run/tasks/bf494675-d47a-4e14-824f-e80eeada5661

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/29151/
Detection(s):
no reply from clamd
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d67653d42217a4290be352
Tags:
micro spawn shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Launching a process
Creating a file
Forced shutdown of a system process
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade obfuscated obfuscated packed vbnet
Link:
https://www.filescan.io/uploads/68d67657674d5fd6aa0d87eb/reports/6542a3e1-97f1-4f74-be68-c6a9f800673f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/46ebf0713b673f18360202e297685e3031456bf7d44a4ec97bbdc6187c716bc8
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-26T07:28:00Z UTC
Last seen:
2025-09-26T07:28:00Z UTC
Hits:
~1000
Detections:
HEUR:Trojan.MSIL.Taskun.gen PDM:Trojan.Win32.Generic Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb
Link:
https://opentip.kaspersky.com/46ebf0713b673f18360202e297685e3031456bf7d44a4ec97bbdc6187c716bc8/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/85a68cdb-e388-4e77-a20a-d65545dd165a
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1784701
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/46ebf0713b673f18360202e297685e3031456bf7d44a4ec97bbdc6187c716bc8
Verdict:
inconclusive
YARA:
12 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.80 Win 32 Exe x86
Link:
https://app.malva.re/file/eef01da8c18de3fc7869717f93721038
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/46ebf0713b673f18360202e297685e3031456bf7d44a4ec97bbdc6187c716bc8/
Verdict:
Malicious
Threat:
Trojan.MSIL.Taskun
Link:
https://tip.neiki.dev/file/46ebf0713b673f18360202e297685e3031456bf7d44a4ec97bbdc6187c716bc8
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-09-26 10:36:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=i3v7a4j3m47rqnqcalrjo2c6gayuk27x2rfe5sl3xxdbq7drnpea._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
Similar samples:
error
PureLogsStealer
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250926-ndz7rsgp9y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e9ae096b-ff2a-4a51-8608-e13d27ecb88b
Unpacked files
SH256 hash:
46ebf0713b673f18360202e297685e3031456bf7d44a4ec97bbdc6187c716bc8
MD5 hash:
eef01da8c18de3fc7869717f93721038
SHA1 hash:
0368f5868e786fb4f1622116165684e35d6c23b5
Link:
https://www.unpac.me/results/d8aae039-340e-44df-87dc-2c0a7cd3758c/
SH256 hash:
b0f56ff6de99a32f6219b602672a0a7702a638645bd61f1ce64e1f66e6e42440
MD5 hash:
76432ab5346735b467ea6bba132be511
SHA1 hash:
04dd3f574ffcc38ef808254597bc17842def8e7f
Link:
https://www.unpac.me/results/d8aae039-340e-44df-87dc-2c0a7cd3758c/
SH256 hash:
ba62e7e89557bb426f1813b06a062db822e8d0141e93936d132b58fd4382af44
MD5 hash:
9c25fef6456290916a73792f1e2f8e54
SHA1 hash:
3bc346d1f860801cf5aaed37014a2efca9170791
Link:
https://www.unpac.me/results/d8aae039-340e-44df-87dc-2c0a7cd3758c/
SH256 hash:
e470b088c75f5838f7e321482531845bebf7b02990ef46b61393d84889ed89a5
MD5 hash:
da184d2a952a2e2887163d322528c877
SHA1 hash:
5c81871663e5f26a3d70c02e6f12acbfe3c44917
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/d8aae039-340e-44df-87dc-2c0a7cd3758c/
SH256 hash:
c47f990a7acff827def512217453c677982c8c99ebf46cab4a226df664b0a817
MD5 hash:
60206292fd5de4870099a2a20ea05dcb
SHA1 hash:
385f5ddc27f2f0b70e9cbe945f55aead10312531
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/d8aae039-340e-44df-87dc-2c0a7cd3758c/
Parent samples :
46ebf0713b673f18360202e297685e3031456bf7d44a4ec97bbdc6187c716bc8
6d23f8eb627db8dc8d0ee9aac9ae8e6b95d0ecd4c96e75ee4a91dfc4bca24958
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/46ebf0713b67/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/46ebf0713b673f18360202e297685e3031456bf7d44a4ec97bbdc6187c716bc8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PureLogsStealer

Executable exe 46ebf0713b673f18360202e297685e3031456bf7d44a4ec97bbdc6187c716bc8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/29151/

Comments