MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48f721bd8e1dc590ebc195df91244a2053fe0d691767f067814c7ec658eb4ec9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PureLogsStealer


Vendor detections: 16



SHA256 hash: 48f721bd8e1dc590ebc195df91244a2053fe0d691767f067814c7ec658eb4ec9
SHA3-384 hash: e40defa28c675ae09e37ab6c8118603688f5ae4ad23080b2301e82c1b7144122ccd12b56378378bfc57bb3849aa0c74a
SHA1 hash: a8e1748d8584b14f4bda410f16058c4fe849f661
MD5 hash: 3478f272298653f407c99793cd23b6c9
humanhash: uncle-salami-cup-failed
File name: 122.exe
Download: download sample
Signature: PureLogsStealer
File size: 2'120'192 bytes
First seen: 2025-11-03 11:56:05 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'669 x AgentTesla, 19'482 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 49152:2lujECh86nPZW+quUgvKtdE42wtrN1lCVMmU8:zph86ni+u+3uN1gi58
TLSH: T104A5CF066EE16F13E63EC37589E3899073B69699FF4B978BA940746218423E057430FF
TrID: 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe PureLogsStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 109
Origin country: SE
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
Main.exe poweroffkill.zip
Verdict:
Malicious activity
Analysis date:
2025-11-01 21:27:23 UTC
Tags:
auto generic arch-exec xworm rat processexplorer tool python phishing possible-phishing amadey botnet stealer clickfix github xenorat stealc metasploit backdoor meterpreter payload dcrat miner tinynuke asyncrat clipper diamotrix remcos xtinyloader loader rhadamanthys katzstealer agenttesla svc vidar coinminer salatstealer redline lumma httpdebugger aurotun njrat bladabindi quasar evasion masslogger gh0st purelogs purecrypter vipkeylogger keylogger nanocore rustystealer snake ghostsocks proxyware telegram darktortilla crypter lokibot cobaltstrike auto-sch-xml pyinstaller arch-doc ta558 apt stegocampaign reverseloader remote

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.9%
Tags:
obfuscate xtreme spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
DNS request
Connection attempt to an infection source
Creating a window
Creating a file in the %AppData% directory
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-01T15:37:00Z UTC
Last seen:
2025-11-04T13:57:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Agentb.sb HEUR:Trojan.Win32.Generic Trojan-PSW.MSIL.PureLogs.sb Trojan.MSIL.Inject.sb HEUR:Trojan-PSW.MSIL.PureLogs.gen VHO:Trojan-Downloader.MSIL.Convagent.gen
Result
Threat name:
ResolverRAT, PureLog Stealer
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected ResolverRAT
Behaviour
Behavior Graph:
[Behavior graph image not reproduced] Behavior Graph ID: 1806876; Sample: 122.exe; Start date: 03/11/2025; Architecture: WINDOWS; Score: 100. Recoverable graph content: 122.exe starts a second 122.exe, which drops C:\Users\user\AppData\Roaming\edrcnder.exe (PE32), resolves pat.microsoft-telemetry.at (193.111.117.0, ports 49718, 49723, 56001; SUPERSERVERSDATACENTERRU, Lithuania) and bg.microsoft.map.fastly.net, and starts powershell.exe (Loading BitLocker PowerShell Module), which in turn starts conhost.exe. edrcnder.exe is also started and is flagged by "Antivirus detection for dropped file" and "Multi AV Scanner detection for dropped file". Signatures attached to the graph: Suricata IDS alerts for network traffic; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; WMI queries of physical memory, disk and Plug and Play device information (often done to detect virtual machines); Found many strings related to Crypto-Wallets (likely being stolen); Encrypted powershell cmdline option found; Tries to harvest and steal Bitcoin Wallet information; plus 11 other signatures.
Verdict:
inconclusive
YARA:
12 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.44 Win 32 Exe x86
Threat name:
ByteCode-MSIL.Trojan.Heracles
Status:
Malicious
First seen:
2025-11-01 18:34:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
21 of 24 (87.50%)
Threat level:
5/5
Verdict:
malicious
Label(s):
unc_loader_078
Similar samples:
Result
Malware family:
n/a
Score:
7/10
Tags:
discovery execution spyware stealer
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Unpacked files
SHA256 hash:
48f721bd8e1dc590ebc195df91244a2053fe0d691767f067814c7ec658eb4ec9
MD5 hash:
3478f272298653f407c99793cd23b6c9
SHA1 hash:
a8e1748d8584b14f4bda410f16058c4fe849f661
SHA256 hash:
02cc49eee546c1b3e0b84038433b78278b47f2ab7b7065b543fbd28a39bb8e29
MD5 hash:
1c41ea7446edad22adccb2caa8aca0a3
SHA1 hash:
2b299de4da9d16c785210a450308028301bd6a62
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
SHA256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
SHA256 hash:
3cf43b3d389ffd987e5acaa832798b8edd9e48f9f0687a368fde7e5c59fdd050
MD5 hash:
1b5b440df7ae37b8d9fefbb88d34d075
SHA1 hash:
55c1ea2ae66b1922960447734211773af57a574d
SHA256 hash:
5fb7292b229b791282b3ab6dd748b463ae1cd849adca1e654554b0ce387e3469
MD5 hash:
b20e31be3070ee852ebef2f7d2703702
SHA1 hash:
84f58d201a7f5a38bd36624bb7f7e40690f0218a
SHA256 hash:
1e13a9fb06b8cec985d59a6aa7456908a1d8011d65d775e6c474db02efa5ebcc
MD5 hash:
770ad7d05dadf82a52b81f02b9959319
SHA1 hash:
4c4915bd9c6b0a7acc0281ccf22362f67cb60df2
Detections:
SUSP_OBF_NET_Eazfuscator_String_Encryption_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24
SHA256 hash:
23b55e005cc8a2e8effcd3b73ffe95f4dcd932486afebdd0f7dbc6e8109dd789
MD5 hash:
56bdc3497d2d641f94018099a7b91229
SHA1 hash:
6dac46e6f012c60b1dca963d450bcf32558a98f7
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

Executable exe 48f721bd8e1dc590ebc195df91244a2053fe0d691767f067814c7ec658eb4ec9

(this sample)

Delivery method
Distributed via web download

Comments