MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49308faf55de67a28ee60208b10eeedc12fd05064d266ed425a77285120158ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureLogsStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 5 File information Comments

SHA256 hash:	49308faf55de67a28ee60208b10eeedc12fd05064d266ed425a77285120158ec
SHA3-384 hash:	87460e7180e00ddb4f608e3550ddb7104fb302bacdf78652ff88b8404e94820a2073c45c1f15da218dc10b7cd3428be1
SHA1 hash:	8bfc622189d921de9a94cdd49cdc383d3f29a1f5
MD5 hash:	1c09c97e19c8f3f36d09f4923fd100c8
humanhash:	blossom-violet-eleven-spring
File name:	3rdpe.bin
Download:	download sample
Signature	PureLogsStealer Create hunting rule
File size:	566'784 bytes
First seen:	2025-08-11 09:21:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:0fMwN9DY0E2KM3IKASfEIUbhNXBkpTWFSz5oluLihQvqGmHRFEa:SvN1OgIkaBCWFSLiWiGmHHE
TLSH	T1F5C423DA229EC208E5B2EDF8C3D3EBD887D4DE44097357879C7F60A22441B9E65B08D5
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	marsomx
Tags:	172-96-172-173 dropped exe PureLogsStealer Spam-ITA

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
95.214.54.172:7609	https://threatfox.abuse.ch/ioc/1567260/

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

3rdpe.bin

Verdict:

Malicious activity

Analysis date:

2025-08-11 09:22:36 UTC

Tags:

stealer purecrypter meduza netreactor purehvnc

Link:

https://app.any.run/tasks/1e7318cf-0000-46ce-ae9d-875324b10753

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/20097/

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6899b627c633abe3908dc463

Tags:

virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Connection attempt

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Stealing user critical data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

base64 masquerade net_reactor obfuscated packed packed

Link:

https://www.filescan.io/uploads/6899b6262fbe0788fb1d6133/reports/2298d357-d631-4f5e-8a9b-8c8ef9916f66/overview

Verdict:

Malicious

Labled as:

Trojan.Mardom.MN.Generic

Link:

https://www.hybrid-analysis.com/sample/49308faf55de67a28ee60208b10eeedc12fd05064d266ed425a77285120158ec

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/7dc643e6-7ae2-46a5-9a91-b2280793bb2c

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/49308faf55de67a28ee60208b10eeedc12fd05064d266ed425a77285120158ec

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable PE (Portable Executable) SOS: 0.86 Win 32 Exe x86

Link:

https://app.malva.re/file/1c09c97e19c8f3f36d09f4923fd100c8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/49308faf55de67a28ee60208b10eeedc12fd05064d266ed425a77285120158ec/

Verdict:

Malicious

Threat:

Trojan-PSW.Win32.Stealer

Link:

https://tip.neiki.dev/file/49308faf55de67a28ee60208b10eeedc12fd05064d266ed425a77285120158ec

Threat name:

Win32.Infostealer.Browsstl

Status:

Malicious

First seen:

2025-08-05 06:40:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jeyi7l2v3zt2fdxgaielcdxo3qjp2bigjutg5vbfu5zikeqbldwa._file

Result

Malware family:

n/a

Score:

7/10

Tags:

collection discovery spyware stealer

Link:

https://tria.ge/reports/250811-lbm4bahr4v/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Accesses Microsoft Outlook profiles

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/479cef31-f9f2-4051-9363-f68528a44a39

Unpacked files

SH256 hash:

143644d330447d91d4c1991f41279fd654c4b087e917d99ba88e61327a21dae5

MD5 hash:

681094b335783c25851fea9e705a8c19

SHA1 hash:

48fe685ff91ce7913cb1ac5149188da379bf7be7

Link:

https://www.unpac.me/results/91f0ba44-78b5-4334-9a15-ded372a8a914/

SH256 hash:

49308faf55de67a28ee60208b10eeedc12fd05064d266ed425a77285120158ec

MD5 hash:

1c09c97e19c8f3f36d09f4923fd100c8

SHA1 hash:

8bfc622189d921de9a94cdd49cdc383d3f29a1f5

Link:

https://www.unpac.me/results/91f0ba44-78b5-4334-9a15-ded372a8a914/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/49308faf55de/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.51

Link:

https://yomi.yoroi.company/submissions/49308faf55de67a28ee60208b10eeedc12fd05064d266ed425a77285120158ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/20097/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample