MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4978680ea558de05a0f4aafd970ffeb9123ddbe34cda433512faf68e80a6bc8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4978680ea558de05a0f4aafd970ffeb9123ddbe34cda433512faf68e80a6bc8a
SHA3-384 hash: a9de230d8edbc16d2e26cd02f5e1faf40105da2f7007fde8092bbd930f110dc68b89497f5e0526c574ffc23bc6386896
SHA1 hash: aa3c315da743384a77ceaa4519cfb8ad76c08653
MD5 hash: 6da86fe3927604e619611626e33fb366
humanhash: kilo-tennis-winter-magnesium
File name:4978680ea558de05a0f4aafd970ffeb9123ddbe34cda433512faf68e80a6bc8a
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:1'746'944 bytes
First seen:2025-11-06 11:19:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:En/uLts2Tzg70BxGPGZD52Am2RhSHIp7bGt4w5aYETUiZhxAYMWr/b5HxiqFMEOl:Nzg0BxGPGZD52Agy1w5NCaW7ES2
Threatray 547 similar samples on MalwareBazaar
TLSH T1CC85F791F4A528B18146A6BDD0AE054F8F2972D7E983901FF19C6BC41F1FE81B9C7A43
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe PureLogsStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4978680ea558de05a0f4aafd970ffeb9123ddbe34cda433512faf68e80a6bc8a
Verdict:
Malicious activity
Analysis date:
2025-11-05 14:44:00 UTC
Tags:
payload purecrypter netreactor purehvnc
Link:
https://app.any.run/tasks/a27979ac-e497-447c-80b3-beb56a266562

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/36131/
Detection(s):
SecuriteInfo.com.Spam-128401.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Spam-128402.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690c846d5a5ed7864e237cb2
Tags:
trojan virus hype
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Connection attempt
Sending an HTTP GET request
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Labled as:
IL:Trojan.MSILMamut
Link:
https://www.hybrid-analysis.com/sample/4978680ea558de05a0f4aafd970ffeb9123ddbe34cda433512faf68e80a6bc8a
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-24T06:35:00Z UTC
Last seen:
2025-11-07T13:04:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/4978680ea558de05a0f4aafd970ffeb9123ddbe34cda433512faf68e80a6bc8a/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/928daf68-f4cc-49bf-b983-2760d8807a6c
Score:
32%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/4978680ea558de05a0f4aafd970ffeb9123ddbe34cda433512faf68e80a6bc8a
Verdict:
inconclusive
YARA:
11 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.40 Win 32 Exe x86
Link:
https://app.malva.re/file/6da86fe3927604e619611626e33fb366
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4978680ea558de05a0f4aafd970ffeb9123ddbe34cda433512faf68e80a6bc8a/
Threat name:
ByteCode-MSIL.Trojan.Mamut
Create hunting rule
Status:
Malicious
First seen:
2025-10-24 09:16:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
62
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jf4gqdvfldpalihuvl6zod76xejd3w7djtnegnis7l3i5afgxsfa._file
Verdict:
malicious
Label(s):
purecrypter
Create hunting rule
katzstealer
Create hunting rule
unc_loader_078
Create hunting rule
Similar samples:
3aece1e84c3a29c503ae917c6b300c5198e7ca982a6f8694d09970d47ccc18b3
PureLogsStealer
4978680ea558de05a0f4aafd970ffeb9123ddbe34cda433512faf68e80a6bc8a
PureLogsStealer
5310cbf5067a34b198535c5245be1a08296ce9525ce7748fa9ffc91f246fe9db
PureLogsStealer
54c9a7b2d0118b16cc093ffe52bce2018e15fdee6827cb6deba928d71d67c93c
PureLogsStealer
5866086aabad6058bc0f6fda58ea98a3bccad73cfc1c2a992851a8e97e2e9181
PureLogsStealer
58ce063b0d0fd247f0bd4386bcd11523c72d5d9845157ef6c9b9f206ca16cd7b
PureLogsStealer
error
PureLogsStealer
+ 537 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
collection discovery
Link:
https://tria.ge/reports/251106-nfmpfswmak/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/28cac749-64a7-4bea-b82c-35702395ee82
Unpacked files
SH256 hash:
4978680ea558de05a0f4aafd970ffeb9123ddbe34cda433512faf68e80a6bc8a
MD5 hash:
6da86fe3927604e619611626e33fb366
SHA1 hash:
aa3c315da743384a77ceaa4519cfb8ad76c08653
Link:
https://www.unpac.me/results/79e4cc20-8654-48bf-8317-7f5597120504/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4978680ea558/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.77
Link:
https://yomi.yoroi.company/submissions/4978680ea558de05a0f4aafd970ffeb9123ddbe34cda433512faf68e80a6bc8a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:test_Malaysia
Create hunting rule
Author:rectifyq
Description:Detects file containing malaysia string

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/36131/

Comments