MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d3b8bfce2a9a553d00af15c4880998ccb4c7062776a4ac6522d92b235e7ef21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d3b8bfce2a9a553d00af15c4880998ccb4c7062776a4ac6522d92b235e7ef21
SHA3-384 hash: d6abdc2036823e1b69921e6eda9e2aca0708cf133d980e4c1702451e26ffbe760745d813570f4a8b2bdd56c8b60923ed
SHA1 hash: 1fe482456ef6cfbc965d52e112f7a3a9361f6b85
MD5 hash: 8722c9f030549c142bf4e9f0f5162f2f
humanhash: romeo-oxygen-alpha-fifteen
File name:CUE9SwiftXK28939Z29001NF738403920MXLO3930XN89.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:647'907 bytes
First seen:2025-12-05 02:45:19 UTC
Last seen:2025-12-05 14:48:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7eae418c7423834ffc3d79b4300bd6fb (65 x GuLoader, 23 x RemcosRAT, 18 x AgentTesla)
ssdeep 12288:p5l1D8+64O3PaVuux9iZyJr4Zq5vV20PfK7BAdnrYzP00Zg:p5w+64O3iV3Eq6Sv4AKAdnsz1g
TLSH T15DD4E0E1FDA3D026C8C205FACE6D85618A391C5D53925C49F787AB2EA0DB10DEDCC1E8
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon d8b86690b270c884 (1 x PureLogsStealer)
Reporter abuse_ch
Tags:exe PureLogsStealer


Avatar
abuse_ch
PureLogsStealer C2:
23.132.164.55:5763

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
23.132.164.55:5763 https://threatfox.abuse.ch/ioc/1667872/

Intelligence

File Origin
# of uploads :
4
# of downloads :
139
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
GuLoader NSIS
Details
GuLoader
an XOR decryption key and an extracted component
GuLoader
a c2 URL, a useragent string, and a string XOR key
NSIS
extracted archive contents
Link:
https://research.acce.ciphertechsolutions.com/results/d2f5a027-138f-4001-a176-c9077b67bdeb/
Malware family:
n/a
ID:
1
File name:
CUE9SwiftXK28939Z29001NF738403920MXLO3930XN89.exe
Verdict:
No threats detected
Analysis date:
2025-12-05 02:46:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4575759c-bbd7-426b-8a6c-8dc57dd2ae1b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/42594/
Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69324749221589dfd96c3be8
Tags:
injection virus nsis blic
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug blackhole installer installer installer-heuristic microsoft_visual_cc nsis overlay unsafe
Link:
https://www.filescan.io/uploads/69324744bc15eab491f4e867/reports/d9be3feb-edf5-49f6-8a01-b2a05a70b270/overview
Verdict:
Malicious
Labled as:
HEUR/AGEN.1381104
Link:
https://www.hybrid-analysis.com/sample/4d3b8bfce2a9a553d00af15c4880998ccb4c7062776a4ac6522d92b235e7ef21
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-04T23:37:00Z UTC
Last seen:
2025-12-06T20:24:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan-Dropper.Win32.Agent.gen
Link:
https://opentip.kaspersky.com/4d3b8bfce2a9a553d00af15c4880998ccb4c7062776a4ac6522d92b235e7ef21/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7e8195d6-588d-4806-a8cc-5a36d08f2a79
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1826953
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1826953 Sample: CUE9SwiftXK28939Z29001NF738... Startdate: 05/12/2025 Architecture: WINDOWS Score: 100 27 euronova-eu.com 2->27 33 Suricata IDS alerts for network traffic 2->33 35 Antivirus detection for dropped file 2->35 37 Antivirus / Scanner detection for submitted sample 2->37 39 5 other signatures 2->39 8 CUE9SwiftXK28939Z29001NF738403920MXLO3930XN89.exe 9 71 2->8         started        signatures3 process4 file5 21 C:\Users\user\AppData\Local\...\System.dll, PE32 8->21 dropped 41 Tries to detect virtualization through RDTSC time measurements 8->41 43 Unusual module load detection (module proxying) 8->43 45 Switches to a custom stack to bypass stack traces 8->45 47 Found direct / indirect Syscall (likely to bypass EDR) 8->47 12 CUE9SwiftXK28939Z29001NF738403920MXLO3930XN89.exe 11 8->12         started        17 CUE9SwiftXK28939Z29001NF738403920MXLO3930XN89.exe 8->17         started        signatures6 process7 dnsIp8 29 23.132.164.55, 49767, 49768, 49769 WE-PE01CA Reserved 12->29 31 euronova-eu.com 72.62.53.232, 49766, 80 SPCSUS United States 12->31 23 C:\Users\user\AppData\...\Coeducationally.exe, PE32 12->23 dropped 25 CUE9SwiftXK28939Z2...XLO3930XN89.exe.log, ASCII 12->25 dropped 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->49 51 Tries to steal Mail credentials (via file / registry access) 12->51 53 Tries to harvest and steal browser information (history, passwords, etc) 12->53 55 2 other signatures 12->55 19 CUE9SwiftXK28939Z29001NF738403920MXLO3930XN89.exe 12->19         started        file9 signatures10 process11
Score:
86%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4d3b8bfce2a9a553d00af15c4880998ccb4c7062776a4ac6522d92b235e7ef21
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/8722c9f030549c142bf4e9f0f5162f2f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d3b8bfce2a9a553d00af15c4880998ccb4c7062776a4ac6522d92b235e7ef21/
Verdict:
Malicious
Threat:
Win32.Malware.Heuristic
Link:
https://tip.neiki.dev/file/4d3b8bfce2a9a553d00af15c4880998ccb4c7062776a4ac6522d92b235e7ef21
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-12-05 02:45:28 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ju5yx7hcvgsvhuak6foeraezrtfuy4dco5vevrssfwjlenph54qq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/251205-c8yfwahp9t/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/dda6a503-d2db-4568-a431-580f0140a4a8
Unpacked files
SH256 hash:
84658cfdf1f6bf6616d0c88910b982242a10d37288a8f48044402d5eac93abd4
MD5 hash:
83bb008061b2ea01570a1945c2bd8264
SHA1 hash:
776da27900b61863bef130d447b1a322d34e2a6b
Link:
https://www.unpac.me/results/360c9a97-1e62-46d7-99bb-5593e6f6cfa4/
SH256 hash:
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
MD5 hash:
8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 hash:
7cc1caaa747ee16dc894a600a4256f64fa65a9b8
Link:
https://www.unpac.me/results/360c9a97-1e62-46d7-99bb-5593e6f6cfa4/
SH256 hash:
4d3b8bfce2a9a553d00af15c4880998ccb4c7062776a4ac6522d92b235e7ef21
MD5 hash:
8722c9f030549c142bf4e9f0f5162f2f
SHA1 hash:
1fe482456ef6cfbc965d52e112f7a3a9361f6b85
Link:
https://www.unpac.me/results/360c9a97-1e62-46d7-99bb-5593e6f6cfa4/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4d3b8bfce2a9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PureLogsStealer

rar d20d68a0f4827677ae52f3f03f80b61e3ab99c1879abc3327fc679790e3fc186

PureLogsStealer

Executable exe 4d3b8bfce2a9a553d00af15c4880998ccb4c7062776a4ac6522d92b235e7ef21

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/42594/
  
Dropped by
SHA256 d20d68a0f4827677ae52f3f03f80b61e3ab99c1879abc3327fc679790e3fc186
  
Dropped by
MD5 824566ee9c453c92635f14b263fbd242

Comments