MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 549a2ef27e60dc1550032622ce3c85b5b5b3fdceabdfc318342f1c24e55614bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 549a2ef27e60dc1550032622ce3c85b5b5b3fdceabdfc318342f1c24e55614bf
SHA3-384 hash: 8fe8f6efd75167b39ed8f6baf1d3df1c70dea9875793b8086eb70a1a262cdad3d3ac0db6017b8f1f1f406be57200a4ec
SHA1 hash: 7e91b66544d9c37add39d2816106c993b859c953
MD5 hash: 8d39a88f69ad6f0aa1002ff4c7f30f0d
humanhash: sierra-muppet-nevada-eight
File name:chứng từ vận chuyển_8009377622.gz.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:1'110'528 bytes
First seen:2025-12-05 14:45:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:IfLQQmY3mGF2EhI4sAVsAeNRi4jxc9kFJi0bydffmsnHTs7aG:xQZmGMEhIBLJNRPCKwffmsnh
TLSH T1663501893250E5AFC953C9328968ED74E7146D6B971BC20790DB0EAFB50DA92CF181F3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter cocaman
Tags:exe PureLogsStealer Shipping

Intelligence

File Origin
# of uploads :
1
# of downloads :
119
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/b97da80c-abaa-426f-b688-72d106d490a0/
Malware family:
n/a
ID:
1
File name:
chứng từ vận chuyển_8009377622.gz.exe
Verdict:
No threats detected
Analysis date:
2025-12-05 14:46:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/001cce73-8d54-4853-a314-71a695521c37

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/42662/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6932f0072b2823e41e749282
Tags:
malware
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
krypt masquerade obfuscated obfuscated packed vbnet
Link:
https://www.filescan.io/uploads/6932f0036019bc7a8f817967/reports/d240f5a6-53cb-4ef8-8557-f6d9d1b90b21/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/549a2ef27e60dc1550032622ce3c85b5b5b3fdceabdfc318342f1c24e55614bf
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-04T23:11:00Z UTC
Last seen:
2025-12-07T12:40:00Z UTC
Hits:
~1000
Detections:
Trojan-PSW.PureLogs.TCP.C&C PDM:Trojan.Win32.Generic HEUR:Trojan-Spy.MSIL.Noon.gen Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb
Link:
https://opentip.kaspersky.com/549a2ef27e60dc1550032622ce3c85b5b5b3fdceabdfc318342f1c24e55614bf/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/54a5d398-7e88-4cec-8ab4-03c6fcabad62
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1827301
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1827301 Sample: ch#U1ee9ng t#U1eeb v#U1eadn... Startdate: 05/12/2025 Architecture: WINDOWS Score: 100 43 Suricata IDS alerts for network traffic 2->43 45 Antivirus / Scanner detection for submitted sample 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 5 other signatures 2->49 8 ch#U1ee9ng t#U1eeb v#U1eadn chuy#U1ec3n_8009377622.gz.exe 3 2->8         started        process3 file4 31 ch#U1ee9ng t#U1eeb...09377622.gz.exe.log, ASCII 8->31 dropped 11 ch#U1ee9ng t#U1eeb v#U1eadn chuy#U1ec3n_8009377622.gz.exe 3 8->11         started        15 ch#U1ee9ng t#U1eeb v#U1eadn chuy#U1ec3n_8009377622.gz.exe 8->15         started        17 ch#U1ee9ng t#U1eeb v#U1eadn chuy#U1ec3n_8009377622.gz.exe 8->17         started        process5 dnsIp6 35 196.251.100.233, 11200, 49690, 49729 ANGANI-ASKE Seychelles 11->35 51 Tries to steal Mail credentials (via file / registry access) 11->51 53 Tries to harvest and steal browser information (history, passwords, etc) 11->53 55 Writes to foreign memory regions 11->55 57 2 other signatures 11->57 19 chrome.exe 1 11->19         started        22 chrome.exe 11->22 injected 24 chrome.exe 11->24 injected 26 5 other processes 11->26 signatures7 process8 dnsIp9 33 192.168.2.5, 11200, 138, 443 unknown unknown 19->33 28 chrome.exe 19->28         started        process10 dnsIp11 37 googlehosted.l.googleusercontent.com 173.194.219.132, 443, 49703, 49704 GOOGLEUS United States 28->37 39 plus.l.google.com 64.233.185.138, 443, 49712 GOOGLEUS United States 28->39 41 5 other IPs or domains 28->41
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/549a2ef27e60dc1550032622ce3c85b5b5b3fdceabdfc318342f1c24e55614bf
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/549a2ef27e60dc1550032622ce3c85b5b5b3fdceabdfc318342f1c24e55614bf/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-12-05 02:10:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ksnc54t6mdobkuadeyrm4pefww23h7oovpp4ggbuf4ocjzkwcs7q._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/251205-r4wh2stkgt/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4fa4730b-4356-4142-bc4d-85b3ce4b660d
Unpacked files
SH256 hash:
549a2ef27e60dc1550032622ce3c85b5b5b3fdceabdfc318342f1c24e55614bf
MD5 hash:
8d39a88f69ad6f0aa1002ff4c7f30f0d
SHA1 hash:
7e91b66544d9c37add39d2816106c993b859c953
Link:
https://www.unpac.me/results/115adc7a-e67e-4ad1-ba46-a27ad3dd32ce/
SH256 hash:
82555b40d6989afe8e094efb235b59782e2557ac2fa65ad9cb7416392ef594e1
MD5 hash:
b27ccc4d0ed2921a6722f5746e300293
SHA1 hash:
4479b486a439276dedc8fa980ba3f198b3ac7590
Link:
https://www.unpac.me/results/115adc7a-e67e-4ad1-ba46-a27ad3dd32ce/
SH256 hash:
7f5a82d79a620f831d6cbb8fd167543df09684c09dd079f4b5b5acbb2898382c
MD5 hash:
12d934a5b17854518b611089fdb376fa
SHA1 hash:
a631cdf970b5d169342eec2aa398f0c30afdf065
Link:
https://www.unpac.me/results/115adc7a-e67e-4ad1-ba46-a27ad3dd32ce/
SH256 hash:
1dc973ad7bf18f882f2957f192d01cc9185628cfd3b30c1b208e0548a62b64fb
MD5 hash:
2e9ef2eb480a18de91ae4322af53754a
SHA1 hash:
5112fb4134e598660c32114876b15bc04155de00
Link:
https://www.unpac.me/results/115adc7a-e67e-4ad1-ba46-a27ad3dd32ce/
SH256 hash:
5bfd9c054e6becff6f549a9fdc838e7f183643d491e3584d11d8a0b129513f09
MD5 hash:
783ef368302e1cd819c3a78ad29cfeb4
SHA1 hash:
53669d936ae78f36a1dbd55c24612536261b0f9e
Link:
https://www.unpac.me/results/115adc7a-e67e-4ad1-ba46-a27ad3dd32ce/
SH256 hash:
65ff3c159e0d6207aca43001079c062646d480ff9558454ac5666d5c0921ff70
MD5 hash:
2cc742abf147d316fb4243482b739fa7
SHA1 hash:
768f08baf401a952f2eb27cb0e9476d34a48f05b
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/115adc7a-e67e-4ad1-ba46-a27ad3dd32ce/
Parent samples :
6e2b1a9ba0fb924774b35d3fe97e5ee232de78f7292fd7a79c678d6de974751a
d4ac4a98170b7b5606fc03e625be2973bd0f4ad38c653ba4db1558fead88dc0a
f50d4bf5151fc2f9f89ff48f4ead9ea615bc85a951b88a6d83d0dd53bd17a942
e3733d68078f927a67479fded197bf45287c17a775da4c81d3b3d4853e57d1f4
bfe8597cf704cb576063e7883146c8af4f384521ddc1ecb059d91d58480bc265
0b67d298c72d5ce44862870a253e2fae7011e9bb615b4edb17fee6227f252819
ffe62ce01381e57eeed388498cce63803de8f7a9093d0c9b8ff821179d65aeee
de0892e8c62f21f2fb6669f8b4bf28a7bd9c014cc5820735491c44ce93fe0f09
549a2ef27e60dc1550032622ce3c85b5b5b3fdceabdfc318342f1c24e55614bf
50aef9fefe23240506ef807c00fd6cd89ef912d98127db467bdb0823a3677721
SH256 hash:
17712a9c2465a6aef4be32fc9912462ed499013d489c9b7ed6c0572b72e0cd31
MD5 hash:
babb23b1ed8f01210c270f1e5fad2147
SHA1 hash:
77aa477d801db946a1ccd5afce9e735df23f6a4c
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/115adc7a-e67e-4ad1-ba46-a27ad3dd32ce/
SH256 hash:
9202d49ec794b605ea550b476759ec6b66eb17be9ed88e7fd34f3f7c98a00f37
MD5 hash:
08548bbe34f880d15e78da814b4977f4
SHA1 hash:
b889af1290215559dae977eab574121f44e673c4
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/115adc7a-e67e-4ad1-ba46-a27ad3dd32ce/
SH256 hash:
2633e59a91221132e2a5cc2660b3f1e5e3df76b9baa1cd13f61d5d574e803052
MD5 hash:
92ce593d953909c66168d456a3bd2052
SHA1 hash:
9586e4adfc00c5f47b2a0d57a9295f93e7d4ffd1
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/115adc7a-e67e-4ad1-ba46-a27ad3dd32ce/
Parent samples :
dec24a14f83ed2a0c6fdb82fc2e3e08ee48fc0b3c2d2ddef2cdb4450c9930202
6419d74ea82b7c45bac56aba550a556791e76110e1af3c07794773daa8900032
549a2ef27e60dc1550032622ce3c85b5b5b3fdceabdfc318342f1c24e55614bf
7a020ca579b3ef573ceaaf0ab51c6c38e27f15dde073053e2772b0656de370f3
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/549a2ef27e60/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
zgRAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/549a2ef27e60dc1550032622ce3c85b5b5b3fdceabdfc318342f1c24e55614bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PureLogsStealer

gz 6b07ab113fff683bf9ee68a55861ccccbb90ed42b0dd6e25976a01db96cc1953

PureLogsStealer

Executable exe 549a2ef27e60dc1550032622ce3c85b5b5b3fdceabdfc318342f1c24e55614bf

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 6b07ab113fff683bf9ee68a55861ccccbb90ed42b0dd6e25976a01db96cc1953
Cape
Cape
https://www.capesandbox.com/analysis/42662/
  
Dropped by
MD5 8b8fe44737c5a7d5e52b038aab4f4891

Comments