MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54c9a7b2d0118b16cc093ffe52bce2018e15fdee6827cb6deba928d71d67c93c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 54c9a7b2d0118b16cc093ffe52bce2018e15fdee6827cb6deba928d71d67c93c
SHA3-384 hash: 832274c4c6bbdc8d98f197a66184bdfd75430165bfbc8d4641a04c57ec067b9a0cd5a5b0b2a42f6bbcad14d21284eb84
SHA1 hash: be56283eb946cbf81c7fac7543e2d12590be5760
MD5 hash: 12bfbe5fe642a549541282b4c6e06f8e
humanhash: steak-arkansas-idaho-delta
File name:October Payment1.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:2'757'120 bytes
First seen:2025-10-28 01:10:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:2EC3O1moX2nfWZGJB46V2E/T5ZWBTpHLHaQg:23K36LlZWz6Q
Threatray 441 similar samples on MalwareBazaar
TLSH T1BAD54A0FFA864BB2C1344736C5DB452CA3B4DA817B23CB3A7549235605CA7F97A4229F
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:exe PureLogsStealer


Avatar
abuse_ch
PureLogsStealer C2:
92.246.87.36:5888

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
92.246.87.36:5888 https://threatfox.abuse.ch/ioc/1627372/

Intelligence

File Origin
# of uploads :
1
# of downloads :
196
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
October Payment1.exe
Verdict:
Malicious activity
Analysis date:
2025-10-28 01:10:51 UTC
Tags:
stealer purecrypter purehvnc meduza netreactor
Link:
https://app.any.run/tasks/f26cd9fe-b6f6-4286-88f1-4e1f6eb6525c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34367/
Verdict:
Clean
Score:
84.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690018445de5ca2707531bc0
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 masquerade net_reactor obfuscated packed
Link:
https://www.filescan.io/uploads/69001830c85c5c5697381da3/reports/8d3eb230-d87a-4064-a59e-f04532502906/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/54c9a7b2d0118b16cc093ffe52bce2018e15fdee6827cb6deba928d71d67c93c
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-27T22:43:00Z UTC
Last seen:
2025-10-28T07:26:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.MSIL.PureLogs.sb Trojan-PSW.MSIL.Agent.sb Trojan.MSIL.Inject.sb Trojan-PSW.PureLogs.TCP.C&C HEUR:Trojan.Win32.Generic HEUR:Trojan.MSIL.Agent.gen Trojan-PSW.Win32.Disco.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Agentb.sb HEUR:Trojan-PSW.MSIL.PureLogs.gen Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.Stealer.sb
Link:
https://opentip.kaspersky.com/54c9a7b2d0118b16cc093ffe52bce2018e15fdee6827cb6deba928d71d67c93c/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e33d9ca2-dffc-4f43-a331-4c014933111e
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1802835
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Creates a thread in another existing process (thread injection)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/54c9a7b2d0118b16cc093ffe52bce2018e15fdee6827cb6deba928d71d67c93c
Verdict:
Malware
YARA:
8 match(es)
Tags:
.Net .Net Obfuscator .Net Reactor Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.31 Win 32 Exe x86
Link:
https://app.malva.re/file/12bfbe5fe642a549541282b4c6e06f8e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/54c9a7b2d0118b16cc093ffe52bce2018e15fdee6827cb6deba928d71d67c93c/
Verdict:
Malicious
Threat:
Trojan-PSW.Win32.Stealer
Link:
https://tip.neiki.dev/file/54c9a7b2d0118b16cc093ffe52bce2018e15fdee6827cb6deba928d71d67c93c
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-10-28 01:11:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kte2pmwqcgfrntajh77ffphcaghbl7ponat4w3plveunohlhze6a._file
Verdict:
malicious
Label(s):
unc_loader_078
Create hunting rule
katzstealer
Create hunting rule
Similar samples:
4ee809eeaa7552ae3549743ebd1019518a3e079ee0eac51900fc5554a66fe1f3
PureLogsStealer
54c9a7b2d0118b16cc093ffe52bce2018e15fdee6827cb6deba928d71d67c93c
PureLogsStealer
85c55f43b4d41aea1df3e5ac8592cd7f838ac9e657f3070b6b83fb53f63a1cdc
PureLogsStealer
b54ff52b3729fd79f32b7ea4644a8d85380658ce987ac1eea45ca6f76cc6f8ab
PureLogsStealer
e97e90848a6fff416447d5b88885bd7a917c0e3c6019893486fa608f93089d82
PureLogsStealer
error
PureLogsStealer
+ 431 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
collection discovery
Link:
https://tria.ge/reports/251028-bj2xbstlfs/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4d831e30-f53f-4ecd-8d80-3da92ec6f25a
Unpacked files
SH256 hash:
54c9a7b2d0118b16cc093ffe52bce2018e15fdee6827cb6deba928d71d67c93c
MD5 hash:
12bfbe5fe642a549541282b4c6e06f8e
SHA1 hash:
be56283eb946cbf81c7fac7543e2d12590be5760
Link:
https://www.unpac.me/results/53151666-ceb6-4b99-82f0-8efc0a536101/
SH256 hash:
94c2bfa602bc8c1ef62700781c205843c9dbb245982f6565962ebc212814e014
MD5 hash:
f3469a6304450cc1acb8b994ffed22b5
SHA1 hash:
dafab1b966a74a837abaefce7a6441f390ff2fd4
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/53151666-ceb6-4b99-82f0-8efc0a536101/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/53151666-ceb6-4b99-82f0-8efc0a536101/
SH256 hash:
ead925e92ebe30b9e65e4bf8718729b1562aed020f2adeb035750698830b4489
MD5 hash:
99bb493df3b397b03062c9f283745a8e
SHA1 hash:
57ef58f73f8bf8b05a5301825dd04b8f5c3278e1
Link:
https://www.unpac.me/results/53151666-ceb6-4b99-82f0-8efc0a536101/
SH256 hash:
11a5907a402438bb439ddf9b9466bbcb90d8b52a3c84c905b5b3e27a0b114a6b
MD5 hash:
919da55a99fd95019cd93d3e2e08e3c4
SHA1 hash:
bceb6e247548111519091a136c6252573286e38b
Link:
https://www.unpac.me/results/53151666-ceb6-4b99-82f0-8efc0a536101/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/54c9a7b2d011/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
zgRAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/54c9a7b2d0118b16cc093ffe52bce2018e15fdee6827cb6deba928d71d67c93c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34367/

Comments