MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b88e8e2e95d7b73ffa6bcc1f2bcb4d4791340993ed30c84663c907ad50ae6c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b88e8e2e95d7b73ffa6bcc1f2bcb4d4791340993ed30c84663c907ad50ae6c2
SHA3-384 hash: 8ef526d2fc67a06eb153e1a25fe4e9bbb51e04b2882b763e778606476f1a2526b6900a58161429a31ece9cc5477162cb
SHA1 hash: 0c2eeb43b20247a06912925ef5458be48ca40e00
MD5 hash: bc57325a8cc7872007130139cc3b4092
humanhash: ink-artist-summer-football
File name:MDL 710,500.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:1'478'144 bytes
First seen:2025-10-07 13:10:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 91d07a5e22681e70764519ae943a5883 (90 x Formbook, 14 x RemcosRAT, 10 x AgentTesla)
ssdeep 24576:Ptb20pkaCqT5TBWgNQ7aR5520ieLetFxKCNfsT44i6A:MVg5tQ7aR37LkvLfh5
Threatray 439 similar samples on MalwareBazaar
TLSH T10B65E01363DD8361C7B25273BA26BB417E7F782506A4F46B2FD4093DF920222525EA73
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe PureLogsStealer


Avatar
abuse_ch
PureLogsStealer C2:
198.46.178.137:8103

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
198.46.178.137:8103 https://threatfox.abuse.ch/ioc/1608790/

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MDL 710,500.exe
Verdict:
Malicious activity
Analysis date:
2025-10-07 13:11:46 UTC
Tags:
stealer purecrypter netreactor purehvnc
Link:
https://app.any.run/tasks/9e5e9f1f-ce17-43f1-b49a-54b0dd965040

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/30957/
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e5116a277c2bd8bc5d6999
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
Creating a file
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context autoit compiled-script fingerprint keylogger microsoft_visual_cc obfuscated packed packed packer_detected threat
Link:
https://www.filescan.io/uploads/68e5115e5a3bccf09ebb75db/reports/1f78bf00-5984-4c6f-a1c9-346c3ec6a64c/overview
Verdict:
Malicious
Labled as:
AIT:Trojan.Nymeria
Link:
https://www.hybrid-analysis.com/sample/5b88e8e2e95d7b73ffa6bcc1f2bcb4d4791340993ed30c84663c907ad50ae6c2
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-07T09:02:00Z UTC
Last seen:
2025-10-08T06:57:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/5b88e8e2e95d7b73ffa6bcc1f2bcb4d4791340993ed30c84663c907ad50ae6c2/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2efc407d-e3c4-4fb7-b3e2-4109f13f6471
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
evad.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1790611
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Binary is likely a compiled AutoIt script file
Creates a thread in another existing process (thread injection)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1790611 Sample: MDL 710,500.exe Startdate: 07/10/2025 Architecture: WINDOWS Score: 100 40 Suricata IDS alerts for network traffic 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected PureLog Stealer 2->44 46 3 other signatures 2->46 8 MDL 710,500.exe 4 2->8         started        process3 signatures4 48 Binary is likely a compiled AutoIt script file 8->48 50 Writes to foreign memory regions 8->50 52 Maps a DLL or memory area into another process 8->52 11 RegSvcs.exe 4 8->11         started        process5 dnsIp6 34 198.46.178.137, 49690, 49716, 49717 AS-COLOCROSSINGUS United States 11->34 54 Tries to steal Mail credentials (via file / registry access) 11->54 56 Tries to harvest and steal browser information (history, passwords, etc) 11->56 58 Writes to foreign memory regions 11->58 60 4 other signatures 11->60 15 chrome.exe 1 11->15         started        19 chrome.exe 11->19 injected 21 chrome.exe 11->21 injected 23 5 other processes 11->23 signatures7 process8 dnsIp9 36 192.168.2.5, 138, 443, 49675 unknown unknown 15->36 38 Found many strings related to Crypto-Wallets (likely being stolen) 15->38 25 chrome.exe 15->25         started        signatures10 process11 dnsIp12 28 googlehosted.l.googleusercontent.com 172.217.15.193, 443, 49705, 49706 GOOGLEUS United States 25->28 30 www.google.com 192.178.50.36, 443, 49691, 49696 GOOGLEUS United States 25->30 32 clients2.googleusercontent.com 25->32
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5b88e8e2e95d7b73ffa6bcc1f2bcb4d4791340993ed30c84663c907ad50ae6c2
Verdict:
Malware
YARA:
7 match(es)
Tags:
AutoIt Decompiled Executable PDB Path PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86
Link:
https://app.malva.re/file/bc57325a8cc7872007130139cc3b4092
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b88e8e2e95d7b73ffa6bcc1f2bcb4d4791340993ed30c84663c907ad50ae6c2/
Verdict:
Malicious
Threat:
Win32.Trojan.AutoitInject
Link:
https://tip.neiki.dev/file/5b88e8e2e95d7b73ffa6bcc1f2bcb4d4791340993ed30c84663c907ad50ae6c2
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-10-07 13:11:36 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=loeoryxjlv5xh75gxta7fpfu2r4rgqezh3jqzbdghsihvvik43ba._file
Verdict:
malicious
Label(s):
autoit
Create hunting rule
katzstealer
Create hunting rule
Similar samples:
17827b50808e9db7bfa7e43f7d1ce10b7a5b0920c78bd21824615980b23c2f65
PureLogsStealer
1dc087db7565468696063450bfce27fd9933ff26bce275f8bb0872f7fe1173f8
PureLogsStealer
5b88e8e2e95d7b73ffa6bcc1f2bcb4d4791340993ed30c84663c907ad50ae6c2
PureLogsStealer
6d2944f334acc2722e643ad9742a081314ff2bd8c4b71ddf5561636dc3e83377
PureLogsStealer
bb723217f9c2932116c9e1313d558a7baddb921886eaa3beca95f7b3c5b848b0
PureLogsStealer
error
PureLogsStealer
+ 429 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
collection discovery
Link:
https://tria.ge/reports/251007-qetgqadj9v/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8d62a564-a18d-44be-929f-bb890d401563
Unpacked files
SH256 hash:
5b88e8e2e95d7b73ffa6bcc1f2bcb4d4791340993ed30c84663c907ad50ae6c2
MD5 hash:
bc57325a8cc7872007130139cc3b4092
SHA1 hash:
0c2eeb43b20247a06912925ef5458be48ca40e00
Link:
https://www.unpac.me/results/c9bcfd5d-7185-4f3f-a76a-5ff4d005eaa1/
SH256 hash:
8828909940f170f652c031617f04a0cdaa3cad1d0b5e1b825eb087c51e653e4a
MD5 hash:
a932df0d11b0ffc482e2848b26ca63be
SHA1 hash:
8cc3bd8457fb6761acf8663b6890b945b9ac2656
Link:
https://www.unpac.me/results/c9bcfd5d-7185-4f3f-a76a-5ff4d005eaa1/
SH256 hash:
2bcdf09430101fd98f42ccb8c19a7d9aa2f6180eb92eaaf89809782c93eb5520
MD5 hash:
6435796c8b54f0e93feb089ea8408a26
SHA1 hash:
21d784e9ccc8936dd9312443e87d4b0ac3b1c059
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/c9bcfd5d-7185-4f3f-a76a-5ff4d005eaa1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5b88e8e2e95d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
zgRAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b88e8e2e95d7b73ffa6bcc1f2bcb4d4791340993ed30c84663c907ad50ae6c2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:TH_Generic_MassHunt_Webshells_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic multi-language webshell mass-hunt rule (PHP/ASP(X)/JSP/Python/Perl/Node) - 2025
Reference:https://cyfare.net/
Rule name:TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Windows malware mass-hunt rule - 2025
Reference:https://cyfare.net/
Rule name:YahLover
Create hunting rule
Author:Kevin Falcoz
Description:YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/30957/

Comments