MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 602d5c38320b020a7608dd6bbb672d80284d3b34e1b799b284df6ecb28de93fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureLogsStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 7 File information Comments

SHA256 hash:	602d5c38320b020a7608dd6bbb672d80284d3b34e1b799b284df6ecb28de93fd
SHA3-384 hash:	f6fe12db7e989e5ad246e5ba87940fa6cebedb59a509522d9748b38094df74832f8f3a820bf234add164281f593b89ac
SHA1 hash:	ae8bcd96082b7afddf54516357653e3af0ca7ce7
MD5 hash:	e36ae29791d3b4fd2ffe442b4bbddfe2
humanhash:	blue-river-blossom-iowa
File name:	file
Download:	download sample
Signature	PureLogsStealer Create hunting rule
File size:	586'240 bytes
First seen:	2025-09-29 04:02:16 UTC
Last seen:	2025-10-02 04:05:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	12288:vO7XKiVUmRI506SXGACgZwZpzYb5/uS+uMqjx7:GBBKK1MgCTziX+PqjJ
Threatray	494 similar samples on MalwareBazaar
TLSH	T111C42308A15FD926EBD8CD7BAD96CC051F1BF5959A02DB6F90AD43020EC73368739235
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe PureLogsStealer

Bitsight

url: http://178.16.55.189/files/8434554557/yfUrA3L.exe

Intelligence

File Origin

# of uploads :

# of downloads :

182

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2025-09-29 04:02:36 UTC

Tags:

stealer purecrypter meduza purehvnc netreactor

Link:

https://app.any.run/tasks/1d108a52-ae65-4739-9307-e07409073f7e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/29346/

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68da04d4126eb71997e0ea49

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 net_reactor obfuscated packed packed

Link:

https://www.filescan.io/uploads/68da0509c564c8e81d099cd6/reports/fe23e964-328b-44c6-b4ba-8e9e6abf7e7c/overview

Verdict:

Malicious

Labled as:

MSIL.Androm.Generic

Link:

https://www.hybrid-analysis.com/sample/602d5c38320b020a7608dd6bbb672d80284d3b34e1b799b284df6ecb28de93fd

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-24T19:48:00Z UTC

Last seen:

2025-09-24T19:48:00Z UTC

Hits:

~100

Detections:

PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.PureLogs.sb Trojan-PSW.PureLogs.TCP.C&C Trojan-PSW.Win32.Disco.sb Trojan-PSW.MSIL.Stealer.sb Trojan-PSW.MSIL.Agent.sb Trojan-PSW.Win32.Agent.sb HEUR:Trojan.MSIL.Agent.gen Trojan-PSW.Win32.Stealer.sb

Link:

https://opentip.kaspersky.com/602d5c38320b020a7608dd6bbb672d80284d3b34e1b799b284df6ecb28de93fd/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/23d8f87a-3056-4c09-b999-7cf81ce0a1c3

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/602d5c38320b020a7608dd6bbb672d80284d3b34e1b799b284df6ecb28de93fd

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.69 Win 32 Exe x86

Link:

https://app.malva.re/file/e36ae29791d3b4fd2ffe442b4bbddfe2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/602d5c38320b020a7608dd6bbb672d80284d3b34e1b799b284df6ecb28de93fd/

Verdict:

Malicious

Threat:

Trojan-PSW.Win32.Stealer

Link:

https://tip.neiki.dev/file/602d5c38320b020a7608dd6bbb672d80284d3b34e1b799b284df6ecb28de93fd

Threat name:

ByteCode-MSIL.Backdoor.Androm

Status:

Malicious

First seen:

2025-09-29 03:14:42 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mawvyobsbmbau5qi3vv3wzznqaue2ozu4g3ztmue35xmwkg6sp6q._file

Verdict:

malicious

Label(s):

katzstealer

PureLogsStealer

6d2944f334acc2722e643ad9742a081314ff2bd8c4b71ddf5561636dc3e83377

PureLogsStealer

a2baa23bbe548f06cf0ae0f0487cf55bbec120d7d36d7d4eeaafe3ba3397faee

PureLogsStealer

d86c1f589136c80aaf1162651481efd79e01f3fe6ce1108faf90a8787f63d39a

PureLogsStealer

error

PureLogsStealer

+ 484 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

collection discovery spyware stealer

Link:

https://tria.ge/reports/250929-el4qgsvvd1/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Drops file in Windows directory

Accesses Microsoft Outlook profiles

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/d96cab10-391b-4b22-aff7-925132b00bc5

Unpacked files

SH256 hash:

602d5c38320b020a7608dd6bbb672d80284d3b34e1b799b284df6ecb28de93fd

MD5 hash:

e36ae29791d3b4fd2ffe442b4bbddfe2

SHA1 hash:

ae8bcd96082b7afddf54516357653e3af0ca7ce7

Link:

https://www.unpac.me/results/fd6a6608-bce1-4784-8f4d-f3bea2efc3b9/

SH256 hash:

98121faa4b69d656dc276326fbb889dfcc00e286a51866ee1b0e9e4081d75212

MD5 hash:

64edf8459595ad20a777d754eefcdda7

SHA1 hash:

71269f37bf70d53dc752dfc79572608ced187504

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/fd6a6608-bce1-4784-8f4d-f3bea2efc3b9/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/602d5c38320b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/602d5c38320b020a7608dd6bbb672d80284d3b34e1b799b284df6ecb28de93fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	TH_Generic_MassHunt_Webshells_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Generic multi-language webshell mass-hunt rule (PHP/ASP(X)/JSP/Python/Perl/Node) - 2025
Reference:	https://cyfare.net/