MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66cc777e529024aec7a2bf3fe5c9c78e348a1874a4dc15bfb3b3c19f74159d9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 66cc777e529024aec7a2bf3fe5c9c78e348a1874a4dc15bfb3b3c19f74159d9b
SHA3-384 hash: d5c626ecdd7af03a406ddd016485279049c708446af460843e7d9a1a6c1aecd34f504c1cd2be224fb186a5f1c5f33ea4
SHA1 hash: 94f3dc4d281b934422aefde4581dac33f2f71fcd
MD5 hash: ce199bb0088394a0fc2445f2a912e4e0
humanhash: venus-magnesium-ack-echo
File name:Swift Message_2009327756.gz.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:998'400 bytes
First seen:2025-12-15 09:21:17 UTC
Last seen:2026-05-20 17:46:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'011 x AgentTesla, 19'917 x Formbook, 12'332 x SnakeKeylogger)
ssdeep 24576:LCew64l5tzwEqDUXxjbqfpsnU1bruI/wGX/kcT7L:LCeFetM0jefGnUtoGPR/
TLSH T1AB2512D03F367B11CE355675DA28DCB542652E7CB021BADB2EC9AB9B37E92504D08F02
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter cocaman
Tags:exe payment PureLogsStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
138
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/7caa61fc-e4ff-414f-b387-73de70bc9291/
Malware family:
n/a
ID:
1
File name:
Swift Message_2009327756.gz.exe
Verdict:
Malicious activity
Analysis date:
2025-12-15 09:35:57 UTC
Tags:
stealer purecrypter netreactor purehvnc
Link:
https://app.any.run/tasks/76ebd01d-18ff-4db4-ac30-f72b787678e8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/44701/
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=693fd311838ad7e485397c51
Tags:
virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/66cc777e529024aec7a2bf3fe5c9c78e348a1874a4dc15bfb3b3c19f74159d9b
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-15T03:42:00Z UTC
Last seen:
2025-12-17T05:14:00Z UTC
Hits:
~1000
Detections:
HEUR:Trojan.MSIL.Crypt.gen Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb Trojan-PSW.PureLogs.TCP.C&C PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/66cc777e529024aec7a2bf3fe5c9c78e348a1874a4dc15bfb3b3c19f74159d9b/results?tab=lookup
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/96d83aa8-e7a6-4b99-a3de-1875e76b5a39
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1832838
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/66cc777e529024aec7a2bf3fe5c9c78e348a1874a4dc15bfb3b3c19f74159d9b
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.38 Win 32 Exe x86
Link:
https://app.malva.re/file/ce199bb0088394a0fc2445f2a912e4e0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/66cc777e529024aec7a2bf3fe5c9c78e348a1874a4dc15bfb3b3c19f74159d9b/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2025-12-15 06:26:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m3gho7sssask5r5cx476lsohry2iugduutoblp5twpaz65avtwnq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection discovery spyware stealer
Link:
https://tria.ge/reports/251215-lbg73aes4a/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ec65f391-ae41-438d-add5-43eacc8a7192
Unpacked files
SH256 hash:
66cc777e529024aec7a2bf3fe5c9c78e348a1874a4dc15bfb3b3c19f74159d9b
MD5 hash:
ce199bb0088394a0fc2445f2a912e4e0
SHA1 hash:
94f3dc4d281b934422aefde4581dac33f2f71fcd
Link:
https://www.unpac.me/results/240e8164-d41a-4eb1-a9b2-193f59227c60/
SH256 hash:
19524f54fd627a6a66091864f8261ed33c8f8cd92ecb0f09d7c1e441a90b3a4d
MD5 hash:
9056883a2170deb994f78436aa525b2e
SHA1 hash:
01a3f89308088d947ad7b5bc14ed920e3dccf099
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/240e8164-d41a-4eb1-a9b2-193f59227c60/
SH256 hash:
6bdccfdbecdc314f45d42233140962b087813c86073968ac9066d148eb8f290a
MD5 hash:
2305fdf35ac039df7aff1420d17c0783
SHA1 hash:
3d763a810fba8b00f553b1efd1cf7f7888d88a52
Link:
https://www.unpac.me/results/240e8164-d41a-4eb1-a9b2-193f59227c60/
SH256 hash:
b9050e3f2321fd9408ee882e5780ddbea3a47a914809a624e26ba51b1fa62c30
MD5 hash:
5a7adfb4a21a5b051956448fa9b9d43b
SHA1 hash:
f636f2644dcf93665b2376dce4557bc37cee6020
Link:
https://www.unpac.me/results/240e8164-d41a-4eb1-a9b2-193f59227c60/
SH256 hash:
e8306a12459881d41f2bfdc879aea2587efced699929e3188aa7f4e6fa92f947
MD5 hash:
b252dbdfd09cff131c4370a0381e99fd
SHA1 hash:
a9ec764ed8f5c64e73c5797ed7a5d2cfa40ea4a9
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/240e8164-d41a-4eb1-a9b2-193f59227c60/
Parent samples :
66cc777e529024aec7a2bf3fe5c9c78e348a1874a4dc15bfb3b3c19f74159d9b
59b9ff739510ae6d1741c1835e79281a9394213e431627b11286a5691da49961
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/66cc777e5290/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
zgRAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/66cc777e529024aec7a2bf3fe5c9c78e348a1874a4dc15bfb3b3c19f74159d9b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PureLogsStealer

gz e5f6fd0c891f8165c769bec4d5aa10a2426c074c4a324d1c8b96b06bc7807054

PureLogsStealer

Executable exe 66cc777e529024aec7a2bf3fe5c9c78e348a1874a4dc15bfb3b3c19f74159d9b

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 e5f6fd0c891f8165c769bec4d5aa10a2426c074c4a324d1c8b96b06bc7807054
Cape
Cape
https://www.capesandbox.com/analysis/44701/
  
Dropped by
MD5 ed9dacaacdc57b16a6e65c4aac33baab

Comments