MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78f623acdbf8541288cfc969fe4c39ca194939bfb30e921dc2d6d9bc4012b4ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PureLogsStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments

SHA256 hash: 78f623acdbf8541288cfc969fe4c39ca194939bfb30e921dc2d6d9bc4012b4ff
SHA3-384 hash: 6a7ac676976d062768ea3ddfb270d619219a5e853ca9e5a3f1baa2b1e3ad5a046e2ac8e7c53e44ed07b62eb4921c265d
SHA1 hash: 5d31db1e638af76a103e288f08f39d67728d92db
MD5 hash: c5bee4bbdab0a5b20748f266772d4189
humanhash: indigo-oranges-two-item
File name:SecuriteInfo.com.Trojan.Mardom.IN.10.59186461
Download: download sample
Signature PureLogsStealer
File size:827'904 bytes
First seen:2026-07-14 23:43:59 UTC
Last seen:2026-07-15 00:26:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'116 x AgentTesla, 20'118 x Formbook, 12'357 x SnakeKeylogger)
ssdeep 12288:EVYGxhn+LlyotBhEUd2rGNWCjJgbjekdJxXthWwZribw:E6inaBJXJgff75iw
Threatray 56 similar samples on MalwareBazaar
TLSH T14305AE2A32958F21C28A5372C1D7890097A6D647B6ABEB0B31C413D61D473FEDA4B3D7
TrID 70.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win64 Executable (generic) (6522/11/2)
4.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe PureLogsStealer

Intelligence


File Origin
# of uploads :
2
# of downloads :
160
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
phorpiex
ID:
1
File name:
bomb.exe.zip
Verdict:
Malicious activity
Analysis date:
2026-07-15 17:01:39 UTC
Tags:
arch-exec ip-check auto remusstealer solaris loader rat xworm phishing apt blindeagle backdoor webshell inj3ctor3 jomangy botnet phorpiex ta558 payload stegocampaign generic reverseloader possible-phishing stego stealer agenttesla fakesite stealc discord asyncrat opendir telegram github maskgram screenconnect rmm-tool rdp evasion adware remcos tool remote purerat uac-bypass redosdru python websocket njrat bladabindi qatarrat kimsuky pastebin susp-powershell sliver framework nemucod glamour clickfix autoit miner netreactor xmrig purehvnc venomrat vidar uac remus autohk upx coinminer lumma maskgramstealer rustystealer connectwise winring0-sys vuln-driver acr purelogs exploit-kit apex2bot tinynuke

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
95.7%
Tags:
virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 net_reactor obfuscated obfuscated packed packed
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-07-14T13:07:00Z UTC
Last seen:
2026-07-15T18:32:00Z UTC
Hits:
~100
Verdict:
Malware
YARA:
13 match(es)
Tags:
.Net .Net Obfuscator .Net Reactor Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.90 Win 32 Exe x86
Threat name:
Win32.Trojan.PureLogStealer
Status:
Malicious
First seen:
2026-07-14 18:17:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection discovery spyware stealer
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
System Time Discovery
Accesses Microsoft Outlook profiles
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
78f623acdbf8541288cfc969fe4c39ca194939bfb30e921dc2d6d9bc4012b4ff
MD5 hash:
c5bee4bbdab0a5b20748f266772d4189
SHA1 hash:
5d31db1e638af76a103e288f08f39d67728d92db
SH256 hash:
e7dab8649613c5c38ecb46f8333bbe0a4e7da6fce2636abb68fa8f758f524171
MD5 hash:
38a0595e5c7d64069c013ce9b9ed93e3
SHA1 hash:
6f3c61400678b4b9bfcfd9ddc69d6352f0c17d56
SH256 hash:
b2a66e9864f81c2800a5afef4bfd1faf7c910e5a43ea2eb9dbb15c8ab6ffc633
MD5 hash:
f0a13fb422cdb1f3ce667df897b5045b
SHA1 hash:
9b6566603e3a292482788924a83a1d94a9cd4627
SH256 hash:
740f84ae30929ef6574d5418c2bb5ffd908257cd2549b2af22a05cf6bda3275c
MD5 hash:
c4c10d26397b8592c96b5d6f0f30a589
SHA1 hash:
d0b8ae04574553146bf4532a72854f8fe83a8d04
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lumma_Stealer_Detection
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments