MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 810a793a997d62829d45fc8c28c6808b9303256c2e4a635af39e7e142b4e0c79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 810a793a997d62829d45fc8c28c6808b9303256c2e4a635af39e7e142b4e0c79
SHA3-384 hash: 73f07dd108b1677fd8f81d223c0dc5ede954ce067e782e0859dfb71a3b2ea88604e30913d56b92e5812cef897e0c9996
SHA1 hash: 01e2c19a0d2138e66c979979c1a67e4d46e4e245
MD5 hash: 00036fbe5dceab7b0ca486e3f589a496
humanhash: social-fourteen-mars-blossom
File name:file
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:290'816 bytes
First seen:2025-12-25 12:48:43 UTC
Last seen:2025-12-25 21:57:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:eqmoVtQQci0UCVCWaPAGDuklvcu8FEKKITfshzbFq1N:LVGbi/YaP5qW84IzIz5q
TLSH T135541246626C9707C6CAC6B6E097E0897B95FA6B1C83C3BE384D3375291778F4E12701
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543 PureLogsStealer


Avatar
Bitsight
url: http://178.16.55.189/files/8434554557/BieVLQp.exe

Intelligence

File Origin
# of uploads :
7
# of downloads :
119
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
810a793a997d62829d45fc8c28c6808b9303256c2e4a635af39e7e142b4e0c79.exe
Verdict:
Malicious activity
Analysis date:
2025-12-25 12:55:07 UTC
Tags:
netreactor purehvnc
Link:
https://app.any.run/tasks/e2a27e2a-3ab1-4cb8-af46-62e4e37ae89c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/46058/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=694d32cb038f10550b558f6e
Tags:
androm virus msil
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 net_reactor obfuscated obfuscated packed packed
Link:
https://www.filescan.io/uploads/694d32c83f8fdbf8e951e386/reports/f098bb25-7be3-4a9d-8573-aef3077ca074/overview
Verdict:
Malicious
Labled as:
MSIL.Androm.Generic
Link:
https://www.hybrid-analysis.com/sample/810a793a997d62829d45fc8c28c6808b9303256c2e4a635af39e7e142b4e0c79
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-25T09:57:00Z UTC
Last seen:
2025-12-25T17:46:00Z UTC
Hits:
~100
Detections:
VHO:Trojan.MSIL.Cryptos.gen Trojan-PSW.PureLogs.TCP.C&C Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Agent.sb Trojan-PSW.MSIL.PureLogs.sb Trojan-PSW.MSIL.Agent.sb HEUR:Trojan.MSIL.InjectorNetT.gen PDM:Trojan.Win32.Generic Backdoor.NanoBot.TCP.C&C Trojan-PSW.Win32.Disco.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Stealer.sb
Link:
https://opentip.kaspersky.com/810a793a997d62829d45fc8c28c6808b9303256c2e4a635af39e7e142b4e0c79/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f92286a4-b05c-412f-a738-3a4166be9044
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/810a793a997d62829d45fc8c28c6808b9303256c2e4a635af39e7e142b4e0c79
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.98 Win 32 Exe x86
Link:
https://app.malva.re/file/00036fbe5dceab7b0ca486e3f589a496
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/810a793a997d62829d45fc8c28c6808b9303256c2e4a635af39e7e142b4e0c79/
Verdict:
Malicious
Threat:
Family.PURELOGSSTEALER
Link:
https://tip.neiki.dev/file/810a793a997d62829d45fc8c28c6808b9303256c2e4a635af39e7e142b4e0c79
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2025-12-25 12:49:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qefhsouzpvrifhkf7sgcrruarojqgjlmfzfggwxttz7bik2obr4q._file
Verdict:
malicious
Label(s):
deerstealer
Create hunting rule
Similar samples:
error
PureLogsStealer
Result
Malware family:
deerstealer
Create hunting rule
Score:
  10/10
Tags:
family:deerstealer collection discovery spyware stealer
Link:
https://tria.ge/reports/251225-rah1vsvqfl/
Behaviour
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Time Discovery
Drops file in Windows directory
Accesses Microsoft Outlook profiles
Checks computer location settings
Executes dropped EXE
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Downloads MZ/PE file
DeerStealer
Deerstealer family
Detects DeerStealer
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5f6a8aec-6fd1-49a2-9e86-e3c7abe42feb
Unpacked files
SH256 hash:
810a793a997d62829d45fc8c28c6808b9303256c2e4a635af39e7e142b4e0c79
MD5 hash:
00036fbe5dceab7b0ca486e3f589a496
SHA1 hash:
01e2c19a0d2138e66c979979c1a67e4d46e4e245
Link:
https://www.unpac.me/results/8e622120-12af-445e-bdb2-33ce5ce3cb38/
SH256 hash:
dda70fdb75aa23c11adcc616da1e3fedc9f2b4b56094d48eace89c269e247cb9
MD5 hash:
e57bf7ed4dfdeea20167584c90888fc9
SHA1 hash:
d374f2636e23592cb03e849c13aa25417251ba01
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/8e622120-12af-445e-bdb2-33ce5ce3cb38/
Malware family:
DeerStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/810a793a997d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/810a793a997d62829d45fc8c28c6808b9303256c2e4a635af39e7e142b4e0c79

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

Executable exe 810a793a997d62829d45fc8c28c6808b9303256c2e4a635af39e7e142b4e0c79

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3743333/
Cape
Cape
https://www.capesandbox.com/analysis/46058/
  
URLhaus
https://urlhaus.abuse.ch/url/3743588/

Comments