MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85c55f43b4d41aea1df3e5ac8592cd7f838ac9e657f3070b6b83fb53f63a1cdc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85c55f43b4d41aea1df3e5ac8592cd7f838ac9e657f3070b6b83fb53f63a1cdc
SHA3-384 hash: 4c2349d4af22ec8e92090032097845f29a39ee001f7ecc185692345545796276fc15ba26c3c2da60a5f0f0105dd5d4f3
SHA1 hash: bfe9711709c97e0efa23e272606e6608b4bdefc3
MD5 hash: 8be2c13f6c3363bc4d1dd5d189ae7c64
humanhash: social-alanine-missouri-four
File name:October payment.ipdf.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:4'372'480 bytes
First seen:2025-10-27 06:20:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:BeBs0dNJktFY/Ad1euEfBc6lDulKZlOlEPTZVsM31w7FpRA4vXjzS0QROl4hLHSi:YB2mD5Jw5NCR7wVS
TLSH T174163AE0E0B70092F1479E94546CB99E4A7531A3EDCA043D736E7B84CFAFC447686B4A
TrID 45.5% (.EXE) Win64 Executable (generic) (10522/11/4)
19.4% (.EXE) Win32 Executable (generic) (4504/4/1)
8.9% (.ICL) Windows Icons Library (generic) (2059/9)
8.7% (.EXE) OS/2 Executable (generic) (2029/13)
8.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe PureLogsStealer


Avatar
abuse_ch
PureLogsStealer C2:
92.246.87.36:5888

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
92.246.87.36:5888 https://threatfox.abuse.ch/ioc/1627372/

Intelligence

File Origin
# of uploads :
1
# of downloads :
174
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
October payment.ipdf.exe
Verdict:
Malicious activity
Analysis date:
2025-10-27 06:21:31 UTC
Tags:
stealer purecrypter netreactor purehvnc
Link:
https://app.any.run/tasks/ab0ace6d-a835-4633-9d1e-00c2d07c6908

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34245/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ff0f553bdc93eb0564d24e
Tags:
vmdetect virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/85c55f43b4d41aea1df3e5ac8592cd7f838ac9e657f3070b6b83fb53f63a1cdc
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-10-27T02:29:00Z UTC
Last seen:
2025-10-28T06:12:00Z UTC
Hits:
~1000
Detections:
HEUR:Trojan.Win32.Generic Trojan-PSW.MSIL.PureLogs.sb Trojan.MSIL.Inject.sb HEUR:Trojan-PSW.MSIL.PureLogs.gen Trojan-PSW.PureLogs.TCP.C&C
Link:
https://opentip.kaspersky.com/85c55f43b4d41aea1df3e5ac8592cd7f838ac9e657f3070b6b83fb53f63a1cdc/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1389eae7-7737-4860-bd09-cef81f213ea5
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1802208
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Creates a thread in another existing process (thread injection)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1802208 Sample: October payment.ipdf.exe Startdate: 27/10/2025 Architecture: WINDOWS Score: 100 43 Suricata IDS alerts for network traffic 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected PureLog Stealer 2->47 49 6 other signatures 2->49 8 October payment.ipdf.exe 2 2->8         started        process3 signatures4 51 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->51 53 Writes to foreign memory regions 8->53 55 Modifies the context of a thread in another process (thread injection) 8->55 57 Injects a PE file into a foreign processes 8->57 11 InstallUtil.exe 4 8->11         started        15 InstallUtil.exe 8->15         started        17 InstallUtil.exe 8->17         started        19 5 other processes 8->19 process5 dnsIp6 35 92.246.87.36, 49692, 49726, 49727 OSNL Germany 11->35 59 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->59 61 Tries to steal Mail credentials (via file / registry access) 11->61 63 Tries to harvest and steal browser information (history, passwords, etc) 11->63 65 4 other signatures 11->65 21 chrome.exe 1 11->21         started        24 chrome.exe 11->24 injected 26 chrome.exe 11->26 injected 28 5 other processes 11->28 signatures7 process8 dnsIp9 33 192.168.2.5, 138, 443, 49675 unknown unknown 21->33 30 chrome.exe 21->30         started        process10 dnsIp11 37 www.google.com 142.250.73.100, 443, 49697, 49698 GOOGLEUS United States 30->37 39 googlehosted.l.googleusercontent.com 142.250.73.65, 443, 49708, 49709 GOOGLEUS United States 30->39 41 5 other IPs or domains 30->41
Score:
90%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/85c55f43b4d41aea1df3e5ac8592cd7f838ac9e657f3070b6b83fb53f63a1cdc
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.38 Win 64 Exe x64
Link:
https://app.malva.re/file/8be2c13f6c3363bc4d1dd5d189ae7c64
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85c55f43b4d41aea1df3e5ac8592cd7f838ac9e657f3070b6b83fb53f63a1cdc/
Verdict:
Malicious
Threat:
Trojan-PSW.MSIL.PureLogs
Link:
https://tip.neiki.dev/file/85c55f43b4d41aea1df3e5ac8592cd7f838ac9e657f3070b6b83fb53f63a1cdc
Threat name:
ByteCode-MSIL.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2025-10-27 06:20:59 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
64
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qxcv6q5u2qnouhpt4wwilewnp6byvspgk7zqoc3lqp5vh5r2dtoa._file
Verdict:
malicious
Label(s):
unc_loader_078
Create hunting rule
Similar samples:
error
PureLogsStealer
Result
Malware family:
n/a
Score:
  6/10
Tags:
collection discovery
Link:
https://tria.ge/reports/251027-g39zyawqgs/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Browser Information Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6f670406-db88-4b87-89eb-dbddada63531
Unpacked files
SH256 hash:
589442d55c5fec624acaf423c4c538c000417870c55759a591b0f3baacb3b19d
MD5 hash:
fa5dd6fb6b27d30a8a9e84115fc421cc
SHA1 hash:
890f06f91b07ce4b8bd9ccec380b3a7039503a9d
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/3eb486b3-c61d-4159-b6f1-15f49874527c/
SH256 hash:
85c55f43b4d41aea1df3e5ac8592cd7f838ac9e657f3070b6b83fb53f63a1cdc
MD5 hash:
8be2c13f6c3363bc4d1dd5d189ae7c64
SHA1 hash:
bfe9711709c97e0efa23e272606e6608b4bdefc3
Link:
https://www.unpac.me/results/3eb486b3-c61d-4159-b6f1-15f49874527c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/85c55f43b4d4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/85c55f43b4d41aea1df3e5ac8592cd7f838ac9e657f3070b6b83fb53f63a1cdc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:test_Malaysia
Create hunting rule
Author:rectifyq
Description:Detects file containing malaysia string
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34245/

Comments