MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85f04d9bf7440fa3611f62f2322ee36d2dc625fd46c91316da75bc067c66fd42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PureLogsStealer


Vendor detections: 16



SHA256 hash: 85f04d9bf7440fa3611f62f2322ee36d2dc625fd46c91316da75bc067c66fd42
SHA3-384 hash: c39476352c5652b6975f0b934ed0af5dc3b9c04092eb74b0ad373aba2c4b0bfb16472c77b194568f621d30b63a30bc3b
SHA1 hash: dcb820b18308fbac5cf22d31c3281127857280e7
MD5 hash: 7e4482794753ece2c7555148db60813d
humanhash: romeo-london-river-pizza
File name: 85f04d9bf7440fa3611f62f2322ee36d2dc625fd46c91.exe
Signature: PureLogsStealer
File size: 276'992 bytes
First seen: 2025-07-06 16:06:19 UTC
Last seen: 2025-07-08 15:21:22 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep: 6144:6hELyY169yoILiUMiOWqGNrNaxSNqqO89PX1xJo/J8bkvXCK6wj:hRAyoILwvolNZ19v78bKPwj
TLSH: T12A442280BDD4DBB2C21B24BAAE9B530483E5A2B24854E72C75B5BAC45C1D3B34C1B977
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: abuse_ch
Tags: exe PureLogsStealer


abuse_ch
PureLogsStealer C2:
144.172.91.41:8805

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 144.172.91.41:8805
ThreatFox reference: https://threatfox.abuse.ch/ioc/1552731/

Intelligence


File Origin
# of uploads: 3
# of downloads: 31
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: https://files.catbox.moe/2to1ep.bin
Verdict: Malicious activity
Analysis date: 2025-07-06 15:38:58 UTC
Tags:
fileshare loader python github miner amadey remcos rat shellcode cobaltstrike backdoor modiloader botnet lumma xmrig stealer purelogs purecrypter evasion aurotun auto metasploit asyncrat generic dbatloader aurotunstealer snake keylogger njrat networm amus telegram havoc phorpiex redline metastealer wannacry ransomware azorult bladabindi bazaloader irc formbook pyinstaller agenttesla vidar coinminer blankgrabber quasar neshta stealc sage screenconnect rmm-tool rdp masslogger pythonstealer loki dcrat lokibot phishing sality xred remote gh0st m0yv auto-sch-xml trojan ftp exfiltration clickfix possible-phishing delphi ims-api wmi-base64 discord netreactor purehvnc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Running batch commands
Creating a process from a recently created file
Launching a process
Creating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: base64 obfuscated packed packed
Result
Threat name: ScreenConnect Tool, Amadey, LummaC Steal
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Detected Stratum mining protocol
Enables network access during safeboot for specific services
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies security policies related information
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Possible COM Object hijacking
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Reads the Security eventlog
Reads the System eventlog
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential Crypto Mining Activity
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Xmrig
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected AntiVM5
Yara detected Costura Assembly Loader
Yara detected LummaC Stealer
Yara detected PureLog Stealer
Yara detected SilentXMRMiner
Yara detected Stealerium
Yara detected Telegram Recon
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Verdict: inconclusive
YARA: 7 match(es)
Tags: .Net Executable PE (Portable Executable) SOS: 0.02 Win 32 Exe x86
Threat name: ByteCode-MSIL.Trojan.Generic
Status: Suspicious
First seen: 2025-07-06 16:07:19 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 22 of 24 (91.67%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:amadey family:donutloader family:gcleaner family:gurcu family:lumma family:quasar family:stealerium family:vidar family:xmrig botnet:6ba07e05801c4c8c8f765cb08db1a3b2 botnet:9fa1e2 collection credential_access defense_evasion discovery execution loader miner persistence privilege_escalation spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
Drops file in Program Files directory
AutoIT Executable
Boot or Logon Autostart Execution: Authentication Package
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Sets service image path in registry
Stops running service(s)
Uses browser remote debugging
XMRig Miner payload
Amadey
Amadey family
Detect Vidar Stealer
Detects DonutLoader
DonutLoader
Donutloader family
GCleaner
Gcleaner family
Gurcu family
Gurcu, WhiteSnake
Lumma Stealer, LummaC
Lumma family
Quasar RAT
Quasar family
Quasar payload
Stealerium
Stealerium family
Vidar
Vidar family
Xmrig family
xmrig
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 85f04d9bf7440fa3611f62f2322ee36d2dc625fd46c91316da75bc067c66fd42
MD5 hash: 7e4482794753ece2c7555148db60813d
SHA1 hash: dcb820b18308fbac5cf22d31c3281127857280e7

SHA256 hash: 93b52c63c8ea6e739cb32f1ccedcd96c0ed769e06a5fba5a1bdd5bbe9eb44999
MD5 hash: a5e6484eef2b273591ad13582eb657de
SHA1 hash: d9c52dfb831c575dca98eef953da8816da73db8e
Detections: Amadey

SHA256 hash: 55a66492cb596e9e363f554c51be150f9258a9af8f809d3af868dec8ab85a6a5
MD5 hash: 9990941f05e37764191fb6bb13836268
SHA1 hash: dbd309c1870e4a5357bf0f6cb7835c2203985ce3
Detections: Amadey
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF) | high

Comments