MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91136aef6d58268a60dbfba702338fada14dddb4d3523acf4dfad671c58780d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91136aef6d58268a60dbfba702338fada14dddb4d3523acf4dfad671c58780d9
SHA3-384 hash: 7982dc310467a2464335744d80afe2e4ade63678c2e395848a10f3b7ce9c48f779b49f80fbbaef983c5380eb485d34ab
SHA1 hash: 4c95be6f262088291db1d7663b96f2a45b24e6c2
MD5 hash: 6192be2667a1b6cae0702ca9310346aa
humanhash: north-white-washington-asparagus
File name:6192be2667a1b6cae0702ca9310346aa.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:6'103'525 bytes
First seen:2025-08-24 17:39:00 UTC
Last seen:2025-08-25 11:57:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 40ab50289f7ef5fae60801f88d4541fc (59 x ValleyRAT, 49 x Gh0stRAT, 41 x OffLoader)
ssdeep 49152:wwREDP+gttBf4EQqfUtqUI9Mx42fPSdkc/e/dvEA82ArC+sT++ggJ0:wwRELDv8wUImbWkcG/nGWBG
TLSH T10056CF2B738F9D3AF199AB3A65E2941444F36E1168E36D3252ECD458CE318501EFEE07
TrID 62.3% (.EXE) Inno Setup installer (107240/4/30)
24.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
6.1% (.EXE) Win64 Executable (generic) (10522/11/4)
2.6% (.EXE) Win32 Executable (generic) (4504/4/1)
1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter abuse_ch
Tags:exe PureLogsStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
60
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
6b65b8cb8867d879d482344c74dbf4b2051d283f66b95881fda2f576cd13c34a.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-08-24 13:20:46 UTC
Tags:
gcleaner loader auto-startup lumma stealer auto autoit ims-api generic redline amadey botnet arch-exec evasion themida stealc telegram rdp n-w0rm worm
Link:
https://app.any.run/tasks/4d2ea5ce-9ebb-4dc6-a0c6-22d2a532f720

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23277/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ab4ec5e9d9dbcfd96daac2
Tags:
injection dropper extens
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Restart of the analyzed sample
Creating a process with a hidden window
Creating a file
Moving a recently created file
Launching a process
Loading a suspicious library
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug crypt embarcadero_delphi expand fingerprint installer lolbin masquerade obfuscated overlay overlay packed zero
Link:
https://www.filescan.io/uploads/68ab4ffb28a89d9dd4f2fee7/reports/1d993b46-8d7d-4671-a6ba-80ab6c5da374/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/91136aef6d58268a60dbfba702338fada14dddb4d3523acf4dfad671c58780d9
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-22T20:53:00Z UTC
Last seen:
2025-08-22T20:53:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/91136aef6d58268a60dbfba702338fada14dddb4d3523acf4dfad671c58780d9/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1522c23d-799f-45f6-93f4-06772f4ac2be
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.rans
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1764019
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Sigma detected: Powershell launch regsvr32
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1764019 Sample: wKcoIxCJDa.exe Startdate: 24/08/2025 Architecture: WINDOWS Score: 100 95 Suricata IDS alerts for network traffic 2->95 97 Antivirus / Scanner detection for submitted sample 2->97 99 Multi AV Scanner detection for dropped file 2->99 101 5 other signatures 2->101 12 wKcoIxCJDa.exe 2 2->12         started        15 regsvr32.exe 2->15         started        18 svchost.exe 2->18         started        process3 dnsIp4 73 C:\Users\user\AppData\...\wKcoIxCJDa.tmp, PE32 12->73 dropped 21 wKcoIxCJDa.tmp 3 5 12->21         started        117 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 15->117 75 127.0.0.1 unknown unknown 18->75 file5 signatures6 process7 file8 59 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 21->59 dropped 61 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 21->61 dropped 24 wKcoIxCJDa.exe 2 21->24         started        process9 file10 63 C:\Users\user\AppData\...\wKcoIxCJDa.tmp, PE32 24->63 dropped 27 wKcoIxCJDa.tmp 3 5 24->27         started        process11 file12 65 C:\Users\user\is-1CAIH.tmp, PE32 27->65 dropped 67 C:\Users\user\LightPink2.dat (copy), PE32 27->67 dropped 69 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 27->69 dropped 71 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 27->71 dropped 115 Drops PE files to the user root directory 27->115 31 regsvr32.exe 2 2 27->31         started        signatures13 process14 dnsIp15 85 213.209.150.74, 49685, 49693, 49694 KEMINETAL Germany 31->85 87 System process connects to network (likely due to code injection or exploit) 31->87 89 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 31->89 91 Suspicious powershell command line found 31->91 93 7 other signatures 31->93 35 RegAsm.exe 31->35         started        38 powershell.exe 37 31->38         started        40 powershell.exe 37 31->40         started        signatures16 process17 signatures18 103 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 35->103 105 Tries to steal Mail credentials (via file / registry access) 35->105 107 Tries to harvest and steal browser information (history, passwords, etc) 35->107 111 6 other signatures 35->111 42 chrome.exe 35->42         started        46 chrome.exe 35->46 injected 48 chrome.exe 35->48 injected 54 4 other processes 35->54 109 Loading BitLocker PowerShell Module 38->109 50 conhost.exe 38->50         started        52 conhost.exe 40->52         started        process19 dnsIp20 83 192.168.2.7, 138, 443, 49672 unknown unknown 42->83 113 Installs a global keyboard hook 42->113 56 chrome.exe 42->56         started        signatures21 process22 dnsIp23 77 www.google.com 142.250.65.196, 443, 49699, 49704 GOOGLEUS United States 56->77 79 142.251.40.129, 443, 49706 GOOGLEUS United States 56->79 81 6 other IPs or domains 56->81
Score:
83%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/91136aef6d58268a60dbfba702338fada14dddb4d3523acf4dfad671c58780d9
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/6192be2667a1b6cae0702ca9310346aa
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/91136aef6d58268a60dbfba702338fada14dddb4d3523acf4dfad671c58780d9/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-08-24 17:48:38 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sejwv33nlatiuyg37otqem4pvwqu3xnu2njdvt2n7llhdrmhqdmq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250824-wdtzraxsay/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/361a6326-5aaa-47fb-839a-5ea63b3d19dd
Unpacked files
SH256 hash:
91136aef6d58268a60dbfba702338fada14dddb4d3523acf4dfad671c58780d9
MD5 hash:
6192be2667a1b6cae0702ca9310346aa
SHA1 hash:
4c95be6f262088291db1d7663b96f2a45b24e6c2
Link:
https://www.unpac.me/results/87c0c99c-ca31-43f9-8ff9-5c3e9419fcd6/
SH256 hash:
cb9a109bcb9f34113721226c09e0167779aeb728b4481ab7f4ab8483dbc114c1
MD5 hash:
839af1ad666dacc31cc832bc80901073
SHA1 hash:
873a31d789af55c2805bcf3825bc2c6d49348213
Link:
https://www.unpac.me/results/87c0c99c-ca31-43f9-8ff9-5c3e9419fcd6/
SH256 hash:
425b2d6b14e1fe369686f603df636acbf035aea1a8cba032617029ef8a928758
MD5 hash:
487c9833ed32b019a5e4de073f717f8a
SHA1 hash:
520e924446ab2bd9bb6b3f0dc99d71fc4b818605
Link:
https://www.unpac.me/results/87c0c99c-ca31-43f9-8ff9-5c3e9419fcd6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/91136aef6d58/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/91136aef6d58268a60dbfba702338fada14dddb4d3523acf4dfad671c58780d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/23277/

Comments