MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 929f7e8b93d7627c0dbe5c7f47bed56ba33461e915c6e38dc4210975d13a774b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 929f7e8b93d7627c0dbe5c7f47bed56ba33461e915c6e38dc4210975d13a774b
SHA3-384 hash: 9f67b6c7778076de738596746c9974bb10dcc8c129904b2c41b92e4df4d07b76af4f550b11b7ef279c754befbd63c5bb
SHA1 hash: ec352b64a6c6e148fcbe6a03df0c63bd9c419aba
MD5 hash: 8c81e6f86fcb841998914616724a7127
humanhash: ohio-sweet-ohio-foxtrot
File name:628850391.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:2'164'224 bytes
First seen:2025-10-20 10:50:40 UTC
Last seen:2025-11-06 10:30:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:boOxvaIICasQh8l6fwR1OWVCxv3koTUiXmMzfJ:boOxiIIgQhEHVCxLI4rJ
Threatray 16 similar samples on MalwareBazaar
TLSH T15BA5F1D0EEACA95EE47AAF7AD0F7162007F49452DB32EE49081050DA0653713BDE26F7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:exe PureLogsStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
128
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
628850391.exe
Verdict:
Malicious activity
Analysis date:
2025-10-20 10:53:00 UTC
Tags:
stealer purecrypter netreactor auto-startup anti-evasion purehvnc
Link:
https://app.any.run/tasks/c6c8ea53-6cf4-413a-a8a5-ae4c7ead2cf6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33419/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f614306dc4a08515e36f6e
Tags:
autorun virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Launching a process
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a window
Creating a file
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 obfuscated packed reconnaissance
Link:
https://www.filescan.io/uploads/68f61433c85c5c56972ee851/reports/161b8c61-791a-40a9-8435-9770fd3d77ae/overview
Verdict:
Malicious
Labled as:
Trojan_MSIL_PurelogStealer_MG_MTB
Link:
https://www.hybrid-analysis.com/sample/929f7e8b93d7627c0dbe5c7f47bed56ba33461e915c6e38dc4210975d13a774b
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-13T21:02:00Z UTC
Last seen:
2025-10-20T11:33:00Z UTC
Hits:
~100
Detections:
Trojan.MSIL.Inject.sb Trojan.MSIL.Dnoper.sb Trojan.MSIL.Agent.sb VHO:Backdoor.Win32.Androm.gen HEUR:Trojan.Win32.Generic HEUR:Trojan.MSIL.Agent.gen Trojan-PSW.MSIL.PureLogs.sb Trojan-PSW.MSIL.PureLogs.nl
Link:
https://opentip.kaspersky.com/929f7e8b93d7627c0dbe5c7f47bed56ba33461e915c6e38dc4210975d13a774b/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d5c1fac8-a8eb-4cea-ba17-c0e147967755
Result
Threat name:
PureLog Stealer, ResolverRAT
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1798233
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected ResolverRAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/929f7e8b93d7627c0dbe5c7f47bed56ba33461e915c6e38dc4210975d13a774b
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.23 Win 32 Exe x86
Link:
https://app.malva.re/file/8c81e6f86fcb841998914616724a7127
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/929f7e8b93d7627c0dbe5c7f47bed56ba33461e915c6e38dc4210975d13a774b/
Verdict:
Malicious
Threat:
VHO:Backdoor.Win32.Androm
Link:
https://tip.neiki.dev/file/929f7e8b93d7627c0dbe5c7f47bed56ba33461e915c6e38dc4210975d13a774b
Threat name:
Win32.Trojan.PureLogStealer
Create hunting rule
Status:
Malicious
First seen:
2025-10-14 02:35:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=skpx5c4t25rhydn6lr7uppwvnortiypjcxdohdoeeeexluj2o5fq._file
Verdict:
malicious
Label(s):
unc_loader_078
Create hunting rule
Similar samples:
298dd30cdc48be22445637c6858b7cf007daecf9683a8338aa64d5178c9222a4
PureLogsStealer
5a2a8a4a03bac4f9e786d71b4ab69a4b49553a29d1ce2a121545c0513957047f
PureLogsStealer
d0fdf8d7394d40debb1147cde780dd3ff5eded6f118e97d21d11f5bf6309a33c
PureLogsStealer
ecdc4285745f04d5d3141f3668e48d5633849cf2594c0092e943d1e7ac5384d0
PureLogsStealer
+ 6 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/251020-mxzjxavkds/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Drops startup file
Unpacked files
SH256 hash:
929f7e8b93d7627c0dbe5c7f47bed56ba33461e915c6e38dc4210975d13a774b
MD5 hash:
8c81e6f86fcb841998914616724a7127
SHA1 hash:
ec352b64a6c6e148fcbe6a03df0c63bd9c419aba
Link:
https://www.unpac.me/results/ac629801-1035-4d12-8f4a-98820d9adb61/
SH256 hash:
108877545a9e8a093bb2d40af42d50eb6c70976e7e6d1339bb7351f3e717128b
MD5 hash:
cc3baf016d3a4770600c0bea05a52615
SHA1 hash:
be6d1f588cfd368cc32a2e164d844d276bb4478c
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/ac629801-1035-4d12-8f4a-98820d9adb61/
SH256 hash:
b857cd23af8563655e03e3791e9ece092a3adb844826b049f67b365e9b2b4d54
MD5 hash:
07c0eaeffc7d3f6200932082a8a6f1b2
SHA1 hash:
5bef9f38001c77b0085ad7e43e644ed70634f217
Link:
https://www.unpac.me/results/ac629801-1035-4d12-8f4a-98820d9adb61/
SH256 hash:
a7ad0676293ac058e80724d4ecb7e5458d1e66d0469ae308b5211bb2b01cfebb
MD5 hash:
64b302b59e7f7e3416adaaaa0a75080b
SHA1 hash:
b26dc166ec6469947f60cd1fa6d1c613950d430b
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/ac629801-1035-4d12-8f4a-98820d9adb61/
Parent samples :
b94e73181f7dcadaa59fd258eaceb8de41f4161e8baf0fa76fed58d957e4fd36
054e3c0da63e2eed91ab3e0dc24350df990263e90095503f89bd3f79033d3052
bc19c068f80c921461efa45e340b9afecc620222e3fb6fd505785f213fc2a5fd
929f7e8b93d7627c0dbe5c7f47bed56ba33461e915c6e38dc4210975d13a774b
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/929f7e8b93d7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/929f7e8b93d7627c0dbe5c7f47bed56ba33461e915c6e38dc4210975d13a774b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PureLogsStealer

Executable exe 929f7e8b93d7627c0dbe5c7f47bed56ba33461e915c6e38dc4210975d13a774b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/33419/

Comments