MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99978bb92355f3b3436b8e28f416d787bafd523deae3f03c97e0d9ed292e0305. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99978bb92355f3b3436b8e28f416d787bafd523deae3f03c97e0d9ed292e0305
SHA3-384 hash: c9b5ce3aeef9c35d1af7be0934d894fd07ebe503a92cbe05c9cd71825775464c43a93bed8a5030d4f64e1f7bc97f13a6
SHA1 hash: dca730305aff7b7799e4da672381ac81d73c9b52
MD5 hash: 0dd590078af5393c5da370c3935d9612
humanhash: artist-eighteen-victor-fanta
File name:Lets_Install.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:28'353'253 bytes
First seen:2025-11-19 13:49:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5e48fbae3520a62c95e412b293e1759c (2 x ValleyRAT, 1 x PureLogsStealer)
ssdeep 393216:hLNpwgeMhLDnjylVxBqAYYpfSguwQf675H1ulVc70tx+cR3WpN7HGzVWAsdtR5uO:BNph/nj+oyL8lVj+cR3MJHmWhtLo98uY
Threatray 6 similar samples on MalwareBazaar
TLSH T1E4573389A314C838D8D8D07B2B7F83EE74FEDCEA1D11C449CB971AF8D5952E210B6586
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter smica83
Tags:exe PureLogsStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_99978bb92355f3b3436b8e28f416d787bafd523deae3f03c97e0d9ed292e0305.exe
Verdict:
Malicious activity
Analysis date:
2025-11-19 13:50:23 UTC
Tags:
zgrat netreactor purehvnc
Link:
https://app.any.run/tasks/05a38604-05dc-478d-92a6-46412aae0db9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38659/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=691dcaed27c5936d7d0db6f5
Tags:
micro shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Moving a file to the %temp% subdirectory
Launching a process
Loading a suspicious library
Creating a file
Using the Windows Management Instrumentation requests
Connection attempt
Sending a custom TCP request
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole installer installer installer-heuristic microsoft_visual_cc nsis overlay packed
Link:
https://www.filescan.io/uploads/691dcae66707890e552c21ba/reports/c6534cc0-6ffa-4913-9da3-e9df050cf063/overview
Verdict:
Suspicious
Labled as:
Malware_60.1
Link:
https://www.hybrid-analysis.com/sample/99978bb92355f3b3436b8e28f416d787bafd523deae3f03c97e0d9ed292e0305
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-19T00:24:00Z UTC
Last seen:
2025-11-20T00:49:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Win32.Generic HEUR:Trojan.MSIL.Cryptos.gen PDM:Trojan.Win32.Generic Backdoor.MSIL.AsyncRat.il Trojan.Win32.Shellcode.sb Trojan.Win32.Shellcode.iet Trojan.MSIL.Donut.sb Trojan.MSIL.Crypt.sb
Link:
https://opentip.kaspersky.com/99978bb92355f3b3436b8e28f416d787bafd523deae3f03c97e0d9ed292e0305/results?tab=lookup
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1816895
Signature
Accesses sensitive object manager directories (likely to detect virtual machines)
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the DNS server
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via ARP
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample is not signed and drops a device driver
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal Bitcoin Wallet information
Unusual module load detection (module proxying)
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1816895 Sample: Lets_Install.exe Startdate: 19/11/2025 Architecture: WINDOWS Score: 76 133 yandex.com 2->133 135 www.yandex.com 2->135 137 8 other IPs or domains 2->137 153 Suricata IDS alerts for network traffic 2->153 155 Multi AV Scanner detection for submitted file 2->155 157 Yara detected PureLog Stealer 2->157 159 7 other signatures 2->159 11 Lets_Install.exe 15 2->11         started        14 svchost.exe 2->14         started        16 svchost.exe 2->16         started        19 11 other processes 2->19 signatures3 process4 dnsIp5 113 C:\Users\user\AppData\Roaming\sWbO .exe, PE32 11->113 dropped 115 C:\Users\user\AppData\...\pczHYMPc3z.dll, PE32 11->115 dropped 117 C:\Users\user\AppData\...\mbsXVknFG0.dll, PE32 11->117 dropped 119 5 other files (none is malicious) 11->119 dropped 22 sWbO .exe 10 304 11->22         started        26 idCd  .exe 2 11->26         started        28 drvinst.exe 14->28         started        30 drvinst.exe 14->30         started        149 Changes security center settings (notifications, updates, antivirus, firewall) 16->149 32 MpCmdRun.exe 16->32         started        139 127.0.0.1 unknown unknown 19->139 151 Modifies the DNS server 19->151 34 regsvr32.exe 19->34         started        36 LetsPRO.exe 19->36         started        file6 signatures7 process8 file9 95 C:\Program Files (x86)\...\tap0901.sys, PE32+ 22->95 dropped 97 C:\Program Files (x86)\...\LetsPRO.exe, PE32 22->97 dropped 99 C:\Program Files (x86)\...\LetsPRO.exe.config, XML 22->99 dropped 111 223 other files (1 malicious) 22->111 dropped 171 Sample is not signed and drops a device driver 22->171 38 LetsPRO.exe 22->38         started        40 cmd.exe 22->40         started        43 powershell.exe 22->43         started        50 8 other processes 22->50 101 C:\Users\user\AppData\Local\...\idCd  .tmp, PE32 26->101 dropped 45 idCd  .tmp 5 7 26->45         started        103 C:\Windows\System32\...\tap0901.sys (copy), PE32+ 28->103 dropped 105 C:\Windows\System32\drivers\SET8E9F.tmp, PE32+ 28->105 dropped 173 Accesses sensitive object manager directories (likely to detect virtual machines) 28->173 107 C:\Windows\System32\...\tap0901.sys (copy), PE32+ 30->107 dropped 109 C:\Windows\System32\...\SET8663.tmp, PE32+ 30->109 dropped 48 conhost.exe 32->48         started        signatures10 process11 file12 52 LetsPRO.exe 38->52         started        175 Uses netsh to modify the Windows network and firewall settings 40->175 177 Uses ipconfig to lookup or modify the Windows network settings 40->177 179 Performs a network lookup / discovery via ARP 40->179 56 conhost.exe 40->56         started        58 netsh.exe 40->58         started        181 Loading BitLocker PowerShell Module 43->181 60 conhost.exe 43->60         started        121 C:\Users\user\AppData\...\is-ARRT6.tmp, PE32 45->121 dropped 123 172f763e_de4f_4eea...8ee699d8.dll (copy), PE32 45->123 dropped 125 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 45->125 dropped 127 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 45->127 dropped 62 regsvr32.exe 1 5 45->62         started        129 C:\Users\user\AppData\...\tap0901.sys (copy), PE32+ 50->129 dropped 131 C:\Users\user\AppData\Local\...\SET851B.tmp, PE32+ 50->131 dropped 64 conhost.exe 50->64         started        66 conhost.exe 50->66         started        68 conhost.exe 50->68         started        70 9 other processes 50->70 signatures13 process14 dnsIp15 141 119.29.29.29, 49725, 53 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN China 52->141 143 23.98.101.63, 443, 49728, 49737 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 52->143 147 11 other IPs or domains 52->147 161 Loading BitLocker PowerShell Module 52->161 72 cmd.exe 52->72         started        75 WMIC.exe 52->75         started        77 cmd.exe 52->77         started        79 cmd.exe 52->79         started        145 8.210.98.219, 13601, 49720 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 62->145 163 System process connects to network (likely due to code injection or exploit) 62->163 165 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 62->165 167 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 62->167 169 5 other signatures 62->169 signatures16 process17 signatures18 183 Performs a network lookup / discovery via ARP 72->183 81 conhost.exe 72->81         started        83 ARP.EXE 72->83         started        185 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 75->185 85 conhost.exe 75->85         started        87 conhost.exe 77->87         started        89 ipconfig.exe 77->89         started        91 conhost.exe 79->91         started        93 ROUTE.EXE 79->93         started        process19
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/99978bb92355f3b3436b8e28f416d787bafd523deae3f03c97e0d9ed292e0305
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/0dd590078af5393c5da370c3935d9612
Gathering data
Verdict:
Malicious
Threat:
Family.ZGRAT
Link:
https://tip.neiki.dev/file/99978bb92355f3b3436b8e28f416d787bafd523deae3f03c97e0d9ed292e0305
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tglyxojdkxz3gq3lryupifwxq65p2ur55lr7apex4dm62kjoamcq._file
Verdict:
malicious
Label(s):
unc_loader_078
Create hunting rule
Similar samples:
0896adf3b2f0cdd9d7b9dead68d558b639414f11f8342073844bba682597cfba
PureLogsStealer
a9cbc9ef4eae8d3c279ccf6322af7423193bcd71cabf4b5daf90e9794047d145
PureLogsStealer
e8caac829b55f23bf9ee8880342a529ae2af9f446f820fec1828645d6d15d9f6
PureLogsStealer
error
PureLogsStealer
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution persistence privilege_escalation spyware trojan
Link:
https://tria.ge/reports/251119-q4wy5sck4v/
Behaviour
Checks SCSI registry key(s)
Gathers network information
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks installed software on the system
Network Service Discovery
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Drops file in Drivers directory
Modifies Windows Firewall
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ba1d00ac-ef74-429a-8043-37df68fdece4
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/99978bb92355/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/99978bb92355f3b3436b8e28f416d787bafd523deae3f03c97e0d9ed292e0305

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Windows_Generic_Threat_c9003b7b
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/38659/

Comments