MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d12aae7dab13f17a28e4d123c9383fdee217d023ed9bd47668a771de7ff6987. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureLogsStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	9d12aae7dab13f17a28e4d123c9383fdee217d023ed9bd47668a771de7ff6987
SHA3-384 hash:	1f15561ff49737aa3065fb03ad3513478010a66fa0aa03bc0868290e9fa4f466f7c936242fb6b870c49c7e261171f831
SHA1 hash:	5d0da4324b4186a57c8d13c15bb6ff76de27c148
MD5 hash:	a2c400100ece6ca0323dbdc00314e1f2
humanhash:	maine-ohio-pasta-kentucky
File name:	payload_1.ps1
Download:	download sample
Signature	PureLogsStealer Create hunting rule
File size:	1'344 bytes
First seen:	2025-12-11 10:14:38 UTC
Last seen:	Never
File type:	ps1
MIME type:	text/plain
ssdeep	24:nk9g8Ou75hDjOCins0vHX2mR9keOQ/UEQwHGrVhfkwQNylULJHc4eG:km8Ou75hDjOJX7UEQHj7QszG
Threatray	9 similar samples on MalwareBazaar
TLSH	T160215463E6CB7181D1E516E9B05A91894F74AAFFA09D72C056A7F77CF0118CC00EE066
Magika	powershell
Reporter	smica83
Tags:	ps1 PureLogsStealer

Intelligence

File Origin

# of uploads :

# of downloads :

107

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=693a99babde6a3e597103489

Tags:

n/a

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

base64 obfuscated obfuscated overlay

Link:

https://www.filescan.io/uploads/693a99b807486fde6751d8f6/reports/9c75c6c3-2562-4162-9796-18779197a744/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/9d12aae7dab13f17a28e4d123c9383fdee217d023ed9bd47668a771de7ff6987

Verdict:

Adware

File Type:

ps1

First seen:

2025-12-11T07:54:00Z UTC

Last seen:

2025-12-11T14:18:00Z UTC

Hits:

~10

Detections:

HackTool.PowerShell.InvokeObfuscation.sb HackTool.PowerShell.AmsiBypass.sb HEUR:HackTool.PowerShell.InvokeObfuscation.gen

Link:

https://opentip.kaspersky.com/9d12aae7dab13f17a28e4d123c9383fdee217d023ed9bd47668a771de7ff6987/results?tab=lookup

Result

Threat name:

PureCrypter, Caminho Loader, PureLog Ste

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1830854

Signature

.NET source code contains potential unpacker

AI detected malicious Powershell script

Detected PureCrypter Trojan

Found Tor onion address

Installs new ROOT certificates

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Yara detected Caminho Loader

Yara detected Powershell decode and execute

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

35%

Verdict:

Susipicious

File Type:

SCRIPT

Link:

https://malprob.io/report/9d12aae7dab13f17a28e4d123c9383fdee217d023ed9bd47668a771de7ff6987

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9d12aae7dab13f17a28e4d123c9383fdee217d023ed9bd47668a771de7ff6987/

Verdict:

Malicious

Threat:

Family.ZGRAT

Link:

https://tip.neiki.dev/file/9d12aae7dab13f17a28e4d123c9383fdee217d023ed9bd47668a771de7ff6987

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tujkvz62we7rpiuojujdze4d7xxcc7ich3m32r3grj3r3z77ngdq._file

Verdict:

malicious

Label(s):

unc_loader_078

caminholoader

PureLogsStealer

69e530a00f9ef558449c302404e11a8e05f1c4c4cb83c2659b71ad0c3f5bb466

PureLogsStealer

7fdc44119bec563c6d469b273b27e3af8c84665f17e2f776ea34a71a33bd53a1

PureLogsStealer

811b90d73b7ed15674ea27dd059d8c29f9000a713103947d43d36557b3b5446f

PureLogsStealer

a7993775f4518c6c68db08e226c11e51f9bc53314e4ff9385269baac582e2528

PureLogsStealer

b6426ad74f110c618f386180fda830a366607fac16789a2055ab8b28481c286e

PureLogsStealer

dd148325d606b9df924a264e7b57e2b0871796fc5f94bdcff9ceb729b8a2d022

PureLogsStealer

error

PureLogsStealer

Result

Malware family:

n/a

Score:

10/10

Tags:

execution

Link:

https://tria.ge/reports/251211-maeafsbs6f/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Command and Scripting Interpreter: PowerShell

Badlisted process makes network request

Malware Config

Dropper Extraction:

http://archive.org/download/optimized_msi_20251117/optimized_MSI.png

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/9d12aae7dab13f17a28e4d123c9383fdee217d023ed9bd47668a771de7ff6987

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample