MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6ad40feb8a882f25e8b95a1e8544bb6f58c0cb22044fd740f8cca8bd868f5a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureLogsStealer
Vendor detections: 9

SHA256 hash: a6ad40feb8a882f25e8b95a1e8544bb6f58c0cb22044fd740f8cca8bd868f5a3
SHA3-384 hash: ff031d67f486e970a7282f9339af33a8d92a3a8749668aada2034f113cc5e30d244b13fe5b6230d03d537dabc4a396d0
SHA1 hash: 1e99c3264e9ded8df32c01291f1136389c0a7a80
MD5 hash: b51bc005857ea07172afabc9be91baa0
humanhash: stream-nuts-colorado-ceiling
File name: Bill of Lading_ 514863409.gz
Signature: PureLogsStealer
File size: 1'013'160 bytes
First seen: 2025-12-05 16:26:15 UTC
Last seen: Never
File type: gz
MIME type: application/gzip
ssdeep: 24576:dGb0h8vLqjG7sF/M1Rb0zI9N7FsoaRgJHmWmJ5pbdnJrgHl9xK:dzG7sCD0k5daRTWmBbcpK
TLSH: T1522533EC2859F7A8CE4E9316D8077ADADA20D0E7308F8E0C4F4F734465F56AB105676A
Magika: gzip
Reporter: cocaman
Tags: gz


cocaman
Malicious email (T1566.001)
From: "Dong Hai <export@wj-yongdajh.com>" (likely spoofed)
Received: "from mail.wj-yongdajh.com (mail.wj-yongdajh.com [192.227.207.132]) "
Date: "Thu, 04 Dec 2025 04:47:49 +0100"
Subject: "=?UTF-8?Q?=E7=AD=94=E5=A4=8D=3A_DRAFT_PACKING_LIST_514863409?="
Attachment: "Bill of Lading_ 514863409.gz"

Intelligence


File Origin
# of uploads: 1
# of downloads: 52
Origin country: CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: Bill of Lading_ 514863409.exe
File size: 1'071'104 bytes
SHA256 hash: 7a020ca579b3ef573ceaaf0ab51c6c38e27f15dde073053e2772b0656de370f3
MD5 hash: 0254a7e0582b2be5443eadcc8bdf6806
MIME type: application/x-dosexec
Signature: PureLogsStealer
Vendor Threat Intelligence

No detections

Verdict: Malicious
Score: 81.4%
Tags: backdoor nanobot virus

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: krypt packed vbnet

Verdict: Malicious
File Type: gz
First seen: 2025-12-03T22:16:00Z UTC
Last seen: 2025-12-07T04:18:00Z UTC
Hits: ~10

Verdict: inconclusive
YARA: 1 match(es)
Tags: .Net Executable GZip Archive Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.27

Threat name: ByteCode-MSIL.Spyware.Negasteal
Status: Malicious
First seen: 2025-12-04 01:10:46 UTC
File Type: Binary (Archive)
Extracted files: 9
AV detection: 17 of 24 (70.83%)
Threat level: 2/5

Result
Malware family: n/a
Score: 7/10
Tags: collection discovery spyware stealer
Behaviour:
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
Drops file in Windows directory
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win32_dotnet_form_obfuscate
Author: Reedus0
Description: Rule for detecting .NET form obfuscate malware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
PureLogsStealer: gz a6ad40feb8a882f25e8b95a1e8544bb6f58c0cb22044fd740f8cca8bd868f5a3 (this sample)

Delivery method: Distributed via e-mail attachment

Comments