MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa412cb3954e212d73da73ceb3fb468d74b2acbbdeb09ff3eb015c914bede0a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureLogsStealer
Vendor detections: 16



SHA256 hash: aa412cb3954e212d73da73ceb3fb468d74b2acbbdeb09ff3eb015c914bede0a0
SHA3-384 hash: edbe0a0127b1feee40ba678183de5cfe6c8ebb3846ee4efe9d17f2f6122cc859f8c60b86dbe82d4cf13d64994a61292b
SHA1 hash: 1418b5a7fe7eb9d43f8c3aaaf8bd800778c4a0f3
MD5 hash: b13f04125bcf47f121c8618cc6384504
humanhash: oklahoma-nebraska-stairway-september
File name: aa412cb3954e212d73da73ceb3fb468d74b2acbbdeb09ff3eb015c914bede0a0
Signature: PureLogsStealer
File size: 9'907'568 bytes
First seen: 2026-01-05 22:20:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash b41ac626c7b6ae6ac604f7789254aa7d (1 x PureLogsStealer, 1 x njrat)
ssdeep 98304:xLoBG2x0j6035YeeldVFR6Av3NouhhZCENknHrZGmW600wpDDAdj1N:lo3gTefNou4akLMmpYDIjz
TLSH T1F9A65921F254AA77C0EE0779409BCA701338426A4B138BC746D4D9FDFD5AAC22F75A4B
TrID 64.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
16.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.9% (.EXE) Win32 Executable (generic) (4504/4/1)
3.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
3.1% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter johnk3r
Tags: exe minacu-go-gov-br PureLogsStealer signed supphouse-minhacasa-tv xworm

Code Signing Certificate

Organisation: AURORA SOLUCOES & TURISMO LTDA
Issuer: SSL.com EV Code Signing Intermediate CA RSA R3
Algorithm: sha256WithRSAEncryption
Valid from: 2025-10-13T21:51:43Z
Valid to: 2026-10-13T21:51:43Z
Serial number: 18c1f0e7cac9039caff80eaddf948ee1
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist: This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm: SHA256
Thumbprint: f2426bbb42ceb181d31d743936d9dce89bc9cdf307ce9f80358634d95b197afb
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 149
Origin country: CH

Vendor Threat Intelligence
No detections
Malware family: n/a
ID: 1
File name: aa412cb3954e212d73da73ceb3fb468d74b2acbbdeb09ff3eb015c914bede0a0
Verdict: Malicious activity
Analysis date: 2026-01-05 22:23:07 UTC
Tags: rat auto-startup stealer netreactor purehvnc

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 92.5%
Tags: shellcode injection autorun blic
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file
Creating a process from a recently created file
Creating synchronization primitives
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Creating a window
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context anti-debug base64 crypto embarcadero_delphi fingerprint obfuscated overlay packed signed
Verdict: Malicious
File Type: exe x32
First seen: 2026-01-05T17:32:00Z UTC
Last seen: 2026-01-07T18:23:00Z UTC
Hits: ~100
Detections: PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Coins.sb HEUR:Backdoor.Win32.XWorm.gen
Result
Threat name: ResolverRAT, PureLog Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 96 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious PE digital signature
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Yara detected PureLog Stealer
Yara detected ResolverRAT
Behaviour
Behavior Graph (ID 1845183; sample U7RuiHozwE.exe; start date 05/01/2026; architecture WINDOWS; score 96), flattened from the graph image:
Processes started: U7RuiHozwE.exe and vlc.exe from the start node; a second vlc.exe started by U7RuiHozwE.exe
Files dropped by U7RuiHozwE.exe (all PE32): C:\Users\Public\Documents\vlc.exe, C:\Users\Public\Documents\libvlc.dll, C:\Users\Public\Documents\d3dxof.dll, C:\Users\Public\Documents\Direct3D.dll
Files dropped by the child vlc.exe (all PE32): C:\Users\Public\Downloads\DirectX9\vlc.exe, C:\Users\Public\Downloads\...\libvlc.dll, C:\Users\Public\Downloads\...\d3dxof.dll, C:\Users\Public\Downloads\...\Direct3D.dll
Network (from the child vlc.exe): supphouse.minhacasa.tv 86.109.75.35, 49768, 49769, 56001 RLAN-ASHU Hungary
Signatures on the start node: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures
Signatures on the top-level vlc.exe: Found many strings related to Crypto-Wallets (likely being stolen)
Signatures on the child vlc.exe: Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Found many strings related to Crypto-Wallets (likely being stolen); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 3 other signatures
Verdict: inconclusive
YARA: 7 match(es)
Tags: .Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.83 Win 32 Exe x86
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2026-01-05 21:38:12 UTC
File Type: PE (Exe)
Extracted files: 19
AV detection: 7 of 24 (29.17%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: discovery spyware stealer
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops desktop.ini file(s)
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24
Malware family: DnlibLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: Lumma_Stealer_Detection
Author: ashizZz
Description: Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference: https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name: NET
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name: test_Malaysia
Author: rectifyq
Description: Detects file containing malaysia string

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Signature | File type | SHA256
PureLogsStealer | Executable exe | aa412cb3954e212d73da73ceb3fb468d74b2acbbdeb09ff3eb015c914bede0a0 (this sample)
