MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b879d07c0c1deb75980991437e04f87c50a3a6410609f5cfd4aa68075fa3a795. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b879d07c0c1deb75980991437e04f87c50a3a6410609f5cfd4aa68075fa3a795
SHA3-384 hash: c408de2b7913e7f7a1a3ebefba1d5c6540c71a4f8121c50211368933f5ff33ef21e4710aa81377ebb522bf6f3d1535bc
SHA1 hash: 0b45827acea44804b8efc37a5bf2b5ac144318d0
MD5 hash: 7a74ea3b623eb375b7f8277c290f1a1b
humanhash: twelve-rugby-carolina-three
File name:7a74ea3b623eb375b7f8277c290f1a1b.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:15'862'272 bytes
First seen:2025-08-28 06:44:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 196608:OiH5TMOUYEGZI3VsqigSZ1SaeQstKuj3U8o/rpOs:OyTMzYxosqiG5tKurU8mFOs
TLSH T178F6E52021D9AB03FD7EDFBD99DC76410F79B1923763EA384B5209E90ED1B18C8435A6
TrID 34.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
23.4% (.EXE) Win32 Executable (generic) (4504/4/1)
10.7% (.ICL) Windows Icons Library (generic) (2059/9)
10.5% (.EXE) OS/2 Executable (generic) (2029/13)
10.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe PureLogsStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7a74ea3b623eb375b7f8277c290f1a1b.exe
Verdict:
Malicious activity
Analysis date:
2025-08-28 06:57:19 UTC
Tags:
stealer zgrat purehvnc netreactor
Link:
https://app.any.run/tasks/8c170cec-256b-494a-91ba-32dd34d0a2c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23987/
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68affb2f3e988eb6ab82e01c
Tags:
virus msil
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/b879d07c0c1deb75980991437e04f87c50a3a6410609f5cfd4aa68075fa3a795
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-25T12:51:00Z UTC
Last seen:
2025-08-25T12:51:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/b879d07c0c1deb75980991437e04f87c50a3a6410609f5cfd4aa68075fa3a795/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/eb7f3da7-51e5-4a61-ab07-a9fbae7dd25e
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1766809
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Found many strings related to Crypto-Wallets (likely being stolen)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Yara detected AntiVM3
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
0%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/b879d07c0c1deb75980991437e04f87c50a3a6410609f5cfd4aa68075fa3a795
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b879d07c0c1deb75980991437e04f87c50a3a6410609f5cfd4aa68075fa3a795/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2025-08-25 18:41:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xb45a7amdxvxlgajsfbx4bhyprikhjsbaye7lt6uvjuaox5du6kq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery spyware stealer
Link:
https://tria.ge/reports/250828-hjaw6scp6v/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Modifies trusted root certificate store through registry
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4c035bd2-6578-4d17-a197-ea9f2efca751
Unpacked files
SH256 hash:
c4ddbb1d77cdc01403c546eaf85bfb49816f31f251c63e0ee6a1e48b48b2afb6
MD5 hash:
c0fbb3ac36cea2370a9d6c433968702b
SHA1 hash:
307cf60ec5df90208d2969cf8dc9fa20a3a7705c
Detections:
SUSP_OBF_NET_Eazfuscator_String_Encryption_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/200ed3f6-bda0-49b5-b1ab-593826f4ce1b/
SH256 hash:
695715a2fbdfa7ebf93c51705bbae81ebec7610395e8678a8c8639af8eb91acd
MD5 hash:
2e3b500568ca3a0e88b1f914476095b5
SHA1 hash:
a19b17b3b50866651fbf7cf859b6db84c23a3713
Link:
https://www.unpac.me/results/200ed3f6-bda0-49b5-b1ab-593826f4ce1b/
SH256 hash:
84edf34634fe7e45a9e8b5a0ebabed0b0efbd454b08d2bc894a1c3316969e9e0
MD5 hash:
994b1026a170c31c3c247894eb73c57a
SHA1 hash:
4a6043c00d15e3c532e2881b88e85662d469d02d
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/200ed3f6-bda0-49b5-b1ab-593826f4ce1b/
Parent samples :
e89cb454b197eb77825d7f6ad2d6ce359c2adf004f6bed4b15ce7988a12ff6d6
b879d07c0c1deb75980991437e04f87c50a3a6410609f5cfd4aa68075fa3a795
5d8df26f099aacb1a96263d727316b05fd2a218a35d4853e7a17cca5fc348420
SH256 hash:
b9f1a4aef36f58ab10512a50bd1113ebd1e96aae16d918c808b0feb45d017d0e
MD5 hash:
c4c8a156440c9895877607f26779e930
SHA1 hash:
866a072e3d23bd46ae6c1e93d902152c99ed0eb6
Link:
https://www.unpac.me/results/200ed3f6-bda0-49b5-b1ab-593826f4ce1b/
SH256 hash:
b879d07c0c1deb75980991437e04f87c50a3a6410609f5cfd4aa68075fa3a795
MD5 hash:
7a74ea3b623eb375b7f8277c290f1a1b
SHA1 hash:
0b45827acea44804b8efc37a5bf2b5ac144318d0
Link:
https://www.unpac.me/results/200ed3f6-bda0-49b5-b1ab-593826f4ce1b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b879d07c0c1deb75980991437e04f87c50a3a6410609f5cfd4aa68075fa3a795

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/23987/

Comments