MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b94e73181f7dcadaa59fd258eaceb8de41f4161e8baf0fa76fed58d957e4fd36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b94e73181f7dcadaa59fd258eaceb8de41f4161e8baf0fa76fed58d957e4fd36
SHA3-384 hash: 75d8ca52487ffe5b2be38bca5057057afdea0aa9e9c5e8f73407ea4683b59bcf8656ee2a7eac73c26581fcdad7b819d2
SHA1 hash: f82346ed9fbf4a98f5316bd5c0934915dbb2ffd5
MD5 hash: 59d88175c6b62642c3c0456ecaef1868
humanhash: video-west-delaware-lithium
File name:ORDER No - 14100058.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:990'208 bytes
First seen:2025-10-08 16:40:52 UTC
Last seen:2025-10-09 10:10:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:FHAu4w2wH5HAFMEn/Fnr9Pasg5s+FQtU/aXk8M++:FHAu4w2kH+MEnNrpar5hqKaXkPZ
TLSH T18C2523451A8EC816D2A26F71CDA9C3F01778BF5D2711C6868BF71EEF7DBA241029170A
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter James_inthe_box
Tags:exe PureLogsStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
131
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER No - 14100058.exe
Verdict:
Malicious activity
Analysis date:
2025-10-08 16:49:26 UTC
Tags:
anti-evasion stealer purecrypter
Link:
https://app.any.run/tasks/ac6a7f5d-acdc-46eb-a78e-8d7754ae2147

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/31159/
Verdict:
Clean
Score:
82.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e6943c277c2bd8bc5df0ba
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
explorer lolbin masquerade obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/68e6943dd4a0085473c44fa1/reports/92b27ef6-d160-4c38-a455-b3ea92a678e5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b94e73181f7dcadaa59fd258eaceb8de41f4161e8baf0fa76fed58d957e4fd36
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-08T04:15:00Z UTC
Last seen:
2025-10-09T13:42:00Z UTC
Hits:
~1000
Detections:
Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb VHO:Trojan-Spy.Win32.Convagent.gen PDM:Trojan.Win32.Generic HEUR:Trojan-PSW.MSIL.Agensla.gen HEUR:Trojan.MSIL.Agent.gen
Link:
https://opentip.kaspersky.com/b94e73181f7dcadaa59fd258eaceb8de41f4161e8baf0fa76fed58d957e4fd36/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/73c44932-1351-474f-bbc5-e7b2e493b4c7
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b94e73181f7dcadaa59fd258eaceb8de41f4161e8baf0fa76fed58d957e4fd36
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.39 Win 32 Exe x86
Link:
https://app.malva.re/file/59d88175c6b62642c3c0456ecaef1868
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b94e73181f7dcadaa59fd258eaceb8de41f4161e8baf0fa76fed58d957e4fd36/
Verdict:
Malicious
Threat:
Trojan.MSIL.Inject
Link:
https://tip.neiki.dev/file/b94e73181f7dcadaa59fd258eaceb8de41f4161e8baf0fa76fed58d957e4fd36
Threat name:
ByteCode-MSIL.Trojan.XWorm
Create hunting rule
Status:
Malicious
First seen:
2025-10-08 08:47:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
23 of 36 (63.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xfhhgga7pxfnvjm72jmovtvy3za7ifq6roxq7j3p5vmnsv7e7u3a._file
Verdict:
malicious
Label(s):
katzstealer
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
error
PureLogsStealer
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/251008-t7cw8ay1ez/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b4c82b8e-e91b-4ec8-94db-e05021205653
Unpacked files
SH256 hash:
b94e73181f7dcadaa59fd258eaceb8de41f4161e8baf0fa76fed58d957e4fd36
MD5 hash:
59d88175c6b62642c3c0456ecaef1868
SHA1 hash:
f82346ed9fbf4a98f5316bd5c0934915dbb2ffd5
Link:
https://www.unpac.me/results/e78ff645-9fac-45f6-874a-0e398d416da8/
SH256 hash:
cc2b98223c9dcaf35c31d2eb743780aa3ea50177043e82633dda11aa7b7ff66b
MD5 hash:
014ace331af3642ddb3d3aa754e94950
SHA1 hash:
2ee54a101d1817ffdf1154d6bc19a7fa6db81c97
Link:
https://www.unpac.me/results/e78ff645-9fac-45f6-874a-0e398d416da8/
SH256 hash:
47bb24748cae35dda9b05d605bab62c8595eb87a8903b6de3bca10fc9801f800
MD5 hash:
62bd905bbeb7f321b1d78e4a95797a06
SHA1 hash:
4f387d58b04cf0b5840b9f702a1c2eecff10f38f
Link:
https://www.unpac.me/results/e78ff645-9fac-45f6-874a-0e398d416da8/
SH256 hash:
776a95223350fd100a25f1680a8728dcc8f9703d4c3e13172104ecc42dee5b90
MD5 hash:
4d4fb3b9b08e1f35443345eb7a48f8dc
SHA1 hash:
c944cdf45d66daec119255296ab579da48e6db31
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e78ff645-9fac-45f6-874a-0e398d416da8/
SH256 hash:
a7ad0676293ac058e80724d4ecb7e5458d1e66d0469ae308b5211bb2b01cfebb
MD5 hash:
64b302b59e7f7e3416adaaaa0a75080b
SHA1 hash:
b26dc166ec6469947f60cd1fa6d1c613950d430b
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e78ff645-9fac-45f6-874a-0e398d416da8/
Parent samples :
b94e73181f7dcadaa59fd258eaceb8de41f4161e8baf0fa76fed58d957e4fd36
054e3c0da63e2eed91ab3e0dc24350df990263e90095503f89bd3f79033d3052
bc19c068f80c921461efa45e340b9afecc620222e3fb6fd505785f213fc2a5fd
929f7e8b93d7627c0dbe5c7f47bed56ba33461e915c6e38dc4210975d13a774b
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b94e73181f7d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/b94e73181f7dcadaa59fd258eaceb8de41f4161e8baf0fa76fed58d957e4fd36

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PureLogsStealer

7z 19c87def5789bc0e09d764edf03ba85837db29a331795126068b7153a93e274a

PureLogsStealer

Executable exe b94e73181f7dcadaa59fd258eaceb8de41f4161e8baf0fa76fed58d957e4fd36

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/31159/
  
Dropped by
SHA256 19c87def5789bc0e09d764edf03ba85837db29a331795126068b7153a93e274a
  
Dropped by
MD5 022f5d222cf51bf89d205fbf948ea719

Comments