MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bae2b47193c08a9f98f390845d8a2d25040bc2b2cee6c36f10cfff5d245b24ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bae2b47193c08a9f98f390845d8a2d25040bc2b2cee6c36f10cfff5d245b24ea
SHA3-384 hash: aa3332fe2d175f0d670746eebbbec08b4377c0c8725f4571ff5203c385a193bc87ccf2e5f66595f0156d2a70e46a3a22
SHA1 hash: 036d7322a3ca1cf24fabfb17e0676a3c8364f5cb
MD5 hash: 999190bdbf9716143f68977747ec0824
humanhash: tennessee-nuts-xray-social
File name:FYSWIFT09-MR7Y280-UR8993-93-KSLI0002-RD0003-D.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:628'888 bytes
First seen:2025-12-09 02:10:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7eae418c7423834ffc3d79b4300bd6fb (60 x GuLoader, 21 x RemcosRAT, 18 x AgentTesla)
ssdeep 12288:J6L45thap5UwTk26UjwTbcl6IyyBx/13MRkHZ:J6cthapq6k3owTbOyyD13MR6Z
Threatray 2'883 similar samples on MalwareBazaar
TLSH T19DD4CFE0FEEAE515D88586F7D81ECA1188203C0C27965C9273852B3D95F35CDEAE81F5
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:exe PureLogsStealer


Avatar
abuse_ch
PureLogsStealer C2:
146.70.245.66:5437

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
146.70.245.66:5437 https://threatfox.abuse.ch/ioc/1671875/

Intelligence

File Origin
# of uploads :
1
# of downloads :
137
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
NSIS
Details
Link:
https://research.acce.ciphertechsolutions.com/results/c8228491-27b5-4d20-8af7-f4bf90f796f9/
Malware family:
n/a
ID:
1
File name:
FYSWIFT09-MR7Y280-UR8993-93-KSLI0002-RD0003-D.exe
Verdict:
Malicious activity
Analysis date:
2025-12-09 08:50:16 UTC
Tags:
auto-reg stealer purecrypter purehvnc netreactor
Link:
https://app.any.run/tasks/76e3d8a0-e178-4895-9e82-b46e1e116017

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/43937/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69378519881313558a2ba8c4
Tags:
injection virus blic
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Searching for the window
Creating a file in the %AppData% subdirectories
DNS request
Connection attempt
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug installer installer installer-heuristic microsoft_visual_cc nsis overlay signed
Link:
https://www.filescan.io/uploads/69378516bba50eaf042852b5/reports/40cfd285-0822-482d-87c0-4471b0fa4eb8/overview
Verdict:
Malicious
Labled as:
Trojan.Downloader.oa
Link:
https://www.hybrid-analysis.com/sample/bae2b47193c08a9f98f390845d8a2d25040bc2b2cee6c36f10cfff5d245b24ea
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-08T22:57:00Z UTC
Last seen:
2025-12-09T22:58:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/bae2b47193c08a9f98f390845d8a2d25040bc2b2cee6c36f10cfff5d245b24ea/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b6942c03-9c15-43f0-9bb2-50010ab2548f
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1829224
Signature
AI detected suspicious PE digital signature
Antivirus / Scanner detection for submitted sample
Found direct / indirect Syscall (likely to bypass EDR)
Multi AV Scanner detection for submitted file
Sigma detected: New RUN Key Pointing to Suspicious Folder
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bae2b47193c08a9f98f390845d8a2d25040bc2b2cee6c36f10cfff5d245b24ea
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/999190bdbf9716143f68977747ec0824
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bae2b47193c08a9f98f390845d8a2d25040bc2b2cee6c36f10cfff5d245b24ea/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2025-12-09 02:07:31 UTC
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xlrli4mtycfj7ghtsccf3crneucaxqvsz3tmg3yqz77v2jc3etva._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
525ac0be035eb5b99e8de21ae809abcea86590bd9f122dbf6454274134708f81
PureLogsStealer
73a06f7dec45a77e620fbd3357165fa49733f5abdac2472270de144aded79017
PureLogsStealer
84972e3d631e88d1d7b07d4607f7254fe3a241e661ba36f05076d89fba259fb9
PureLogsStealer
912219e3933db2e01a3d6d0f98a1bc00fa5073c715a84fe17e06ba6fa9d8ad2b
PureLogsStealer
9397d4f47a1bef3d2720ff562c737c128521397827accf917fccd987e4d03948
PureLogsStealer
error
PureLogsStealer
fa61c2fc0ebca57c196cb2eb3e0bb93e763ca8930be00b8b7f4ffee34ec30453
PureLogsStealer
+ 2'873 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/251209-clys5abx2e/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5b4f6fe7-bea7-4677-9250-216180ff4b0e
Unpacked files
SH256 hash:
bae2b47193c08a9f98f390845d8a2d25040bc2b2cee6c36f10cfff5d245b24ea
MD5 hash:
999190bdbf9716143f68977747ec0824
SHA1 hash:
036d7322a3ca1cf24fabfb17e0676a3c8364f5cb
Link:
https://www.unpac.me/results/91d9866d-2e36-44ca-8fb8-42c6df5e3596/
SH256 hash:
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
MD5 hash:
8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 hash:
7cc1caaa747ee16dc894a600a4256f64fa65a9b8
Link:
https://www.unpac.me/results/91d9866d-2e36-44ca-8fb8-42c6df5e3596/
SH256 hash:
c5ba017732597a82f695b084d1aa7fe3b356168cc66105b9392a9c5b06be5188
MD5 hash:
ec9640b70e07141febbe2cd4cc42510f
SHA1 hash:
64a5e4b90e5fe62aa40e7ac9e16342ed066f0306
Link:
https://www.unpac.me/results/91d9866d-2e36-44ca-8fb8-42c6df5e3596/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bae2b47193c0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
StrelaStealer
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bae2b47193c08a9f98f390845d8a2d25040bc2b2cee6c36f10cfff5d245b24ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/43937/

Comments