MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c56eada17d6c1dc11aef7339b2976be7fd74fbc531d1ffe360ee144316681f72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c56eada17d6c1dc11aef7339b2976be7fd74fbc531d1ffe360ee144316681f72
SHA3-384 hash: 3063ca2952e6e44b9233db002331d94da7438a42d5e089a6c68fceb41ffd8705cf91a85f92c6abf5ceed916f3c7b0b53
SHA1 hash: f90bcfb3a8254b3a2f46301f4a2f43d5d8242170
MD5 hash: f7aa4fc3a6c964522752102e9818f0cc
humanhash: jig-black-football-skylark
File name:a.hta
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:76'664 bytes
First seen:2025-11-16 14:37:57 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 1536:g1q13b+yVab9kNU7UfuxkVJckvAWKhPeFYyxLLfl:g1q19Vab9k8uVJckvyCLfl
TLSH T123736B5E3959BBB028931EF5ED9F103F19B7542528BEA682570087D8BC740ADEBD3C18
TrID 66.6% (.HTML) HyperText Markup Language (UTF-8) (6000/1/1)
33.3% (.TXT) Text - UTF-8 encoded (3000/1)
Magika vba
Reporter smica83
Tags:hta PureLogsStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
HU HU
Vendor Threat Intelligence
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6919e1df434cd67b17c214bc
Tags:
autorun virus shell overt
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/c56eada17d6c1dc11aef7339b2976be7fd74fbc531d1ffe360ee144316681f72/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6919e1db53bda2a5d9f6c95f/reports/2fad291b-c6db-4583-953e-19f1c9eeefad/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/c56eada17d6c1dc11aef7339b2976be7fd74fbc531d1ffe360ee144316681f72
Verdict:
Malicious
File Type:
hta
First seen:
2025-11-16T12:28:00Z UTC
Last seen:
2025-11-17T10:20:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Script.Generic PDM:Trojan.Win32.Generic PDM:Exploit.Win32.Generic Trojan-Downloader.VBS.SLoad.sb Trojan-Downloader.JS.SLoad.sb Trojan.Win32.Agent.sb Trojan.JS.SAgent.sb
Link:
https://opentip.kaspersky.com/c56eada17d6c1dc11aef7339b2976be7fd74fbc531d1ffe360ee144316681f72/results?tab=lookup
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1814889
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Drops PE files with benign system names
Drops script or batch files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs new ROOT certificates
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Powershell drops PE file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Invocations - Specific - PowerShell Module
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Writes to foreign memory regions
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1814889 Sample: a.hta Startdate: 16/11/2025 Architecture: WINDOWS Score: 100 54 harry-site.nl 2->54 56 bg.microsoft.map.fastly.net 2->56 62 Suricata IDS alerts for network traffic 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 Multi AV Scanner detection for dropped file 2->66 68 11 other signatures 2->68 9 mshta.exe 1 2->9         started        12 cmd.exe 1 2->12         started        14 svchost.exe 1 1 2->14         started        signatures3 process4 dnsIp5 92 Suspicious powershell command line found 9->92 94 Bypasses PowerShell execution policy 9->94 17 powershell.exe 15 50 9->17         started        22 svchost.exe 12->22         started        24 conhost.exe 12->24         started        60 127.0.0.1 unknown unknown 14->60 signatures6 process7 dnsIp8 52 harry-site.nl 46.30.215.110, 443, 49713 ONECOMDK Denmark 17->52 42 C:\Users\user\AppData\Local\...\svchost.exe, PE32+ 17->42 dropped 44 C:\Users\user\AppData\...\VCRUNTIME140_1.dll, PE32+ 17->44 dropped 46 C:\Users\user\AppData\...\VCRUNTIME140.dll, PE32+ 17->46 dropped 48 C:\Users\user\AppData\Local\...\MSVCP140.dll, PE32+ 17->48 dropped 70 Installs new ROOT certificates 17->70 72 Found many strings related to Crypto-Wallets (likely being stolen) 17->72 74 Found suspicious powershell code related to unpacking or dynamic code loading 17->74 82 3 other signatures 17->82 26 svchost.exe 1 17->26         started        30 conhost.exe 17->30         started        76 Writes to foreign memory regions 22->76 78 Allocates memory in foreign processes 22->78 80 Injects a PE file into a foreign processes 22->80 32 InstallUtil.exe 22->32         started        34 WerFault.exe 22->34         started        file9 signatures10 process11 file12 50 C:\Users\user\AppData\Roaming\...\svchost.bat, DOS 26->50 dropped 96 Drops script or batch files to the startup folder 26->96 98 Writes to foreign memory regions 26->98 100 Allocates memory in foreign processes 26->100 102 Injects a PE file into a foreign processes 26->102 36 InstallUtil.exe 2 26->36         started        40 WerFault.exe 19 16 26->40         started        signatures13 process14 dnsIp15 58 158.220.88.136, 49722, 56001 LEVANTISCH Switzerland 36->58 84 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 36->84 86 Found many strings related to Crypto-Wallets (likely being stolen) 36->86 88 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 36->88 90 3 other signatures 36->90 signatures16
Score:
87%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/c56eada17d6c1dc11aef7339b2976be7fd74fbc531d1ffe360ee144316681f72
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Html
Link:
https://app.malva.re/file/f7aa4fc3a6c964522752102e9818f0cc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c56eada17d6c1dc11aef7339b2976be7fd74fbc531d1ffe360ee144316681f72/
Verdict:
Malicious
Threat:
Trojan-Downloader.VBS.SLoad
Link:
https://tip.neiki.dev/file/c56eada17d6c1dc11aef7339b2976be7fd74fbc531d1ffe360ee144316681f72
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-11-16 13:47:31 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yvxk3il5nqo4cgxpom43ff3l476xj66fghi77y3a5ykegftid5za._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery execution
Link:
https://tria.ge/reports/251116-rzvqystmfx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Malware Config
Dropper Extraction:
https://harry-site.nl/uitvaart/tf.txt
Malware family:
QuirkyLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c56eada17d6c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c56eada17d6c1dc11aef7339b2976be7fd74fbc531d1ffe360ee144316681f72

File information

The table below shows additional information about this malware sample such as delivery method and external references.

PureLogsStealer

Shortcut (lnk) lnk e17f553220905c179fb636a60e8cac9b29f2fb67d41cf86d8cef8a7c24e5d936

PureLogsStealer

HTML Application (hta) hta c56eada17d6c1dc11aef7339b2976be7fd74fbc531d1ffe360ee144316681f72

(this sample)

  
Dropped by
SHA256 e17f553220905c179fb636a60e8cac9b29f2fb67d41cf86d8cef8a7c24e5d936
  
Dropped by
MD5 cfb48c2cab273fcebb11028b7ce449fa

Comments