MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c728f04df01398027a86cd013ccdcb4090949cb1478a8e08ed8e00de7cb6d48a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PureLogsStealer


Vendor detections: 15



SHA256 hash: c728f04df01398027a86cd013ccdcb4090949cb1478a8e08ed8e00de7cb6d48a
SHA3-384 hash: afdf5bdf2bf21cc3d6374a9d498346bd8b7c97b0614772807e0ca792c34cbf687f6d7dc8ecd4f4e57a00f93550e1a3f7
SHA1 hash: 62b36fc44dd3692a334b878b3676c8d852aefd8b
MD5 hash: f91553c20e35c71e431f306f670423a2
humanhash: comet-florida-illinois-cold
File name: arajanlatkeres.jpeg.exe
Signature: PureLogsStealer
File size: 1'448'968 bytes
First seen: 2026-02-23 16:10:54 UTC
Last seen: 2026-02-23 16:36:55 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'820 x AgentTesla, 19'743 x Formbook, 12'286 x SnakeKeylogger)
ssdeep: 24576:EkKMF1LQUoFDSK0CbG+/16Il7Z40yaUEdyGh29JT0cTJ3Y/sSjb:EfMF1s9oKJG+9TNHFdyq2gcVajb
TLSH: T1D36522A82644C803E9A517710B72F6B6177D5DEEE800D30B5EECFDFBB8A6B155C04292
TrID: 25.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      25.3% (.EXE) Win64 Executable (generic) (6522/11/2)
      17.5% (.EXE) Win32 Executable (generic) (4504/4/1)
      8.0% (.ICL) Windows Icons Library (generic) (2059/9)
      7.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: abuse_ch
Tags: exe PureLogsStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 138
Origin country: SE
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: arajanlatkeres.jpeg.exe
Verdict: Malicious activity
Analysis date: 2026-02-23 16:14:50 UTC
Tags: netreactor purehvnc

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 92.5%
Tags: underscore injection shell micro
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a custom TCP request
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
Connection attempt
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: bitmap expired-cert invalid-signature krypt masquerade obfuscated packed signed stego strictor
Verdict: Malicious
File Type: exe x32
Detections: PDM:Trojan.Win32.Generic PDM:Trojan.Win32.Badex.d HEUR:Trojan.MSIL.PowerShell.gen
Result
Threat name: PureLog Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected PureLog Stealer
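The Sigma hit "Powershell Base64 Encoded MpPreference Cmdlet" and the "Adds a directory exclusion to Windows Defender" signature both come down to spotting Add-MpPreference inside a -EncodedCommand payload. The block below is an added example written for this entry, not code from MalwareBazaar, the sandboxes or the Sigma project: it reproduces the base64-alignment trick that lets a rule match the cmdlet without decoding, then pairs it with a decode-and-confirm pass that also recovers the excluded paths or processes. The command lines it scans are constructed for the demonstration and were not recovered from this sample; the encoded-flag spellings and the -Exclusion* parameter list are assumptions of the example.

```python
"""Flag base64-encoded PowerShell that adds a Microsoft Defender exclusion.

Added example for this entry, not MalwareBazaar, sandbox or Sigma project code.
The command lines at the bottom are constructed for the demonstration and were
not recovered from this sample's execution.
"""
import base64
import re

TARGET_CMDLET = "Add-MpPreference"

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the spellings
# listed here are an assumption of the example, not an exhaustive set.
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})"
)
# Parameters of Add-MpPreference that carve holes in Defender coverage.
EXCLUSION_PARAM = re.compile(
    r"(?i)-Exclusion(?:Path|Process|Extension|IpAddress)\s+(\"[^\"]*\"|'[^']*'|\S+)"
)


def base64_variants(text: str) -> list[str]:
    """Three base64 alignments of `text` as -EncodedCommand carries it (UTF-16LE).

    Base64 maps 3 bytes to 4 characters, so a substring's encoding depends on its
    byte offset modulo 3. Prepending 0, 1 or 2 filler bytes yields each alignment;
    the characters that also depend on the filler (front) or on whatever follows
    the string (back) are trimmed so each variant is a safe substring to match.
    This is the trick behind Sigma's `base64offset` modifier.
    """
    raw = text.encode("utf-16-le")
    start = (0, 2, 3)        # leading chars contaminated by the i filler bytes
    end = (None, -3, -2)     # trailing chars contaminated by padding, keyed on (len + i) % 3
    return [
        base64.b64encode(b"\x00" * i + raw).decode("ascii")[start[i]:end[(len(raw) + i) % 3]]
        for i in range(3)
    ]


def encode_powershell(script: str) -> str:
    """Encode a script exactly as `powershell -EncodedCommand` expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def inspect_command_line(command_line: str) -> dict:
    """Run two passes over one process-creation command line.

    alignment_match: substring search for the three base64 alignments; cheap and
    usable on raw logs, but case-sensitive, because 'add-mppreference' encodes
    to different bytes and slips past it.
    decoded_match: decode the payload and search case-insensitively; also pulls
    out the -Exclusion* arguments so the responder knows what was whitelisted.
    """
    result = {"encoded": False, "alignment_match": False, "decoded_match": False,
              "decoded": None, "exclusions": []}
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return result                      # plain-text use belongs to another rule
    payload = m.group(1)
    result["encoded"] = True
    result["alignment_match"] = any(v in payload for v in base64_variants(TARGET_CMDLET))
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return result                      # not valid -EncodedCommand input
    result["decoded"] = decoded
    result["decoded_match"] = TARGET_CMDLET.lower() in decoded.lower()
    if result["decoded_match"]:
        result["exclusions"] = [a.strip("\"'") for a in EXCLUSION_PARAM.findall(decoded)]
    return result


def scan(command_lines: list[str]) -> list[dict]:
    """Apply both passes to a batch of command lines."""
    return [inspect_command_line(c) for c in command_lines]


# Constructed command lines for the demonstration (not from the sample).
SAMPLE_COMMAND_LINES = [
    # Exclusion via encoded command, canonical casing: both passes fire.
    "powershell.exe -NoProfile -w hidden -enc "
    + encode_powershell('Add-MpPreference -ExclusionPath "C:\\Users\\Public\\Drop"'),
    # Same action, lower-case cmdlet: only the decoding pass fires.
    "powershell.exe -ec " + encode_powershell("add-mppreference -exclusionprocess loader.exe"),
    # Benign encoded command: neither pass fires.
    "powershell.exe -EncodedCommand " + encode_powershell("Get-Date"),
    # Plain-text exclusion: no encoded flag, out of scope for a base64 rule.
    'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\\Temp"',
]

if __name__ == "__main__":
    for cmd, r in zip(SAMPLE_COMMAND_LINES, scan(SAMPLE_COMMAND_LINES)):
        print(f"{cmd[:48]:<48} alignment={r['alignment_match']!s:<5} "
              f"decoded={r['decoded_match']!s:<5} exclusions={r['exclusions']}")
```

The second constructed line is the reason to keep both passes: the alignment match is what a string-only rule can do on a SIEM, but a lower-case cmdlet defeats it, while the decoded pass still fires and tells you which path or process was excluded.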
Threat name: ByteCode-MSIL.Trojan.PhantomStealer
Status: Malicious
First seen: 2026-02-23 12:30:20 UTC
AV detection: 19 of 24 (79.17%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: discovery execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Unpacked files
SHA256 hash: c728f04df01398027a86cd013ccdcb4090949cb1478a8e08ed8e00de7cb6d48a
MD5 hash: f91553c20e35c71e431f306f670423a2
SHA1 hash: 62b36fc44dd3692a334b878b3676c8d852aefd8b

SHA256 hash: bf80785fbffa8da34840fe8c162be61563954da73b2554b03929cb31a08944df
MD5 hash: 8755a5586aa76ef4492558b27844f51a
SHA1 hash: 07c2b7a32395e0b6725b274be0d207b6b93c7d0d
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 563ba0b5ee2e6421fa20a78a6a469226a318b0aa281d1fc907b1f55e4b1006e1
MD5 hash: 76d50549b0d702fecbd7b9ec74337a57
SHA1 hash: b89bf667cc8948b6c53750d820015ba093157f79
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SHA256 hash: 7e1ad413becb342eab79a517ed8a986d01ef6234248f837b5cce16df255cfcd5
MD5 hash: fe6918a61784ffe8063e996735293a1e
SHA1 hash: d4c22969c56656ac95227680eb1fe8d7d7d55bd8

SHA256 hash: 43b26d948dea8ad45c04dab676dbfa0ab447de34f8d4e3e7e852320e0010731c
MD5 hash: 7c5053f92895cb2f78c11e09e0b8541e
SHA1 hash: 3c489b9c471be83faf09ad377ad23d2764444530
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Author: ditekSHen
Description: Detects executables signed with stolen, revoked or invalid certificates

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments