MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d17271c880d5af246df33d3f0f3bdad6f6356db81819bb267f17b115ad353f0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PureLogsStealer


Vendor detections: 16



SHA256 hash: d17271c880d5af246df33d3f0f3bdad6f6356db81819bb267f17b115ad353f0a
SHA3-384 hash: cf0916d671e8f12f8968530804e2c5471f2d84726a663b1e31cd1c1258791cc714ce34a3f5be3da79c3c68ddb3cbc377
SHA1 hash: 3bf89951b05d75685b20bbf2dc8f663c9b1ffc36
MD5 hash: 2969a2350e3e2e95d5466db514115216
humanhash: shade-one-mike-idaho
File name: vllc.exe
Signature: PureLogsStealer
File size: 1'036'288 bytes
First seen: 2025-11-12 10:13:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 24576:HTshNEVkj8amP5jLyFlEzz/Pv4jJWNqs5oNqa0gr65:zg4jaEJLy3Ef/Pv4jk+r6
Threatray: 4'177 similar samples on MalwareBazaar
TLSH: T195251266629DDF26C02B6FF419A1C17113796FA9A012C30B4EE62DDF7476F408A42BD3
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: skocherhan
Tags: 107-172-135-8 exe kutt-chatforma-com PureLogsStealer


skocherhan
https://107.172.135.8/170/vllc.exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
139
Origin country :
GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
vllc.exe
Verdict:
Malicious activity
Analysis date:
2025-11-12 10:16:12 UTC
Tags:
stealer purecrypter purehvnc netreactor

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
70%
Tags:
backdoor nanobot micro
Result
Verdict:
Malware

Behaviour
Creating a window
DNS request
Connection attempt
Creating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Connection attempt to an infection source
Sending a TCP request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-12T06:36:00Z UTC
Last seen:
2025-11-13T07:09:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.PureLogs.TCP.C&C PDM:Trojan.Win32.Generic HEUR:Trojan-PSW.MSIL.Agensla.gen HEUR:Trojan.MSIL.Agent.gen Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb
Result
Threat name:
PureLog Stealer
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected PureLog Stealer
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.29 Win 32 Exe x86
Threat name:
ByteCode-MSIL.Trojan.XWorm
Status:
Malicious
First seen:
2025-11-12 10:14:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection discovery spyware stealer
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Unpacked files
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

PureLogsStealer

Executable exe d17271c880d5af246df33d3f0f3bdad6f6356db81819bb267f17b115ad353f0a

(this sample)
