MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1a1d84b660a4ff770b345e169486e2a70b70f143846fe7446dcaf8de91be2be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 21 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1a1d84b660a4ff770b345e169486e2a70b70f143846fe7446dcaf8de91be2be
SHA3-384 hash: ec807738a2d3e17c28d849291a377a3a5cec1d65dd7379a5d8f0b84553b8e2ef963117f69432671bae04378a18a686dc
SHA1 hash: c907c09e8c50139d27011cf320b82d2c49c9521c
MD5 hash: 12e25a923917143e722fee54ae405b25
humanhash: earth-alanine-cola-black
File name:12e25a923917143e722fee54ae405b25.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:2'479'744 bytes
First seen:2025-11-29 23:55:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d42595b695fc008ef2c56aabd8efd68e (373 x Vidar, 94 x Stealc, 92 x Rhadamanthys)
ssdeep 24576:TiymPk3BBj/YeMsBBxUMUIUKCAgByR2j6z9rK1sURqGWWanqRTtK/lj:TiJk3ceOHNoMyR2jSsRwp1
TLSH T19CB58D0B7CD846AEC05A9339AAB252A27674BC470B3233D33ED0AA7D2F363D45535794
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon ecccc89ce6d8e8f0 (2 x DarkTortilla, 1 x PureLogsStealer)
Reporter abuse_ch
Tags:exe PureLogsStealer signed

Code Signing Certificate

Organisation:dark.shopping
Issuer:WE1
Algorithm:sha256WithRSAEncryption
Valid from:2025-10-26T22:53:13Z
Valid to:2026-01-24T23:53:10Z
Serial number: 235c57cc24d84cb60d1555e1a5c59908
Intelligence: 13 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 27be9de337edf46cd91902da3c55e412c3084b75b2a6c0384b24d190eb972232
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
PureLogsStealer C2:
64.56.76.151:2025

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
64.56.76.151:2025 https://threatfox.abuse.ch/ioc/1663318/

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
Going
Details
Going
a sub-decoded component
Link:
https://research.acce.ciphertechsolutions.com/results/feefe4b9-5e9c-4620-8879-0d42196844f7/
Malware family:
n/a
ID:
1
File name:
12e25a923917143e722fee54ae405b25.exe
Verdict:
Malicious activity
Analysis date:
2025-11-29 23:56:16 UTC
Tags:
stealer purecrypter purehvnc netreactor
Link:
https://app.any.run/tasks/61226a51-344a-4440-b9c9-98dff20e8995

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/41872/
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=692b87f0f9fd2d5f941f0bb8
Tags:
injection emotet obfusc virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm crypt golang signed
Link:
https://www.filescan.io/uploads/692b87ebd0d5e7288b50d241/reports/2d0612d1-6087-4447-81af-581db7b20a3c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/d1a1d84b660a4ff770b345e169486e2a70b70f143846fe7446dcaf8de91be2be
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-11-26T03:08:00Z UTC
Last seen:
2025-12-01T11:08:00Z UTC
Hits:
~10
Detections:
Trojan.MSIL.Agent.sb HEUR:Trojan.Win32.Generic HEUR:Trojan.MSIL.Cryptos.gen Backdoor.NanoBot.TCP.C&C HEUR:Trojan.Win64.Generic Trojan-PSW.PureLogs.TCP.C&C Trojan.Win32.Inject.sb
Link:
https://opentip.kaspersky.com/d1a1d84b660a4ff770b345e169486e2a70b70f143846fe7446dcaf8de91be2be/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0e313b66-fcd1-4ea6-9b78-d75db2e033ff
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1822924
Signature
.NET source code contains potential unpacker
AI detected suspicious PE digital signature
Allocates memory in foreign processes
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Creates a thread in another existing process (thread injection)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1822924 Sample: EBMRMz70fx.exe Startdate: 30/11/2025 Architecture: WINDOWS Score: 100 30 play.google.com 2->30 32 clients2.googleusercontent.com 2->32 42 Suricata IDS alerts for network traffic 2->42 44 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 4 other signatures 2->48 9 EBMRMz70fx.exe 2->9         started        signatures3 process4 signatures5 50 Writes to foreign memory regions 9->50 52 Allocates memory in foreign processes 9->52 54 Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners) 9->54 56 2 other signatures 9->56 12 AppLaunch.exe 4 9->12         started        process6 dnsIp7 40 64.56.76.151, 2025, 49713, 49743 PERFECT-INTERNATIONALUS United States 12->40 58 Tries to steal Mail credentials (via file / registry access) 12->58 60 Tries to harvest and steal browser information (history, passwords, etc) 12->60 62 Writes to foreign memory regions 12->62 64 5 other signatures 12->64 16 chrome.exe 1 12->16         started        19 chrome.exe 12->19 injected 21 chrome.exe 12->21 injected 23 4 other processes 12->23 signatures8 process9 dnsIp10 28 192.168.2.4, 138, 2025, 443 unknown unknown 16->28 25 chrome.exe 16->25         started        process11 dnsIp12 34 142.250.105.147, 443, 49722, 49723 GOOGLEUS United States 25->34 36 ogads-pa.clients6.google.com 142.250.12.95, 443, 49733, 49734 GOOGLEUS United States 25->36 38 6 other IPs or domains 25->38
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d1a1d84b660a4ff770b345e169486e2a70b70f143846fe7446dcaf8de91be2be
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/12e25a923917143e722fee54ae405b25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d1a1d84b660a4ff770b345e169486e2a70b70f143846fe7446dcaf8de91be2be/
Verdict:
Malicious
Threat:
Trojan.Win32.TCP
Link:
https://tip.neiki.dev/file/d1a1d84b660a4ff770b345e169486e2a70b70f143846fe7446dcaf8de91be2be
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-11-26 20:56:09 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
15 of 36 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2gq5qs3gbjh7o4ftixqwssdofjylodyuhbdp45cg3sxy32i34k7a._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
collection discovery
Link:
https://tria.ge/reports/251129-3ymjqscq3w/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1101364f-d107-46a6-8dce-0243e6627fe1
Unpacked files
SH256 hash:
d1a1d84b660a4ff770b345e169486e2a70b70f143846fe7446dcaf8de91be2be
MD5 hash:
12e25a923917143e722fee54ae405b25
SHA1 hash:
c907c09e8c50139d27011cf320b82d2c49c9521c
Link:
https://www.unpac.me/results/ea9007e3-3a33-4976-9f1d-40897ea98f1e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d1a1d84b660a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/d1a1d84b660a4ff770b345e169486e2a70b70f143846fe7446dcaf8de91be2be

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/41872/

Comments