MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2ba4ff2e0b28f327c3990bcc6b214c214f89197dd5eac02641431e6c1d88f1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PureLogsStealer


Vendor detections: 15



SHA256 hash: d2ba4ff2e0b28f327c3990bcc6b214c214f89197dd5eac02641431e6c1d88f1c
SHA3-384 hash: c5318d78892f627ec380c99c4ab3119fcf0d47900a8e465f52b6cd087af435bc78aed85b482046f3c307ec90ce642051
SHA1 hash: 7967eea0fe63d7cb495496758e311387eaa7fe22
MD5 hash: c589a80535af5c1c95afafca84b6e295
humanhash: edward-snake-sink-crazy
File name: COSU66824763814 TLX HBL 00LU896879.exe
Signature PureLogsStealer
File size: 1'183'744 bytes
First seen: 2026-01-19 08:15:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'659 x Formbook, 12'249 x SnakeKeylogger)
ssdeep 24576:1u2mCk8WLF3/ZVciuFhEPcE9xLNeCCUC7rEciPrses/YodGMU/:1Hm180/gVkHLGUC7IcAges/Yn
TLSH T148450207B68DCB0EEA5147B43571E2715268AF9BE821C246B9ECFDBF3435A0C5A442C6
TrID 35.4% (.EXE) Win64 Executable (generic) (10522/11/4)
22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.1% (.EXE) Win32 Executable (generic) (4504/4/1)
6.9% (.ICL) Windows Icons Library (generic) (2059/9)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags: exe PureLogsStealer


abuse_ch
PureLogsStealer C2:
38.49.213.155:9980

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 38.49.213.155:9980
ThreatFox Reference: https://threatfox.abuse.ch/ioc/1734308/

Intelligence


File Origin
# of uploads :
1
# of downloads :
147
Origin country :
NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
COSU66824763814 TLX HBL 00LU896879.exe
Verdict:
Malicious activity
Analysis date:
2026-01-19 08:16:30 UTC
Tags:
stealer purecrypter purehvnc netreactor

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
91.7%
Tags:
backdoor nanobot shell
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
krypt obfuscated packed
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-19T05:21:00Z UTC
Last seen:
2026-01-19T17:11:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.PureLogs.TCP.C&C PDM:Trojan.Win32.Generic HEUR:Trojan-PSW.MSIL.Agensla.gen Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb
Result
Threat name:
PureLog Stealer
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1853223
Sample: COSU66824763814 TLX HBL 00L...
Start date: 19/01/2026
Architecture: WINDOWS
Score: 100
Sample-level signatures: Suricata IDS alerts for network traffic; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 8 other signatures
Process: COSU66824763814 TLX HBL 00LU896879.exe (started from sample)
  Dropped file: COSU66824763814 TL... 00LU896879.exe.log, ASCII
  Signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  Started: COSU66824763814 TLX HBL 00LU896879.exe (second instance); powershell.exe
Process: COSU66824763814 TLX HBL 00LU896879.exe (second instance)
  Network: 38.49.213.155, ports 49687, 49718, 49719, COGENT-174US United States
  Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; 4 other signatures
  Started: chrome.exe; 4 other processes
  Injected: chrome.exe; chrome.exe
Process: powershell.exe
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe
Process: chrome.exe (started by second instance)
  Network: 192.168.2.6, ports 138, 443, 49687, unknown unknown
  Started: chrome.exe
Process: chrome.exe (child)
  Network: www.google.com 142.251.40.100, ports 443, 49693, 49694, GOOGLEUS United States; googlehosted.l.googleusercontent.com 172.217.12.129, ports 443, 49707, GOOGLEUS United States; clients2.googleusercontent.com
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.45 Win 32 Exe x86
Threat name:
ByteCode-MSIL.Trojan.PureLogStealer
Status:
Malicious
First seen:
2026-01-19 08:14:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
16 of 24 (66.67%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
8/10
Tags:
collection discovery execution spyware stealer
Behaviour
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Windows directory
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Unpacked files
SHA256 hash:
d2ba4ff2e0b28f327c3990bcc6b214c214f89197dd5eac02641431e6c1d88f1c
MD5 hash:
c589a80535af5c1c95afafca84b6e295
SHA1 hash:
7967eea0fe63d7cb495496758e311387eaa7fe22
SHA256 hash:
772995c62f07a08715f25a3e438afbb7fba7fae149a72ad89b9fa17dd70db1a5
MD5 hash:
6079e231338bfe8c7a5e56ed1275a193
SHA1 hash:
00ee9517a62fcc9b5c52bc415bc540c8e1a3f081
SHA256 hash:
5dd7f41c2da3727b5a57bdd459fa97b434f117393e78c37b4a027105ee65d8be
MD5 hash:
4d407d9302593919153a4da8d90a8e11
SHA1 hash:
68d1db5660666b363038cf380caab328f0b7525f
Detections:
INDICATOR_EXE_Packed_SmartAssembly
SHA256 hash:
fba6d1bc32c1f9ccef22787a832075241dbf85ad2f04c8fd7fec615bf45f2039
MD5 hash:
d033e083150c553952dab5b68dc6ce25
SHA1 hash:
e3d0b96cef045ff037b41eb0869f4ac5ef36c11f
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
SHA256 hash:
11059218c0402e4fce82cecc1b5fd078ca8040785f2988cf01f01920daa06dea
MD5 hash:
44ca48a6882e3122c80f27b40287f7b3
SHA1 hash:
137050dfb604754315761af75311a08602d8d1fd
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments