MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da8f90cdf55dac9dc49c588d9bca732abf392fcf1d8e8b0c56d1742b66f18ddd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureLogsStealer

Vendor detections: 17

SHA256 hash: da8f90cdf55dac9dc49c588d9bca732abf392fcf1d8e8b0c56d1742b66f18ddd
SHA3-384 hash: 8727ad1298e8ff44025c3c5d1104ce293467accc213f1f1477ce89c6e2a34d6aa036f7b992e18f7b4862476ada74539f
SHA1 hash: d3b0f0ec8b71f2a203209954b560c036d82a4187
MD5 hash: 0b0352fbdcfdd76a601e417b063dff97
humanhash: monkey-maryland-king-carbon
File name: eko7.exe
Download: download sample
Signature: PureLogsStealer
File size: 1'619'456 bytes
First seen: 2025-07-26 00:32:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:Xej+Z6yZNpeEqe4FmWXFLhKYgq4M7r66Qld1q2/omv6d49HA7doB0h+kfvh7SCWs:XO+Z6yZNymsKYgq4Ur+GmyiaiBX47S/
TLSH T106753319D0B8CA4BFDBEA9324E78BAF4E3CF778879325075D8C1C694C856560BE13825
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags: exe PureLogsStealer

abuse_ch
PureLogsStealer C2:
196.251.114.93:7705

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
196.251.114.93:7705 | https://threatfox.abuse.ch/ioc/1560779/

Intelligence


File Origin
# of uploads:
1
# of downloads:
29
Origin country:
NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
eko7.exe
Verdict:
Malicious activity
Analysis date:
2025-07-25 22:41:08 UTC
Tags:
auto-reg auto-startup netreactor ims-api generic crypto-regex xworm purehvnc stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Tags:
asyncrat autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Creating a window
DNS request
Connection attempt
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Malware family:
ModernLoader
Verdict:
Malicious
Result
Threat name:
MicroClip, PureLog Stealer, ResolverRAT
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Drops PE files with benign system names
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected MicroClip
Yara detected PureLog Stealer
Yara detected ResolverRAT
Yara detected XWorm
Behaviour
Behavior Graph:
Behavior Graph ID: 1744449; Sample: eko7.exe; Startdate: 26/07/2025; Architecture: WINDOWS; Score: 100 (graph image not reproduced; the recoverable node labels are listed below)
Hosts contacted in the graph: sixx.hopto.org (196.251.114.93, ports 1602/49690/49691, xneeloZA Seychelles), bg.microsoft.map.fastly.net, googlehosted.l.googleusercontent.com (142.250.64.97), www.google.com (142.250.65.228), clients2.googleusercontent.com, 192.168.2.10
Files dropped in the graph: C:\Users\user\AppData\Roaming\svchost.exe, C:\Users\user\AppData\Roaming\svc.exe, C:\Users\...\Windows Security Health Host.exe, C:\Users\user\AppData\Roaming\ShellHost.exe, C:\Users\user\AppData\Roaming\...\dgcd.exe, plus 2 other malicious files
Processes in the graph: eko7.exe, dgcd.exe, ShellHost.exe, svc.exe, Runtime userer.exe, svchost.exe, WerFault.exe, conhost.exe (x4), chrome.exe (started and injected), plus 12 other processes
Verdict:
inconclusive
YARA:
11 match(es)
Tags:
.Net Executable PE (Portable Executable) SOS: 0.20 Win 32 Exe x86
Verdict:
Malicious
Threat:
ByteCode-MSIL.Trojan.Generic
Threat name:
Win32.Trojan.XWormRAT
Status:
Malicious
First seen:
2025-07-25 22:41:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
30 of 37 (81.08%)
Threat level:
5/5
Verdict:
malicious
Label(s):
purecrypter
Similar samples:
Result
Malware family:
Score:
10/10
Tags:
family:xworm collection discovery execution persistence rat spyware stealer trojan
Behaviour
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Contains code to disable Windows Defender
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
sixx.hopto.org:1602
Verdict:
Malicious
Tags:
Win.Packed.Packy-10033570-0
YARA:
n/a
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain (Obfuscated or no) Powershell or CMD Command that can be abused by threat actor (can create FP)
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Comments