MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 deb64bf0edd1bee39cb1691cc99eefeca7a493316a316f79447edaa09c290d43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: PureLogsStealer
Vendor detections: 9

SHA256 hash: deb64bf0edd1bee39cb1691cc99eefeca7a493316a316f79447edaa09c290d43
SHA3-384 hash: 0cef17c7cd58e3e3078f061c3dc8c9916b8c4ea1f8638caedf3d1b7716d86563962f33c7445ef8c36fff1fc3f595a4ae
SHA1 hash: 5a005d65303aaa1ffb813c76126a8df887c98813
MD5 hash: 4fd7da886ec5687497dbd3cc9184d0f4
humanhash: potato-aspen-vermont-robin
File name: Mbbank_07860731.gz
Signature: PureLogsStealer
File size: 977'404 bytes
First seen: 2025-12-09 09:25:10 UTC
Last seen: Never
File type: gz
MIME type: application/gzip
ssdeep: 24576:GDtQHk/AjgIqeiHcQcTApBtPWKbNSOj5rzQxujB:GWHhjJJiVcTA3g8NFJx
TLSH: T12E25333D03293ED3B549C5B4278B9C4923A8C6F65C950FD84AAC62FCA8A250E771F5C7
Magika: gzip
Reporter: cocaman
Tags: gz PureLogsStealer


Comment by cocaman:
Malicious email (T1566.001)
From: "MB Bank <export@pinebattery.com>" (likely spoofed)
Received: "from mail.pinebattery.com (mail.pinebattery.com [104.223.66.94]) "
Date: "Tue, 09 Dec 2025 06:23:11 +0100"
Subject: "=?UTF-8?Q?H=C3=93A_=C4=90=C6=A0N_=C4=90I=E1=BB=86N_T=E1=BB=AC_NG?=
=?UTF-8?Q?=C3=82N_H=C3=80NG_TMCP_QU=C3=82N_=C4=90=E1=BB=98I_=28MBB_E-INVO?=
=?UTF-8?Q?ICE=29?="
Attachment: "Mbbank_07860731.gz"

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 73
Origin country: CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: Mbbank_07860731.exe
File size: 1'061'888 bytes
SHA256 hash: 6712822d0051f3cf96949990caaf64dc9f9b0ed059d80fdfa040170dc2199cd5
MD5 hash: cf9ca1a410674e1af26582ca113f89b5
MIME type: application/x-dosexec
Signature: PureLogsStealer
Vendor Threat Intelligence

No detections

Verdict: Malicious
Score: 96.5%
Tags: virus micro msil

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: krypt obfuscated obfuscated packed vbnet

Verdict: Malicious
File type: gz
First seen: 2025-12-09T04:19:00Z UTC
Last seen: 2025-12-11T06:48:00Z UTC
Hits: ~10

Verdict: inconclusive
YARA: 1 match(es)
Tags: .Net Executable GZip Archive Managed .NET PE (Portable Executable) PE File Layout SOS: 0.82

Verdict: Malicious
Threat: ByteCode-MSIL.Malware.Heuristic

Threat name: Win32.Trojan.Kepavll
Status: Malicious

First seen: 2025-12-09 04:45:13 UTC
File type: Binary (Archive)
Extracted files: 9
AV detection: 24 of 37 (64.86%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: collection discovery spyware stealer
Behaviour:
  Enumerates system info in registry
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of WriteProcessMemory
  outlook_office_path
  outlook_win_path
  Browser Information Discovery
  System Location Discovery: System Language Discovery
  Drops file in Windows directory
  Suspicious use of SetThreadContext
  Accesses Microsoft Outlook profiles
  Reads WinSCP keys stored on the system
  Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Signature: PureLogsStealer
File type: gz
SHA256 hash: deb64bf0edd1bee39cb1691cc99eefeca7a493316a316f79447edaa09c290d43 (this sample)

Delivery method: Distributed via e-mail attachment

Comments