MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec7ea6a2febb44c94dc09f3d1a66ea49af94e61f2a4a330dfa9e24e7b776b0f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec7ea6a2febb44c94dc09f3d1a66ea49af94e61f2a4a330dfa9e24e7b776b0f4
SHA3-384 hash: d97189d464d70e0dd9296a424cf529480861d4d21fc48d6001a2e65de39dfa58da2e2edc4ee240687f8c258aa12c79c7
SHA1 hash: 14daabf98de18aff4e2392266d6f7e982b1c979e
MD5 hash: 6737c77e8ee4db7099c297210c7ebd01
humanhash: hot-virginia-nineteen-carpet
File name:6737c77e8ee4db7099c297210c7ebd01.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:1'662'976 bytes
First seen:2026-06-25 08:19:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'076 x AgentTesla, 20'039 x Formbook, 12'353 x SnakeKeylogger)
ssdeep 49152:HzL17RKfePGkEhc8bymg0WUdFA2djD538:HzL17RKf6tE7ymgKd
Threatray 668 similar samples on MalwareBazaar
TLSH T1E97512586259DB01DDE64FF2D935D2F523612DCAE826C3875EE6BEDB39357002E003A2
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe PureLogsStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/3ddfe704-ea00-493b-be1e-05a93f2fd48a/
Malware family:
n/a
ID:
1
File name:
_ec7ea6a2febb44c94dc09f3d1a66ea49af94e61f2a4a330dfa9e24e7b776b0f4.exe
Verdict:
Suspicious activity
Analysis date:
2026-06-25 08:21:06 UTC
Tags:
netreactor
Link:
https://app.any.run/tasks/a5a1cf34-48c6-4b99-a91b-f3caa97333b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71907/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3288.18372.7193.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a3ce4e91548daf709f9a484
Tags:
snake virus shell msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ec7ea6a2febb44c94dc09f3d1a66ea49af94e61f2a4a330dfa9e24e7b776b0f4
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-22T04:38:00Z UTC
Last seen:
2026-06-24T11:50:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/ec7ea6a2febb44c94dc09f3d1a66ea49af94e61f2a4a330dfa9e24e7b776b0f4/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/543f9993-a50f-4bab-b5b5-041df69a8342
Result
Threat name:
PureLogs Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1933581
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a thread in another existing process (thread injection)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected MSIL Injector
Yara detected PureLogs Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1933581 Sample: auY79k77Sm.exe Startdate: 25/06/2026 Architecture: WINDOWS Score: 100 44 Antivirus / Scanner detection for submitted sample 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected PureLogs Stealer 2->48 50 7 other signatures 2->50 8 auY79k77Sm.exe 4 2->8         started        process3 file4 32 C:\Users\user\AppData\...\auY79k77Sm.exe.log, ASCII 8->32 dropped 52 Found many strings related to Crypto-Wallets (likely being stolen) 8->52 54 Adds a directory exclusion to Windows Defender 8->54 56 Switches to a custom stack to bypass stack traces 8->56 58 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 8->58 12 auY79k77Sm.exe 15 3 8->12         started        16 powershell.exe 23 8->16         started        signatures5 process6 dnsIp7 36 155.103.69.184, 49698, 49699, 49700 WHITELABELUS United States 12->36 60 Tries to steal Mail credentials (via file / registry access) 12->60 62 Found many strings related to Crypto-Wallets (likely being stolen) 12->62 64 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 12->64 68 6 other signatures 12->68 18 chrome.exe 3 12->18         started        21 chrome.exe 2 12->21 injected 23 chrome.exe 2 12->23 injected 66 Loading BitLocker PowerShell Module 16->66 25 WmiPrvSE.exe 16->25         started        27 conhost.exe 16->27         started        signatures8 process9 dnsIp10 34 192.168.2.5, 138, 443, 49280 unknown unknown 18->34 29 chrome.exe 2 18->29         started        process11 dnsIp12 38 play.google.com 142.250.65.78, 443, 49734, 49735 GOOGLE-GoogleLLCUS United States 29->38 40 www.google.com 142.251.153.119, 443, 49712, 49713 GOOGLE-GoogleLLCUS United States 29->40 42 5 other IPs or domains 29->42
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ec7ea6a2febb44c94dc09f3d1a66ea49af94e61f2a4a330dfa9e24e7b776b0f4
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ec7ea6a2febb44c94dc09f3d1a66ea49af94e61f2a4a330dfa9e24e7b776b0f4/
Verdict:
Malicious
Threat:
Trojan.MSIL.Crypt
Link:
https://tip.neiki.dev/file/ec7ea6a2febb44c94dc09f3d1a66ea49af94e61f2a4a330dfa9e24e7b776b0f4
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2026-06-22 10:34:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
26 of 36 (72.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5r7knix6xncmstoat46ruzxkjgxzjzq7fjfdgdp2tysopn3wwd2a._file
Verdict:
malicious
Label(s):
purecrypter
Create hunting rule
Similar samples:
2103f9166d9826bd3465d7f5b6c626cd9c8054e6b75d7b507abc096487bfd7c2
PureLogsStealer
700bbe8a6f8d93252ba474406f233d41e3fe702c33ef0563f25abba14192424d
PureLogsStealer
8a82da328a3db0fca63f31e7b464b5989cecfd619ebab0b238c07b63544bf823
PureLogsStealer
c73ce00558fd70ab673cdd385ed5b4c30a2a07227ec2035c0657a9aa3ba14741
PureLogsStealer
d483519637f670022a8e862bfbb12247abe0d31abd3f048cfe9ff559ac9dd1c3
PureLogsStealer
error
PureLogsStealer
f8361430fa1ff9d98d30ce69d66fe7863ed9d0b9437c2373c83e627bfaae8145
PureLogsStealer
+ 658 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection discovery execution spyware stealer
Link:
https://tria.ge/reports/260625-j8v43sas7x/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Unpacked files
SH256 hash:
ec7ea6a2febb44c94dc09f3d1a66ea49af94e61f2a4a330dfa9e24e7b776b0f4
MD5 hash:
6737c77e8ee4db7099c297210c7ebd01
SHA1 hash:
14daabf98de18aff4e2392266d6f7e982b1c979e
Link:
https://www.unpac.me/results/05788126-2773-441a-bde9-64219c6f897f/
SH256 hash:
b1e8c657ecab0b26fc46907e8d0ef00eabe104cf911df5db5c5ce6337aaa070b
MD5 hash:
2e75d9b6f8cf9da99e990b0d67cef0b5
SHA1 hash:
07fec98fce9e48a65b584712f8d57eda2ad7d97c
Link:
https://www.unpac.me/results/05788126-2773-441a-bde9-64219c6f897f/
SH256 hash:
9b7b864b1e026793db7fe15147751249b43d26caeaa90537a9dc4b4cd29c8a35
MD5 hash:
f3f10a350a46d35893c6583dd78e9d16
SHA1 hash:
a8d4eb50dc881e14652e2c339ee341a6cd57b41d
Link:
https://www.unpac.me/results/05788126-2773-441a-bde9-64219c6f897f/
SH256 hash:
ff63ffd900f3e34f05b91a20561a5a616311d61105112fc2f514c3dfc87ec01e
MD5 hash:
ad6741f0d3e99f8da83aabe2b8856a67
SHA1 hash:
ac57df440ecc2660fe1c174d427686fb567309e7
Link:
https://www.unpac.me/results/05788126-2773-441a-bde9-64219c6f897f/
SH256 hash:
57dab4b516bacb1db29fafa0c0bdd5c61cf2429adaa809f2f7da3023f259ebfd
MD5 hash:
55280e8deade7993fd10e2b6e73e6706
SHA1 hash:
53238ce83626f024398e775d844be5ed7a6a331a
Link:
https://www.unpac.me/results/05788126-2773-441a-bde9-64219c6f897f/
SH256 hash:
b2a66e9864f81c2800a5afef4bfd1faf7c910e5a43ea2eb9dbb15c8ab6ffc633
MD5 hash:
f0a13fb422cdb1f3ce667df897b5045b
SHA1 hash:
9b6566603e3a292482788924a83a1d94a9cd4627
Link:
https://www.unpac.me/results/05788126-2773-441a-bde9-64219c6f897f/
SH256 hash:
d6c2c735fc1a273964fceff7feb01b80fbcbb6a80a6c7eb4a6fc4102962c0560
MD5 hash:
e6832125fbf8451bf4689b281da63c64
SHA1 hash:
a626ff48ea470179371e27334935fabc34765252
Link:
https://www.unpac.me/results/05788126-2773-441a-bde9-64219c6f897f/
Malware family:
PureRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ec7ea6a2febb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ec7ea6a2febb44c94dc09f3d1a66ea49af94e61f2a4a330dfa9e24e7b776b0f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/71907/

Comments