MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecb52ac571074c4c501344241912a964ab30356a3883ca2c1db3b3b6914399a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureLogsStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 5 File information Comments

SHA256 hash:	ecb52ac571074c4c501344241912a964ab30356a3883ca2c1db3b3b6914399a6
SHA3-384 hash:	f51dcb576995d8f679c90d16f0ebfdf68e170e48887e0112842532141b0408e1c4d51b3ae0b16eeff481b685a92ae3d9
SHA1 hash:	e4d4bf25acb9ab825db87aaafc2b2c060aedc50f
MD5 hash:	94579ecff67b88fef9014fab1aafc4e1
humanhash:	saturn-uncle-network-fish
File name:	emcs.exe
Download:	download sample
Signature	PureLogsStealer Create hunting rule
File size:	1'162'240 bytes
First seen:	2025-11-05 13:13:02 UTC
Last seen:	2025-11-05 13:39:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:Bc1o+vZTk3YCuLHOx02971OY+d7Po5w9jnhCH9FdYTi9B:OlQgDHM71Obf9jg7C
TLSH	T1793523171A1DCB1AE5E64BF02EB2D27043B48E4CE961EB575DE8AFC774627207908327
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	Anonymous
Tags:	185-149-24-201 exe PureLogsStealer Spam-ITA

Intelligence

File Origin

# of uploads :

# of downloads :

100

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

emcs.exe

Verdict:

Malicious activity

Analysis date:

2025-11-05 13:17:48 UTC

Tags:

stealer purecrypter netreactor purehvnc

Link:

https://app.any.run/tasks/7884a9b2-bb09-4da1-8776-6b7306de8a10

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/35495/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=690b4d80ea0f3e915c23218c

Tags:

malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Connection attempt

Using the Windows Management Instrumentation requests

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/690b4d7154bd57cadc98a652/reports/37228a69-a025-4a1b-add7-683dd516ea88/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ecb52ac571074c4c501344241912a964ab30356a3883ca2c1db3b3b6914399a6

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-05T06:21:00Z UTC

Last seen:

2025-11-05T09:22:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/ecb52ac571074c4c501344241912a964ab30356a3883ca2c1db3b3b6914399a6/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/bf55e2ee-51f1-4ebd-bfe1-908dfbdba70e

Result

Threat name:

PureLog Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1808551

Signature

.NET source code contains potential unpacker

Creates a thread in another existing process (thread injection)

Injects a PE file into a foreign processes

Suricata IDS alerts for network traffic

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ecb52ac571074c4c501344241912a964ab30356a3883ca2c1db3b3b6914399a6

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.22 Win 32 Exe x86

Link:

https://app.malva.re/file/94579ecff67b88fef9014fab1aafc4e1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ecb52ac571074c4c501344241912a964ab30356a3883ca2c1db3b3b6914399a6/

Verdict:

Malicious

Threat:

VHO:Backdoor.MSIL.XWorm

Link:

https://tip.neiki.dev/file/ecb52ac571074c4c501344241912a964ab30356a3883ca2c1db3b3b6914399a6

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5s2svrlra5geyuatiqsbsevjmsvtanlkhcb4ula5woz3nekdtgta._file

Verdict:

malicious

Label(s):

unc_loader_037

purecrypter

katzstealer

Similar samples:

error

PureLogsStealer

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/251105-qgb1fswjc1/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

SmartAssembly .NET packer

Suspicious use of SetThreadContext

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/6d9dbf15-a3c0-4d4f-b649-a3cc10068bea

Unpacked files

SH256 hash:

ecb52ac571074c4c501344241912a964ab30356a3883ca2c1db3b3b6914399a6

MD5 hash:

94579ecff67b88fef9014fab1aafc4e1

SHA1 hash:

e4d4bf25acb9ab825db87aaafc2b2c060aedc50f

Link:

https://www.unpac.me/results/6ec4e947-23cb-46de-9ab6-0044995b7504/

SH256 hash:

8e4377c9aeb0cf61a71249dc8a3fce7550e92222667587bfd6c9c32dea9efce3

MD5 hash:

ee6fee04d0358d7e6da05a44d5d5234e

SHA1 hash:

7d6013721aec610bf810f01d7c8dd3d0499fac23

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/6ec4e947-23cb-46de-9ab6-0044995b7504/

SH256 hash:

bc2927f389e140b629c71d7cf20bec7897660d55a4ede2bee416bc7a3e90646f

MD5 hash:

52dc0590d461e02f5148961b29ac16e5

SHA1 hash:

951a795bbf23f6750db87dc657eb724e51e70f58

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/6ec4e947-23cb-46de-9ab6-0044995b7504/

Parent samples :

ecb52ac571074c4c501344241912a964ab30356a3883ca2c1db3b3b6914399a6
5310cbf5067a34b198535c5245be1a08296ce9525ce7748fa9ffc91f246fe9db
86bab321000ab08a9bc5c2eb689c46f779fe62763a0a3fb44b3b79dc958b203d
2675cf7ad014da2525a0fd9ac10362a6b5f8ce33375d0225d299ed2342e196e0
d41a54ee9f6f0de81009d98955fdd03cc7458ef3089bd4d21f8a1fc167f72928
8565683618c7ee771b85070d5694bc041ec25aa7086ce04a44135a81493e3970
d7911c750b95eda25760d99dbc911f231f831492be7f55ee2620c25e85d01dee
4dd4dc6e537cd6431e9f5b84a99a81349e2aa2816dc2c95db9590ee958acd05d
9d020d9aa66b2f0f5ed13065b7d9a8413e8834fc77d78572f4e280965758ae42
45f1f0c4c76cee479f0bb2966f4d9c157e344f9749cdfeb5e4b396aa3285c18d
b2b9e06249eca4b3378f0fcc6b2dbf3fe279f8d2e803f053a406c1de4145623d
6c09b777df1a95bac8b74f67909ea7a24dd048d58847003546ccef328f72aff6
ef2ef9c4bbc252a65d09f98c7dfe0c89a004bf4df3ccc3dcf65230cfcadf580f
218828c21b545913e8527389ce353dadb66e463c9e2e2c9c98d637153bd86db4
628a3c3cbfd3a17bb69a617224e33d239729ced5665091578bf96cde788155c3
d96541e0ccbe6b139e9cc92a198fbe5e759e37369ad0fa0233828afefe8cdd34

SH256 hash:

9c164687268cf1235c52a649e4d7ac9497b4925637c7b9abcbb6df1811e09472

MD5 hash:

8cef51e0b1584b8b1efbb552b1831f17

SHA1 hash:

d8ec994aedaa19ae3309d6f243705be7a1867b51

Link:

https://www.unpac.me/results/6ec4e947-23cb-46de-9ab6-0044995b7504/

SH256 hash:

7f10d97fb028cbf0e63b89ed45500eeb2e5bfd10d149788edd7eec7d242408a5

MD5 hash:

338822a082df7cd0df2d08cdb4ad7468

SHA1 hash:

562f54585dfbb34215503b584652475faa504440

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/6ec4e947-23cb-46de-9ab6-0044995b7504/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ecb52ac57107/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

zgRAT

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ecb52ac571074c4c501344241912a964ab30356a3883ca2c1db3b3b6914399a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/35495/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample