MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efc587da20be6fc424af7edfd1b1e4fdf05273a1b4acbf955b3303b7b592dd17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: efc587da20be6fc424af7edfd1b1e4fdf05273a1b4acbf955b3303b7b592dd17
SHA3-384 hash: c5ca8c7b863a156188cdf94da88214450688e68d2376908cbde4a270e0c0fe214a672740bad1e44cc62c955a64100d16
SHA1 hash: 9bc258075432cd4a2156d5936f1b462fd8b3a02a
MD5 hash: 801b32929be13ba45c9eaa411a33e368
humanhash: fanta-georgia-fanta-delaware
File name:Swift103December25-1121-100101294-002894-2002.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:444'824 bytes
First seen:2025-12-16 08:20:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 744 x AgentTesla, 437 x GuLoader)
ssdeep 12288:cYiPMFdFRO2sLMfjokSpu9tBSL53oPETr:cYiOdFRmMbcpu9nSLViEf
TLSH T1F99412C8FDD4C063D25224F1F5AE566AAAF4E80223D18F6B67211F8870A716CD9DD2E1
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon da9b5bae12020202 (1 x PureLogsStealer)
Reporter abuse_ch
Tags:exe PureLogsStealer signed

Code Signing Certificate

Organisation:Selvhjaelp
Issuer:Selvhjaelp
Algorithm:sha256WithRSAEncryption
Valid from:2025-10-19T10:29:31Z
Valid to:2026-10-19T10:29:31Z
Serial number: 491856805425294700374867e528b0db6e8b83d2
Thumbprint Algorithm:SHA256
Thumbprint: 93f4baf84e4e8fdeceda2929b1c7c1ac84c89bbf8a9a0b809312d1f1f0e886da
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
PureLogsStealer C2:
213.152.161.201:6844

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
213.152.161.201:6844 https://threatfox.abuse.ch/ioc/1680656/

Intelligence

File Origin
# of uploads :
1
# of downloads :
174
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
NSIS
Details
Link:
https://research.acce.ciphertechsolutions.com/results/d79a25aa-a22a-48bb-8920-bd97a2466253/
Malware family:
n/a
ID:
1
File name:
Swift103December25-1121-100101294-002894-2002.exe
Verdict:
Malicious activity
Analysis date:
2025-12-16 08:21:21 UTC
Tags:
auto-reg stealer purecrypter
Link:
https://app.any.run/tasks/fdda6b18-5db3-4aba-a22a-fa89fca066ca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/45181/
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=694116484d2b81828c3b452f
Tags:
n/a
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Searching for the window
Creating a file in the %AppData% subdirectories
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole installer installer installer-heuristic microsoft_visual_cc nsis overlay signed
Link:
https://www.filescan.io/uploads/694116463f8fdbf8e9477f1e/reports/ac6f8dfc-8886-4aa6-94da-2169c5d4e01f/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/efc587da20be6fc424af7edfd1b1e4fdf05273a1b4acbf955b3303b7b592dd17
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-16T05:10:00Z UTC
Last seen:
2025-12-18T03:53:00Z UTC
Hits:
~100
Detections:
Trojan.NSIS.Makoob.sba Packed.NSIS.Krynis.sb HEUR:Trojan.Win32.GuLoader.gen Trojan-Downloader.Win32.Minix.sb Trojan.Win32.Guloader.sb
Link:
https://opentip.kaspersky.com/efc587da20be6fc424af7edfd1b1e4fdf05273a1b4acbf955b3303b7b592dd17/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/887eb4c8-01ff-4128-af8b-db45d1d2572d
Result
Threat name:
GuLoader, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1833718
Signature
AI detected suspicious PE digital signature
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected GuLoader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1833718 Sample: Swift103December25-1121-100... Startdate: 16/12/2025 Architecture: WINDOWS Score: 100 38 www.malogistics.net 2->38 40 r12.c.lencr.org 2->40 42 2 other IPs or domains 2->42 58 Suricata IDS alerts for network traffic 2->58 60 Multi AV Scanner detection for dropped file 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 5 other signatures 2->64 9 Swift103December25-1121-100101294-002894-2002.exe 2 47 2->9         started        signatures3 process4 file5 32 C:\Users\user\AppData\Local\...\System.dll, PE32 9->32 dropped 66 Tries to detect virtualization through RDTSC time measurements 9->66 68 Unusual module load detection (module proxying) 9->68 70 Switches to a custom stack to bypass stack traces 9->70 72 Found direct / indirect Syscall (likely to bypass EDR) 9->72 13 Swift103December25-1121-100101294-002894-2002.exe 12 9->13         started        18 Swift103December25-1121-100101294-002894-2002.exe 9->18         started        signatures6 process7 dnsIp8 46 213.152.161.201, 49709, 49733, 49734 GLOBALLAYERNL Netherlands 13->46 48 euronova-eu.com 72.62.53.232, 49708, 80 SPCSUS United States 13->48 50 2 other IPs or domains 13->50 34 C:\Users\user\AppData\...\Producenters.exe, PE32 13->34 dropped 36 Swift103December25...002894-2002.exe.log, ASCII 13->36 dropped 74 Tries to steal Mail credentials (via file / registry access) 13->74 76 Tries to harvest and steal browser information (history, passwords, etc) 13->76 78 Writes to foreign memory regions 13->78 80 4 other signatures 13->80 20 chrome.exe 1 13->20         started        23 chrome.exe 13->23 injected 25 chrome.exe 13->25 injected 27 6 other processes 13->27 file9 signatures10 process11 dnsIp12 44 192.168.2.6, 138, 443, 49685 unknown unknown 20->44 29 chrome.exe 20->29         started        process13 dnsIp14 52 googlehosted.l.googleusercontent.com 172.253.124.132, 443, 49719 GOOGLEUS United States 29->52 54 www.google.com 64.233.176.106, 443, 49714, 49717 GOOGLEUS United States 29->54 56 5 other IPs or domains 29->56
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/efc587da20be6fc424af7edfd1b1e4fdf05273a1b4acbf955b3303b7b592dd17
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/801b32929be13ba45c9eaa411a33e368
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/efc587da20be6fc424af7edfd1b1e4fdf05273a1b4acbf955b3303b7b592dd17/
Verdict:
Malicious
Threat:
Trojan.Win32.Guloader
Link:
https://tip.neiki.dev/file/efc587da20be6fc424af7edfd1b1e4fdf05273a1b4acbf955b3303b7b592dd17
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-12-16 08:20:24 UTC
File Type:
PE (Exe)
Extracted files:
23
AV detection:
13 of 23 (56.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=57cypwraxzx4ijfpp3p5dmpe7xyfe45bwswl7fk3gmb3pnms3ulq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection discovery persistence spyware stealer
Link:
https://tria.ge/reports/251216-j8ky4swrgp/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Adds Run key to start application
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9dcdf89e-9794-44f6-9b79-14371b4e6aaf
Unpacked files
SH256 hash:
efc587da20be6fc424af7edfd1b1e4fdf05273a1b4acbf955b3303b7b592dd17
MD5 hash:
801b32929be13ba45c9eaa411a33e368
SHA1 hash:
9bc258075432cd4a2156d5936f1b462fd8b3a02a
Link:
https://www.unpac.me/results/f9494916-ebad-4b00-a789-6b6368f7b74c/
SH256 hash:
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2
MD5 hash:
6c3f8c94d0727894d706940a8a980543
SHA1 hash:
0d1bcad901be377f38d579aafc0c41c0ef8dcefd
Link:
https://www.unpac.me/results/f9494916-ebad-4b00-a789-6b6368f7b74c/
SH256 hash:
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
MD5 hash:
cff85c549d536f651d4fb8387f1976f2
SHA1 hash:
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
Link:
https://www.unpac.me/results/f9494916-ebad-4b00-a789-6b6368f7b74c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/efc587da20be6fc424af7edfd1b1e4fdf05273a1b4acbf955b3303b7b592dd17

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/45181/

Comments