MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4ddc4c5754beabeabe37a62633d11896a0ea4aef0c5727b060cd56c097c6cde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureLogsStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 7 File information Comments

SHA256 hash:	f4ddc4c5754beabeabe37a62633d11896a0ea4aef0c5727b060cd56c097c6cde
SHA3-384 hash:	7b470e42e1c55abdb5359f69f86147dabd7e720d3f2a81dd13f019aa4714701334fd08b087401709d6d880e7fe073915
SHA1 hash:	7834d73a62612971e83f37373987f644f4819415
MD5 hash:	ce8e5ddebfbdc8233228637f9e923c28
humanhash:	fanta-music-gee-lactose
File name:	SecuriteInfo.com.Heur.MSIL.Benin.5.98476599
Download:	download sample
Signature	PureLogsStealer Create hunting rule
File size:	780'800 bytes
First seen:	2026-06-08 18:22:02 UTC
Last seen:	2026-06-08 19:32:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (49'067 x AgentTesla, 20'019 x Formbook, 12'352 x SnakeKeylogger)
ssdeep	12288:amQSe21iqIms3EihKaBOHGi7eAQOOvAhzMOnhJrlQyu8GDljP:BihKaQmi7RQOOvyzM2hJKyu8AlP
TLSH	T10CF4CF2BB6528E12D2C45733C0CB190097F5DA823677EB0E758523A71E163BBDE4A397
TrID	70.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.2% (.EXE) Win64 Executable (generic) (6522/11/2) 4.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe PureLogsStealer

Intelligence

File Origin

# of uploads :

# of downloads :

101

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

NETReactor

Details

Link:

https://research.acce.ciphertechsolutions.com/results/b3baeb9f-2ad3-4763-aef3-6cdaadec01c9/

Malware family:

n/a

ID:

File name:

f4ddc4c5754beabeabe37a62633d11896a0ea4aef0c5727b060cd56c097c6cde.zip

Verdict:

No threats detected

Analysis date:

2026-06-09 09:08:18 UTC

Tags:

arch-exec

Link:

https://app.any.run/tasks/3d015d42-27fc-4c3a-8f46-dbe602dab6b6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/70142/

Detection(s):

SecuriteInfo.com.Heur.MSIL.Benin.5.98476599.UNOFFICIAL

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a270870ae2f98c00a68efe0

Tags:

virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Connection attempt

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 net_reactor obfuscated obfuscated packed packed

Link:

https://www.filescan.io/uploads/6a2708671f652d6865703095/reports/184c1a9f-75b8-41ea-8478-f25517568b78/overview

Verdict:

Malicious

Labled as:

MSIL.Benin.Generic

Link:

https://www.hybrid-analysis.com/sample/f4ddc4c5754beabeabe37a62633d11896a0ea4aef0c5727b060cd56c097c6cde

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-06-08T15:38:00Z UTC

Last seen:

2026-06-09T20:25:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/f4ddc4c5754beabeabe37a62633d11896a0ea4aef0c5727b060cd56c097c6cde/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/2f26aead-88bf-4769-b93e-92f6f7d53ff7

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f4ddc4c5754beabeabe37a62633d11896a0ea4aef0c5727b060cd56c097c6cde

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f4ddc4c5754beabeabe37a62633d11896a0ea4aef0c5727b060cd56c097c6cde/

Threat name:

ByteCode-MSIL.Trojan.Egairtigado

Status:

Malicious

First seen:

2026-06-08 18:22:47 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

29 of 38 (76.32%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6to4jrlvjpvl5k7dpjrggpirrfva5jfo6dcxe6ygbtkwycl4ntpa._file

Verdict:

malicious

Label(s):

purecrypter

Similar samples:

error

PureLogsStealer

Result

Malware family:

n/a

Score:

7/10

Tags:

collection discovery spyware stealer

Link:

https://tria.ge/reports/260608-wz6wfadx3v/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

System Location Discovery: System Language Discovery

System Time Discovery

Drops file in Windows directory

Accesses Microsoft Outlook profiles

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

f4ddc4c5754beabeabe37a62633d11896a0ea4aef0c5727b060cd56c097c6cde

MD5 hash:

ce8e5ddebfbdc8233228637f9e923c28

SHA1 hash:

7834d73a62612971e83f37373987f644f4819415

Link:

https://www.unpac.me/results/92a6b891-39ac-4314-a1d8-4ef4312439f9/

SH256 hash:

9f5dddfdb2e9dae88ba6f87639a9cb1a769a7c030e9b06a3f943ba172140be3f

MD5 hash:

a5ff60299cb6d10a55016c715517231a

SHA1 hash:

22c456f43a2a6172344b4e3b5013e6423fbbd7b0

Link:

https://www.unpac.me/results/92a6b891-39ac-4314-a1d8-4ef4312439f9/

SH256 hash:

4f9c665f4588423d689e2a55aae7c668eb3b5190f40c8992c8d08543f564551f

MD5 hash:

cc28580c504665b6c34ebd3ddc8c1243

SHA1 hash:

6d62c8fbd799a2fc84cfc98f4f51d57709ab03cb

Link:

https://www.unpac.me/results/92a6b891-39ac-4314-a1d8-4ef4312439f9/

SH256 hash:

b2a66e9864f81c2800a5afef4bfd1faf7c910e5a43ea2eb9dbb15c8ab6ffc633

MD5 hash:

f0a13fb422cdb1f3ce667df897b5045b

SHA1 hash:

9b6566603e3a292482788924a83a1d94a9cd4627

Link:

https://www.unpac.me/results/92a6b891-39ac-4314-a1d8-4ef4312439f9/

Malware family:

PureHVNC

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f4ddc4c5754b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f4ddc4c5754beabeabe37a62633d11896a0ea4aef0c5727b060cd56c097c6cde

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Lumma_Stealer_Detection Create hunting rule
Author:	ashizZz
Description:	Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:	https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.