MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f507b0190897d8cfd7d49f0e5200a25ed38d11d1c8f97f48e9b5a780cf0ae514. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureLogsStealer

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 5 File information Comments

SHA256 hash:	f507b0190897d8cfd7d49f0e5200a25ed38d11d1c8f97f48e9b5a780cf0ae514
SHA3-384 hash:	d07e9afb585c76230c52cb7e0c645a0bc135ced9c699753e4fddd5d0732eb764aafa3451da72bc886173dd475bfc286e
SHA1 hash:	5e7f89e3012f0c7d9c7a6e7fee94135c762a92e5
MD5 hash:	5bf99ec67f4aaea0a71fdc15540288e4
humanhash:	stairway-eighteen-neptune-freddie
File name:	f507b0190897d8cfd7d49f0e5200a25ed38d11d1c8f97.exe
Download:	download sample
Signature	PureLogsStealer Create hunting rule
File size:	669'963 bytes
First seen:	2025-09-17 14:15:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	97e5a31c945b50f9f6676688768eef5e (8 x PureLogsStealer)
ssdeep	12288:sL/rcET9/vNhyQDR8vamg/UI0bex/8ftAKGEYhGJiKGr4q:u55/vLyhhuUfbeQtAvEyfKI
Threatray	395 similar samples on MalwareBazaar
TLSH	T113E42207FE7258DBCC1187B926E4E235B631FED48662FA07A70443302D675846EAEDC6
TrID	44.4% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	abuse_ch
Tags:	exe PureLogsStealer

abuse_ch

PureLogsStealer C2:
107.189.23.136:7720

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
107.189.23.136:7720	https://threatfox.abuse.ch/ioc/1593283/

Intelligence

File Origin

# of uploads :

# of downloads :

114

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

f507b0190897d8cfd7d49f0e5200a25ed38d11d1c8f97.exe

Verdict:

Malicious activity

Analysis date:

2025-09-17 15:02:56 UTC

Tags:

stealer purecrypter

Link:

https://app.any.run/tasks/8ddf1bdc-b444-41b5-9beb-0675c82a418f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/27943/

Verdict:

Malicious

Score:

90.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68cac29c2432032546472b39

Tags:

injection obfusc

Result

Verdict:

Malware

Maliciousness:

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug expand hacktool lolbin obfuscated overlay packed packed packer_detected

Link:

https://www.filescan.io/uploads/68cac29973287948292d652f/reports/26adb7d9-a0a1-4bd1-8cfa-00723e855867/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/f507b0190897d8cfd7d49f0e5200a25ed38d11d1c8f97f48e9b5a780cf0ae514

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-09-17T12:47:00Z UTC

Last seen:

2025-09-17T12:47:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/f507b0190897d8cfd7d49f0e5200a25ed38d11d1c8f97f48e9b5a780cf0ae514/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/182cc7be-9016-4223-af40-e1d317cd4774

Result

Threat name:

PureLog Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1779335

Signature

Creates a thread in another existing process (thread injection)

Injects a PE file into a foreign processes

Suricata IDS alerts for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f507b0190897d8cfd7d49f0e5200a25ed38d11d1c8f97f48e9b5a780cf0ae514

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/5bf99ec67f4aaea0a71fdc15540288e4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f507b0190897d8cfd7d49f0e5200a25ed38d11d1c8f97f48e9b5a780cf0ae514/

Threat name:

Win64.Trojan.Nekark

Status:

Malicious

First seen:

2025-09-17 14:16:38 UTC

File Type:

PE+ (Exe)

AV detection:

28 of 38 (73.68%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6ud3agiis7mm7v6ut4hfeafcl3jy2eorzd4x6shjwwtybtyk4uka._file

Verdict:

malicious

Label(s):

donut_injector

PureLogsStealer

33bc65e4f8bc25a0289128c3ee2b25f9811a50589d5de93e3c65a89401d20270

PureLogsStealer

a2baa23bbe548f06cf0ae0f0487cf55bbec120d7d36d7d4eeaafe3ba3397faee

PureLogsStealer

d096e8bd91561e5192b5323aaec30ad22e6026f2fbf9e4cedfd440e32d41143e

PureLogsStealer

ed641141bde4baf238710ead8205eeee5c3ac8095cb3cdc17afc4b35e90752a9

PureLogsStealer

error

PureLogsStealer

f507b0190897d8cfd7d49f0e5200a25ed38d11d1c8f97f48e9b5a780cf0ae514

PureLogsStealer

+ 385 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250917-rk27gsz1dt/

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/511f3cba-5187-45dc-afa5-f6b4724769e4

Unpacked files

SH256 hash:

f507b0190897d8cfd7d49f0e5200a25ed38d11d1c8f97f48e9b5a780cf0ae514

MD5 hash:

5bf99ec67f4aaea0a71fdc15540288e4

SHA1 hash:

5e7f89e3012f0c7d9c7a6e7fee94135c762a92e5

Link:

https://www.unpac.me/results/ad754f7c-9a6e-440e-980d-b973ec94f5e4/

Malware family:

DonutLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f507b0190897/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f507b0190897d8cfd7d49f0e5200a25ed38d11d1c8f97f48e9b5a780cf0ae514

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_FindWindowA_iat Create hunting rule

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/27943/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample