MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb588232c45c3663d8a3fc9f63bc93d49e3dce0fa1af0768123ac77c53acb777. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb588232c45c3663d8a3fc9f63bc93d49e3dce0fa1af0768123ac77c53acb777
SHA3-384 hash: 699d22488b5621bd4eff3dc2c11fa3dad75de8727fc8903eed93d04ae34f851d2442933f2e4e3f1a0c8af7e5c8a46053
SHA1 hash: 57b20d3d4e7360702cba79f54dad40d6763b1af7
MD5 hash: 77f50e7d9326980acdc80cdf02011ef6
humanhash: thirteen-magnesium-alaska-paris
File name:Company profile.lnk
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:2'558 bytes
First seen:2025-09-24 16:34:21 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 48:81sJ9SPJETOeR7sx4FkU+n1bdpsx4hdpsx4/7:81G0BEbNg4l+ndg49g4
Threatray 8 similar samples on MalwareBazaar
TLSH T12251BC210BF20318F3B38B3E19FA6310D636FD58DA52CB8E020056894C75121E968F7F
Magika lnk
Reporter smica83
Tags:lnk PureLogsStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
HU HU
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d5481f1e4783989051dfe0
Tags:
obfuscate xtreme overt
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/fb588232c45c3663d8a3fc9f63bc93d49e3dce0fa1af0768123ac77c53acb777/results/dashboard
Payload URLs
URL
File name
https://l.station307.com/H8xZG3WD4UA7vcpDHfQiLL/Wzqfttpid.exe
LNK File
Behaviour
BlacklistAPI detected
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
evasive lolbin masquerade update
Link:
https://www.filescan.io/uploads/68d41f4f74e5a289899161c8/reports/86643450-f539-459e-bf7e-9bb1cf4b7854/overview
Verdict:
Malicious
Labled as:
BZC.YAX.Boxter.151
Link:
https://www.hybrid-analysis.com/sample/fb588232c45c3663d8a3fc9f63bc93d49e3dce0fa1af0768123ac77c53acb777
Verdict:
Malicious
File Type:
lnk
First seen:
2025-09-24T05:15:00Z UTC
Last seen:
2025-09-24T05:15:00Z UTC
Hits:
~1000
Detections:
HEUR:Trojan.Multi.Powedon.a HEUR:Trojan.Multi.Powedon.c HEUR:Trojan.Multi.Powedon.h Trojan.Multi.GenAutorunLnkFile.a PDM:Trojan.Win32.Generic HEUR:Trojan.WinLNK.Agent.gen HEUR:Trojan.Multi.GenBadur.genw Trojan.WinLNK.Agent.sb Trojan.Win32.Agent.sb
Link:
https://opentip.kaspersky.com/fb588232c45c3663d8a3fc9f63bc93d49e3dce0fa1af0768123ac77c53acb777/results?tab=lookup
Result
Threat name:
Phantom stealer, PureLog Stealer, Resolv
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1783445
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for URL or domain
Drops VBS files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Phantom stealer
Yara detected PureLog Stealer
Yara detected ResolverRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1783445 Sample: Company profile.lnk Startdate: 24/09/2025 Architecture: WINDOWS Score: 100 80 mail.novochrom.us 2->80 82 l.station307.com 2->82 84 15 other IPs or domains 2->84 110 Antivirus detection for URL or domain 2->110 112 Windows shortcut file (LNK) starts blacklisted processes 2->112 114 Multi AV Scanner detection for submitted file 2->114 116 16 other signatures 2->116 10 powershell.exe 14 20 2->10         started        15 wscript.exe 2->15         started        17 firefox.exe 1 2->17         started        19 msedge.exe 2->19         started        signatures3 process4 dnsIp5 92 l.station307.com 51.158.131.31, 443, 49718 OnlineSASFR France 10->92 78 C:\Users\user\AppData\Local\Temp\Update.exe, PE32 10->78 dropped 134 Found many strings related to Crypto-Wallets (likely being stolen) 10->134 136 Powershell drops PE file 10->136 21 Update.exe 4 10->21         started        25 conhost.exe 1 10->25         started        138 Windows Scripting host queries suspicious COM object (likely to drop second stage) 15->138 27 Settings.exe 15->27         started        29 firefox.exe 3 159 17->29         started        94 192.168.2.4, 138, 21, 443 unknown unknown 19->94 96 239.255.255.250 unknown Reserved 19->96 140 Maps a DLL or memory area into another process 19->140 32 msedge.exe 19->32         started        34 setup.exe 19->34         started        36 msedge.exe 19->36         started        38 4 other processes 19->38 file6 signatures7 process8 dnsIp9 64 C:\Users\user\AppData\Roaming\Settings.exe, PE32 21->64 dropped 66 C:\Users\user\AppData\...\Settings.vbs, ASCII 21->66 dropped 120 Multi AV Scanner detection for dropped file 21->120 122 Drops VBS files to the startup folder 21->122 124 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 21->124 40 InstallUtil.exe 25 108 21->40         started        45 InstallUtil.exe 27->45         started        98 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 49798, 49799, 80 GOOGLEUS United States 29->98 100 telemetry-incoming.r53-2.services.mozilla.com 34.120.208.123, 443, 49800, 49801 GOOGLEUS United States 29->100 106 6 other IPs or domains 29->106 68 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 29->68 dropped 70 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 29->70 dropped 47 firefox.exe 29->47         started        49 firefox.exe 29->49         started        102 a1666.dscr.akamai.net 23.213.34.187, 443, 49735, 49736 NTT-COMMUNICATIONS-2914US United States 32->102 104 sb.scorecardresearch.com 18.65.229.52, 443, 49748 MIT-GATEWAYSUS United States 32->104 108 33 other IPs or domains 32->108 51 setup.exe 34->51         started        file10 signatures11 process12 dnsIp13 86 mail.novochrom.us 31.222.235.232, 49777, 587 GIGALIS-ASFR unknown 40->86 88 ftp.xma0.com 51.75.150.177, 21, 49786 OVHFR France 40->88 90 icanhazip.com 104.16.185.241, 49776, 49785, 80 CLOUDFLARENETUS United States 40->90 72 C:\Users\user\AppData\...\ZIPXYXWIOY.pdf, ASCII 40->72 dropped 74 C:\Users\user\AppData\...\JDDHMPCDUJ.pdf, ASCII 40->74 dropped 76 C:\Users\user\AppData\...\JDDHMPCDUJ.docx, ASCII 40->76 dropped 126 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 40->126 128 Tries to steal Mail credentials (via file / registry access) 40->128 130 Found many strings related to Crypto-Wallets (likely being stolen) 40->130 132 5 other signatures 40->132 53 msedge.exe 40->53         started        56 firefox.exe 1 40->56         started        58 chrome.exe 40->58         started        60 4 other processes 40->60 file14 signatures15 process16 signatures17 118 Monitors registry run keys for changes 53->118 62 msedge.exe 53->62         started        process18
Verdict:
Malware
YARA:
2 match(es)
Tags:
Batch Command Execution: CMD in LNK Execution: PowerShell in LNK LNK LOLBin LOLBin:powershell.exe Malicious PowerShell PowerShell Call T1059.001 T1059.003 T1202: Indirect Command Execution T1204.002
Link:
https://app.malva.re/file/77f50e7d9326980acdc80cdf02011ef6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb588232c45c3663d8a3fc9f63bc93d49e3dce0fa1af0768123ac77c53acb777/
Verdict:
Malicious
Threat:
Trojan.Multi.GenAutorunLnkFile
Link:
https://tip.neiki.dev/file/fb588232c45c3663d8a3fc9f63bc93d49e3dce0fa1af0768123ac77c53acb777
Threat name:
Win32.Trojan.WinLnk
Create hunting rule
Status:
Malicious
First seen:
2025-09-24 08:07:57 UTC
AV detection:
12 of 38 (31.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7nmiemwelq3ghwfd7spwhpet2spd3tqpugxqo2ashldxyu5mw53q._file
Verdict:
malicious
Label(s):
purecrypter
Create hunting rule
Similar samples:
1bf4e2c7314d1559dcdcb38a7a094407274133e6545b3e6534b4adb4aedda8f7
PureLogsStealer
630fee17afddacbf766f51459603dd9e8a401c538fd8333e1be72fbf6f1a06ae
PureLogsStealer
67de6fb5afc5af13a1c7d7eec47738efbea3366de56263d56f929f9a195ce082
PureLogsStealer
8e816a746cd915a18613ab27dd955a1e608bae28286ee188a81f89e5a93ba608
PureLogsStealer
d1bc4e42ecce35e89268c590d57779b243c1c9726468aebe52f286c309d26d5d
PureLogsStealer
error
PureLogsStealer
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection discovery execution persistence
Link:
https://tria.ge/reports/250924-t5ggmazybv/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fb588232c45c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fb588232c45c3663d8a3fc9f63bc93d49e3dce0fa1af0768123ac77c53acb777

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_Remcos_RAT
Create hunting rule
Author:daniyyell
Description:Detects Remcos RAT payloads and commands
Rule name:Download_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.
Rule name:LNK_sospechosos
Create hunting rule
Author:Germán Fernández
Description:Detecta archivos .lnk sospechosos
Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_PowerShell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to powershell inside an lnk file, which is suspicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

PureLogsStealer

Shortcut (lnk) lnk fb588232c45c3663d8a3fc9f63bc93d49e3dce0fa1af0768123ac77c53acb777

(this sample)

PureLogsStealer

Executable exe 1bf4e2c7314d1559dcdcb38a7a094407274133e6545b3e6534b4adb4aedda8f7

  
Dropping
SHA256 1bf4e2c7314d1559dcdcb38a7a094407274133e6545b3e6534b4adb4aedda8f7
  
Dropping
MD5 ecc5ab1fb8de30ed9f89aae99f203f5a

Comments