MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fce42dbbd8155dd05d3333fcc37b8c64183b6f2541f821f52433b8d790773775. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: PureLogsStealer
Vendor detections: 19

SHA256 hash: fce42dbbd8155dd05d3333fcc37b8c64183b6f2541f821f52433b8d790773775
SHA3-384 hash: dfad4d681c3fbd72d019da8fea6f6a2fab280e304b5f683805889df6ce727e7c8fb533f83b6d4b6d89b9f1fd9e86cfd1
SHA1 hash: 2d62271e828aec2867b00687209c0f07c234d5de
MD5 hash: 078d850bc82b9d39a712b73f17ca0c36
humanhash: solar-washington-alpha-texas
File name: 078d850bc82b9d39a712b73f17ca0c36.exe
Signature: PureLogsStealer
File size: 4'973'568 bytes
First seen: 2025-07-29 15:06:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 98304:TLi8y1uDnt3AfXgyhRQ8ESWgtgRzY2Pa802Q3DQqwBGlM6eMDijoh:pyIhQffhq8ESWxvPa80l3gyeMD6oh
TLSH: T1D4363309E79980B6F49557F869770EC31B72BEF3EF3296122A163D0F78B612451B1B80
TrID: 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika: pebin
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: abuse_ch
Tags: exe PureLogsStealer


abuse_ch:
PureLogsStealer C2:
196.251.88.52:66

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
196.251.88.52:66 | https://threatfox.abuse.ch/ioc/1562047/

Intelligence


File Origin
# of uploads: 1
# of downloads: 32
Origin country: NL
Vendor Threat Intelligence

Malware family:
ID: 1
File name: 078d850bc82b9d39a712b73f17ca0c36.exe
Verdict: Malicious activity
Analysis date: 2025-07-29 15:11:22 UTC
Tags: lumma stealer amadey botnet loader evasion rdp telegram auto-reg python stealc vidar

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 96.5%
Tags: phishing autorun

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating synchronization primitives
Searching for analyzing tools
DNS request
Behavior that indicates a threat
Connection attempt
Sending a custom TCP request
Creating a window
Searching for the window
Searching for synchronization primitives
Creating a file
Running batch commands
Launching a process
Sending an HTTP POST request
Launching a service
Enabling autorun by creating a file
Result
Threat name: Amadey, LummaC Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Found API chain indicative of sandbox detection
Found malware configuration
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation STDIN+ Launcher
Sigma detected: PUA - NSudo Execution
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the nircmd tool (NirSoft)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Behaviour
Behavior Graph: [graph not rendered in this extract; Behavior Graph ID 1746413, sample 2mCBB2rLz5.exe, start date 29/07/2025, architecture WINDOWS, score 100]
Verdict: Malicious
Threat: VHO:Backdoor.MSIL.Bladabindi
Threat name: Win32.Spyware.Lummastealer
Status: Malicious
First seen: 2025-07-25 03:19:47 UTC
File Type: PE (Exe)
Extracted files: 147
AV detection: 30 of 37 (81.08%)
Threat level: 2/5
Verdict: malicious
Label(s): lummastealer
Similar samples:

Result
Malware family:
Score: 10/10
Tags: family:amadey family:lumma family:xmrig family:xworm botnet:fbf543 defense_evasion discovery execution miner persistence pyinstaller rat spyware stealer trojan upx
Behaviour
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry key
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Launches sc.exe
AutoIT Executable
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Power Settings
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Modifies file permissions
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Sets service image path in registry
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Amadey
Amadey family
Detect Xworm Payload
Disables service(s)
Lumma Stealer, LummaC
Lumma family
Modifies WinLogon for persistence
Xmrig family
Xworm
Xworm family
xmrig
Malware Config
C2 Extraction: (extracted C2 indicator list not reproduced here)
Verdict: Malicious
Tags: stealer redline Win.Packed.Nanocore-9942160-0
YARA: win_redline_wextract_hunting_oct_2023
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_Redline_Stealer
Author: Varp0s
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: win_redline_wextract_hunting_oct_2023
Author: Matthew @ Embee_Research
Description: Detects wextract archives related to redline/amadey

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | ADVAPI32.dll::AllocateAndInitializeSid, ADVAPI32.dll::EqualSid, ADVAPI32.dll::FreeSid
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges, ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessA, ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::GetDriveTypeA, KERNEL32.dll::GetVolumeInformationA, KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryA, KERNEL32.dll::CreateFileA, KERNEL32.dll::DeleteFileA, KERNEL32.dll::GetWindowsDirectoryA, KERNEL32.dll::GetSystemDirectoryA, KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExA, ADVAPI32.dll::RegOpenKeyExA, ADVAPI32.dll::RegQueryInfoKeyA, ADVAPI32.dll::RegQueryValueExA, ADVAPI32.dll::RegSetValueExA
WIN_USER_API | Performs GUI Actions | USER32.dll::PeekMessageA

Comments