UPDATE: Turns out the whole /wp-admin/js/ directory on Västkupan's website allows directory listing. Among the files in that directory is "New PO 102456688.exe", which drops #PureLogs.
🔥 MD5: b2647b263c14226c62fe743dbff5c70a
🔥 C2: 147.124.219.201:65535
https://netresec.com/?b=257eead
Do #PureLogs Stealer and #PureCrypter use the same C2 protocol, or is there some way to tell the C2 protocols apart?
C2 servers:
🔥 45.141.233.100:7708
🔥 144.172.91.74:7709
🔥 62.60.235.100:9100
🔥 65.108.24.103:62050
🔥 91.92.120.102:62050
🔥 192.30.240.242:62520
Two more #PureLogs Stealer DLL files found on vastkupan[.]com. The original blog post has been updated.
https://netresec.com/?b=257eead
PureLogs Forensics

I analyzed some PureLogs Stealer malware infections this morning and found some interesting behavior and artifacts that I want to share. PureLogs infections sometimes start with a dropper/downloader that retrieves a .pdf file from a legitimate website. The dropper I will demo here downloaded this fi[...]

Netresec

PureLogs Forensics
💧 Dropper connects to legitimate website
📄 A fake PDF is downloaded over HTTPS
💾 The fake PDF is decrypted to a #PureLogs DLL
⚙️ InstallUtil.exe or RegAsm.exe is started.
💉 PureLogs DLL is injected into the running process
👾 PureLogs connects to C2 server

IOC List
🔥 91.92.120.101:62520
🔥 91.92.120.101:65535
https://netresec.com/?b=257eead

Detecting PureLogs traffic with CapLoader

CapLoader includes a feature for Port Independent Protocol Identification (PIPI), which can detect which protocol is being used inside of TCP and UDP sessions without relying on the port number. In this video CapLoader identifies the PureLogs C2 protocol. The PureLogs protocol detection was added to[...]

Netresec

#Malware campaigns #Italy Week 20

☠️🔥💣👻
#AgentTesla: Contract Draft
#Guloader: Order
#Formbook: Payment
#ZGRat: Contract
#Irata: APK Bank
#PureLogs: Documents
#Nanocore: Invoice
#LokiBot: Delivery
#RemcosRat: Order

#mwitaly

#Malware campaigns #Italy Week 19

☠️🔥👻💣
#AgentTesla: Documents
#GuLoader: Order
#RemcosRat: Bank
#Formbook: Quote
#PureLogs: Order

#mwitaly

Analysis Mpyiuepnw.exe (MD5: F01BB0EAE2C545DB34C5EEC3C4E5864D) Malicious activity - Interactive analysis ANY.RUN

Interactive malware hunting service. Live testing of most types of threats in any environment. No installation and no waiting necessary.

Analysis filez.7z (MD5: 1031600E833AF2947144563FE6D56711) Malicious activity - Interactive analysis ANY.RUN

#Malware campaigns #Italy Week 40

🔥 Persistent
#AgentTesla: Purchase order
#Ursnif - #PureLogs: #AgenziaEntrate
#SpyNote: Banking #APK

💣 Exceptional
#PikaBot: Resend link ZIP

#mwitaly