UPDATE: Turns out the whole /wp-admin/js/ directory on Västkupan's website allows directory listing. Among the files in that directory is "New PO 102456688.exe", which drops #PureLogs.
🔥 MD5: b2647b263c14226c62fe743dbff5c70a
🔥 C2: 147.124.219.201:65535
https://netresec.com/?b=257eead
Do #PureLogs Stealer and #PureCrypter use the same C2 protocol, or is there some way to tell the C2 protocols apart?
C2 servers:
🔥 45.141.233.100:7708
🔥 144.172.91.74:7709
🔥 62.60.235.100:9100
🔥 65.108.24.103:62050
🔥 91.92.120.102:62050
🔥 192.30.240.242:62520
Two more #PureLogs Stealer DLL files found on vastkupan[.]com. The original blog post has been updated.
https://netresec.com/?b=257eead
PureLogs Forensics

I analyzed some PureLogs Stealer malware infections this morning and found some interesting behavior and artifacts that I want to share. PureLogs infections sometimes start with a dropper/downloader that retrieves a .pdf file from a legitimate website. The dropper I will demo here downloaded this fi[...]

Netresec

PureLogs Forensics
💧 Dropper connects to legitimate website
📄 A fake PDF is downloaded over HTTPS
💾 The fake PDF is decrypted to a #PureLogs DLL
⚙️ InstallUtil.exe or RegAsm.exe is started.
💉 PureLogs DLL is injected into the running process
👾 PureLogs connects to C2 server

IOC List
🔥 91.92.120.101:62520
🔥 91.92.120.101:65535
https://netresec.com/?b=257eead

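The infection chain and IOC list in the post above, turned into a small detection pass over endpoint telemetry: one rule matches outbound connections against the C2 IP:port pairs quoted on this page, the other flags InstallUtil.exe or RegAsm.exe making any outbound connection at all, since neither .NET utility has a reason to beacon and the chain injects PureLogs into exactly those processes. This is an added example, not code from the posts or from Netresec; the event dictionaries are a constructed, simplified Sysmon-like record format (an assumption), and only the IP:port pairs come from the page.

```python
"""Detect the PureLogs chain described in the post against constructed endpoint events.

Added example (not from the original posts or Netresec). Event layout is an
assumed, simplified Sysmon-like format; C2 IP:port pairs are the IOCs on this page.
"""
from datetime import datetime

# C2 servers quoted in the posts on this page (real IOCs from the page).
PURELOGS_C2 = {
    ("91.92.120.101", 62520), ("91.92.120.101", 65535),
    ("45.141.233.100", 7708), ("144.172.91.74", 7709),
    ("62.60.235.100", 9100), ("65.108.24.103", 62050),
    ("91.92.120.102", 62050), ("192.30.240.242", 62520),
    ("147.124.219.201", 65535),
}

# .NET utilities the post names as the injection targets.
INJECTION_HOSTS = {"installutil.exe", "regasm.exe"}

NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"

# Constructed sample telemetry (assumed format): process creations and outbound connections.
SAMPLE_EVENTS = [
    # Benign: a developer registers an assembly with RegAsm.exe, no network activity follows.
    {"ts": "2024-05-13T08:00:00", "type": "process_create", "host": "ws01", "pid": 4100,
     "image": NET + r"\RegAsm.exe", "parent_image": r"C:\Program Files\dotnet\dotnet.exe"},
    # Chain: a dropper starts InstallUtil.exe ...
    {"ts": "2024-05-13T09:12:00", "type": "process_create", "host": "ws02", "pid": 5320,
     "image": NET + r"\InstallUtil.exe", "parent_image": r"C:\Users\user\Downloads\dropper.exe"},
    # ... which, after injection, beacons to a C2 from the IOC list.
    {"ts": "2024-05-13T09:12:05", "type": "network_connect", "host": "ws02", "pid": 5320,
     "image": NET + r"\InstallUtil.exe", "dst_ip": "91.92.120.101", "dst_port": 62520},
    # Benign: a browser talking to a documentation-range address over HTTPS.
    {"ts": "2024-05-13T09:13:00", "type": "network_connect", "host": "ws02", "pid": 6000,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst_ip": "203.0.113.10", "dst_port": 443},
    # Chain variant with an unknown C2: only the behavioural rule can catch this one.
    {"ts": "2024-05-13T10:00:00", "type": "process_create", "host": "ws03", "pid": 7777,
     "image": NET + r"\RegAsm.exe", "parent_image": r"C:\Users\user\AppData\Local\Temp\dropper.exe"},
    {"ts": "2024-05-13T10:00:03", "type": "network_connect", "host": "ws03", "pid": 7777,
     "image": NET + r"\RegAsm.exe", "dst_ip": "198.51.100.20", "dst_port": 62520},
]


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, host, pid, detail) tuples, in event order."""
    alerts = []
    started = {}  # (host, pid) -> start time of an injection-host process
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        name = image_name(ev["image"])
        key = (ev["host"], ev["pid"])
        if ev["type"] == "process_create" and name in INJECTION_HOSTS:
            started[key] = ts
        elif ev["type"] == "network_connect":
            dst = (ev["dst_ip"], ev["dst_port"])
            if dst in PURELOGS_C2:
                alerts.append(("purelogs_c2_ioc", ev["host"], ev["pid"],
                               f"{name} -> {dst[0]}:{dst[1]}"))
            if name in INJECTION_HOSTS:
                # Fires even if the process_create event was lost: the connection alone is abnormal.
                age = f" {int((ts - started[key]).total_seconds())}s after start" if key in started else ""
                alerts.append(("lolbin_network", ev["host"], ev["pid"],
                               f"{name} connected to {dst[0]}:{dst[1]}{age}"))
    return alerts


if __name__ == "__main__":
    for rule, host, pid, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {host} pid={pid}: {detail}")
```

The IOC rule is exact and cheap but ages quickly; the behavioural rule costs a few false positives from genuine InstallUtil.exe/RegAsm.exe use but survives a C2 change, which is why the sample includes a third host whose connection only the second rule catches.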
Detecting PureLogs traffic with CapLoader

CapLoader includes a feature for Port Independent Protocol Identification (PIPI), which can detect which protocol is being used inside of TCP and UDP sessions without relying on the port number. In this video CapLoader identifies the PureLogs C2 protocol. The PureLogs protocol detection was added to[...]

Netresec

#Malware Campaigns #Italy Week 20

☠️🔥💣👻
#AgentTesla: Contract draft (Bozza Contratto)
#Guloader: Order (Ordine)
#Formbook: Payment (Pagamento)
#ZGRat: Contract (Contratto)
#Irata: APK Bank
#PureLogs: Documents (Documenti)
#Nanocore: Invoice (Fattura)
#LokiBot: Delivery
#RemcosRat: Order (Ordine)

#mwitaly

#Malware Campaigns #Italy Week 19

☠️🔥👻💣
#AgentTesla: Documents (Documenti)
#GuLoader: Order (Ordine)
#RemcosRat: Bank
#Formbook: Quote (Preventivo)
#PureLogs: Order (Ordine)

#mwitaly

Analysis Mpyiuepnw.exe (MD5: F01BB0EAE2C545DB34C5EEC3C4E5864D) Malicious activity - Interactive analysis ANY.RUN

Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

Analysis filez.7z (MD5: 1031600E833AF2947144563FE6D56711) Malicious activity - Interactive analysis ANY.RUN


#Malware Campaigns #Italy Week 40

🔥 Persistent
#AgentTesla: Purchase order (Ordine d'acquisto)
#Ursnif - #PureLogs: #AgenziaEntrate
#SpyNote: Banking #APK

💣 Exceptional
#PikaBot: Resend link ZIP

#mwitaly