Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

PureLogs

94
Global rank
47 infographic chevron month
Month rank
45 infographic chevron week
Week rank
0
IOCs

PureLogs is a stealer that collects a wide range of data from infected systems, including browser data, crypto wallets, PC configuration details, etc. It is delivered by PureCrypter, another malware that belongs to the Pure malware family. PureLogs is distributed based on a subscription model, allowing any threat actor to utilize it in their attacks.

Stealer
Type
ex-USSR
Origin
1 March, 2022
First seen
13 December, 2024
Last seen

How to analyze PureLogs with ANY.RUN

Type
ex-USSR
Origin
1 March, 2022
First seen
13 December, 2024
Last seen

IOCs

IP addresses
64.95.10.19
116.203.19.97
91.92.252.74
5.188.159.44
31.220.90.137
89.39.106.35
89.238.176.4
38.240.56.253
51.255.78.213
95.214.25.73
89.238.176.5
41.216.183.3
195.201.23.210
51.75.154.192
185.196.10.233
212.224.86.54
91.92.253.88
86.106.87.133
87.120.84.140
5.182.86.248
Domains
newhvmo.duckdns.org
puredating.top
download-files-pdf.de
data.pornsworld.xyz
eiseesaeheeg.fun
srv-fattureincloud.de
pornsworld.xyz
utente.service-fatturecloud.de
lkvbb-lkvbb.de
service-fatturecloud.de
sicherer-download-pdf.de
chaifoomasho.foundation
strompreis.ru
337727.seu2.cleverreach.com
puritylgs.duckdns.org
rustercoin.com
dksj.wi-fi.rip
backend-server78.com
vertextech.buzz
fallback-01-static.com
Last Seen at

Recent blog posts

post image
Access and Use ANY.RUN’s TI Feeds via MISP
watchers 269
comments 0
post image
Analysis of Nova: A Snake Keylogger Fork
watchers 1412
comments 0
post image
Manufacturing Companies Targeted with New Lum...
watchers 1848
comments 0

What is malware: PureLogs Stealer?

PureLogs is a stealer malware that is part of the Pure ecosystem of products. This malware family, which includes PureCrypter and other tools, was first distributed in March 2021. It is offered as malware-as-a-service (MaaS) meaning that different threat actors can freely purchase access to this malware

The Pure malware family products are sold openly on the developer’s website and forums. Despite being promoted as software for testing purposes, it is widely employed for malicious activities.

PureCrypter, another tool in the Pure ecosystem, is often used in conjunction with PureLogs. PureCrypter is tasked with encrypting malicious payloads and delivering them to the victim’s system.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

PureLogs Stealer malware technical details

PureLogs Stealer is designed to collect a wide range of data from infected systems:

  • Browser Data: PureLogs Stealer collects including browsing history, cookies, autofill data from Chrome and other Chromium- and Gecko-based browsers.
  • Crypto Wallets: The malware targets cryptocurrency wallets, including browser (MetaMask, Trust Wallet) and desktop ones (Exodus, Electrum), stealing private keys.
  • Complete User Information: PureLogs Stealer collects usernames, passwords, email addresses, and other personal data.
  • Full PC Configuration Details: The malware gathers info about the infected system's hardware and software configuration, such as OS and CPU details.
  • Application Data: The malware can hijack apps like FileZilla, Telegram, and more.
  • File Grabbing: The malware can locate and exfiltrate files by folder path and extension.
  • Clipboard Data: It can monitor the clipboard and steal any data that is copied and pasted.
  • Screenshots: The malware can take screenshots of the infected system's desktop.
  • Keylogging: PureLogs Stealer can record keystrokes, allowing cybercriminals to steal login credentials, and other information entered by the victim.

The malware uses PureCrypter, a loader that is capable of delivering staged and stage-less payloads. The loader has also been observed to drop third-party malware, such as AgentTesla.

Learn more about the Pure Malware family in ANY.RUN’s article “A Full Analysis of the Pure Malware Family: Unique and Growing Threat”.

The malware can gain persistence on the system via Registry Run Keys. It is also capable of removing itself via a PowerShell command.

PureLogs Stealer uses TCP/IP communication with its Command and Control (C2) server. It encrypts the data which it exfiltrates from the infected system.

PureLogs Stealer execution process

We can conduct an in-depth analysis of a PureLogs sample in the ANY.RUN sandbox.

PureLogs begins its execution chain by infecting a host machine, typically through phishing emails or malicious downloads.

Once on the host, it unpacks itself to deploy the payload, often avoiding detection by employing techniques such as encryption or obfuscation.

The stealer then scans the infected system for valuable data, such as credentials, financial information, and other sensitive personal data. This information is extracted and often encrypted to ensure it is securely transmitted back to the command and control (C2) server. Throughout this process, PureLogs maintains communication with the C2 server to receive further instructions and update its operational parameters.

Finally, the stolen data is utilized by the attackers for various malicious purposes, including identity theft, financial fraud, or selling on the dark web

PureLogs Suricata rule in ANY.RUN PureLogs Suricata rule shown in ANY.RUN

PureLogs Stealer malware distribution methods

Since PureLogs is a MaaS stealer, different threat actors utilize their own methods for infecting victims’ devices.

Similar to Gh0stRAT and LimeRAT, some cybercriminals employ a tactic of renaming the malicious files associated with PureLogs Stealer infection to popular legitimate software and video games to trick unsuspecting users into downloading and installing the malware.

Conclusion

PureLogs Stealer's ability to collect a vast array of sensitive data coupled with a relatively low barrier to acquire it presents a significant risk to individuals and organizations. When used together with PureCrypter, this malware becomes even more challenging to detect, making it easier for cybercriminals to infect systems and compromise sensitive information.

To prevent infection, it is crucial to have a robust security infrastructure that includes sandboxing capabilities to analyze any suspicious files and links that enter the organization. By taking proactive measures, individuals and organizations can significantly reduce the risk of falling victim to PureLogs Stealer and other malware threats.

ANY.RUN, a cloud-based sandbox, provides the tools for quick, easy, and conclusive analysis of PureLogs Stealer, as well as dozens of other malware families. Thanks to ANY.RUN’s interactive approach, users can engage with the virtual environment and perform any actions needed to study the threat comprehensively. The service provides threat reports on each analyzed sample that feature indicators of compromise, TTPs, and other info that can empower users to make informed security decisions.

Create your ANY.RUN account – it’s free!

HAVE A LOOK AT

Adware screenshot
Adware
adware
Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.
Read More
Virlock screenshot
Virlock
virlock
Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access.
Read More
WannaCry screenshot
WannaCry
wannacry ransomware
WannaCry is a famous Ransomware that utilizes the EternalBlue exploit. This malware is known for infecting at least 200,000 computers worldwide and it continues to be an active and dangerous threat.
Read More
Bumblebee Loader screenshot
Bumblebee Loader
bumblebee
Bumblebee is a highly adaptable malware loader, often used by threat actors linked to the Conti and TrickBot cybercrime groups. Since its discovery in 2021, Bumblebee has been leveraged in phishing campaigns and email thread hijacking, primarily to distribute payloads like Cobalt Strike and ransomware. The malware employs obfuscation techniques, such as DLL injection and virtual environment detection, to avoid detection and sandbox analysis. Its command-and-control infrastructure and anti-analysis features allow it to persist on infected devices, where it enables further payload downloads and system compromise.
Read More
Razr screenshot
Razr
razr
Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.
Read More
DeerStealer screenshot
DeerStealer
deerstealer
DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.
Read More