Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

PureLogs

86
Global rank
29 infographic chevron month
Month rank
34 infographic chevron week
Week rank
0
IOCs

PureLogs is a stealer that collects a wide range of data from infected systems, including browser data, crypto wallets, PC configuration details, etc. It is delivered by PureCrypter, another malware that belongs to the Pure malware family. PureLogs is distributed based on a subscription model, allowing any threat actor to utilize it in their attacks.

Stealer
Type
ex-USSR
Origin
1 March, 2022
First seen
21 March, 2025
Last seen

How to analyze PureLogs with ANY.RUN

Type
ex-USSR
Origin
1 March, 2022
First seen
21 March, 2025
Last seen

IOCs

IP addresses
31.220.90.137
45.10.83.157
45.10.81.188
45.10.81.111
91.92.120.119
58.220.33.199
91.92.240.144
61.147.96.195
91.92.247.178
74.119.193.203
5.182.86.248
5.188.159.44
51.255.78.213
89.238.176.4
38.240.56.253
51.75.154.192
95.214.25.73
88.80.145.97
195.201.23.210
212.224.86.54
Domains
purelog.duckdns.org
data.pornsworld.xyz
pornsworld.xyz
download-files-pdf.de
puredating.top
srv-fattureincloud.de
eiseesaeheeg.fun
utente.service-fatturecloud.de
lkvbb-lkvbb.de
sicherer-download-pdf.de
service-fatturecloud.de
relay-02-static.com
gjhfhgdg.insane.wang
dksj.wi-fi.rip
chaifoomasho.foundation
strompreis.ru
337727.seu2.cleverreach.com
puritylgs.duckdns.org
rustercoin.com
relay-03-static.cloud
Last Seen at

Recent blog posts

post image
TI Lookup Named Best Threat Intelligence Serv...
watchers 187
comments 0
post image
Decoding a Malware Analyst: Essential Skills...
watchers 252
comments 0
post image
Expose Android Malware in Seconds: ANY.RUN Sa...
watchers 2785
comments 0

What is malware: PureLogs Stealer?

PureLogs is a stealer malware that is part of the Pure ecosystem of products. This malware family, which includes PureCrypter and other tools, was first distributed in March 2021. It is offered as malware-as-a-service (MaaS) meaning that different threat actors can freely purchase access to this malware

The Pure malware family products are sold openly on the developer’s website and forums. Despite being promoted as software for testing purposes, it is widely employed for malicious activities.

PureCrypter, another tool in the Pure ecosystem, is often used in conjunction with PureLogs. PureCrypter is tasked with encrypting malicious payloads and delivering them to the victim’s system.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

PureLogs Stealer malware technical details

PureLogs Stealer is designed to collect a wide range of data from infected systems:

  • Browser Data: PureLogs Stealer collects including browsing history, cookies, autofill data from Chrome and other Chromium- and Gecko-based browsers.
  • Crypto Wallets: The malware targets cryptocurrency wallets, including browser (MetaMask, Trust Wallet) and desktop ones (Exodus, Electrum), stealing private keys.
  • Complete User Information: PureLogs Stealer collects usernames, passwords, email addresses, and other personal data.
  • Full PC Configuration Details: The malware gathers info about the infected system's hardware and software configuration, such as OS and CPU details.
  • Application Data: The malware can hijack apps like FileZilla, Telegram, and more.
  • File Grabbing: The malware can locate and exfiltrate files by folder path and extension.
  • Clipboard Data: It can monitor the clipboard and steal any data that is copied and pasted.
  • Screenshots: The malware can take screenshots of the infected system's desktop.
  • Keylogging: PureLogs Stealer can record keystrokes, allowing cybercriminals to steal login credentials, and other information entered by the victim.

The malware uses PureCrypter, a loader that is capable of delivering staged and stage-less payloads. The loader has also been observed to drop third-party malware, such as AgentTesla.

Learn more about the Pure Malware family in ANY.RUN’s article “A Full Analysis of the Pure Malware Family: Unique and Growing Threat”.

The malware can gain persistence on the system via Registry Run Keys. It is also capable of removing itself via a PowerShell command.

PureLogs Stealer uses TCP/IP communication with its Command and Control (C2) server. It encrypts the data which it exfiltrates from the infected system.

PureLogs Stealer execution process

We can conduct an in-depth analysis of a PureLogs sample in the ANY.RUN sandbox.

PureLogs begins its execution chain by infecting a host machine, typically through phishing emails or malicious downloads.

Once on the host, it unpacks itself to deploy the payload, often avoiding detection by employing techniques such as encryption or obfuscation.

The stealer then scans the infected system for valuable data, such as credentials, financial information, and other sensitive personal data. This information is extracted and often encrypted to ensure it is securely transmitted back to the command and control (C2) server. Throughout this process, PureLogs maintains communication with the C2 server to receive further instructions and update its operational parameters.

Finally, the stolen data is utilized by the attackers for various malicious purposes, including identity theft, financial fraud, or selling on the dark web

PureLogs Suricata rule in ANY.RUN PureLogs Suricata rule shown in ANY.RUN

PureLogs Stealer malware distribution methods

Since PureLogs is a MaaS stealer, different threat actors utilize their own methods for infecting victims’ devices.

Similar to Gh0stRAT and LimeRAT, some cybercriminals employ a tactic of renaming the malicious files associated with PureLogs Stealer infection to popular legitimate software and video games to trick unsuspecting users into downloading and installing the malware.

Conclusion

PureLogs Stealer's ability to collect a vast array of sensitive data coupled with a relatively low barrier to acquire it presents a significant risk to individuals and organizations. When used together with PureCrypter, this malware becomes even more challenging to detect, making it easier for cybercriminals to infect systems and compromise sensitive information.

To prevent infection, it is crucial to have a robust security infrastructure that includes sandboxing capabilities to analyze any suspicious files and links that enter the organization. By taking proactive measures, individuals and organizations can significantly reduce the risk of falling victim to PureLogs Stealer and other malware threats.

ANY.RUN, a cloud-based sandbox, provides the tools for quick, easy, and conclusive analysis of PureLogs Stealer, as well as dozens of other malware families. Thanks to ANY.RUN’s interactive approach, users can engage with the virtual environment and perform any actions needed to study the threat comprehensively. The service provides threat reports on each analyzed sample that feature indicators of compromise, TTPs, and other info that can empower users to make informed security decisions.

Create your ANY.RUN account – it’s free!

HAVE A LOOK AT

Fog Ransomware screenshot
Fog is a ransomware strain that locks and steals sensitive information both on Windows and Linux endpoints. The medial ransom demand is $220,000. The medial payment is $100,000. First spotted in the spring of 2024, it was used to attack educational organizations in the USA, later expanding on other sectors and countries. Main distribution method — compromised VPN credentials.
Read More
DarkGate screenshot
DarkGate
darkgate
DarkGate is a loader, which possesses extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, this malware is known for the use of AutoIT scripts in its infection process. Thanks to this malicious software’s versatile architecture, it is widely used by established threat actors.
Read More
Emmenhtal screenshot
Emmenhtal
emmenhtal
First identified in 2024, Emmenhtal operates by embedding itself within modified legitimate Windows binaries, often using HTA (HTML Application) files to execute malicious scripts. It has been linked to the distribution of malware such as CryptBot and Lumma Stealer. Emmenhtal is typically disseminated through phishing campaigns, including fake video downloads and deceptive email attachments.
Read More
Jigsaw screenshot
Jigsaw
jigsaw
The Jigsaw ransomware, initially detected in 2016, encrypts files on compromised systems and requires a ransom payment in Bitcoin. If the ransom is not paid, the malware starts deleting files, increasing the pressure on victims to comply. Its source code is publicly accessible, allowing various threat actors to customize and repurpose the malware for different objectives.
Read More
GuLoader screenshot
GuLoader
guloader
GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.
Read More
Play Ransomware screenshot
Play aka PlayCrypt ransomware group has been successfully targeting corporations, municipal entities, and infrastruction all over the world for about three years. It infiltrates networks via software vulnerabilities, phishing links and compromised websites. The ransomware abuses Windows system services to evade detection and maintain persistence. Play encrypts user files and steals sensitive data while demanding a ransom.
Read More