Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

PureLogs

86
Global rank
36 infographic chevron month
Month rank
41 infographic chevron week
Week rank
0
IOCs

PureLogs is a stealer that collects a wide range of data from infected systems, including browser data, crypto wallets, PC configuration details, etc. It is delivered by PureCrypter, another malware that belongs to the Pure malware family. PureLogs is distributed based on a subscription model, allowing any threat actor to utilize it in their attacks.

Stealer
Type
ex-USSR
Origin
1 March, 2022
First seen
13 April, 2025
Last seen

How to analyze PureLogs with ANY.RUN

Type
ex-USSR
Origin
1 March, 2022
First seen
13 April, 2025
Last seen

IOCs

IP addresses
31.220.90.137
87.120.84.140
185.196.10.233
116.203.19.97
88.80.145.97
94.156.71.237
91.92.249.233
91.92.252.74
74.119.193.203
51.81.115.28
15.204.0.108
41.216.183.3
91.92.120.119
45.10.83.157
45.10.81.188
45.10.81.111
58.220.33.199
91.92.240.144
61.147.96.195
51.255.78.213
Domains
eiseesaeheeg.fun
puredating.top
utente.service-fatturecloud.de
lkvbb-lkvbb.de
chaifoomasho.foundation
rustercoin.com
purelog.duckdns.org
vertextech.buzz
strang-01-static.com
relay-03-static.cloud
pdf-builder.theworkpc.com
wi-fi.rip
undernamingtry.xyz
downloadpdf-fattura.de
service-fatturecloud.de
pukrilug.duckdns.org
337727.seu2.cleverreach.com
relay-01-static.com
stremasster.duckdns.org
purfufu3flujs.duckdns.org
Last Seen at

Recent blog posts

post image
Why Practice Is Key to Training Top Malware A...
watchers 331
comments 0
post image
How MSSP Expertware Uses ANY.RUN's Interactiv...
watchers 412
comments 0
post image
Release Notes: Android VM, Pre-Installed Dev...
watchers 1888
comments 0

What is malware: PureLogs Stealer?

PureLogs is a stealer malware that is part of the Pure ecosystem of products. This malware family, which includes PureCrypter and other tools, was first distributed in March 2021. It is offered as malware-as-a-service (MaaS) meaning that different threat actors can freely purchase access to this malware

The Pure malware family products are sold openly on the developer’s website and forums. Despite being promoted as software for testing purposes, it is widely employed for malicious activities.

PureCrypter, another tool in the Pure ecosystem, is often used in conjunction with PureLogs. PureCrypter is tasked with encrypting malicious payloads and delivering them to the victim’s system.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

PureLogs Stealer malware technical details

PureLogs Stealer is designed to collect a wide range of data from infected systems:

  • Browser Data: PureLogs Stealer collects including browsing history, cookies, autofill data from Chrome and other Chromium- and Gecko-based browsers.
  • Crypto Wallets: The malware targets cryptocurrency wallets, including browser (MetaMask, Trust Wallet) and desktop ones (Exodus, Electrum), stealing private keys.
  • Complete User Information: PureLogs Stealer collects usernames, passwords, email addresses, and other personal data.
  • Full PC Configuration Details: The malware gathers info about the infected system's hardware and software configuration, such as OS and CPU details.
  • Application Data: The malware can hijack apps like FileZilla, Telegram, and more.
  • File Grabbing: The malware can locate and exfiltrate files by folder path and extension.
  • Clipboard Data: It can monitor the clipboard and steal any data that is copied and pasted.
  • Screenshots: The malware can take screenshots of the infected system's desktop.
  • Keylogging: PureLogs Stealer can record keystrokes, allowing cybercriminals to steal login credentials, and other information entered by the victim.

The malware uses PureCrypter, a loader that is capable of delivering staged and stage-less payloads. The loader has also been observed to drop third-party malware, such as AgentTesla.

Learn more about the Pure Malware family in ANY.RUN’s article “A Full Analysis of the Pure Malware Family: Unique and Growing Threat”.

The malware can gain persistence on the system via Registry Run Keys. It is also capable of removing itself via a PowerShell command.

PureLogs Stealer uses TCP/IP communication with its Command and Control (C2) server. It encrypts the data which it exfiltrates from the infected system.

PureLogs Stealer execution process

We can conduct an in-depth analysis of a PureLogs sample in the ANY.RUN sandbox.

PureLogs begins its execution chain by infecting a host machine, typically through phishing emails or malicious downloads.

Once on the host, it unpacks itself to deploy the payload, often avoiding detection by employing techniques such as encryption or obfuscation.

The stealer then scans the infected system for valuable data, such as credentials, financial information, and other sensitive personal data. This information is extracted and often encrypted to ensure it is securely transmitted back to the command and control (C2) server. Throughout this process, PureLogs maintains communication with the C2 server to receive further instructions and update its operational parameters.

Finally, the stolen data is utilized by the attackers for various malicious purposes, including identity theft, financial fraud, or selling on the dark web

PureLogs Suricata rule in ANY.RUN PureLogs Suricata rule shown in ANY.RUN

PureLogs Stealer malware distribution methods

Since PureLogs is a MaaS stealer, different threat actors utilize their own methods for infecting victims’ devices.

Similar to Gh0stRAT and LimeRAT, some cybercriminals employ a tactic of renaming the malicious files associated with PureLogs Stealer infection to popular legitimate software and video games to trick unsuspecting users into downloading and installing the malware.

Conclusion

PureLogs Stealer's ability to collect a vast array of sensitive data coupled with a relatively low barrier to acquire it presents a significant risk to individuals and organizations. When used together with PureCrypter, this malware becomes even more challenging to detect, making it easier for cybercriminals to infect systems and compromise sensitive information.

To prevent infection, it is crucial to have a robust security infrastructure that includes sandboxing capabilities to analyze any suspicious files and links that enter the organization. By taking proactive measures, individuals and organizations can significantly reduce the risk of falling victim to PureLogs Stealer and other malware threats.

ANY.RUN, a cloud-based sandbox, provides the tools for quick, easy, and conclusive analysis of PureLogs Stealer, as well as dozens of other malware families. Thanks to ANY.RUN’s interactive approach, users can engage with the virtual environment and perform any actions needed to study the threat comprehensively. The service provides threat reports on each analyzed sample that feature indicators of compromise, TTPs, and other info that can empower users to make informed security decisions.

Create your ANY.RUN account – it’s free!

HAVE A LOOK AT

Stealc screenshot
Stealc
stealc
Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.
Read More
Arechclient2 screenshot
Arechclient2
arechclient2
The Arechclient2 malware is a sophisticated .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs various stealth techniques, including Base64 encoding to obscure its code and the ability to pause activities to evade automated security tools. The malware also can adjust Windows Defender settings and uses code injection to manipulate legitimate processes.
Read More
HijackLoader screenshot
HijackLoader
hijackloader
HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.
Read More