BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details


Global rank
46 infographic chevron month
Month rank
50 infographic chevron week
Week rank

PureLogs is a stealer that collects a wide range of data from infected systems, including browser data, crypto wallets, PC configuration details, etc. It is delivered by PureCrypter, another malware that belongs to the Pure malware family. PureLogs is distributed based on a subscription model, allowing any threat actor to utilize it in their attacks.

1 March, 2022
First seen
22 May, 2024
Last seen

How to analyze PureLogs with ANY.RUN

1 March, 2022
First seen
22 May, 2024
Last seen


IP addresses
Last Seen at

Recent blog posts

post image
ANY.RUN attends Osintomático 2024
watchers 54
comments 0
post image
Windows 11 UAC Bypass in Modern Malware
watchers 768
comments 0
post image
New Hijack Loader Variant: Uses Process Hollo...
watchers 573
comments 0

What is malware: PureLogs Stealer?

PureLogs is a stealer malware that is part of the Pure ecosystem of products. This malware family, which includes PureCrypter and other tools, was first distributed in March 2021. It is offered as malware-as-a-service (MaaS) meaning that different threat actors can freely purchase access to this malware

The Pure malware family products are sold openly on the developer’s website and forums. Despite being promoted as software for testing purposes, it is widely employed for malicious activities.

PureCrypter, another tool in the Pure ecosystem, is often used in conjunction with PureLogs. PureCrypter is tasked with encrypting malicious payloads and delivering them to the victim’s system.

Get started today for free

Easily analyze emerging malware with ANY.RUN interactive online sandbox

Register for free

PureLogs Stealer malware technical details

PureLogs Stealer is designed to collect a wide range of data from infected systems:

  • Browser Data: PureLogs Stealer collects including browsing history, cookies, autofill data from Chrome and other Chromium- and Gecko-based browsers.
  • Crypto Wallets: The malware targets cryptocurrency wallets, including browser (MetaMask, Trust Wallet) and desktop ones (Exodus, Electrum), stealing private keys.
  • Complete User Information: PureLogs Stealer collects usernames, passwords, email addresses, and other personal data.
  • Full PC Configuration Details: The malware gathers info about the infected system's hardware and software configuration, such as OS and CPU details.
  • Application Data: The malware can hijack apps like FileZilla, Telegram, and more.
  • File Grabbing: The malware can locate and exfiltrate files by folder path and extension.
  • Clipboard Data: It can monitor the clipboard and steal any data that is copied and pasted.
  • Screenshots: The malware can take screenshots of the infected system's desktop.
  • Keylogging: PureLogs Stealer can record keystrokes, allowing cybercriminals to steal login credentials, and other information entered by the victim.

The malware uses PureCrypter, a loader that is capable of delivering staged and stage-less payloads. The loader has also been observed to drop third-party malware, such as AgentTesla.

Learn more about the Pure Malware family in ANY.RUN’s article “A Full Analysis of the Pure Malware Family: Unique and Growing Threat”.

The malware can gain persistence on the system via Registry Run Keys. It is also capable of removing itself via a PowerShell command.

PureLogs Stealer uses TCP/IP communication with its Command and Control (C2) server. It encrypts the data which it exfiltrates from the infected system.

PureLogs Stealer execution process

We can conduct an in-depth analysis of a PureLogs sample in the ANY.RUN sandbox.

PureLogs begins its execution chain by infecting a host machine, typically through phishing emails or malicious downloads.

Once on the host, it unpacks itself to deploy the payload, often avoiding detection by employing techniques such as encryption or obfuscation.

The stealer then scans the infected system for valuable data, such as credentials, financial information, and other sensitive personal data. This information is extracted and often encrypted to ensure it is securely transmitted back to the command and control (C2) server. Throughout this process, PureLogs maintains communication with the C2 server to receive further instructions and update its operational parameters.

Finally, the stolen data is utilized by the attackers for various malicious purposes, including identity theft, financial fraud, or selling on the dark web

PureLogs Suricata rule in ANY.RUN PureLogs Suricata rule shown in ANY.RUN

PureLogs Stealer malware distribution methods

Since PureLogs is a MaaS stealer, different threat actors utilize their own methods for infecting victims’ devices.

Similar to Gh0stRAT and LimeRAT, some cybercriminals employ a tactic of renaming the malicious files associated with PureLogs Stealer infection to popular legitimate software and video games to trick unsuspecting users into downloading and installing the malware.


PureLogs Stealer's ability to collect a vast array of sensitive data coupled with a relatively low barrier to acquire it presents a significant risk to individuals and organizations. When used together with PureCrypter, this malware becomes even more challenging to detect, making it easier for cybercriminals to infect systems and compromise sensitive information.

To prevent infection, it is crucial to have a robust security infrastructure that includes sandboxing capabilities to analyze any suspicious files and links that enter the organization. By taking proactive measures, individuals and organizations can significantly reduce the risk of falling victim to PureLogs Stealer and other malware threats.

ANY.RUN, a cloud-based sandbox, provides the tools for quick, easy, and conclusive analysis of PureLogs Stealer, as well as dozens of other malware families. Thanks to ANY.RUN’s interactive approach, users can engage with the virtual environment and perform any actions needed to study the threat comprehensively. The service provides threat reports on each analyzed sample that feature indicators of compromise, TTPs, and other info that can empower users to make informed security decisions.

Create your ANY.RUN account – it’s free!


Adwind screenshot
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy