{
	"id": "54372625-a0fe-4bad-9e4d-67c38efb40fc",
	"created_at": "2026-04-06T00:13:36.734623Z",
	"updated_at": "2026-04-10T03:22:04.044109Z",
	"deleted_at": null,
	"sha1_hash": "2f6468b4a2249bec0d1e759543d38206cf224904",
	"title": "PureLogs Forensics",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 412678,
	"plain_text": "PureLogs Forensics\r\nBy Erik Hjelmvik\r\nPublished: 2025-07-02 · Archived: 2026-04-05 18:05:15 UTC\r\nWednesday, 02 July 2025 11:52:00 (UTC/GMT)\r\nI analyzed some PureLogs Stealer malware infections this morning and found some interesting behavior and artifacts that I want to share.\r\nPureLogs infections sometimes start with a dropper/downloader (PureCrypter) that retrieves a .pdf file from a legitimate website. The dropper I will demo here downloaded this file:\r\nhxxps://www.vastkupan[.]com/wp-admin/js/Daupinslenj.pdf\r\nThis file isn’t really a PDF though, but more on that later. Here’s a CapLoader screenshot with some interesting flows from the infection:\r\nThe PCAP in the screenshot above comes from a sandbox execution on any.run of a file called BSN100357-HHGBM100002525.exe.\r\nHere’s a breakdown of what happens behind the scenes in this execution:\r\n1. Dropper connects to www.vastkupan[.]com (DNS and TLS flows).\r\n2. A fake PDF (Daupinslenj.pdf) is downloaded over HTTPS.\r\n3. The fake PDF is decrypted to a DLL (PureLogs), which is stored in memory.\r\n4. InstallUtil.exe is started.\r\n5. The PureLogs DLL is injected into the running InstallUtil process.\r\n6. PureLogs connects to C2 server at 91.92.120.101:65535\r\nThe same dropper has also been run on JoeSandbox, with almost identical behavior. The vastkupan.com website belongs to a legitimate company (Västkupan Fastigheter).\r\nThe PDF that Wasn’t\r\nThis is what the downloaded “PDF” looks like:\r\nhttps://www.netresec.com/?page=Blog\u0026month=2025-07\u0026post=PureLogs-Forensics\r\nPage 1 of 6\r\nSo, what’s up with all that “171171” data? Let’s XOR with “711” and see what we get.\r\nThe downloaded PDF turns out to be a .NET DLL file with MD5 38d29f5ac47583f39a2ff5dc1c366f7d. This is the file that was injected into the otherwise legitimate InstallUtil process. Some PureLogs droppers use RegAsm.exe instead of InstallUtil though (see JoeSandbox and any.run).\r\nIOC List\r\nDroppers (MD5):\r\n711d9cbf1b1c77de45c4f1b1a82347e6\r\n6ff95e302e8374e4e1023fbec625f44b\r\ne6d7bbc53b718217b2de1b43a9193786\r\na9bc0fad0b1a1d6931321bb5286bf6b7\r\n09bb5446ad9055b9a1cb449db99a7302\r\nDropper TLS handshake signatures:\r\nJA3: 3b5074b1b5d032e5620f69f9f700ff0e\r\nJA4: t12d210700_76e208dd3e22_2dae41c691ec\r\nPayload URLs:\r\nhxxps://www.vastkupan[.]com/wp-admin/js/Cicdwkknms.pdf\r\nhxxps://www.vastkupan[.]com/wp-admin/js/Daupinslenj.pdf\r\nhxxps://www.new.eventawardsrussia[.]com/wp-includes/Ypeyqku.pdf\r\nPayloads (MD5):\r\nab250bb831a9715a47610f89d0998f86 (Cicdwkknms.pdf)\r\ncec53e8df6c115eb7494c9ad7d2963d4 (Daupinslenj.pdf)\r\needc8bb54465bd6720f28b41f7a2acf6 (Ypeyqku.pdf)\r\nDecrypted payloads:\r\nMD5: 38d29f5ac47583f39a2ff5dc1c366f7d\r\nSHA1: fc8b0ee149027c4c02f7d44cc06cade3222bb6b6\r\nSHA256: 8d7729ca0b25a677287076b4461304a21813e6f15053e190975512e58754988f\r\nPureLogs C2:\r\n91.92.120.101:62520 (old)\r\n91.92.120.101:65535 (new)\r\nUpdate 2025-07-16\r\nAdditional PureLogs payloads have been found on vastkupan.com.\r\nPayload URLs:\r\nhxxps://www.vastkupan[.]com/wp-admin/js/Cxqyoub.dat\r\nhxxps://www.vastkupan[.]com/wp-admin/js/Qlwxqgsag.dat\r\nCxqyoub.dat is decrypted by XOR-ing with \"414\".\r\nQlwxqgsag.dat is a DLL with reversed content.\r\nPayloads (MD5):\r\n22a304ea9c006e2ccb2f6110c4d3f53f (Cxqyoub.dat)\r\nd5b6607ee4718506eb4970c02cf286cd (XOR decrypted DLL from Cxqyoub.dat)\r\n062d2a5906fac4c2ef07c6b43141e19c (Qlwxqgsag.dat)\r\n40624de03bc3c53331b6e903d9e3860f (DLL from reversed Qlwxqgsag.dat)\r\nC2 server:\r\n91.92.120.102:62050\r\nSee JoeSandbox and any.run for sandbox executions of the dropper aa06d06ddb6d3801c70cc1991f393112 (retrieves Cxqyoub.dat), and JoeSandbox and any.run for c45a95dc7ebc8c78217cd996a8f6dda7 (gets Qlwxqgsag.dat).\r\nUpdate 2025-07-21\r\nYet another PureLogs payload found on vastkupan.com.\r\nDropped by: 031a9c2f44881f4db1c6f6d88a540206\r\nURL of encrypted DLL: hxxp://www.vastkupan[.]com/wp-admin/js/Kplbc.pdf\r\nEncrypted DLL MD5: 6ed3c9b70ca02d1c558d1ef9a8aaab77\r\nC2: 65.108.24.103:62050\r\nSandbox executions are available on JoeSandbox and any.run.\r\nUpdate 2025-07-30\r\nAdditional encrypted PureLogs DLLs found on vastkupan.com.\r\nDropped by: 67861615d765d0c59d65e8d4454e5ffc\r\nURL of encrypted DLL: hxxps://www.vastkupan[.]com/wp-admin/js/Qytqk.pdf\r\nEncrypted DLL MD5: 668a42bdfd253e0d54716cd115479b9f\r\nC2: 91.92.120.102:62050 (same as Cxqyoub.dat and Qlwxqgsag.dat)\r\nDropped by: 031a9c2f44881f4db1c6f6d88a540206\r\nURL of encrypted DLL: hxxps://www.vastkupan[.]com:443/wp-admin/js/Kplbc.pdf\r\nEncrypted DLL MD5: 6ed3c9b70ca02d1c558d1ef9a8aaab77\r\nC2: 65.108.24.103:62050\r\nDropped by: 07ff4006101f117aa4f198c984a45137\r\nURL of encrypted DLL: hxxps://www.vastkupan[.]com/wp-admin/js/Pnnvrpjewlq.vdf\r\nEncrypted DLL MD5: 98cf831688941cc8bccfe1e8a33c9c16\r\nDropped by: a1fd8053b49442028d66e3adea550d19\r\nURL of encrypted DLL: hxxps://www.vastkupan[.]com/wp-admin/js/Niose.wav\r\nEncrypted DLL MD5: 067086aff11080357b92931e96ecebae\r\nDropped by: 3cf704e64cbba6560663ec45ce2dabc2\r\nURL of encrypted DLL: hxxps://www.vastkupan[.]com:443/wp-admin/js/Frfkft.vdf\r\nEncrypted DLL MD5: c9bac721c9b6f2900fd3d8ed922bc759\r\nC2: 91.92.120.101:7705\r\nDropped by: 486d6c9cbdb638f9d574c58459676ed9\r\nURL of encrypted DLL: hxxps://www.vastkupan[.]com/wp-admin/js/Skrcygatz.dat\r\nEncrypted DLL MD5: a3cf5108315a06d564c97c8367994fd1\r\nC2: 216.250.252.231:2080\r\nUpdate 2025-07-31\r\nTurns out the whole /wp-admin/js/ directory on Västkupan's website allows directory listing. Among the files in that directory is \"New PO 102456688.exe\", which drops PureLogs.\r\nFilename: New PO 102456688.exe\r\nMD5: b2647b263c14226c62fe743dbff5c70a\r\nC2: 147.124.219.201:65535\r\nSee executions on Tria.ge and any.run for details.\r\nPosted by Erik Hjelmvik on Wednesday, 02 July 2025 11:52:00 (UTC/GMT)\r\nTags: #PureLogs #PureCoder #3b5074b1b5d032e5620f69f9f700ff0e #JoeSandbox\r\nShort URL: https://netresec.com/?b=257eead\r\nSource: https://www.netresec.com/?page=Blog\u0026month=2025-07\u0026post=PureLogs-Forensics",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.netresec.com/?page=Blog\u0026month=2025-07\u0026post=PureLogs-Forensics"
	],
	"report_names": [
		"?page=Blog\u0026month=2025-07\u0026post=PureLogs-Forensics"
	],
	"threat_actors": [],
	"ts_created_at": 1775434416,
	"ts_updated_at": 1775791324,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f6468b4a2249bec0d1e759543d38206cf224904.pdf",
		"text": "https://archive.orkl.eu/2f6468b4a2249bec0d1e759543d38206cf224904.txt",
		"img": "https://archive.orkl.eu/2f6468b4a2249bec0d1e759543d38206cf224904.jpg"
	}
}