PureLogs Forensics

By Erik Hjelmvik
Published: 2025-07-02 · Archived: 2026-04-05 18:05:15 UTC
https://www.netresec.com/?page=Blog&month=2025-07&post=PureLogs-Forensics

Wednesday, 02 July 2025 11:52:00 (UTC/GMT)

I analyzed some PureLogs Stealer malware infections this morning and found some interesting behavior and artifacts that I want to share.

PureLogs infections sometimes start with a dropper/downloader (PureCrypter) that retrieves a .pdf file from a legitimate website. The dropper I will demo here downloaded this file:

hxxps://www.vastkupan[.]com/wp-admin/js/Daupinslenj.pdf

This file isn't really a PDF though, but more on that later. Here's a CapLoader screenshot with some interesting flows from the infection:

[CapLoader screenshot: flows from the infection]

The PCAP in the screenshot above comes from a sandbox execution on any.run of a file called BSN100357-HHGBM100002525.exe. Here's a breakdown of what happens behind the scenes in this execution:

1. Dropper connects to www.vastkupan[.]com (DNS and TLS flows).
2. A fake PDF (Daupinslenj.pdf) is downloaded over HTTPS.
3. The fake PDF is decrypted to a DLL (PureLogs), which is stored in memory.
4. InstallUtil.exe is started.
5. The PureLogs DLL is injected into the running InstallUtil process.
6. PureLogs connects to C2 server at 91.92.120.101:65535

The same dropper has also been run on JoeSandbox, with almost identical behavior.

The vastkupan.com website belongs to a legitimate company (Västkupan Fastigheter).

The PDF that Wasn't

This is what the downloaded "PDF" looks like:

[Screenshot of the downloaded file's contents, showing long runs of repeated "171171" data]

So, what's up with all that "171171" data? Let's XOR with "711" and see what we get.

The downloaded PDF turns out to be a .NET DLL file with MD5 38d29f5ac47583f39a2ff5dc1c366f7d. This is the file that was injected into the otherwise legitimate InstallUtil process. Some PureLogs droppers use RegAsm.exe instead of InstallUtil though (see JoeSandbox and any.run).
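The decoding step above, written out as an added example (my code, not Erik's and not a Netresec tool). It assumes the keys quoted in this post ("711" here, "414" in the 2025-07-16 update) are the ASCII strings applied as repeating XOR keys, and that the decrypted payload is a PE image whose null padding leaks the key: 0x00 XOR "711" gives "711711…", and the same byte stream read from an offset of two is "171171…", which is exactly the pattern visible in the screenshot. The script generalises that observation into key recovery (most frequent ciphertext byte per key position), also handles the byte-reversed variant (Qlwxqgsag.dat) from the 2025-07-16 update, and hashes the result for comparison with the decrypted-payload MD5s in the IOC list. The sample input is constructed inline; try_decode, recover_xor_key and build_sample_pe are my names, not anything from the post.

```python
import hashlib
from collections import Counter
from itertools import cycle


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key, e.g. b"711" for Daupinslenj.pdf."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ stub and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(data: bytes, key_len: int) -> bytes:
    """Guess a repeating XOR key of length key_len.

    PE files contain long runs of null bytes and 0x00 XOR k == k, so the most
    frequent ciphertext byte at each position modulo key_len is (very likely)
    that key byte. This is the "171171" observation generalised: it is b"711"
    leaking through null padding, read from an offset of 2 mod 3.
    """
    return bytes(Counter(data[i::key_len]).most_common(1)[0][0]
                 for i in range(key_len))


def try_decode(data: bytes, max_key_len: int = 8):
    """Return (method, decoded) for the first transform yielding a PE image.

    Tries the three forms seen on vastkupan.com: plain, byte-reversed
    (Qlwxqgsag.dat) and repeating-key XOR (Daupinslenj.pdf, Cxqyoub.dat).
    Returns (None, None) when nothing produces a PE image.
    """
    if looks_like_pe(data):
        return "plain", data
    reversed_data = data[::-1]
    if looks_like_pe(reversed_data):
        return "reversed", reversed_data
    for key_len in range(1, max_key_len + 1):
        key = recover_xor_key(data, key_len)
        candidate = xor_with_key(data, key)
        if looks_like_pe(candidate):
            return "xor:" + key.decode("latin-1"), candidate
    return None, None


def md5_hex(data: bytes) -> str:
    """MD5 of the decoded image, for comparison with the post's IOC list."""
    return hashlib.md5(data).hexdigest()


def build_sample_pe() -> bytes:
    """Constructed stand-in for the decrypted DLL (not a real binary):
    an MZ stub, e_lfanew pointing at 'PE\\0\\0', then null padding."""
    stub = bytearray(b"MZ" + b"\0" * 0x3A)      # 0x3C bytes of DOS stub
    stub += (0x40).to_bytes(4, "little")        # e_lfanew = 0x40
    stub += b"PE\0\0" + b"\x4c\x01"             # signature, i386 machine
    return bytes(stub) + b"\0" * 300            # null-heavy tail like real PEs


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # decode a real download
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:                                       # or the constructed sample
        blob = xor_with_key(build_sample_pe(), b"711")
    method, image = try_decode(blob)
    if image is None:
        print("no PE image found (unknown encoding)")
    else:
        print(method, md5_hex(image))
```

Run it with a downloaded payload as the only argument and compare the printed MD5 with the "Decrypted payloads" hashes below; the raw download hashes (the "Payloads (MD5)" entries) will never match what ends up in InstallUtil's memory, so the decrypted hashes are the ones to pivot on in a sandbox memory dump. If the null-byte heuristic picks a wrong key on a short or densely packed sample, pass the key straight to xor_with_key instead of relying on recovery.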
IOC List

Droppers (MD5):
711d9cbf1b1c77de45c4f1b1a82347e6
6ff95e302e8374e4e1023fbec625f44b
e6d7bbc53b718217b2de1b43a9193786
a9bc0fad0b1a1d6931321bb5286bf6b7
09bb5446ad9055b9a1cb449db99a7302

Dropper TLS handshake signatures:
JA3: 3b5074b1b5d032e5620f69f9f700ff0e
JA4: t12d210700_76e208dd3e22_2dae41c691ec

Payload URLs:
hxxps://www.vastkupan[.]com/wp-admin/js/Cicdwkknms.pdf
hxxps://www.vastkupan[.]com/wp-admin/js/Daupinslenj.pdf
hxxps://www.new.eventawardsrussia[.]com/wp-includes/Ypeyqku.pdf

Payloads (MD5):
ab250bb831a9715a47610f89d0998f86 (Cicdwkknms.pdf)
cec53e8df6c115eb7494c9ad7d2963d4 (Daupinslenj.pdf)
eedc8bb54465bd6720f28b41f7a2acf6 (Ypeyqku.pdf)

Decrypted payloads:
MD5: 38d29f5ac47583f39a2ff5dc1c366f7d
SHA1: fc8b0ee149027c4c02f7d44cc06cade3222bb6b6
SHA256: 8d7729ca0b25a677287076b4461304a21813e6f15053e190975512e58754988f

PureLogs C2:
91.92.120.101:62520 (old)
91.92.120.101:65535 (new)

Update 2025-07-16

Additional PureLogs payloads have been found on vastkupan.com.

Payload URLs:
hxxps://www.vastkupan[.]com/wp-admin/js/Cxqyoub.dat
hxxps://www.vastkupan[.]com/wp-admin/js/Qlwxqgsag.dat

Cxqyoub.dat is decrypted by XOR-ing with "414". Qlwxqgsag.dat is a DLL with reversed content.

Payloads (MD5):
22a304ea9c006e2ccb2f6110c4d3f53f (Cxqyoub.dat)
d5b6607ee4718506eb4970c02cf286cd (XOR decrypted DLL from Cxqyoub.dat)
062d2a5906fac4c2ef07c6b43141e19c (Qlwxqgsag.dat)
40624de03bc3c53331b6e903d9e3860f (DLL from reversed Qlwxqgsag.dat)

C2 server: 91.92.120.102:62050

See JoeSandbox and any.run for sandbox executions of the dropper aa06d06ddb6d3801c70cc1991f393112 (retrieves Cxqyoub.dat), and JoeSandbox and any.run for c45a95dc7ebc8c78217cd996a8f6dda7 (gets Qlwxqgsag.dat).

Update 2025-07-21

Yet another PureLogs payload found on vastkupan.com.
Dropped by: 031a9c2f44881f4db1c6f6d88a540206
URL of encrypted DLL: hxxp://www.vastkupan[.]com/wp-admin/js/Kplbc.pdf
Encrypted DLL MD5: 6ed3c9b70ca02d1c558d1ef9a8aaab77
C2: 65.108.24.103:62050

Sandbox executions are available on JoeSandbox and any.run.

Update 2025-07-30

Additional encrypted PureLogs DLLs found on vastkupan.com.

Dropped by: 67861615d765d0c59d65e8d4454e5ffc
URL of encrypted DLL: hxxps://www.vastkupan[.]com/wp-admin/js/Qytqk.pdf
Encrypted DLL MD5: 668a42bdfd253e0d54716cd115479b9f
C2: 91.92.120.102:62050 (same as Cxqyoub.dat and Qlwxqgsag.dat)

Dropped by: 031a9c2f44881f4db1c6f6d88a540206
URL of encrypted DLL: hxxps://www.vastkupan[.]com:443/wp-admin/js/Kplbc.pdf
Encrypted DLL MD5: 6ed3c9b70ca02d1c558d1ef9a8aaab77
C2: 65.108.24.103:62050

Dropped by: 07ff4006101f117aa4f198c984a45137
URL of encrypted DLL: hxxps://www.vastkupan[.]com/wp-admin/js/Pnnvrpjewlq.vdf
Encrypted DLL MD5: 98cf831688941cc8bccfe1e8a33c9c16

Dropped by: a1fd8053b49442028d66e3adea550d19
URL of encrypted DLL: hxxps://www.vastkupan[.]com/wp-admin/js/Niose.wav
Encrypted DLL MD5: 067086aff11080357b92931e96ecebae

Dropped by: 3cf704e64cbba6560663ec45ce2dabc2
URL of encrypted DLL: hxxps://www.vastkupan[.]com:443/wp-admin/js/Frfkft.vdf
Encrypted DLL MD5: c9bac721c9b6f2900fd3d8ed922bc759
C2: 91.92.120.101:7705

Dropped by: 486d6c9cbdb638f9d574c58459676ed9
URL of encrypted DLL: hxxps://www.vastkupan[.]com/wp-admin/js/Skrcygatz.dat
Encrypted DLL MD5: a3cf5108315a06d564c97c8367994fd1
C2: 216.250.252.231:2080

Update 2025-07-31

Turns out the whole /wp-admin/js/ directory on Västkupan's website allows directory listing. Among the files in that directory is "New PO 102456688.exe", which drops PureLogs.
Filename: New PO 102456688.exe
MD5: b2647b263c14226c62fe743dbff5c70a
C2: 147.124.219.201:65535

See executions on Tria.ge and any.run for details.

Posted by Erik Hjelmvik on Wednesday, 02 July 2025 11:52:00 (UTC/GMT)

Tags: #PureLogs #PureCoder #3b5074b1b5d032e5620f69f9f700ff0e #JoeSandbox

Short URL: https://netresec.com/?b=257eead

Source: https://www.netresec.com/?page=Blog&month=2025-07&post=PureLogs-Forensics