{
	"id": "89063ffa-65ec-49e0-ba6d-f62c7d7e7fde",
	"created_at": "2026-04-06T00:13:11.375515Z",
	"updated_at": "2026-04-10T03:19:59.975565Z",
	"deleted_at": null,
	"sha1_hash": "5fc66e24e23b402956d80b250297cc531b95e2d3",
	"title": "Malware Analysis - PXRECVOWEIWOEI",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 504375,
	"plain_text": "Malware Analysis - PXRECVOWEIWOEI\r\nBy Mandar Naik\r\nPublished: 2024-09-20 · Archived: 2026-04-05 18:06:11 UTC\r\nIn this post, we will do malware analysis and reverse engineering on a sample called PXRECVOWEIWOEI (AKA PureLogs Stealer).\r\nThe source of the sample is hxxps[://]bazaar[.]abuse[.]ch/sample/574403dce45be3a5edec18e66f16fef5e013ce99c7713479ab67c11e6f472330/#intel\r\nStatic Analysis\r\nLet’s get the hash of the file first.\r\nSHA256: 574403DCE45BE3A5EDEC18E66F16FEF5E013CE99C7713479AB67C11E6F472330\r\nOn VirusTotal, the file is detected as malicious by 25 engines.\r\nOpened in Notepad++, the sample is full of long strings assigned to variables with extremely long names.\r\nThese variables appear to have been added deliberately to distract us from the actual point of investigation. Each of them occurs only once, meaning it is declared with a string but never used.\r\nAfter ignoring them, we see some interesting variables that are used repeatedly.\r\nLet’s evaluate the variables.\r\nThe variables are interconnected, i.e. the variable tonta is used in the variable aligulado, which in turn is used in publicista. We are going to focus on the content of publicista. We can see a base64 string, after decoding it.\r\nThe decoded base64 is a PowerShell script that reads as gibberish. Let’s evaluate the script to make it understandable.\r\nAfter beautifying the script, we can connect the dots.\r\nThe PowerShell script downloads DetahNoteJ.txt, loads the content into a variable, then base64-decodes that content, eventually storing it in a variable called $assembly. The result of the above script can be accessed via the variable $OWjuxD (i.e. the base64 decode of $Codigo).\r\nFinally, the output is executed via PowerShell.\r\nLet’s check the content of the file called DetahNoteJ.txt. (PSSS: Shouldn’t the filename be DeathNote and not DetahNoteJ?)\r\nAfter base64 decoding and checking the file type\r\nNow we can check the compiler or packer used to compile or protect the program; we can use DIE for this.\r\nDynamic Analysis\r\nThe sample is compiled in .NET without any packer or crypter used. We can directly decompile it using dnSpy.\r\nAfter a night with tea by my side, I was not able to understand the logic behind a few variables, and was not able to decrypt them either. Let’s directly execute the sample.\r\nMy platform architecture seems incompatible; the program exited with some errors.\r\nAt last, we get no intel from dynamic analysis.\r\nOn VirusTotal, the file DetahNoteJ.txt is detected by 17 engines.\r\nSHA256: 16912B71BDEFBB0B9E0B0E71D85B0095880D4DC250239E7D26E12454F7F6BADF\r\nWhereas the base64-decoded content of DetahNoteJ.txt is a DLL file, detected by 7 engines.\r\nSHA256: 97164081607B6FDB9B095CB01BB0A818FC77DB92DAD38B910B05A90160748756\r\nWe meet next time, dissecting another sample or coming up with an evasion technique. Until then, čau čau\r\nSource: https://mandarnaik016.in/blog/2024-09-21-malware-analysis-pxrecvoweiwoei/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://mandarnaik016.in/blog/2024-09-21-malware-analysis-pxrecvoweiwoei/"
	],
	"report_names": [
		"2024-09-21-malware-analysis-pxrecvoweiwoei"
	],
	"threat_actors": [],
	"ts_created_at": 1775434391,
	"ts_updated_at": 1775791199,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5fc66e24e23b402956d80b250297cc531b95e2d3.pdf",
		"text": "https://archive.orkl.eu/5fc66e24e23b402956d80b250297cc531b95e2d3.txt",
		"img": "https://archive.orkl.eu/5fc66e24e23b402956d80b250297cc531b95e2d3.jpg"
	}
}