PureLogs Stealer: Complete Malware Analysis & CTF Walkthrough
By Zyad Waleed Elzyat
Published: 2025-10-18 · Archived: 2026-04-05 20:02:58 UTC
Source: https://medium.com/@0xzyadelzyat/purelogs-stealer-complete-malware-analysis-ctf-walkthrough-83e41e7c6efd

Executive Summary

PureLogs is a Windows information stealer that combines commercial .NET obfuscation, layered anti-analysis checks, and AES-256-CBC encryption with PBKDF2 key derivation to evade detection and protect the data it steals. This analysis follows the malware's attack chain from initial execution to encrypted exfiltration over its C2 channel.

Key Findings:
- Commercial-grade .NET packer obfuscation
- Multi-layered anti-VM and anti-debugging defenses
- AES-256-CBC encryption with PBKDF2 key derivation
- UAC bypass through the COM elevation moniker
- Geographic filtering to avoid CIS regions
- Credential harvesting from browsers and popular applications

Sample Hash (SHA-256): 7505E02F9E72CE781892C01AC7638A8FAC011F39C020CDA61E2EADA9EEE1C31D
Analysis Challenge: https://malops.io/challenges/10

Table of Contents
1. Introduction
2. Core Capabilities
3. De-obfuscation
4. Mutex Identification
5. Anti-sandboxing
6. Anti-debugging
7. Registry Execution Prevention
8. Process Masquerading
9. Anti-VM & Anti-Analysis Techniques
10. UAC Bypass & Privilege Escalation
11. Credential Harvesting (Applications)
12. Data Exfiltration & C2 Communications
13. AES Encryption Details
14. Self Deletion
15. Conclusion

Introduction

PureLogs is a Windows information stealer built to harvest credentials, session tokens, and other sensitive data from compromised systems. It shows the capabilities typical of commercial-grade threats, including evasion techniques that make both detection and analysis harder than usual.
Core Capabilities

- Browser Credential Extraction: steals saved passwords and session cookies from major browsers
- Application Token Harvesting: targets Discord, Telegram, Steam, and FileZilla authentication data
- Cryptocurrency Wallet Theft: extracts wallet information and private keys
- System Reconnaissance: collects detailed hardware and software information
- .NET Reactor Commercial Packing: commercial obfuscation to hinder reverse engineering
- Multi-Stage Anti-Debugging: detects an attached debugger and terminates
- Sandbox Detection: identifies known malware analysis environments and exits
- Process Injection: masquerades as a trusted Windows process
- Registry-Based Execution Control: marks prior execution so the sample does not run twice on the same host
- AES-256 Encryption: protects exfiltrated data using CBC mode
- PBKDF2 Key Derivation: derives the AES key and IV from a password
- Custom C2 Protocol: communicates with its command and control server over a hardcoded TCP port

De-obfuscation

Question 01: PureLogs is obfuscated and packed to hinder static analysis. Which commercial .NET packer is used to protect the PureLogs binary?

Initial analysis with dnSpy showed that PureLogs is heavily obfuscated by a commercial .NET packer. This protection layer adds its own anti-debugging checks and makes static analysis significantly harder.

To analyze the sample, I ran it through .NET Reactor Slayer, a tool that unpacks and deobfuscates .NET Reactor-protected binaries. Once processed, the code structure became legible, revealing the real execution flow and confirming that the sample uses layered obfuscation on top of commercial protection.
Mutex Identification

Question 02: What is the name of the mutex created by PureLogs?

The malware creates a mutex (mutual exclusion object) so that only one instance runs on the infected system; a second copy sees the existing mutex and exits, which avoids resource conflicts and the noisy system behavior that duplicate instances would produce. Through dynamic debugging and method tracing in the initialization class, I identified the unique mutex name embedded in the malware's configuration. This identifier serves as a system-wide lock for process management.

Anti-Sandboxing

Question 03: PureLogs includes several anti-analysis checks before proceeding with execution. One of them specifically targets a well-known sandboxing tool. What process name does PureLogs check for to detect this sandbox?

Modern malware analysis relies heavily on automated sandboxes that execute suspicious samples in isolated, monitored environments. PureLogs implements detection routines to identify these environments and terminate before exhibiting any malicious behavior. After locating the detection routine in the relevant class, it becomes clear that if the target process is found running, the malware exits immediately, so no behavioral log or artifact is generated inside the sandbox.

Note: When submitting your solution, the correct answer should be written in full as: processName.exe

Anti-debugging

Question 04: PureLogs avoids external analysis by querying a debugger-related state via a process handle. What Windows API function is used for this check?
PureLogs implements multiple anti-debugging checks to detect reverse-engineering attempts. One of them queries the debugger state of the process through a process handle: the API takes the handle and reports, as a Boolean, whether a debugger is attached to that process. When the check succeeds, PureLogs terminates or alters its behavior, which obstructs dynamic analysis and prolongs its stealth on compromised systems.

Registry Execution Prevention

Question 05: PureLogs checks a specific registry key to know if it has already run on the system before. What is the full path of that registry key?

The malware uses a registry key as a "has already run" marker (the mutex, not the registry, is what stops two copies from running at the same time). It first checks whether the configuration flag in GClass4.string_18 is enabled; if so, it looks for a key under HKEY_CURRENT_USER\Software\ whose name is stored in GClass4.string_19. If the key exists, the sample has already executed on this host and the process exits immediately. If the key does not exist, execution continues.

Process Masquerading

Question 06: PureLogs modifies its process name and command-line to appear as a legitimate Windows process. What process name does it use to masquerade as a trusted system process?

Process masquerading is a defense-evasion technique in which malware presents itself as a legitimate system process to avoid scrutiny from security software and administrators. PureLogs first checks, via Class13.smethod_0(), whether it is running with the required privileges and in the expected process context. If that check fails, it calls Class12.smethod_4() with the path of a legitimate Windows executable and injects into (or replaces) that process, hiding the stealer inside a trusted process image. After the injection it runs cleanup in Class13.smethod_2() and terminates the current process.

Anti-VM and Anti-Analysis Techniques

The malware implements multiple detection methods to identify virtual machines and analysis environments, allowing it to evade security researchers and sandboxes.

Virtual Machine Detection

The malware searches for VM-specific artifacts across several system components.

Hypervisor indicators:
- VMware products: vmware, vmbox, VMXh
- VirtualBox: virtualbox, vbox, innotek gmbh
- KVM, Xen, Hyper-V, QEMU, VirtualPC
- Parallels, Fusion, Proxmox, ESXi, vSphere

Virtualization software: ThinApp, TPVCGateway, TPAutoConnSvc

Analysis Tools Detection

The malware scans for common debugging and network analysis tools to avoid running in monitored environments:
- Debuggers: x32dbg, x64dbg, WinDbg, OllyDbg, dnSpy, IDA Pro, IDA64, Immunity Debugger, HyperDbg
- Process monitors: Process Monitor, Process Hacker, Cheat Engine
- Network analysis: Wireshark, Fiddler, Charles, Burp Suite, mitmproxy, OWASP ZAP, Proxyman, HTTPDebugger
- Hex editors: HxD

Sandbox Environment Detection

The malware checks for indicators commonly found in malware analysis sandboxes:

1. Screen resolution checks. Common sandbox configurations use specific resolutions: 1280×1024, 1280×720, 1024×768.
2. Execution path analysis: running from the C:\ root directory, running from a temporary directory, or an executable name longer than 11 characters.
3. Known sandbox usernames. The malware carries an extensive list of default usernames found in automated analysis environments: WALKER, JOHN-PC, Abby, Bruno, george, M0S2hGyR, Frank, verzulli, azure, Harry Johnson, dekker, and many more.

Any single match causes the sample to exit, so an analysis VM needs a non-default username, a non-standard resolution, and a short sample name placed outside C:\ and the temp directories before the stealer will run.

Question 07: What WMI class does PureLogs query to retrieve the system's manufacturer and model?

The query runs against the root\CIMV2 namespace in the form SELECT * FROM <WMI_Class>.

UAC Bypass and Privilege Escalation

The malware uses the Windows COM elevation moniker technique in smethod_1(). It builds an elevation moniker string in a specific format around a CLSID and passes it to the Windows CoGetObject function, which instantiates the COM object in an elevated context. The CLSIDs involved belong to Windows components that are allowed to auto-elevate without a UAC prompt; that silent elevation is only granted to callers that look like trusted Windows binaries, which is why the process-masquerading step above matters.

Key COM CLSIDs:
- 6EDD6D74-C007-4E75-B76A-E5740995E24C
- 3E5FC7F9-9A51-4367-9063-A120244FBEC7

Question 08: PureLogs uses a trick to bypass the "Run as Administrator" (UAC) prompt by starting a special COM object. What exact string does it add before the COM CLSID to request an elevated instance?
Credential Harvesting (Applications)

The malware implements targeted credential theft from popular applications and runs the individual theft routines in parallel to finish quickly.

Multi-Application Targeting

The smethod_0() function orchestrates credential harvesting based on configuration flags stored in GClass4. It builds a list of theft operations dynamically and executes them in parallel with Parallel.ForEach, using a configurable thread limit.

The malware targets four applications:
- FileZilla (FTP client): extracts server credentials from the `recentservers.xml` configuration file
- Telegram (messaging): steals session data and authentication tokens
- Steam (gaming platform): harvests account credentials and session information
- Discord (communication): extracts tokens from the application's local storage database

Discord Token Extraction

The Discord routine (smethod_2()) targets the application's LevelDB local storage in %AppData%\discord\Local Storage\leveldb. The malware:

1. Iterates through all .ldb database files in the directory
2. Searches for encrypted Discord authentication tokens using the regex pattern `dQw4w9WgXcQ:[^\"]*`
3. Base64-decodes the token when a match is found
4. Retrieves the master encryption key using Class7.smethod_19() to decrypt the protected token

Data Exfiltration & C2 Communications

The malware implements comprehensive system reconnaissance and data exfiltration through the `smethod_0()` function, which collects detailed victim information.

System Information Collection

The malware gathers extensive hardware and software details from the infected machine:
- User identification: username (GClass0.GClass1.smethod_1()) and domain name
- Hardware specifications: GPU model, CPU information, RAM capacity
- System configuration: Windows version, system architecture (32/64-bit), screen resolution
- Security software: installed antivirus products
- Timestamp: current date and time of infection

Geographic and Network Data

The malware queries a geolocation service to determine the victim's location and network details, including country, city, region, ZIP code, public IP address, and timezone.

Question 10: What regex pattern does PureLogs use to find Steam session tokens?

Hint: Search for "steam" references inside the `Class5` class to identify the regex pattern used for extracting Steam session tokens.

Question 11: PureLogs adds a unique tag to the stolen data before sending it to the attacker. What is the exact string it adds to identify this specific build of the malware?

Hint: You will find it in the GClass4 class.
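Returning to the Discord extraction steps above: they can be reproduced off the victim machine once the .ldb files and the os_crypt master key are in hand. The following Python is an added example written for this walkthrough, not code from the sample or from the page. It applies the page's regex to a constructed .ldb fragment, base64-decodes the match, and splits it into the fields an AES-GCM decryption needs. The 3-byte version tag plus 12-byte nonce layout and the AES-256-GCM step are standard Chromium os_crypt behaviour on Windows and are an assumption here (the page only says the master key is fetched by Class7.smethod_19()); obtaining that key from the DPAPI-protected `os_crypt.encrypted_key` in Discord's Local State is not implemented, so `decrypt_token` takes the key as a parameter.

```python
import base64
import re

# Regex from the decompiled sample (the page gives it as dQw4w9WgXcQ:[^\"]*),
# compiled against bytes because .ldb files are binary.
TOKEN_RE = re.compile(rb'dQw4w9WgXcQ:[^"]*')
PREFIX = b"dQw4w9WgXcQ:"


def find_encrypted_tokens(ldb_bytes: bytes) -> list[bytes]:
    """Return the base64 text that follows the prefix for every match in one .ldb file."""
    return [m[len(PREFIX):] for m in TOKEN_RE.findall(ldb_bytes)]


def parse_token(b64_blob: bytes) -> dict:
    """Split a decoded token into the fields AES-GCM decryption needs.

    Assumed layout (standard Chromium os_crypt on Windows; not stated on the page):
    3-byte version tag "v10"/"v11", 12-byte GCM nonce, then ciphertext || 16-byte tag.
    """
    raw = base64.b64decode(b64_blob, validate=True)
    version = raw[:3]
    if version not in (b"v10", b"v11"):
        raise ValueError(f"unexpected version tag {version!r}")
    if len(raw) < 3 + 12 + 16:
        raise ValueError("blob too short to hold a nonce and a GCM tag")
    return {"version": version.decode(), "nonce": raw[3:15], "ciphertext": raw[15:]}


def decrypt_token(b64_blob: bytes, master_key: bytes) -> str:
    """Decrypt with the 32-byte os_crypt master key (AES-256-GCM, no associated data).

    Needs the third-party 'cryptography' package; imported lazily so the parsing
    above runs with the standard library alone.
    """
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM

    parts = parse_token(b64_blob)
    return AESGCM(master_key).decrypt(parts["nonce"], parts["ciphertext"], None).decode()


# Constructed .ldb fragment: binary noise around one JSON-style "token" value.
# The nonce/ciphertext bytes are made up; they are not a real Discord token.
_FAKE_ENCRYPTED = b"v10" + bytes(range(12)) + bytes(36)
SAMPLE_LDB = (
    b"\x00\x01\x02_ldb_noise_" + b'"token":"' + PREFIX
    + base64.b64encode(_FAKE_ENCRYPTED) + b'"' + b"\x7f more noise \x00"
)


def demo() -> dict:
    """Run the regex + decode + split pipeline over the constructed fragment."""
    blobs = find_encrypted_tokens(SAMPLE_LDB)
    return {"count": len(blobs), **parse_token(blobs[0])}


if __name__ == "__main__":
    result = demo()
    print(result["count"], result["version"], result["nonce"].hex(), len(result["ciphertext"]))
```

The `[^"]*` tail of the page's regex simply runs to the next double quote, which is why the match captures the whole base64 value from the JSON-like record; `validate=True` then rejects anything that is not clean base64 before the version check.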
Location Identification

The malware implements geographic filtering to avoid infecting systems in specific regions, most likely to reduce attention from local law enforcement. The smethod_0() function performs location checks to determine whether the victim is located in a Commonwealth of Independent States (CIS) country or a Russian-speaking region. It queries multiple data points for an accurate fix and compares the two-letter ISO country code against the following nations:

- RU: Russia
- AZ: Azerbaijan
- AM: Armenia
- BY: Belarus
- KZ: Kazakhstan
- KG: Kyrgyzstan
- MD: Moldova
- TJ: Tajikistan
- TM: Turkmenistan
- UZ: Uzbekistan

Command and Control (C2) Communication

Question 12: What port number does PureLogs use to communicate with its Command and Control (C2) server?

Analysis of the network code reveals a TCP client implementation in which the C2 IP address and port number are stored as hardcoded strings.

AES Encryption

AES (Advanced Encryption Standard) is a symmetric cipher: the same key is used to encrypt and to decrypt.

AES Modes of Operation

AES only ever processes one 128-bit block at a time. To encrypt a longer message, a mode of operation such as CBC defines how successive blocks are chained together.

Question 13: What mode of AES does PureLogs use to encrypt stolen data?
The decompiled encryption routine (identifiers renamed for readability):

```csharp
using System.IO;
using System.Security.Cryptography;

internal static byte[] Encrypt(byte[] plainBytes, byte[] passwordBytes)
{
    byte[] encryptedBytes = null;
    // Fixed, hardcoded 16-byte PBKDF2 salt
    byte[] salt = new byte[] { 117, 45, 158, 253, 184, 172, 96, 158, 239, 125, 30, 70, 145, 225, 3, 161 };
    using (MemoryStream ms = new MemoryStream())
    {
        using (RijndaelManaged aes = new RijndaelManaged())   // Rijndael with a 128-bit block is AES
        {
            aes.KeySize = 256;
            aes.BlockSize = 128;
            // PBKDF2 (HMAC-SHA1 for this overload), 1000 iterations
            Rfc2898DeriveBytes keyGen = new Rfc2898DeriveBytes(passwordBytes, salt, 1000);
            aes.Key = keyGen.GetBytes(aes.KeySize / 8);    // first 32 bytes of the PBKDF2 stream
            aes.IV = keyGen.GetBytes(aes.BlockSize / 8);   // next 16 bytes: the IV is derived, not random
            aes.Mode = CipherMode.CBC;                     // decompiles as rijndaelManaged.Mode = 1
            using (CryptoStream cs = new CryptoStream(ms, aes.CreateEncryptor(), CryptoStreamMode.Write))
            {
                cs.Write(plainBytes, 0, plainBytes.Length);
                cs.Close();   // flushes the final PKCS7-padded block
            }
            encryptedBytes = ms.ToArray();
        }
    }
    return encryptedBytes;
}
```

Why It's CBC Mode

In the raw decompilation the encryption function sets:

rijndaelManaged.Mode = 1;

The value 1 is CipherMode.CBC in the `CipherMode` enumeration (CBC = 1, ECB = 2, OFB = 3, CFB = 4, CTS = 5).

Question 14: What is the length (in bytes) of the derived Initialization Vector (IV) used in the encryption?

Hint: The block size is the default 128 bits, so just do: 128 / 8 = Answer. That is what `GetBytes(aes.BlockSize / 8)` requests: one 16-byte AES block.

Question 15: What algorithm is used to derive the AES key and IV from the SHA-512 hash in PureLogs?

Based on this line:

Rfc2898DeriveBytes keyGen = new Rfc2898DeriveBytes(passwordBytes, salt, 1000);

In .NET, the class **Rfc2898DeriveBytes** is **Microsoft's implementation of the PBKDF2 algorithm**. Its name comes from the standard that defines PBKDF2: RFC 2898, "PKCS #5: Password-Based Cryptography Specification Version 2.0". Whenever you see this class, you can conclude that the program is using PBKDF2.

Two details matter for anyone writing a decryptor. First, Rfc2898DeriveBytes is a stream: the second GetBytes() call continues where the first stopped, so key and IV are simply the first 48 bytes of one PBKDF2-HMAC-SHA1 run with 1000 iterations. Second, because the salt is fixed and the IV is derived from the password rather than generated at random, every blob encrypted under the same password shares the same key and IV, so CBC leaks equal plaintext prefixes across blobs, and anyone who recovers the password bytes (the SHA-512 hash named in the question) can decrypt all captured traffic.
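Putting Questions 13 to 16 together, here is an added Python reconstruction of the key schedule (written for this walkthrough, not code from the page or the sample). It reproduces the two sequential GetBytes() calls with a single PBKDF2-HMAC-SHA1 run, shows that the IV is a deterministic function of the password, exposes the fixed salt in the 0x-hex form the next question asks for, and supplies a decryptor for blobs produced by Encrypt(). The AES step needs the third-party `cryptography` package; the derivation uses only the standard library. How the SHA-512 password bytes are produced is not stated on the page, so `password_from_secret` is an assumed placeholder.

```python
import hashlib

# Constants taken from the decompiled Encrypt() routine above.
SALT = bytes([117, 45, 158, 253, 184, 172, 96, 158, 239, 125, 30, 70, 145, 225, 3, 161])
ITERATIONS = 1000
KEY_LEN = 32   # aes.KeySize / 8  -> AES-256
IV_LEN = 16    # aes.BlockSize / 8 -> one 128-bit block


def salt_hex() -> str:
    """Fixed PBKDF2 salt as 0x-prefixed hex."""
    return "0x" + SALT.hex()


def derive_key_iv(password_bytes: bytes) -> tuple[bytes, bytes]:
    """Mirror Rfc2898DeriveBytes(password, salt, 1000): GetBytes(32) then GetBytes(16).

    Rfc2898DeriveBytes is a stream, so the second GetBytes() continues where the
    first stopped; key||iv is therefore the first 48 bytes of one PBKDF2 run.
    This constructor overload uses HMAC-SHA1 as the PRF.
    """
    stream = hashlib.pbkdf2_hmac("sha1", password_bytes, SALT, ITERATIONS, KEY_LEN + IV_LEN)
    return stream[:KEY_LEN], stream[KEY_LEN:]


def password_from_secret(secret: bytes) -> bytes:
    """Question 15 says the PBKDF2 password is a SHA-512 hash; what gets hashed is
    not on the page, so this is an assumed placeholder for the real routine."""
    return hashlib.sha512(secret).digest()


def decrypt_blob(ciphertext: bytes, password_bytes: bytes) -> bytes:
    """Invert Encrypt(): AES-256-CBC with PKCS7 padding (the .NET default).

    Requires the third-party 'cryptography' package; imported lazily so the
    derivation functions above run with the standard library alone.
    """
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    key, iv = derive_key_iv(password_bytes)
    decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


if __name__ == "__main__":
    # Constructed input: any secret will do to show the shape of the schedule.
    pw = password_from_secret(b"example-secret")
    key, iv = derive_key_iv(pw)
    print("salt:", salt_hex())
    print("key :", key.hex())
    print("iv  :", iv.hex())
    # Same password -> same key and IV for every blob, which is the CBC weakness to note.
    assert derive_key_iv(pw) == (key, iv)
```

To recover real exfiltrated data, feed `decrypt_blob` the captured ciphertext and the same password bytes the sample passes to Encrypt(); with the fixed salt there is nothing per-message to recover first.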
Question 16: What fixed salt value is used in the PBKDF2 function in PureLogs (in hex, starting with 0x)?

Hint: You will find an array containing the data in decimal format. Convert it to hex and prefix it with 0x.

Self Deletion

The malware implements a self-deletion mechanism to remove its executable from the infected system after it has finished. It launches a hidden cmd.exe with the following command line:

cmd.exe /C choice /C Y /N /D Y /T 3 & Del "<path to the running executable>"

1. `/C` (to cmd.exe): run the command string and then exit
2. `choice /C Y /N /D Y /T 3`: wait 3 seconds before proceeding
   - `/C Y`: accept only 'Y' as valid input
   - `/N`: hide the choice list
   - `/D Y`: default choice after the timeout
   - `/T 3`: timeout in seconds
3. `&`: command separator; the next command runs regardless of the first one's result
4. `Del "<path>"`: delete the malware executable

The delay exists because Windows will not delete an executable while the process that loaded it is still running; by the time `choice` times out, the stealer has called Environment.Exit(0) and released its file lock.

```csharp
using System;
using System.Diagnostics;
using System.Reflection;

internal static void smethod_2()
{
    try
    {
        // cmd.exe /C choice /C Y /N /D Y /T 3 & Del "<own path>"
        // choice blocks for 3 seconds so this process has exited before del runs;
        // the window is hidden from the user.
        Process.Start(new ProcessStartInfo
        {
            Arguments = "/C choice /C Y /N /D Y /T 3 & Del \"" + Assembly.GetExecutingAssembly().Location + "\"",
            WindowStyle = ProcessWindowStyle.Hidden,
            CreateNoWindow = true,
            FileName = "cmd.exe"
        });
        Environment.Exit(0);
    }
    catch
    {
        Environment.Exit(0);   // exit even if cmd.exe could not be launched
    }
}
```

Conclusion

PureLogs Stealer is a modular information stealer that integrates multi-layered .NET obfuscation, AES-256 encryption, and extensive anti-analysis features. Its CBC-mode encryption with PBKDF2 key derivation keeps exfiltrated data opaque on the wire, although the fixed salt and password-derived IV mean every blob under one password shares the same key and IV, while its evasion mechanisms hinder dynamic and sandboxed examination. The sample reflects the growing sophistication of commodity stealers, combining C2 resilience with layered evasion, and underlines the need for proactive detection engineering and tool-assisted malware analysis workflows.
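As a closing example for the self-deletion routine above: the cmd.exe command line it spawns is a clean telemetry signal, because the process doing the deleting is a child of the file it deletes. The Python below is added for this walkthrough (not part of the page or the sample). It runs a check over constructed records in the shape of Sysmon Event ID 1 fields: cmd.exe deleting its own ParentImage is reported as a self-delete, and, going beyond the page, the `timeout` and `ping` delay variants used by other stealers are caught as well, with delayed deletes of other files reported separately for triage.

```python
import ntpath
import re

# Constructed process-creation events (Sysmon Event ID 1 field names). Paths are made up.
EVENTS = [
    {   # the PureLogs pattern: choice-based delay, then del of the parent's image
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Users\victim\AppData\Local\Temp\update.exe",
        "CommandLine": r'cmd.exe /C choice /C Y /N /D Y /T 3 & Del "C:\Users\victim\AppData\Local\Temp\update.exe"',
    },
    {   # same delay trick but deleting an unrelated file: suspicious, not a self-delete
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'cmd.exe /C choice /C Y /N /D Y /T 3 & del "C:\Temp\build.log"',
    },
    {   # ping-based delay variant (generalisation beyond the page)
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Users\victim\Downloads\setup.exe",
        "CommandLine": r'cmd.exe /c ping 127.0.0.1 -n 4 > nul & del /f "C:\Users\victim\Downloads\setup.exe"',
    },
    {   # benign
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd.exe /c dir",
    },
]

# A delay primitive in the same command line: choice with /T, timeout, or ping -n.
DELAY_RE = re.compile(r"\b(?:choice\b.*/T\s*\d+|timeout\b|ping\b.*-n\s*\d+)", re.I)
# del/erase, optional switches, then a (possibly quoted) path up to the next separator.
DEL_RE = re.compile(r'\b(?:del|erase)\b(?:\s+/\S+)*\s+"?([^"&]+?)"?\s*(?:&|\||$)', re.I)


def classify(event: dict) -> str:
    """Return 'self-delete', 'delayed-delete' or 'none' for one process-creation event."""
    if ntpath.basename(event["Image"]).lower() != "cmd.exe":
        return "none"
    cmd = event["CommandLine"]
    m = DEL_RE.search(cmd)
    if not m:
        return "none"
    target = ntpath.normcase(m.group(1).strip())      # lower-case, backslash-normalised
    parent = ntpath.normcase(event["ParentImage"])
    if target == parent:
        return "self-delete"
    if DELAY_RE.search(cmd):
        return "delayed-delete"
    return "none"


def scan(events) -> list[tuple[int, str]]:
    """Index and verdict for every event that is not 'none'."""
    return [(i, v) for i, e in enumerate(events) if (v := classify(e)) != "none"]


if __name__ == "__main__":
    for idx, verdict in scan(EVENTS):
        print(f"event {idx}: {verdict} <- {EVENTS[idx]['CommandLine']}")
```

Comparing the `del` target against ParentImage rather than just matching the `choice ... /T` string keeps the rule robust to cosmetic changes in the delay command, and `ntpath.normcase` makes the comparison work on a Linux analysis box as well as on Windows.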