PureLogs Forensics

I analyzed some PureLogs Stealer malware infections this morning and found some interesting behavior and artifacts that I want to share.

PureLogs infections sometimes start with a dropper/downloader that retrieves a .pdf file from a legitimate website. The dropper I will demo here downloaded this file:

hxxps://www.vastkupan[.]com/wp-admin/js/Daupinslenj.pdf

This file isn’t really a PDF though, but more on that later. Here’s a CapLoader screenshot with some interesting flows from the infection:

Flows from PureLogs infection in CapLoader

The PCAP in the screenshot above comes from a sandbox execution on any.run of a file called BSN100357-HHGBM100002525.exe.

Here’s a breakdown of what happens behind the scenes in this execution:

  1. Dropper connects to www.vastkupan[.]com (DNS and TLS flows).
  2. A fake PDF (Daupinslenj.pdf) is downloaded over HTTPS.
  3. The fake PDF is decrypted to a DLL (PureLogs), which is stored in memory.
  4. InstallUtil.exe is started.
  5. The PureLogs DLL is injected into the running InstallUtil process.
  6. PureLogs connects to the C2 server at 91.92.120.101:65535.

The same dropper has also been run on JoeSandbox, with almost identical behavior. The vastkupan.com website belongs to a legitimate company (Västkupan Fastigheter).

The PDF that Wasn’t

This is what the downloaded “PDF” looks like:

Hex view of Daupinslenj.pdf

So, what’s up with all that “171171” data? Let’s XOR with “711” and see what we get.

Hex view of decrypted Daupinslenj.pdf

The downloaded PDF turns out to be a .NET DLL file with MD5 38d29f5ac47583f39a2ff5dc1c366f7d. This is the file that was injected into the otherwise legitimate InstallUtil process. Some PureLogs droppers use RegAsm.exe instead of InstallUtil though (see JoeSandbox and any.run).
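The decryption step above, as an added example (not code from the original post): a repeating 3-byte XOR key like "711" leaks itself wherever the plaintext is 0x00, since 0x00 XOR k = k, which is why the PE header padding shows up as repeating "711"/"171" text in the hex view. The script below recovers the key from that property, decrypts, and sanity-checks for a PE image. The key length (3) is taken from the visible repeat; the input blob is constructed here from a minimal PE skeleton, not the real payload.

```python
from collections import Counter
from itertools import cycle


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (symmetric: same call encrypts and decrypts)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(data: bytes, key_len: int) -> bytes:
    """Recover a repeating XOR key of known length from a blob whose plaintext is
    dominated by 0x00 (PE headers, alignment padding). Null bytes XOR to the key
    byte itself, so the most common byte at each key offset is that key byte."""
    return bytes(Counter(data[i::key_len]).most_common(1)[0][0] for i in range(key_len))


def looks_like_pe(data: bytes) -> bool:
    """Minimal PE check: 'MZ' magic and a 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_sample() -> bytes:
    """Constructed stand-in for the decrypted DLL: an MZ/PE skeleton with the
    null-heavy layout that leaks the key. Not the real PureLogs payload."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    img[0x3C:0x40] = (0x80).to_bytes(4, "little")          # e_lfanew -> PE header
    img[0x4E:0x75] = b"This program cannot be run in DOS mode."
    img[0x80:0x84] = b"PE\x00\x00"
    return bytes(img)


# Constructed "fake PDF": the skeleton encrypted with the key seen in the post.
FAKE_PDF = xor_with_key(build_sample(), b"711")


def analyse(blob: bytes, key_len: int = 3) -> tuple[bytes, bytes, bool]:
    """Recover the key, decrypt, and report whether the result is a PE image."""
    key = recover_key(blob, key_len)
    plain = xor_with_key(blob, key)
    return key, plain, looks_like_pe(plain)


if __name__ == "__main__":
    key, plain, is_pe = analyse(FAKE_PDF)
    print(f"key={key!r} pe={is_pe} head={plain[:2]!r}")
```

On a real capture, read the downloaded file's bytes in place of FAKE_PDF; if the recovered key does not yield an MZ header, the key length guess is the first thing to revisit.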

IOC List

Droppers (MD5):

  • 711d9cbf1b1c77de45c4f1b1a82347e6
  • 6ff95e302e8374e4e1023fbec625f44b
  • e6d7bbc53b718217b2de1b43a9193786
  • a9bc0fad0b1a1d6931321bb5286bf6b7
  • 09bb5446ad9055b9a1cb449db99a7302

Dropper TLS handshake signatures:

  • JA3: 3b5074b1b5d032e5620f69f9f700ff0e
  • JA4: t12d210700_76e208dd3e22_2dae41c691ec

Payload URLs:

  • hxxps://www.vastkupan[.]com/wp-admin/js/Cicdwkknms.pdf
  • hxxps://www.vastkupan[.]com/wp-admin/js/Daupinslenj.pdf
  • hxxps://www.new.eventawardsrussia[.]com/wp-includes/Ypeyqku.pdf

Payloads (MD5):

  • ab250bb831a9715a47610f89d0998f86 (Cicdwkknms.pdf)
  • cec53e8df6c115eb7494c9ad7d2963d4 (Daupinslenj.pdf)
  • eedc8bb54465bd6720f28b41f7a2acf6 (Ypeyqku.pdf)

Decrypted payloads:

  • MD5: 38d29f5ac47583f39a2ff5dc1c366f7d
  • SHA1: fc8b0ee149027c4c02f7d44cc06cade3222bb6b6
  • SHA256: 8d7729ca0b25a677287076b4461304a21813e6f15053e190975512e58754988f

PureLogs C2:

  • 91.92.120.101:62520 (old)
  • 91.92.120.101:65535 (new)

Posted by Erik Hjelmvik on Wednesday, 02 July 2025 11:52:00 (UTC/GMT)

Tags: #PureLogs #3b5074b1b5d032e5620f69f9f700ff0e #JoeSandbox

Short URL: https://netresec.com/?b=257eead