Pure Logs Stealer Fails to Impress

Pure Logs Stealer is a .NET stealer distributed by PureCoder that collects system info, browser credentials (including encrypted mnemonics), Discord tokens, and other application data, then encrypts and sends it to a C2 via a TCP socket. The tool is obfuscated with Eazfuscator.NET, packaged with Pure Crypter, uses registry run keys for persistence, and transmits data encrypted with 3DES. #PureLogsStealer #PureCrypter

Keypoints

  • Pure Logs Stealer is a 64-bit .NET stealer obfuscated with Eazfuscator.NET and commonly distributed crypted by Pure Crypter.
  • Persistence is implemented via Registry Run Keys (T1547.001) and the sample can self-delete using a PowerShell command.
  • The stealer enumerates system info via WMI (win32_operatingsystem, Win32_Processor, Win32_VideoController, etc.) and builds an MD5-based HWID from processor/BIOS values.
  • It collects screenshots, clipboard contents, Windows product key, and data from many apps including Chromium- and Gecko-based browsers (logins.json), Discord local storage tokens, crypto-wallet extensions, and various application files.
  • Collected data is compressed and encrypted with 3DES (key derived from an MD5 of a supplied string) and sent over a TCP socket to C2 (default port 7702); the stealer sends the entire payload at once, making exfiltration fragile.
  • Several features (file grabber, loader, anti-VM, etc.) are present but reported as unreliable in current builds; sample Yara and Sigma rules and payload hashes are published.

MITRE Techniques

  • [T1547.001] Registry Run Keys – Adds persistence via registry run keys (‘The persistence is added via Registry Run Keys (T1547.001)’).
  • [T1059.003] PowerShell – Uses PowerShell to self-delete the payload (‘powershell Start-Sleep -Seconds 10; Remove-Item -Path '""' -Force’).
  • [T1047] Windows Management Instrumentation – Gathers host and OS information using WMI queries (‘SELECT * FROM win32_operatingsystem’).
  • [T1082] System Information Discovery – Collects OS version, username, machine name, AV products, RAM, GPU and BIOS details (‘gets the host information, including the version of the OS, via WMI’).
  • [T1113] Screen Capture – Captures a screenshot of the primary display and converts it to JPEG bytes (‘captures a screenshot of the entire primary display screen of the infected host’).
  • [T1115] Clipboard Data – Reads clipboard contents from the host (‘The method below gets the content of the clipboard.’).
  • [T1555.003] Credentials from Web Browsers – Extracts saved logins and encrypted mnemonics from Chromium and Gecko storages (e.g., ‘accesses file logins.json’ and reads ‘encrypted_mnemonic’).
  • [T1005] Data from Local System – Implements a file grabber and loader to collect local files and application data (‘file grabber’ and lists of applications and files collected).
  • [T1027] Obfuscated Files or Information – Uses Eazfuscator.NET to obfuscate the .NET assembly (‘Eazfuscator.NET, which obviously is a .NET obfuscator’).
  • [T1041] Exfiltration Over C2 Channel – Sends compressed, 3DES-encrypted data via a TCP socket to a C2 server (default port 7702) (‘The stealer uses a Socket for TCP/IP communication… default port for communication is 7702’).

Indicators of Compromise

  • [File Hashes] Stealer payload samples – 2b84f504b2b8389d28f2a8179a8369fc511391e7331f852aaf3a6a2f26a79ee4, 8543ea15813ea170dd0538d7cd629f451ceb7e18b07c4db1cdbce5e089b227d4
  • [Filenames] Dropped/collected files – sqlite.interop.dll (dependency), logins.json (Firefox/Gecko credentials), and App_Windows Serial Key.txt (Windows product key)
  • [Registry Paths] Persistence and credential locations – HKU:\Software subkey with HWID; Outlook profile keys under Software\Microsoft\Office\…\Outlook\9375CFF0413111d3B88A00104B2A6676 (multiple Office versions)
  • [Network] C2 communication – default TCP port 7702 (uses custom socket communication and sends data size before payload)
  • [URLs/Rules] Detection resources and analysis links – https://github.com/RussianPanda95/Yara-Rules/…purelogs_stealer.yar, https://github.com/RussianPanda95/Sigma-Rules/…purelogs_stealer_dll_creation.yaml (analysis and rules)

Pure Logs Stealer is delivered as a 64-bit .NET binary obfuscated with Eazfuscator.NET and often wrapped with the vendor’s Pure Crypter. On execution it creates a TEMP folder (e.g., %TEMP%\Costura…) and drops dependencies such as sqlite.interop.dll, then loads C2 and build parameters from the crypter arguments. The main payload performs extensive system and application enumeration using WMI queries (e.g., SELECT * FROM win32_operatingsystem, Win32_Processor, Win32_VideoController) to collect OS version, BIOS/CPU identifiers (used to derive an MD5 HWID), GPU and memory details, and enumerates many application directories for browser profiles, crypto-wallet extensions, and other apps.

For credential and data collection, the stealer reads browser user data (Chromium user data paths and Gecko files like logins.json), extracts encrypted fields such as encrypted_mnemonic, pulls Discord local storage (leveldb) to locate tokens, and collects application-specific files (FileZilla, WinSCP, Telegram, OpenVPN, ProtonVPN, etc.). It also captures screen images (primary display to JPEG byte arrays), reads clipboard contents, and extracts the Windows DigitalProductId from SOFTWARE\Microsoft\Windows NT\CurrentVersion to save the product key.

Collected data is compressed and encrypted with 3DES using a key derived from the MD5 hash of a supplied string, then exfiltrated over a TCP socket to the C2 (default port 7702); the stealer first sends the data size and then transmits the entire payload in one block, which can cause total data loss if the connection drops. The sample supports registry-run persistence and a PowerShell self-delete routine, and the analysis post provides a Python 3DES decryptor/decompressor example for analysts to decode traffic; several advertised features (anti-VM, file grabber/loader) are reported as unreliable in current builds.
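The behaviours summarised above (sqlite.interop.dll dropped under %TEMP%\Costura…, a Run-key write, a TCP connection to port 7702, and the Start-Sleep/Remove-Item self-delete) can be turned into host-side detection logic. The script below is an added example written for this summary, not code from the analysis or the published rules; the Sysmon-style field names and the sample events are constructed, and it requires two distinct traits on the same process before alerting, since a port number or DLL name alone is weak evidence.

```python
import re

# Traits taken from the summary; the Costura sub-folder name is allowed to vary.
DEP_DLL = "sqlite.interop.dll"
TEMP_COSTURA = re.compile(r"\\AppData\\Local\\Temp\\Costura[^\\]*\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
SELF_DELETE = re.compile(r"Start-Sleep\s+-Seconds\s+\d+\s*;\s*Remove-Item", re.IGNORECASE)
C2_PORT = 7702

def score_event(ev):
    """Return (tag, detail) when a single event matches one stealer trait, else None."""
    kind = ev.get("EventType")
    if kind == "FileCreate":
        path = ev.get("TargetFilename", "")
        if path.lower().endswith(DEP_DLL) and TEMP_COSTURA.search(path):
            return ("costura_dependency_drop", path)
    elif kind == "RegistryValueSet":
        if RUN_KEY.search(ev.get("TargetObject", "")):
            return ("run_key_persistence", ev["TargetObject"])
    elif kind == "NetworkConnect":
        if ev.get("Protocol") == "tcp" and ev.get("DestinationPort") == C2_PORT:
            return ("c2_port_7702", f"{ev.get('DestinationIp')}:{C2_PORT}")
    elif kind == "ProcessCreate":
        if SELF_DELETE.search(ev.get("CommandLine", "")):
            return ("powershell_self_delete", ev["CommandLine"])
    return None

def correlate(events):
    """Group trait hits by ProcessId; report only processes showing two or more traits."""
    hits = {}
    for ev in events:
        hit = score_event(ev)
        if hit:
            hits.setdefault(ev.get("ProcessId"), {})[hit[0]] = hit[1]
    return {pid: tags for pid, tags in hits.items() if len(tags) >= 2}

# Constructed sample telemetry (hypothetical pids, paths and IPs, not from the real sample):
# pid 4242 shows the full chain, pid 9001 is benign noise that must not alert.
SAMPLE_EVENTS = [
    {"EventType": "FileCreate", "ProcessId": 4242,
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\Costura\A1B2C3\64\sqlite.interop.dll"},
    {"EventType": "RegistryValueSet", "ProcessId": 4242,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventType": "NetworkConnect", "ProcessId": 4242, "Protocol": "tcp",
     "DestinationIp": "203.0.113.10", "DestinationPort": 7702},
    {"EventType": "ProcessCreate", "ProcessId": 4243,
     "CommandLine": 'powershell Start-Sleep -Seconds 10; Remove-Item -Path "C:\\Users\\bob\\x.exe" -Force'},
    {"EventType": "NetworkConnect", "ProcessId": 9001, "Protocol": "tcp",
     "DestinationIp": "198.51.100.5", "DestinationPort": 7702},
]
```

Running `correlate(SAMPLE_EVENTS)` flags only pid 4242 with three traits; the lone port-7702 connection from pid 9001 and the separate self-delete process stay below the threshold.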

Read more: https://russianpanda95.github.io/2023/12/26/Pure-Logs-Stealer-Malware-Analysis/