MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05b636682bbe2b0798bf3bf5941fd038db982b8b194271e8935c202bc20c243e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 05b636682bbe2b0798bf3bf5941fd038db982b8b194271e8935c202bc20c243e
SHA3-384 hash: 480e62dd2de5d2965d78907a3176f5b1fa4e7d23f123028f09d2d4bb3c545cbe4e21ce35fe5458ecac7ab0d6d2c96caa
SHA1 hash: 63e6ff1edd9e0eb6550a37a9f7aa06e5aa153889
MD5 hash: a45e296431b54c2aec1fb7b2ea02629e
humanhash: glucose-mike-carolina-bacon
File name:tsetup-x64.6.1.3.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:15'003'950 bytes
First seen:2025-10-03 06:47:04 UTC
Last seen:2025-10-04 12:18:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 40ab50289f7ef5fae60801f88d4541fc (60 x ValleyRAT, 49 x Gh0stRAT, 41 x OffLoader)
ssdeep 393216:iA50wYCfKa8DjtLyxGjQ5wj7jFvAtEF1bwifZcT/x/oU7JIJA:b50wCa8DjdyxGc5wXZYe1kiq/oUVB
Threatray 913 similar samples on MalwareBazaar
TLSH T1F2E63317B2C7E43EE41E0B334976A01899F72A60A922ED6797E8C46CCF348611D3F756
TrID 60.0% (.EXE) Inno Setup installer (107240/4/30)
23.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
5.8% (.EXE) Win64 Executable (generic) (10522/11/4)
3.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:exe PureLogsStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
137
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe
Verdict:
Malicious activity
Analysis date:
2025-10-02 22:09:47 UTC
Tags:
auto redline stealer amadey botnet netsupport rmm-tool rdp remote loader arch-exec evasion tool generic vidar stealc possible-phishing autoit banker grandoreiro ms-smartcard purecrypter darkvision anti-evasion ransomware miner phishing winring0-sys vuln-driver gcleaner silentcryptominer rat njrat bladabindi
Link:
https://app.any.run/tasks/c2c87bd1-5333-4dd2-a202-3c50109aca2a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/29989/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68df7195c21e799f5cd48aab
Tags:
shellcode obfuscate asyncrat xtreme
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Restart of the analyzed sample
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Moving a file to the %temp% subdirectory
Launching a process
Loading a suspicious library
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context embarcadero_delphi evasive fingerprint installer obfuscated overlay packed packer_detected threat
Link:
https://www.filescan.io/uploads/68df71ccc564c8e81d0d237c/reports/b7561f66-4ba4-4bdf-bed8-abd3c002e701/overview
Verdict:
Malicious
Labled as:
Win32_TrojanDropper_Agent_TCM
Link:
https://www.hybrid-analysis.com/sample/05b636682bbe2b0798bf3bf5941fd038db982b8b194271e8935c202bc20c243e
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-02T12:41:00Z UTC
Last seen:
2025-10-04T10:14:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/05b636682bbe2b0798bf3bf5941fd038db982b8b194271e8935c202bc20c243e/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/862e1d20-d011-4984-b8e0-064614c9c31d
Result
Threat name:
PureCrypter, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
spyw.evad.troj
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1788554
Signature
Bypasses PowerShell execution policy
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal Bitcoin Wallet information
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1788554 Sample: tsetup-x64.6.1.3.exe Startdate: 03/10/2025 Architecture: WINDOWS Score: 100 79 Suricata IDS alerts for network traffic 2->79 81 Multi AV Scanner detection for dropped file 2->81 83 Multi AV Scanner detection for submitted file 2->83 85 4 other signatures 2->85 11 tsetup-x64.6.1.3.exe 2 2->11         started        14 regsvr32.exe 2->14         started        16 regsvr32.exe 2->16         started        process3 file4 57 C:\Users\user\...\tsetup-x64.6.1.3.tmp, PE32 11->57 dropped 18 tsetup-x64.6.1.3.tmp 3 5 11->18         started        22 regsvr32.exe 14->22         started        process5 file6 49 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 18->49 dropped 51 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 18->51 dropped 87 Multi AV Scanner detection for dropped file 18->87 24 tsetup-x64.6.1.3.exe 2 18->24         started        signatures7 process8 file9 55 C:\Users\user\...\tsetup-x64.6.1.3.tmp, PE32 24->55 dropped 27 tsetup-x64.6.1.3.tmp 5 11 24->27         started        process10 file11 59 C:\Users\user\AppData\...\is-PUV4J.tmp, PE32 27->59 dropped 61 C:\Users\user\...\eppplconfig.dll (copy), PE32 27->61 dropped 63 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 27->63 dropped 65 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 27->65 dropped 91 Multi AV Scanner detection for dropped file 27->91 93 Suspicious powershell command line found 27->93 95 Bypasses PowerShell execution policy 27->95 31 regsvr32.exe 1 3 27->31         started        35 powershell.exe 16 27->35         started        signatures12 process13 dnsIp14 67 27.124.10.44, 49720, 56001 BCPL-SGBGPNETGlobalASNSG Singapore 31->67 69 System process connects to network (likely due to code injection or exploit) 31->69 71 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 31->71 73 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 31->73 77 4 other signatures 31->77 38 powershell.exe 37 31->38         started        41 powershell.exe 31->41         started        53 C:\Users\user\...\f0A0_f0A07_f0A_v2.dll, PE32 35->53 dropped 75 Powershell drops PE file 35->75 43 conhost.exe 35->43         started        file15 signatures16 process17 signatures18 89 Loading BitLocker PowerShell Module 38->89 45 conhost.exe 38->45         started        47 conhost.exe 41->47         started        process19
Score:
85%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/05b636682bbe2b0798bf3bf5941fd038db982b8b194271e8935c202bc20c243e
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/05b636682bbe2b0798bf3bf5941fd038db982b8b194271e8935c202bc20c243e/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/05b636682bbe2b0798bf3bf5941fd038db982b8b194271e8935c202bc20c243e
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Suspicious
First seen:
2025-10-02 15:30:25 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aw3dm2blxyvqpgf7hp2zih6qhdnzqk4ldfbhd2etlqqcxqqmeq7a._file
Verdict:
malicious
Label(s):
katzstealer
Create hunting rule
purecrypter
Create hunting rule
Similar samples:
05b636682bbe2b0798bf3bf5941fd038db982b8b194271e8935c202bc20c243e
PureLogsStealer
0d40a18d67005a5ade12b5593df3cf9e7ae996bebedacad64de81de3ffb9821a
PureLogsStealer
9d842f5a96486c5f9606f15c6bbdce6b9729d0b80f86eca108dd5484ac31257b
PureLogsStealer
a785bb5943ae900656aec2cfca17124ce7292eb6d14be835c0f6461d90aee689
PureLogsStealer
b16b380f60786a78e3e8760f4a65e0906f744e43b2a04eead206596727443082
PureLogsStealer
cc3b5887e35bf3551e25c22cbefa4c51e6b14426094ec763661ef938f4023bf8
PureLogsStealer
error
PureLogsStealer
+ 903 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/251003-hk611atkt7/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c7797697-ee27-476c-87b7-3af8b4e344d1
Unpacked files
SH256 hash:
96a18e03947a55345f4acd1c4bab7e8b0c8fa79334ec934d44bd4c7100473966
MD5 hash:
29a88ea2408c28e5c4bdf9051912ccf6
SHA1 hash:
cf0aee7e0b82d67daff4056a1c27bccf3d299259
Link:
https://www.unpac.me/results/be20a552-44ad-44ed-b9fe-6387106377b3/
SH256 hash:
6d26c4eeefc17bad4152486c2c0c411b165b32d8c04f7b494f28eb0dcfc00835
MD5 hash:
af2142e8809bcc692509d83ba7dec1a1
SHA1 hash:
2ef4c7ca74a326c7b98ff83526333e9e443073e8
Link:
https://www.unpac.me/results/be20a552-44ad-44ed-b9fe-6387106377b3/
SH256 hash:
05b636682bbe2b0798bf3bf5941fd038db982b8b194271e8935c202bc20c243e
MD5 hash:
a45e296431b54c2aec1fb7b2ea02629e
SHA1 hash:
63e6ff1edd9e0eb6550a37a9f7aa06e5aa153889
Link:
https://www.unpac.me/results/be20a552-44ad-44ed-b9fe-6387106377b3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/05b636682bbe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/05b636682bbe2b0798bf3bf5941fd038db982b8b194271e8935c202bc20c243e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

Executable exe 05b636682bbe2b0798bf3bf5941fd038db982b8b194271e8935c202bc20c243e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3646427/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/29989/
  
URLhaus
https://urlhaus.abuse.ch/url/3646604/

Comments