MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fe4e0a7ee928ab312637f4734a3b66038f12fb48415e5675c345431fac3c021. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2fe4e0a7ee928ab312637f4734a3b66038f12fb48415e5675c345431fac3c021
SHA3-384 hash: 8f41914bfe83bc2058d2b42acf44abf778033f82f85eb35b738826537a958d59f395a07a725fb668e83ca89f6122b7b4
SHA1 hash: 4be467334357fec872b672107b0c8d6b42b2f7c3
MD5 hash: 21db01f68d130e526343b2680aeeec5c
humanhash: sixteen-arizona-failed-stream
File name:file
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:677'376 bytes
First seen:2025-10-17 04:00:56 UTC
Last seen:2025-11-14 00:19:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 70eaf5d3ee55868b76c2167983e53398 (1 x PureLogsStealer, 1 x CoinMiner)
ssdeep 12288:2e4CMeEufqpxlcLZVk1mJxP77wBsn5ddafwCoIWm1A:2evEoq3HIPWgxaYCo61A
Threatray 530 similar samples on MalwareBazaar
TLSH T1DDE41226CE45A062F5397130B94BAFE316B1EEC01859B6FF037852368F777960329D4A
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe PureLogsStealer


Avatar
Bitsight
url: http://178.16.55.189/files/8434554557/ckHhVTd.exe

Intelligence

File Origin
# of uploads :
50
# of downloads :
372
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2025-10-17 04:01:34 UTC
Tags:
stealer purecrypter
Link:
https://app.any.run/tasks/002af40a-3f01-4429-a3cc-bbd438b2dfae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33137/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f1bfac72d478f9059883b8
Tags:
virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug mingw packed unsafe
Link:
https://www.filescan.io/uploads/68f1bfa4df5cb32bf1f096a5/reports/694efc5f-69e3-4414-bbe7-bc3447fae22a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/2fe4e0a7ee928ab312637f4734a3b66038f12fb48415e5675c345431fac3c021
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-10-16T22:17:00Z UTC
Last seen:
2025-10-18T22:58:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Shellcode.sb Trojan-PSW.PureLogs.TCP.C&C Trojan.Win64.Agentb.sb Trojan.Win32.Shellcode.gkc PDM:Trojan.Win32.Generic HEUR:Trojan-PSW.MSIL.Convagent.gen HEUR:Trojan.MSIL.Agent.gen
Link:
https://opentip.kaspersky.com/2fe4e0a7ee928ab312637f4734a3b66038f12fb48415e5675c345431fac3c021/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c2080cae-94c0-4e35-8aec-8b68e5363fd9
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2fe4e0a7ee928ab312637f4734a3b66038f12fb48415e5675c345431fac3c021
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/21db01f68d130e526343b2680aeeec5c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2fe4e0a7ee928ab312637f4734a3b66038f12fb48415e5675c345431fac3c021/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/2fe4e0a7ee928ab312637f4734a3b66038f12fb48415e5675c345431fac3c021
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-10-17 04:02:37 UTC
File Type:
PE+ (Exe)
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f7sobj7oskflgetdp5dtji5wma4pcl5uqqk6kz24grkdd6wdyaqq._file
Verdict:
malicious
Label(s):
katzstealer
Create hunting rule
donut_injector
Create hunting rule
Similar samples:
1ee66c400eff12bfaf129aa702b60f747a9b777f73b9d2df8e50c7fbd4e86472
PureLogsStealer
288cbb7498f2c534d38c27b1f94cef2731ea2a5f3e3ef976c596a41c67ff2663
PureLogsStealer
2fe4e0a7ee928ab312637f4734a3b66038f12fb48415e5675c345431fac3c021
PureLogsStealer
36f2aa3f82dade82ea8f932752979db717ac6b69445cab36eec5bea58d20f124
PureLogsStealer
68ceae64d7bd6c09e24598da9a4ab1e52f08a896384e8d3bc725c3688298d1bb
PureLogsStealer
c308ddf6267bd9d5c1dc16fc7e0202a83f46205ef98594d1bdf8db75d862382f
PureLogsStealer
error
PureLogsStealer
+ 520 additional samples on MalwareBazaar
Result
Malware family:
donutloader
Create hunting rule
Score:
  10/10
Tags:
family:donutloader collection discovery loader spyware stealer
Link:
https://tria.ge/reports/251017-eljejsxky6/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Drops file in Windows directory
Accesses Microsoft Outlook profiles
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Detects DonutLoader
DonutLoader
Donutloader family
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/65c76089-ecca-4b76-82a0-7eef640a2899
Unpacked files
SH256 hash:
2fe4e0a7ee928ab312637f4734a3b66038f12fb48415e5675c345431fac3c021
MD5 hash:
21db01f68d130e526343b2680aeeec5c
SHA1 hash:
4be467334357fec872b672107b0c8d6b42b2f7c3
Link:
https://www.unpac.me/results/fc6d086b-b0eb-477f-8f61-385e376dc91b/
Malware family:
DonutLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2fe4e0a7ee92/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2fe4e0a7ee928ab312637f4734a3b66038f12fb48415e5675c345431fac3c021

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

Executable exe 2fe4e0a7ee928ab312637f4734a3b66038f12fb48415e5675c345431fac3c021

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/33137/
  
URLhaus
https://urlhaus.abuse.ch/url/3659905/

Comments