MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3bdb6d2cc2125ca6b5c61dbbee32b5b625d96378064df19c506ec04487834a96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PureLogsStealer


Vendor detections: 13



SHA256 hash: 3bdb6d2cc2125ca6b5c61dbbee32b5b625d96378064df19c506ec04487834a96
SHA3-384 hash: 4c1df0bfeec6d0021608bbdf0e963ec94df98adad4b860ed76e7a2f2058fa89198d2cf36075af301d469b19ca0c2c559
SHA1 hash: c88859ff597fc67dde5b35bfd24ac7fc75d1afe4
MD5 hash: 7714b76087e4e15dc88060d277e32132
humanhash: minnesota-artist-september-illinois
File name: TASCJBAO.msi
Signature: PureLogsStealer
File size: 4'218'880 bytes
First seen: 2026-02-06 13:43:37 UTC
Last seen: 2026-02-06 14:41:29 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 98304:BuTMX6w9mHJbA8+v6l+C58YEHs12VRV/EIULRampKGR1:SMKw9mpPljeYEM1GRVXULa01
Threatray: 152 similar samples on MalwareBazaar
TLSH: T11B1633223DE867DBD4C7557B1303B324E4693C21E769829B1648FAC42F3E5697B038DA
TrID: 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
      11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: abuse_ch
Tags: msi PureLogsStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 70
Origin country: SE
Vendor Threat Intelligence
Malware configuration found for: HijackLoader MSI
Details:
  HijackLoader: embedded components, an injection process, and filepaths
  HijackLoader: an XOR key and XOR-decrypted/LZNT1 decompressed component
  MSI: an embedded setup program or component
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug expired-cert fingerprint installer installer keylogger packed wix
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict: Malicious
File Type: msi
First seen: 2026-02-06T03:29:00Z UTC
Last seen: 2026-02-06T03:54:00Z UTC
Hits: ~10
Detections: HEUR:Trojan.OLE2.Alien.gen Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb
Result
Threat name: HijackLoader, PureLog Stealer, ResolverR
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signatures
Connects to many ports of the same IP (likely port scanning)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Unusual module load detection (module proxying)
Yara detected HijackLoader
Yara detected PureLog Stealer
Yara detected ResolverRAT
Behaviour
Behavior Graph (ID 1864728): sample TASCJBAO.msi, start date 06/02/2026, architecture WINDOWS, score 100
Top-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected HijackLoader; 4 other signatures
Process tree:
  msiexec.exe (started)
    dropped: C:\Users\user\AppData\Local\...\WsBurn.dll (PE32); C:\Users\user\AppData\Local\...\WS_Log.dll (PE32); C:\Users\user\AppData\...\WS_ImageProc.dll (PE32); 10 other malicious files
    Hub_Bandwidth64.exe (started)
      dropped: C:\ProgramData\executor\WsBurn.dll (PE32); C:\ProgramData\executor\WS_Log.dll (PE32); C:\ProgramData\executor\WS_ImageProc.dll (PE32); 10 other files (5 malicious)
      signatures: Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
      Hub_Bandwidth64.exe (started)
        dropped: C:\Users\user\AppData\Roaming\...\Crisp.exe (PE32); C:\Users\user\AppData\Local\...\F7413F9.tmp (PE32); C:\Users\user\AppData\Local\PFramework.exe (PE32)
        signatures: Found hidden mapped module (file has been removed from disk); Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
        PFramework.exe (started)
          network: 45.133.74.65, ports 49692, 49693, 49694 (EVERYONE-BANDWIDTH-INCDE, Germany)
          signatures: Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Found many strings related to Crypto-Wallets (likely being stolen); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 2 other signatures
        Crisp.exe (started)
          signatures: Unusual module load detection (module proxying); Switches to a custom stack to bypass stack traces
  msiexec.exe (started)
Threat name: Win32.Trojan.Hijackloader
Status: Malicious
First seen: 2026-02-06 06:22:51 UTC
File Type: Binary (Archive)
Extracted files: 77
AV detection: 9 of 24 (37.50%)
Threat level: 5/5
Result
Malware family: hijackloader
Score: 10/10
Tags: family:hijackloader discovery loader persistence privilege_escalation ransomware
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Detects HijackLoader (aka IDAT Loader)
HijackLoader, IDAT loader, Ghostulse
Hijackloader family
Malware family: HijackLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping malware through a base64 encoded PowerShell script.
