MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53d86c40bff1ab25685e7fecff77b573ce72cb839f83139edcd27ff60740d4af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 53d86c40bff1ab25685e7fecff77b573ce72cb839f83139edcd27ff60740d4af
SHA3-384 hash: bea9f72a8823198921e9778e9119c2f277765f613a7e73616151ad6846ea92f27d3696f90467d4023e7c1ac1098a94de
SHA1 hash: 7938eb577f7de3caab6f75f16d04d589f54b61a2
MD5 hash: 291f24bde5d3d465e1fda35171286cf1
humanhash: island-venus-ink-robin
File name:file
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:647'168 bytes
First seen:2025-10-10 04:02:23 UTC
Last seen:2025-10-13 04:09:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5058918662606f004bf682741a575666 (2 x PureLogsStealer)
ssdeep 12288:3iN4iVL8UZg7TlhXAOQ6heC4+kOAsQVV/o1ojm5b2W+ZK1LE9:yuiVBg7TlhwOQ6vvGVw1lbF51
Threatray 781 similar samples on MalwareBazaar
TLSH T1FBD423278D93D06CD1D346737642FDEEF971EC3164A73A34577A82A831E2436AE6408B
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe PureLogsStealer


Avatar
Bitsight
url: http://178.16.55.189/files/8434554557/ckHhVTd.exe

Intelligence

File Origin
# of uploads :
20
# of downloads :
176
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-10-09 18:13:23 UTC
Tags:
amadey botnet stealer loader themida rdp arcstealer netsupport rmm-tool arch-exec tool auto gcleaner generic darkvision remote rat phishing socks5systemz proxybot inno installer delphi rustystealer
Link:
https://app.any.run/tasks/d880756a-8a0d-452c-8cd8-4bee0d05886f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/31969/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e7ed238b7b147cc4b6448b
Tags:
virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/68e8855f4f3013c55e491e37/reports/b62050c1-c25e-4bca-94af-233497baddd9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/53d86c40bff1ab25685e7fecff77b573ce72cb839f83139edcd27ff60740d4af
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-10-09T13:34:00Z UTC
Last seen:
2025-10-11T18:27:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.Shellcode.gfm PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Disco.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Stealer.sb Trojan-PSW.MSIL.Agent.sb Backdoor.MSIL.Agent.sb Trojan-PSW.PureLogs.TCP.C&C HEUR:Trojan.MSIL.Agent.gen Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.PureLogs.sb Trojan.Win32.Shellcode.sb Trojan.Win64.Agentb.sb BSS:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/53d86c40bff1ab25685e7fecff77b573ce72cb839f83139edcd27ff60740d4af/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9618e148-9b74-4c10-9bcd-f6424d0889b1
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/53d86c40bff1ab25685e7fecff77b573ce72cb839f83139edcd27ff60740d4af
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/291f24bde5d3d465e1fda35171286cf1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/53d86c40bff1ab25685e7fecff77b573ce72cb839f83139edcd27ff60740d4af/
Verdict:
Malicious
Threat:
Trojan-PSW.Win32.Shellcode
Link:
https://tip.neiki.dev/file/53d86c40bff1ab25685e7fecff77b573ce72cb839f83139edcd27ff60740d4af
Threat name:
Win64.Trojan.PureLogStealer
Create hunting rule
Status:
Malicious
First seen:
2025-10-09 17:13:09 UTC
File Type:
PE+ (Exe)
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kpmgyqf76gvsk2c6p7wp655vophhfs4dt6brhhw42j77mb2a2sxq._file
Verdict:
malicious
Label(s):
katzstealer
Create hunting rule
donut_injector
Create hunting rule
Similar samples:
20f40bfb1e843441d4ffc7e6708d4057f5494e6587f41ba31a041462c49ebed1
PureLogsStealer
37883f9acd439e989fa665b51fe2b1b46e41a9551c6460c0bbf9c7adcd785023
PureLogsStealer
7d300eb1d4889aa70e74b2be67a76d6494c3840ffc2fda597b3dac711f57a999
PureLogsStealer
b9f61373e4555764594de3df3cdce59ebb08258d3c11f721de68b72731441d0e
PureLogsStealer
ce228d856a2a217ff4a0b5d2061c8414af08c222d3ce58b5a237ff27b54ef1f8
PureLogsStealer
+ 771 additional samples on MalwareBazaar
Result
Malware family:
donutloader
Create hunting rule
Score:
  10/10
Tags:
family:donutloader collection discovery loader spyware stealer
Link:
https://tria.ge/reports/251010-el59batthy/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Drops file in Windows directory
Accesses Microsoft Outlook profiles
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Detects DonutLoader
DonutLoader
Donutloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/43b9c4d6-5cbe-4816-9274-aa28958689e5
Unpacked files
SH256 hash:
53d86c40bff1ab25685e7fecff77b573ce72cb839f83139edcd27ff60740d4af
MD5 hash:
291f24bde5d3d465e1fda35171286cf1
SHA1 hash:
7938eb577f7de3caab6f75f16d04d589f54b61a2
Link:
https://www.unpac.me/results/3f676831-d3a0-4f51-aab1-a679a3200ca8/
Malware family:
DonutLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/53d86c40bff1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.49
Link:
https://yomi.yoroi.company/submissions/53d86c40bff1ab25685e7fecff77b573ce72cb839f83139edcd27ff60740d4af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

Executable exe 53d86c40bff1ab25685e7fecff77b573ce72cb839f83139edcd27ff60740d4af

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3659905/
Cape
Cape
https://www.capesandbox.com/analysis/31969/

Comments