MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83cfeae334d89727ff29c9eb8ada1716523adafa7b673d3c365a1082ff8d2d47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 83cfeae334d89727ff29c9eb8ada1716523adafa7b673d3c365a1082ff8d2d47
SHA3-384 hash: 13f9d601f9bcac899bc6d3a0c05a929254c2ecf00bd86505604cbb5fc6d5355d55cde5794d0fc34b905dcaad2e443676
SHA1 hash: 91f9d7fd96a1dbb2f835165632e9abcf71773dfe
MD5 hash: 0673360af5cd67924c3f10c6f993f9b8
humanhash: bluebird-orange-golf-undress
File name:0673360af5cd67924c3f10c6f993f9b8.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:586'752 bytes
First seen:2025-11-08 07:49:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:a0PW/vy1Kn/+GYF2buEDfyzmYs9RkxVSeRU4xq:bPgK16JYF2bbfyavkZ
Threatray 582 similar samples on MalwareBazaar
TLSH T150C42322D99BD634D6744A33F8F3910182F9E7939C43C5B368AE26091F61751EA22F9C
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe PureLogsStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0673360af5cd67924c3f10c6f993f9b8.exe
Verdict:
Malicious activity
Analysis date:
2025-11-08 07:53:09 UTC
Tags:
stealer zgrat purehvnc netreactor
Link:
https://app.any.run/tasks/10b6f499-bf67-4683-8db1-f0595641f2f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/36495/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690ef63b30bacec888c9b67d
Tags:
obfuscate asyncrat xtreme virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Сreating synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 crypt net_reactor obfuscated packed packed unsafe
Link:
https://www.filescan.io/uploads/690ef6388938e2fe2215d034/reports/04af9bd7-b027-4bde-860f-12d8b507f7fd/overview
Verdict:
Malicious
Labled as:
MSIL.Androm.Generic
Link:
https://www.hybrid-analysis.com/sample/83cfeae334d89727ff29c9eb8ada1716523adafa7b673d3c365a1082ff8d2d47
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-04T02:26:00Z UTC
Last seen:
2025-11-04T05:01:00Z UTC
Hits:
~10
Detections:
Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Coins.sb PDM:Trojan.Win32.Generic HEUR:Trojan-PSW.MSIL.Convagent.gen
Link:
https://opentip.kaspersky.com/83cfeae334d89727ff29c9eb8ada1716523adafa7b673d3c365a1082ff8d2d47/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fe566a01-dc40-4e40-bbd1-fbba7c1ec666
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1810374
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/83cfeae334d89727ff29c9eb8ada1716523adafa7b673d3c365a1082ff8d2d47
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/83cfeae334d89727ff29c9eb8ada1716523adafa7b673d3c365a1082ff8d2d47/
Verdict:
Malicious
Threat:
Family.ZGRAT
Link:
https://tip.neiki.dev/file/83cfeae334d89727ff29c9eb8ada1716523adafa7b673d3c365a1082ff8d2d47
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2025-11-04 05:09:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qph6vyzu3clsp7zjzhvyvwqxczjdvwx2pntt2pbwliiif74nfvdq._file
Verdict:
malicious
Label(s):
katzstealer
Create hunting rule
Similar samples:
182272eef867fc6f3bcb4dfd68e7e9d27098a68f8f05dd45c12bb000537ea2bd
PureLogsStealer
1ae8f5d331a1c6138b60c0e9b7f3ddecda3868e6c408b97a061ed50916245b93
PureLogsStealer
83cfeae334d89727ff29c9eb8ada1716523adafa7b673d3c365a1082ff8d2d47
PureLogsStealer
9492cef42975b42262a1df4b080447f1765be773b7a121f7eacdb43b8756d7b0
PureLogsStealer
a1638a6e9d55a06c4fe43c738950b84a01f43f7883f1bd06bb2cbb60f02c87d2
PureLogsStealer
d5aa5302121da2e131ae0cd7826a63043d98862776adff650c28bc86e504db22
PureLogsStealer
dcdd29b2d64f816751cec2150be92711e46f67bc657dd930630616f658605cbb
PureLogsStealer
error
PureLogsStealer
+ 572 additional samples on MalwareBazaar
Result
Malware family:
hawkeye
Create hunting rule
Score:
  10/10
Tags:
family:hawkeye discovery execution keylogger spyware stealer trojan
Link:
https://tria.ge/reports/251108-jpdexsvjhv/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Reads user/profile data of web browsers
HawkEye
Hawkeye family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9b44f36b-dd3d-4fed-be74-afc12f153ad9
Unpacked files
SH256 hash:
d441f9065b772d51fac2dd4d46f0588f1dc6275f9addfbaa242a57bc7e4f16e1
MD5 hash:
3979c0e7ebf7e18ab13a7029ddf17ca1
SHA1 hash:
a9f5c56c5d271e2e8496a96ac31f42f2a74215b3
Detections:
SUSP_OBF_NET_Eazfuscator_String_Encryption_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/3c74d198-828f-4e02-bb8d-3143a7be76ee/
SH256 hash:
3f4481109a31a83cdffbf83ee762d3836597d0da834e7950cf003aae43d9c725
MD5 hash:
280d10258b46a41b5b8e2864d639519f
SHA1 hash:
da84363195675b1999779eabf878a09af4f26c47
Link:
https://www.unpac.me/results/3c74d198-828f-4e02-bb8d-3143a7be76ee/
SH256 hash:
83cfeae334d89727ff29c9eb8ada1716523adafa7b673d3c365a1082ff8d2d47
MD5 hash:
0673360af5cd67924c3f10c6f993f9b8
SHA1 hash:
91f9d7fd96a1dbb2f835165632e9abcf71773dfe
Link:
https://www.unpac.me/results/3c74d198-828f-4e02-bb8d-3143a7be76ee/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/83cfeae334d8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/83cfeae334d89727ff29c9eb8ada1716523adafa7b673d3c365a1082ff8d2d47

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/36495/

Comments