MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e816a746cd915a18613ab27dd955a1e608bae28286ee188a81f89e5a93ba608. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e816a746cd915a18613ab27dd955a1e608bae28286ee188a81f89e5a93ba608
SHA3-384 hash: 7281520ee7405f7ae7db53ce7d74acb953ffd29151c9ab3a8b63136fd1b2e9272e2441f010d08bb9c9dc61130dfc3105
SHA1 hash: 4fbf7662e2e95349504a7102984aba0bdf3c52bf
MD5 hash: 3b0cdefbd1724ac08722d25ac6937eed
humanhash: bacon-beryllium-fanta-uniform
File name:Jzkerzhded.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:8'192 bytes
First seen:2025-09-09 06:00:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 192:6ee6QU4WrU3CJ4BUcCbfeQlByKilAAB4FIftkg:6jPUJw3BULmQjyKyKyk
TLSH T1B3F1F645678C8B2AE5670732ACB7D28042B8F684ADD6DF0F3DD4900BAC6174057A3BBD
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:exe PureLogsStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Jzkerzhded.exe
Verdict:
Malicious activity
Analysis date:
2025-09-09 06:06:44 UTC
Tags:
auto-reg purecrypter netreactor stealer evasion phantom crypto-regex arch-doc
Link:
https://app.any.run/tasks/c35d3e86-e99f-47bc-85fc-18683cb36e51

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26413/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.19401.11625.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68bfc293b20052598879131a
Tags:
keylog micro word
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 purelogs tiny unsafe
Link:
https://www.filescan.io/uploads/68bfc294cfa59bfdc7f4e2d8/reports/c528457e-33f2-4732-9328-8efd9cdd1bd8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/8e816a746cd915a18613ab27dd955a1e608bae28286ee188a81f89e5a93ba608
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-08T11:37:00Z UTC
Last seen:
2025-09-08T11:37:00Z UTC
Hits:
~10000
Link:
https://opentip.kaspersky.com/8e816a746cd915a18613ab27dd955a1e608bae28286ee188a81f89e5a93ba608/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1775931d-8923-484c-8d9c-b2df9f4fb624
Result
Threat name:
AveMaria, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1773723
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to register a low level keyboard hook
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Monitors registry run keys for changes
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1773723 Sample: Jzkerzhded.exe Startdate: 09/09/2025 Architecture: WINDOWS Score: 100 67 telemetry-incoming.r53-2.services.mozilla.com 2->67 69 services.addons.mozilla.org 2->69 71 19 other IPs or domains 2->71 97 Antivirus / Scanner detection for submitted sample 2->97 99 Multi AV Scanner detection for submitted file 2->99 101 Yara detected PureLog Stealer 2->101 103 8 other signatures 2->103 9 Jzkerzhded.exe 15 2 2->9         started        13 msedge.exe 2->13         started        15 firefox.exe 1 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 87 drive.google.com 142.250.189.206, 443, 49685 GOOGLEUS United States 9->87 89 drive.usercontent.google.com 142.251.46.193, 443, 49687 GOOGLEUS United States 9->89 115 Found many strings related to Crypto-Wallets (likely being stolen) 9->115 117 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->117 19 InstallUtil.exe 20 136 9->19         started        91 192.168.2.13 unknown unknown 13->91 93 192.168.2.14 unknown unknown 13->93 95 5 other IPs or domains 13->95 119 Maps a DLL or memory area into another process 13->119 24 msedge.exe 13->24         started        26 setup.exe 13->26         started        28 msedge.exe 13->28         started        36 5 other processes 13->36 30 firefox.exe 3 163 15->30         started        32 conhost.exe 17->32         started        34 conhost.exe 17->34         started        signatures6 process7 dnsIp8 73 mail.taikei-rmc-co.biz 103.253.42.215, 49733, 587 TELE-ASTeleAsiaLimitedHK Hong Kong 19->73 75 ftp.xma0.com 51.75.150.177, 21, 49751, 49754 OVHFR France 19->75 77 icanhazip.com 104.16.184.241, 49731, 49749, 80 CLOUDFLARENETUS United States 19->77 55 C:\Users\user\AppData\...\WUTJSCBCFX.docx, ASCII 19->55 dropped 57 C:\Users\user\AppData\...\JSDNGYCOWY.docx, ASCII 19->57 dropped 59 C:\Users\user\AppData\...\CURQNKVOIX.png, ASCII 19->59 dropped 61 C:\Users\user\AppData\...\InstallUtil.exe, PE32 19->61 dropped 105 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->105 107 Tries to steal Mail credentials (via file / registry access) 19->107 109 Found many strings related to Crypto-Wallets (likely being stolen) 19->109 111 6 other signatures 19->111 38 msedge.exe 19->38         started        41 firefox.exe 1 19->41         started        43 chrome.exe 19->43         started        51 2 other processes 19->51 79 s-part-0041.t-0009.t-msedge.net 13.107.246.69, 443, 49709, 49728 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->79 81 ln-0007.ln-msedge.net 150.171.22.17, 443, 49696 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->81 83 32 other IPs or domains 24->83 45 setup.exe 26->45         started        85 8 other IPs or domains 30->85 63 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 30->63 dropped 65 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 30->65 dropped 47 firefox.exe 30->47         started        49 firefox.exe 30->49         started        file9 signatures10 process11 signatures12 113 Monitors registry run keys for changes 38->113 53 msedge.exe 38->53         started        process13
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8e816a746cd915a18613ab27dd955a1e608bae28286ee188a81f89e5a93ba608
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8e816a746cd915a18613ab27dd955a1e608bae28286ee188a81f89e5a93ba608/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-09-08 19:24:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
24 of 37 (64.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r2awu5dm3ek2dbqtvmt53fk2dzqixlrifbxodcfid6e6lkj3uyea._file
Verdict:
suspicious
Label(s):
purecrypter
Create hunting rule
Similar samples:
error
PureLogsStealer
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection discovery persistence
Link:
https://tria.ge/reports/250909-gqmnwatzgt/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c89301e9-d861-4a68-b9fa-a211fa42ad19
Unpacked files
SH256 hash:
8e816a746cd915a18613ab27dd955a1e608bae28286ee188a81f89e5a93ba608
MD5 hash:
3b0cdefbd1724ac08722d25ac6937eed
SHA1 hash:
4fbf7662e2e95349504a7102984aba0bdf3c52bf
Link:
https://www.unpac.me/results/c41558cc-9fea-4ef1-ba95-26ffbe8aed24/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8e816a746cd9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.77
Link:
https://yomi.yoroi.company/submissions/8e816a746cd915a18613ab27dd955a1e608bae28286ee188a81f89e5a93ba608

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PureLogsStealer

Executable exe 8e816a746cd915a18613ab27dd955a1e608bae28286ee188a81f89e5a93ba608

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/26413/

Comments