MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9914a65cbb8460e2b6d4fbe679149a21cc1ee73a9556362767c23f829caf64f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureLogsStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	9914a65cbb8460e2b6d4fbe679149a21cc1ee73a9556362767c23f829caf64f3
SHA3-384 hash:	c3c2fa5fbe7fa9899c7d422efad46af7ab82380d33abcdf2b2023be1d3f8d4abe320344b81d141fa799c2a6eef0b4772
SHA1 hash:	9a4aded3eb39f5bba7df8da3613d4e1af9bb7eb4
MD5 hash:	8bf61dc7a30a52999b29a0363eeb7134
humanhash:	skylark-oven-texas-romeo
File name:	8bf61dc7a30a52999b29a0363eeb7134.exe
Download:	download sample
Signature	PureLogsStealer Create hunting rule
File size:	748'032 bytes
First seen:	2026-02-04 09:12:45 UTC
Last seen:	2026-02-04 10:26:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'754 x AgentTesla, 19'664 x Formbook, 12'252 x SnakeKeylogger)
ssdeep	12288:cmKlr6Vc+x5bKIkou3E3DzRJjuQqtRuZdd9yaDO4DgrPOwDLcY:NKldaK5ORJqQcYZxyaq4D62q
TLSH	T17EF42351F38CAA04D2F74A3E6BD2C452DBA6D7D40B615634BB2872021F53EAFC265C92
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	abuse_ch
Tags:	exe PureLogsStealer

Intelligence

File Origin

# of uploads :

# of downloads :

137

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

8bf61dc7a30a52999b29a0363eeb7134.exe

Verdict:

Malicious activity

Analysis date:

2026-02-04 09:15:06 UTC

Tags:

rat stealer zgrat purehvnc netreactor

Link:

https://app.any.run/tasks/951f7856-2206-4347-afc3-a91c51aa16ff

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/51634/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.3453.9209.11613.UNOFFICIAL

Verdict:

Malicious

Score:

95.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69830db26b1af47db72cad9a

Tags:

virus msil

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 net_reactor obfuscated obfuscated packed packed

Link:

https://www.filescan.io/uploads/69830dae930564ff3c8916b6/reports/50b08f79-5acf-4a5a-836b-01f26c4f4139/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/9914a65cbb8460e2b6d4fbe679149a21cc1ee73a9556362767c23f829caf64f3

Result

Gathering data

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-14T09:15:00Z UTC

Last seen:

2026-01-14T10:29:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan.MSIL.Cryptos.gen Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Coins.sb HEUR:Trojan.Win32.Generic

Link:

https://opentip.kaspersky.com/9914a65cbb8460e2b6d4fbe679149a21cc1ee73a9556362767c23f829caf64f3/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d2126e5a-22bf-4074-b737-675ce28ca2d3

Result

Threat name:

PureCrypter, PureLog Stealer

Detection:

malicious

Classification:

spyw.evad.troj

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1863117

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Detected PureCrypter Trojan

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Suricata IDS alerts for network traffic

Tries to harvest and steal Bitcoin Wallet information

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9914a65cbb8460e2b6d4fbe679149a21cc1ee73a9556362767c23f829caf64f3

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.98 Win 32 Exe x86

Link:

https://app.malva.re/file/8bf61dc7a30a52999b29a0363eeb7134

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9914a65cbb8460e2b6d4fbe679149a21cc1ee73a9556362767c23f829caf64f3/

Verdict:

Malicious

Threat:

Family.ZGRAT

Link:

https://tip.neiki.dev/file/9914a65cbb8460e2b6d4fbe679149a21cc1ee73a9556362767c23f829caf64f3

Threat name:

Win32.Trojan.Jalapeno

Status:

Malicious

First seen:

2026-01-14 13:16:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 36 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tekkmxf3qrqofnwu7pthsfe2ehgb5zz2svldmj3hyi7yfhfpmtzq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/260204-k6w42abx9g/

Behaviour

Suspicious use of AdjustPrivilegeToken

System Location Discovery: System Language Discovery

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

9914a65cbb8460e2b6d4fbe679149a21cc1ee73a9556362767c23f829caf64f3

MD5 hash:

8bf61dc7a30a52999b29a0363eeb7134

SHA1 hash:

9a4aded3eb39f5bba7df8da3613d4e1af9bb7eb4

Link:

https://www.unpac.me/results/b75ab259-a808-4347-b88f-1a3b089d66b2/

SH256 hash:

a70dc0948561ad397fff5ece5065dd6fd68dc2b83a2b6ceba2dedf660701e5c8

MD5 hash:

3cc9398089ec704c60dbc53e0956ff79

SHA1 hash:

191d2de58168b346cd8f272b4e5dc5e33baafd05

Detections:

SUSP_OBF_NET_Eazfuscator_String_Encryption_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/b75ab259-a808-4347-b88f-1a3b089d66b2/

SH256 hash:

275f957b00eeef49dabf7b680e531aac708240dd061460ccb279a63eb7473a7a

MD5 hash:

acfb5ea3e63569ab546a0c3bf72ba2d4

SHA1 hash:

928b6a63007652bee454d79c0c25bfdee960703f

Link:

https://www.unpac.me/results/b75ab259-a808-4347-b88f-1a3b089d66b2/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9914a65cbb84/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9914a65cbb8460e2b6d4fbe679149a21cc1ee73a9556362767c23f829caf64f3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/51634/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample