MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b06f81fe6e6e5f7dc716ed8200a7ad5ec8ca222b7c45723d8b4be45bf671ac48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b06f81fe6e6e5f7dc716ed8200a7ad5ec8ca222b7c45723d8b4be45bf671ac48
SHA3-384 hash: 2317691f0f47b08f6ff60e548ab1a09462d16fa1823ffd57b3519687d8e8e07988a464432eb3b8bf82bc99c02d17967f
SHA1 hash: a55523656b8a9faa6b1d1b2e2d5a7ed7a5b31fef
MD5 hash: 70a7ed55272ebfd41042585d02415436
humanhash: mango-vegan-louisiana-burger
File name:ie4eri45uie8rruerj484reurjhjdfgu8g43fdgh34gng.hta
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:83'596 bytes
First seen:2025-10-10 14:20:19 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 768:J6JuN0ktzgRCNCN1zmt3FId/ZwRZl2zNJVEX4t6yEuHim3idEMQRGO+YmA3OkBVD:WBAHyoBJ2H
Threatray 114 similar samples on MalwareBazaar
TLSH T159836C2EE43D04D870616AD58A39DD9EDF468B72094CA4BB78AC35B03FA3D690B1D734
Magika html
Reporter abuse_ch
Tags:hta PureLogsStealer


Avatar
abuse_ch
PureLogsStealer C2:
95.214.54.172:7610

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
95.214.54.172:7610 https://threatfox.abuse.ch/ioc/1611458/

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e91660777ae46bec41149c
Tags:
obfuscate xtreme virus
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/b06f81fe6e6e5f7dc716ed8200a7ad5ec8ca222b7c45723d8b4be45bf671ac48/results/dashboard
Payload URLs
URL
File name
http://ixti.net/development/javascript/2011/11/11/madreporites-enAkhenatondeAkhenaton-of-utf8-in-browser-with-js.html
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/b06f81fe6e6e5f7dc716ed8200a7ad5ec8ca222b7c45723d8b4be45bf671ac48
Result
Verdict:
MALICIOUS
Verdict:
Malicious
File Type:
hta
First seen:
2025-10-08T06:19:00Z UTC
Last seen:
2025-10-11T10:19:00Z UTC
Hits:
~10
Detections:
Trojan-Downloader.JS.SLoad.sb Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic Trojan-PSW.PureLogs.TCP.C&C Trojan-Downloader.Agent.HTTP.C&C Trojan.Agentb.TCP.C&C PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/b06f81fe6e6e5f7dc716ed8200a7ad5ec8ca222b7c45723d8b4be45bf671ac48/results?tab=lookup
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1792951
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1792951 Sample: ie4eri45uie8rruerj484reurjh... Startdate: 10/10/2025 Architecture: WINDOWS Score: 100 61 Suricata IDS alerts for network traffic 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 6 other signatures 2->67 9 mshta.exe 1 2->9         started        12 svchost.exe 1 1 2->12         started        process3 dnsIp4 79 Suspicious powershell command line found 9->79 15 powershell.exe 15 15 9->15         started        51 127.0.0.1 unknown unknown 12->51 signatures5 process6 dnsIp7 53 104.243.37.232, 49684, 80 RELIABLESITEUS United States 15->53 55 198.23.177.201, 49683, 80 AS-COLOCROSSINGUS United States 15->55 57 Writes to foreign memory regions 15->57 59 Injects a PE file into a foreign processes 15->59 19 aspnet_compiler.exe 4 15->19         started        23 aspnet_compiler.exe 15->23         started        25 conhost.exe 15->25         started        signatures8 process9 dnsIp10 39 95.214.54.172, 49685, 49717, 49718 PL-SKYTECH-ASPL Poland 19->39 69 Tries to steal Mail credentials (via file / registry access) 19->69 71 Tries to harvest and steal browser information (history, passwords, etc) 19->71 73 Writes to foreign memory regions 19->73 77 4 other signatures 19->77 27 chrome.exe 1 19->27         started        30 chrome.exe 19->30 injected 32 chrome.exe 19->32 injected 34 5 other processes 19->34 75 Switches to a custom stack to bypass stack traces 23->75 signatures11 process12 dnsIp13 47 192.168.2.9, 138, 443, 49607 unknown unknown 27->47 49 192.168.2.6 unknown unknown 27->49 36 chrome.exe 27->36         started        process14 dnsIp15 41 www.google.com 142.250.217.164, 443, 49692, 49695 GOOGLEUS United States 36->41 43 googlehosted.l.googleusercontent.com 142.250.64.161, 443, 49704, 49705 GOOGLEUS United States 36->43 45 clients2.googleusercontent.com 36->45
Score:
63%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/b06f81fe6e6e5f7dc716ed8200a7ad5ec8ca222b7c45723d8b4be45bf671ac48
Verdict:
inconclusive
YARA:
2 match(es)
Tags:
Html
Link:
https://app.malva.re/file/70a7ed55272ebfd41042585d02415436
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b06f81fe6e6e5f7dc716ed8200a7ad5ec8ca222b7c45723d8b4be45bf671ac48/
Verdict:
Malicious
Threat:
Trojan-Downloader.PureLogs.TCP
Link:
https://tip.neiki.dev/file/b06f81fe6e6e5f7dc716ed8200a7ad5ec8ca222b7c45723d8b4be45bf671ac48
Threat name:
Script-JS.Trojan.Boxter
Create hunting rule
Status:
Malicious
First seen:
2025-10-08 11:57:06 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
11 of 36 (30.56%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wbxyd7tonzpx3ryw5wbabj5nl3emuirlprcxepmljpsfx5trvrea._file
Verdict:
malicious
Label(s):
katzstealer
Create hunting rule
Similar samples:
2fac802da7057d67fa47ea71fd6f028a1f6a60c0120d087dd6603d82c8fc4779
PureLogsStealer
32854f6bd0f40b5de1e8ed8e456508d1db5a9b44293f3f20420f1e1919e794ec
PureLogsStealer
37b3468478740d625e9c1b9e5342530e5df1d99dd78cc269df96ff2fd59ac1b1
PureLogsStealer
6631e7fad1ecda70e50c7d29fcbd222c742ff67e658050146307b4e48a64b186
PureLogsStealer
b06f81fe6e6e5f7dc716ed8200a7ad5ec8ca222b7c45723d8b4be45bf671ac48
PureLogsStealer
e90c2dbd570b31b0052c55bd5cf38caeaf2fc06afa9bd8660f40c9733008c758
PureLogsStealer
error
PureLogsStealer
f62368673a9ad3758d7862e26c000ad41819316d08d9f750d06e73d67a880af5
PureLogsStealer
fdb4a43a6752e132e78ab65e681c6a7b188dc0fcfd7e29bafeb5acecaff3d739
PureLogsStealer
+ 104 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection discovery execution
Link:
https://tria.ge/reports/251010-rn53js1vev/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Malware Config
Dropper Extraction:
http://198.23.177.201/img/optimized_MSI.png
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b06f81fe6e6e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b06f81fe6e6e5f7dc716ed8200a7ad5ec8ca222b7c45723d8b4be45bf671ac48

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:TH_Generic_MassHunt_Webshells_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic multi-language webshell mass-hunt rule (PHP/ASP(X)/JSP/Python/Perl/Node) - 2025
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureLogsStealer

HTML Application (hta) hta b06f81fe6e6e5f7dc716ed8200a7ad5ec8ca222b7c45723d8b4be45bf671ac48

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3667247/
  
Delivery method
Distributed via web download

Comments