MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0c33fc2b4998a89bd4ff5ffda166d0d02e455ada63b85c1e0216e3e3bff97aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureLogsStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash:	c0c33fc2b4998a89bd4ff5ffda166d0d02e455ada63b85c1e0216e3e3bff97aa
SHA3-384 hash:	e6e0c7cc7baaccb39a1fcd6ddfa574162020a4f796b307c5581fac595111a4eb0259ded97641d2cbafb6bf263bc44b6a
SHA1 hash:	846d3dda3d933929d7814a39a218a51fc8e5ae2f
MD5 hash:	5a025a3a398e6bf6aeead2fb14eee791
humanhash:	spaghetti-glucose-sink-item
File name:	download.bin
Download:	download sample
Signature	PureLogsStealer Create hunting rule
File size:	747'520 bytes
First seen:	2025-11-26 12:21:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'669 x AgentTesla, 19'482 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:QNxA6GtSxRl0/oqcGzmn8Iol2ILUxg6FfA/1emY//zN41n4rYGENu2M1lGu:QfA6GtSxH0/T/vIol2ILHOCem+N4CfEO
Threatray	320 similar samples on MalwareBazaar
TLSH	T19BF4235564E24475E1E00F37BF7BEE6062ACCC03FFA66F19798907E51809335E90AB29
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	johnk3r
Tags:	exe PureLogsStealer students-wellfare-wuaze-com

Intelligence

File Origin

# of uploads :

# of downloads :

125

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

_c0c33fc2b4998a89bd4ff5ffda166d0d02e455ada63b85c1e0216e3e3bff97aa.exe

Verdict:

Malicious activity

Analysis date:

2025-11-26 12:22:18 UTC

Tags:

zgrat purehvnc netreactor

Link:

https://app.any.run/tasks/6130d8a1-2c54-4631-9d4b-ebc423f8cec3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/41551/

Verdict:

Malicious

Score:

95.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6926f0c26657e34332812715

Tags:

androm virus msil

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Connecting to a non-recommended domain

Connection attempt

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 masquerade net_reactor obfuscated obfuscated packed packed

Link:

https://www.filescan.io/uploads/6926f0c0af4aba3912d5cfdb/reports/cc18c627-b9bd-4bc2-bfac-f4b0abb3d40a/overview

Verdict:

Malicious

Labled as:

MSIL.Androm.Generic

Link:

https://www.hybrid-analysis.com/sample/c0c33fc2b4998a89bd4ff5ffda166d0d02e455ada63b85c1e0216e3e3bff97aa

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-26T03:33:00Z UTC

Last seen:

2025-11-26T08:14:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan.Win32.Generic HEUR:Trojan.MSIL.Cryptos.gen

Link:

https://opentip.kaspersky.com/c0c33fc2b4998a89bd4ff5ffda166d0d02e455ada63b85c1e0216e3e3bff97aa/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ea647014-1e0d-41da-8d75-cdd88e219c8e

Result

Threat name:

PureLog Stealer

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1821108

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c0c33fc2b4998a89bd4ff5ffda166d0d02e455ada63b85c1e0216e3e3bff97aa

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.99 Win 32 Exe x86

Link:

https://app.malva.re/file/5a025a3a398e6bf6aeead2fb14eee791

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c0c33fc2b4998a89bd4ff5ffda166d0d02e455ada63b85c1e0216e3e3bff97aa/

Verdict:

Malicious

Threat:

Family.ZGRAT

Link:

https://tip.neiki.dev/file/c0c33fc2b4998a89bd4ff5ffda166d0d02e455ada63b85c1e0216e3e3bff97aa

Threat name:

Win32.Trojan.Jalapeno

Status:

Malicious

First seen:

2025-11-25 23:49:54 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ydbt7qvutgfitpkp6x75uftnbuboivnnuy5ylqpaefxd4o77s6va._file

Verdict:

malicious

Label(s):

unc_loader_078

PureLogsStealer

54395c2ae81e3504904906ac117fd94101e6850e840397972b4f6623cff510e6

PureLogsStealer

55b3ec4ebfe1a2765ecbb18c84b9e70779774d56ab42778b09e83f02e3df7934

PureLogsStealer

8403705f9ec24cbede1aaa9982a0649aea928c66a5d41d7f47ba04701cea8f18

PureLogsStealer

99978bb92355f3b3436b8e28f416d787bafd523deae3f03c97e0d9ed292e0305

PureLogsStealer

b6e0fb10c486aae7779fe8e7a93b314dcbcdd6f0afaa30820699941604d28b1d

PureLogsStealer

c0c33fc2b4998a89bd4ff5ffda166d0d02e455ada63b85c1e0216e3e3bff97aa

PureLogsStealer

eb791e76b50623254498d8d618de706f1f4ae0e26aa72726fd3704441a13f998

PureLogsStealer

error

PureLogsStealer

f43c4b3b64ec48a6a22a17045a174a737ae194ceb8b3f3bbdb23d53e5a2382af

PureLogsStealer

+ 310 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/251126-pjghaaap3z/

Behaviour

Suspicious use of AdjustPrivilegeToken

System Location Discovery: System Language Discovery

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/4f9250b0-384d-4e9e-8c0a-aabd81f0c63d

Unpacked files

SH256 hash:

c0c33fc2b4998a89bd4ff5ffda166d0d02e455ada63b85c1e0216e3e3bff97aa

MD5 hash:

5a025a3a398e6bf6aeead2fb14eee791

SHA1 hash:

846d3dda3d933929d7814a39a218a51fc8e5ae2f

Link:

https://www.unpac.me/results/2611cf49-785a-4d92-850a-c42630fe0b5b/

SH256 hash:

6420e464a85c0d765397bc706df9dfb6b3f756ee41d121909990dd7ce654e7b0

MD5 hash:

dd2e63438a1ec693775ea8d569bd895e

SHA1 hash:

59660f9678193b8742e1e8d65a55430eba38fbdb

Detections:

SUSP_OBF_NET_Eazfuscator_String_Encryption_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/2611cf49-785a-4d92-850a-c42630fe0b5b/

SH256 hash:

5bfb3d67a3d7a18fd41eab498774443e8710765d11ae86d38e9ea3eb7ea6fc30

MD5 hash:

9ce67932244e6999baaebe93ae6c79c2

SHA1 hash:

df7555ac7a5cdad1fa75dc87d51b4e6abe8af80a

Link:

https://www.unpac.me/results/2611cf49-785a-4d92-850a-c42630fe0b5b/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c0c33fc2b499/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c0c33fc2b4998a89bd4ff5ffda166d0d02e455ada63b85c1e0216e3e3bff97aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/41551/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample