MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfae3c8310231b314c6193d12274ef285de473ada117e66fa7fa1c7e298bd712. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PureLogsStealer


Vendor detections: 12


SHA256 hash: dfae3c8310231b314c6193d12274ef285de473ada117e66fa7fa1c7e298bd712
SHA3-384 hash: 49c44948c348a1bd284a1e8e4d0321b8719cb1ff7cd321f89eec44ecf3204d09d567b7f15ccbd3056618a8618170692c
SHA1 hash: 988572387fb44fff266bbb832c31e55ad462c825
MD5 hash: e394e49df6a4d71a5fbc4eb65ddf0f63
humanhash: sweet-zebra-hamper-hamper
File name: e394e49df6a4d71a5fbc4eb65ddf0f63.exe
Signature: PureLogsStealer
File size: 467'456 bytes
First seen: 2025-09-16 07:55:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 941a3b2713c7a12223a7696c8685d4d8 (2 x PureLogsStealer)
ssdeep: 6144:hh8lS/jjdpSK49AX8Tp8dCaIM/wDOt3qdoe3FaBQVkO:hSlS/y9AMd8dH3qB3FeikO
TLSH: T16EA48C26FB9198F8D457C07486524562AB72BCC90731AAFF43A862352E76BF11F3CB14
TrID: 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.3% (.EXE) OS/2 Executable (generic) (2029/13)
      9.2% (.EXE) Generic Win/DOS Executable (2002/3)
      9.2% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe PureLogsStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 97
Origin country: SE
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: e394e49df6a4d71a5fbc4eb65ddf0f63.exe
Verdict: Malicious activity
Analysis date: 2025-09-16 07:58:50 UTC
Tags: anti-evasion payload susp-powershell

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 94.9%
Tags: obfuscate phishing xtreme keylog
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Sending a custom TCP request
Setting a global event handler
Setting a global event handler for the keyboard
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context anti-debug anti-vm fingerprint keylogger microsoft_visual_cc obfuscated threat
Result
Threat name: PureLog Stealer, zgRAT
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Bypasses PowerShell execution policy
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Obfuscated command line found
PowerShell case anomaly found
Powershell drops PE file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Cmd.EXE Missing Space Characters Execution Anomaly
Sigma detected: Invoke-Obfuscation STDIN+ Launcher
Sigma detected: MSHTA Suspicious Execution 01
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Script Change Permission Via Set-Acl
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph: ID 1778292, Sample: 1oHFSkdSs4.exe, Startdate: 16/09/2025, Architecture: WINDOWS, Score: 100 (graph rendering not reproduced here)
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2025-09-16 00:44:55 UTC
File Type: PE+ (Exe)
Extracted files: 15
AV detection: 11 of 24 (45.83%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: defense_evasion
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Looks for VMWare drivers on disk
Enumerates VirtualBox DLL files
Looks for VirtualBox drivers on disk
Looks for VirtualBox executables on disk
Unpacked files
SHA256 hash: dfae3c8310231b314c6193d12274ef285de473ada117e66fa7fa1c7e298bd712
MD5 hash: e394e49df6a4d71a5fbc4eb65ddf0f63
SHA1 hash: 988572387fb44fff266bbb832c31e55ad462c825
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Check_Debugger
Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__RemoteAPI
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: pe_detect_tls_callbacks
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments