MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa83fdb373d067023293567d76ee94ce0a4b592e6193c58025b7725dda06fc60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa83fdb373d067023293567d76ee94ce0a4b592e6193c58025b7725dda06fc60
SHA3-384 hash: 18a31351dc4a52a491e09d1261a6ef367fd591335117f9af128a19613e36cfbdde1e949742442f00013379f4ffdfdf2d
SHA1 hash: bd8caea98e1c4e200feeb144497a64dc2131bfb8
MD5 hash: 49382279198b796663f0a88dc9e634df
humanhash: washington-fix-maine-yellow
File name:KJ-103Swift-CN8400-GF4022-PL0039-YF4893-CHF849-JDE0003-EA392-KS9400-LAWIW.exe
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:587'264 bytes
First seen:2025-12-09 09:25:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7eae418c7423834ffc3d79b4300bd6fb (60 x GuLoader, 21 x RemcosRAT, 18 x AgentTesla)
ssdeep 12288:4caQh7Bepfe4KrrF2YlJ4ZU8EcWVADjY2+DajFmr13MRk:4zgdeJe4KfF72U9VAnWDaRmr13MR
TLSH T1F6C4D0E6FCE1F4AEC49850F4C69F8E828850789D5B820D656397A71C14E320DEDDE2F9
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter cocaman
Tags:exe PureLogsStealer signed SWIFT

Code Signing Certificate

Organisation:Traditionsbunden
Issuer:Traditionsbunden
Algorithm:sha256WithRSAEncryption
Valid from:2025-10-26T00:42:14Z
Valid to:2026-10-26T00:42:14Z
Serial number: 050cd323758804656a9da1fc8298fc8f24dffa73
Thumbprint Algorithm:SHA256
Thumbprint: 05b05d1c7b836bb0778d5cf46c028fff26790471c91ed33b49adf11da391570d
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
132
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
NSIS
Details
Link:
https://research.acce.ciphertechsolutions.com/results/d439177c-0583-4483-a138-d5b3dd4637f2/
Malware family:
n/a
ID:
1
File name:
_fa83fdb373d067023293567d76ee94ce0a4b592e6193c58025b7725dda06fc60.exe
Verdict:
Malicious activity
Analysis date:
2025-12-09 09:26:38 UTC
Tags:
auto-reg purehvnc netreactor
Link:
https://app.any.run/tasks/dced2cae-abb0-4582-83e0-4598cbb66f0c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/43968/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6937eb3b881313558a2babcd
Tags:
injection obfusc virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Searching for the window
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole installer installer installer-heuristic microsoft_visual_cc nsis overlay signed
Link:
https://www.filescan.io/uploads/6937eb38bc15eab491f81d32/reports/8e4a67d1-719b-48c3-bd6b-c31374fefdf9/overview
Verdict:
Malicious
Labled as:
Trojan.Downloader.oa
Link:
https://www.hybrid-analysis.com/sample/fa83fdb373d067023293567d76ee94ce0a4b592e6193c58025b7725dda06fc60
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-09T01:28:00Z UTC
Last seen:
2025-12-11T07:22:00Z UTC
Hits:
~100
Detections:
Trojan.NSIS.Makoob.sba Packed.NSIS.Krynis.sb Trojan-PSW.PureLogs.TCP.C&C Trojan.Makoob.HTTP.C&C Trojan-Downloader.Win32.Minix.sb Trojan.Win32.Guloader.sb Trojan.NSIS.Makoob.sbb HEUR:Trojan.Win32.GuLoader.gen
Link:
https://opentip.kaspersky.com/fa83fdb373d067023293567d76ee94ce0a4b592e6193c58025b7725dda06fc60/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/85b78b4d-ed16-43f4-a7de-33fafb96dccd
Result
Threat name:
GuLoader, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1829352
Signature
AI detected suspicious PE digital signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected GuLoader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1829352 Sample: KJ-103Swift-CN8400-GF4022-P... Startdate: 09/12/2025 Architecture: WINDOWS Score: 100 36 musictunes.airdns.org 2->36 38 euronova-eu.com 2->38 52 Suricata IDS alerts for network traffic 2->52 54 Antivirus detection for dropped file 2->54 56 Antivirus / Scanner detection for submitted sample 2->56 58 6 other signatures 2->58 9 KJ-103Swift-CN8400-GF4022-PL0039-YF4893-CHF849-JDE0003-EA392-KS9400-LAWIW.exe 2 48 2->9         started        signatures3 process4 file5 32 C:\Users\user\AppData\Local\...\System.dll, PE32 9->32 dropped 60 Tries to detect virtualization through RDTSC time measurements 9->60 62 Unusual module load detection (module proxying) 9->62 64 Switches to a custom stack to bypass stack traces 9->64 13 KJ-103Swift-CN8400-GF4022-PL0039-YF4893-CHF849-JDE0003-EA392-KS9400-LAWIW.exe 11 9->13         started        18 KJ-103Swift-CN8400-GF4022-PL0039-YF4893-CHF849-JDE0003-EA392-KS9400-LAWIW.exe 9->18         started        signatures6 process7 dnsIp8 42 musictunes.airdns.org 146.70.245.66, 49696, 49727, 5437 TENET-1ZA United Kingdom 13->42 44 euronova-eu.com 72.62.53.232, 49695, 80 SPCSUS United States 13->44 34 C:\Users\user\Metanilic\Recoiler.exe, PE32 13->34 dropped 66 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->66 68 Tries to steal Mail credentials (via file / registry access) 13->68 70 Tries to harvest and steal browser information (history, passwords, etc) 13->70 72 4 other signatures 13->72 20 chrome.exe 1 13->20         started        23 chrome.exe 13->23 injected 25 chrome.exe 13->25 injected 27 4 other processes 13->27 file9 signatures10 process11 dnsIp12 40 192.168.2.6, 138, 443, 49682 unknown unknown 20->40 29 chrome.exe 20->29         started        process13 dnsIp14 46 play.google.com 142.250.105.102, 443, 49721, 49722 GOOGLEUS United States 29->46 48 googlehosted.l.googleusercontent.com 142.250.105.132, 443, 49712, 49713 GOOGLEUS United States 29->48 50 5 other IPs or domains 29->50
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fa83fdb373d067023293567d76ee94ce0a4b592e6193c58025b7725dda06fc60
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/49382279198b796663f0a88dc9e634df
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fa83fdb373d067023293567d76ee94ce0a4b592e6193c58025b7725dda06fc60/
Verdict:
Malicious
Threat:
Family.GULOADER
Link:
https://tip.neiki.dev/file/fa83fdb373d067023293567d76ee94ce0a4b592e6193c58025b7725dda06fc60
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2025-12-09 04:24:07 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7kb73m3t2btqemutkz6xn3uuzyfewwjomgj4labfw5zf3wqg7rqa._file
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader collection discovery downloader persistence spyware stealer
Link:
https://tria.ge/reports/251209-leax6awnfr/
Behaviour
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Adds Run key to start application
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Guloader family
Guloader,Cloudeye
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8fd63eb4-0714-4dc6-b0bc-0dc53d99d5fd
Unpacked files
SH256 hash:
fa83fdb373d067023293567d76ee94ce0a4b592e6193c58025b7725dda06fc60
MD5 hash:
49382279198b796663f0a88dc9e634df
SHA1 hash:
bd8caea98e1c4e200feeb144497a64dc2131bfb8
Link:
https://www.unpac.me/results/86b8cfcc-c515-43a8-afaa-f9829700eb8c/
SH256 hash:
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
MD5 hash:
8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 hash:
7cc1caaa747ee16dc894a600a4256f64fa65a9b8
Link:
https://www.unpac.me/results/86b8cfcc-c515-43a8-afaa-f9829700eb8c/
SH256 hash:
c5ba017732597a82f695b084d1aa7fe3b356168cc66105b9392a9c5b06be5188
MD5 hash:
ec9640b70e07141febbe2cd4cc42510f
SHA1 hash:
64a5e4b90e5fe62aa40e7ac9e16342ed066f0306
Link:
https://www.unpac.me/results/86b8cfcc-c515-43a8-afaa-f9829700eb8c/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fa83fdb373d0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/fa83fdb373d067023293567d76ee94ce0a4b592e6193c58025b7725dda06fc60

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PureLogsStealer

rar 65ce0178ab30e4a96ce574b7559ca01bd9f114f0605a5be6e0284256f88d83e5

PureLogsStealer

Executable exe fa83fdb373d067023293567d76ee94ce0a4b592e6193c58025b7725dda06fc60

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 65ce0178ab30e4a96ce574b7559ca01bd9f114f0605a5be6e0284256f88d83e5
  
Dropped by
MD5 6c765f0ac9b22e095aec0c5a23d4c6c2
Cape
Cape
https://www.capesandbox.com/analysis/43968/

Comments