stealer_log (also observed as bot in some indices) represents a record of a compromised device whose credentials and browsing data were harvested by information-stealer malware (such as RedLine, Raccoon, or Vidar). These entries originate from dark-web marketplaces (for example, “Russian Market”) where attackers sell logs containing cookies, saved passwords, and session tokens from infected machines.
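Each document corresponds to a single device or “bot,” with metadata describing where and when it was first seen, its environment (OS, IP, ISP), and the websites and services discovered in its data. Because harvested cookies and session tokens can remain valid after a password change, responding to a matching record usually means revoking active sessions as well as resetting the exposed credentials.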
Example Content (passwords, cookie values, and the hardware ID are masked or redacted in this sample)
{
"activity": {
"data": {
"es_id": "stealer_logs/sample_log_doc_000002",
"es_score": 1.0,
"highlights": {},
"id": "sample_log_doc_000002",
"index": "stealer_log",
"metadata": {
"estimated_created_at": "2025-10-24T03:51:00+00:00",
"event_id": null,
"first_crawled_at": "2025-10-28T18:35:15.095033+00:00",
"last_crawled_at": "2025-10-28T18:35:15.095033+00:00",
"payload_digest": "f8fbcbf034e346eedf2a8abed80b883433ddccaf",
"scraped_at": "2025-10-28T18:35:17.333487+00:00",
"source": "stealer_logs",
"crawled_by": null,
"flare_url": "https://app.example.com/#/stealer_log/stealer_logs/sample_log_doc_000002"
},
"uid": "stealer_log/stealer_logs/sample_log_doc_000002",
"url": null,
"browser_url": null,
"name": null,
"installed_at": "2025-10-24T03:51:00+00:00",
"updated_at": null,
"seller_id": null,
"isp": null,
"information": null,
"credentials": [
{
"url": "https://www.epicgames.com/id/login",
"username": "user1@example.com",
"password": "raf*********",
"application": "Browser/Logins/Edge_Default[edeafc70].txt"
}
],
"cookies": [
{
"host_key": ".instagram.com",
"path": "/",
"expires_utc": "2026-03-04T02:22:08",
"name": "datr",
"value": "REDACTED"
},
{
"host_key": ".mediafire.com",
"path": "/",
"expires_utc": "2026-03-04T12:54:47",
"name": "ukey",
"value": "REDACTED"
}
],
"user_information": {
"ip_address": "198.51.100.1",
"ip_network": null,
"username": "user_display_name",
"country_code": "BR",
"zip_code": "",
"location": "",
"hwid": "HWID-REDACTED-0001",
"current_language": "",
"screensize_width": 1920,
"screensize_height": 1080,
"timezone": "UTC-3",
"os": "Windows 11 24H2 build 26200 (64 Bit)",
"uac": "",
"process_elevation": null,
"available_keyboards": [
"Portuguese"
],
"hardware": [
"CPU: AMD Ryzen 5 5500",
"RAM: 16278 MB",
"HOSTNAME: HOST-XXXX"
],
"anti_viruses": null
},
"malware_information": {
"malware_family": "unknown",
"build_id": "",
"file_location": "",
"infection_date": "2025-10-24T03:51:00+00:00"
},
"files": [
"Browser/Autofill/Blink_Default[99168010].txt",
"Browser/Autofill/Blink_Default[9cf42651].txt",
"Browser/Autofill/Blink_Default[edeafc70].txt",
"Browser/Autofill/Blink_Default[f4116c65].txt"
],
"price": null,
"currency": null,
"features": {
"domains": [
"account.educacross.com.br",
"accounts.google.com",
"bitly.com",
"connect.ubisoft.com",
"discord.com",
"gmail.com",
"hotmail.com",
"myaccount.google.com",
"saladofuturo.educacao.sp.gov.br",
"store.steampowered.com",
"www.epicgames.com",
"www.fortnite.com",
"www.roblox.com"
],
"emails": [
"user1@example.com",
"user2@example.com"
],
"ip_addresses": [
"198.51.100.1"
],
"ip_addresses_cidr": [
"198.51.100.1"
],
"reversed_domains": [
"br.com.educacross.account",
"br.gov.sp.educacao.saladofuturo",
"com.bitly",
"com.discord",
"com.epicgames.www",
"com.fortnite.www",
"com.gmail",
"com.google.accounts",
"com.google.myaccount",
"com.hotmail",
"com.roblox.www",
"com.steampowered.store",
"com.ubisoft.connect"
],
"urls": [
"https://account.educacross.com.br/login",
"https://accounts.google.com/v3/signin/challenge/pwd",
"https://bitly.com/a/sign_up",
"https://connect.ubisoft.com/login",
"https://connect.ubisoft.com/oauth/create",
"https://discord.com/channels/@me",
"https://myaccount.google.com/signinoptions/password",
"https://saladofuturo.educacao.sp.gov.br/login-alunos",
"https://store.steampowered.com/join/completesignup",
"https://www.epicgames.com/id/login",
"https://www.fortnite.com/id/login/customized",
"https://www.roblox.com/login"
],
"usernames": [
"user120063621",
"user_display_name",
"user_display_2",
"user_display_3",
"user_display_4",
"user_display_5",
"user1@example.com",
"user2@example.com",
"user_display_6"
],
"vulnerabilities": null
},
"sources": [
"stealer_logs_private"
]
},
"duplicates": [],
"header": {
"actor": null,
"actor_id": null,
"bank": null,
"bin": null,
"brand": null,
"credential_count": 17,
"category_name": "Infected Device",
"content_hash": "f8fbcbf034e346eedf2a8abed80b883433ddccaf",
"content_preview": "17 credentials",
"country": null,
"duplicates": [],
"es_score": 1.0,
"expiration": null,
"highlights": {},
"host": null,
"id": "sample_log_doc_000002",
"infection_date": "2025-10-24T03:51:00+00:00",
"parent_id": null,
"parent_title": null,
"parent_title_en": null,
"parent_uid": null,
"parent_uids": [
"chat_message/telegram/0000000000/00000000000"
],
"risk": {
"score": 3
},
"similar_items_count": 0,
"source": "stealer_logs",
"source_name": "Stealer Logs",
"target_name": "Stealer Logs",
"tags": [],
"notes": null,
"state_code": null,
"timestamp": "2025-10-24T03:51:00+00:00",
"title": "",
"type": "stealer_log",
"uid": "stealer_log/stealer_logs/sample_log_doc_000002",
"user_risk_score": null,
"user_notes": null,
"ignored_at": null,
"remediated_at": null,
"verb": "sold",
"external_url": "s3://example-bucket/0000000000/00000000000000000000000000000000000000",
"external_netloc": "example-bucket",
"can_have_duplicates": true,
"priority_action_uuid_related": false,
"analyzers_items_uids": [],
"victim_name": null,
"contains_secrets": null,
"secrets_metadata": null
},
"history_logs": null,
"metadata": {
"estimated_created_at": "2025-10-24T03:51:00+00:00",
"event_id": null,
"first_crawled_at": "2025-10-28T18:35:15.095033+00:00",
"last_crawled_at": "2025-10-28T18:35:15.095033+00:00",
"payload_digest": "f8fbcbf034e346eedf2a8abed80b883433ddccaf",
"scraped_at": "2025-10-28T18:35:17.333487+00:00",
"source": "stealer_logs",
"crawled_by": null,
"flare_url": "https://app.example.com/#/stealer_log/stealer_logs/sample_log_doc_000002"
},
"similar_items": []
}
}