MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fe03d6416056b84fd119eb8e950a0c23c59486981377435b0a3125f9e843fc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PXRECVOWEIWOEI


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2fe03d6416056b84fd119eb8e950a0c23c59486981377435b0a3125f9e843fc0
SHA3-384 hash: 7c73b32d5962601be748a43de2c1c7f225cb471a2b16c9ebed7a20134776ede5ac2ec810e8e4050015b1f850cab1169d
SHA1 hash: 3cfe00ce2b251eb8157a1b2fc5acf0716b940de6
MD5 hash: bc670e73ebd0f3712bdc7474a7f960bb
humanhash: jig-bakerloo-princess-robin
File name:Purchase-Enquiry.js
Download: download sample
Signature PXRECVOWEIWOEI
Create hunting rule
File size:131'290 bytes
First seen:2025-05-13 20:04:27 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 192:g2083sn05wz36E7fpv0FjdQkgH0Bp3SAK6DbU3KYKR/4JfsngqnN2VrmAutb26lW:O
Threatray 49 similar samples on MalwareBazaar
TLSH T198D339D196FFC94820C6F04D9254393B8AF26F335DF27F9AA1506BC499B70D0F928962
Magika javascript
Reporter Anonymous
Tags:js PXRECVOWEIWOEI

Intelligence

File Origin
# of uploads :
1
# of downloads :
506
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.9631.20481.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6823a7efe16384d6a7042bf4
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 evasive masquerade obfuscated overlay powershell
Link:
https://www.filescan.io/uploads/6823a5ff8bd61140fb6eaef4/reports/ac814bc9-2113-4595-9d53-31bf9e789ac3/overview
Verdict:
Malicious
Labled as:
SVM:TrojanDownloader/JS.Nemucod
Link:
https://www.hybrid-analysis.com/sample/2fe03d6416056b84fd119eb8e950a0c23c59486981377435b0a3125f9e843fc0
Result
Threat name:
PXRECVOWEIWOEI Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1689401
Signature
Antivirus detection for URL or domain
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Capture Wi-Fi password
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected PXRECVOWEIWOEI Stealer
Yara detected Telegram RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1689401 Sample: Purchase-Enquiry.js Startdate: 13/05/2025 Architecture: WINDOWS Score: 100 38 api.telegram.org 2->38 40 pub-8dfc53689d2141dd8655689c85a38c6c.r2.dev 2->40 42 7 other IPs or domains 2->42 64 Suricata IDS alerts for network traffic 2->64 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 72 16 other signatures 2->72 10 wscript.exe 1 1 2->10         started        13 msiexec.exe 2->13         started        signatures3 70 Uses the Telegram API (likely for C&C communication) 38->70 process4 signatures5 88 JScript performs obfuscated calls to suspicious functions 10->88 90 Suspicious powershell command line found 10->90 92 Wscript starts Powershell (via cmd or directly) 10->92 94 2 other signatures 10->94 15 powershell.exe 14 15 10->15         started        process6 dnsIp7 50 pub-8dfc53689d2141dd8655689c85a38c6c.r2.dev 162.159.140.237, 443, 49689 CLOUDFLARENETUS United States 15->50 52 archive.org 207.241.224.2, 443, 49685 INTERNET-ARCHIVEUS United States 15->52 54 dn721808.ca.archive.org 204.62.247.90, 443, 49686 COGENT-174US United States 15->54 56 Found many strings related to Crypto-Wallets (likely being stolen) 15->56 58 Found Tor onion address 15->58 60 Writes to foreign memory regions 15->60 62 Injects a PE file into a foreign processes 15->62 19 MSBuild.exe 15 38 15->19         started        23 MSBuild.exe 15->23         started        25 conhost.exe 15->25         started        signatures8 process9 dnsIp10 44 ip-api.com 208.95.112.1, 49691, 80 TUT-ASUS United States 19->44 46 api.telegram.org 149.154.167.220, 443, 49692 TELEGRAMRU United Kingdom 19->46 48 icanhazip.com 104.16.185.241, 49690, 80 CLOUDFLARENETUS United States 19->48 74 Tries to steal Mail credentials (via file / registry access) 19->74 76 Found many strings related to Crypto-Wallets (likely being stolen) 19->76 78 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 19->78 80 Tries to harvest and steal browser information (history, passwords, etc) 19->80 27 cmd.exe 1 19->27         started        82 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->82 84 Tries to harvest and steal WLAN passwords 23->84 86 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 23->86 signatures11 process12 signatures13 96 Uses netsh to modify the Windows network and firewall settings 27->96 98 Tries to harvest and steal WLAN passwords 27->98 30 netsh.exe 2 27->30         started        32 conhost.exe 27->32         started        34 findstr.exe 1 27->34         started        36 chcp.com 1 27->36         started        process14
Score:
97%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/2fe03d6416056b84fd119eb8e950a0c23c59486981377435b0a3125f9e843fc0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2fe03d6416056b84fd119eb8e950a0c23c59486981377435b0a3125f9e843fc0/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2025-05-13 02:21:00 UTC
File Type:
Binary
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f7qd2zawavvyj7irt24osufayi6fssdjqe3xinnqumjf7hueh7aa._file
Verdict:
malicious
Label(s):
0bj3ctivitystealer
Create hunting rule
Similar samples:
082d87b0c9b2e71a9351a780f1b7ace0ae603908e23390de3771eb9faa4f7c51
PXRECVOWEIWOEI
46bd635e26e21146d449e2032e7771614808a77c315c5d9478067ed9d6d6af2a
PXRECVOWEIWOEI
4bb1c774d92416f89b1efabbe3e96ce92343942c399b41945c0d5f5fcd0a2f64
PXRECVOWEIWOEI
7431c1aba1c01818fdeb98be54f3899329e3b72f6c384cf3c5a01ac12108dc84
PXRECVOWEIWOEI
a2c86572d47ba0a2fe4dc812a1ea063784f59b2cc3563f0ca8e7f3d570df6aba
PXRECVOWEIWOEI
abe9f5a753ad556b14feac51a67e6cfca4401c217d82b5520e3bc37751d31e99
PXRECVOWEIWOEI
b2564c31effd83cb6893a5cf3e100a6fc7ca8f19e8671bceeae2b1604fc93c84
PXRECVOWEIWOEI
cb859f68816f0ced3b81286af4c046aee24df83455e5bccef39d6d1f818cf95f
PXRECVOWEIWOEI
cda178767af65f18a4cca8c662edf67f46a7acb018479cb5dc378194a3300148
PXRECVOWEIWOEI
error
PXRECVOWEIWOEI
+ 39 additional samples on MalwareBazaar
Result
Malware family:
obj3ctivity
Create hunting rule
Score:
  10/10
Tags:
family:obj3ctivity collection discovery execution persistence privilege_escalation stealer
Link:
https://tria.ge/reports/250513-ytyzragm9x/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detects Obj3ctivity Stage1
Obj3ctivity family
Obj3ctivity, PXRECVOWEIWOEI
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2fe03d6416056b84fd119eb8e950a0c23c59486981377435b0a3125f9e843fc0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments