MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 761745042e6ba4fadd0bf1ef4a28df72d34caefddd294cd022a37cd6e282faea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 761745042e6ba4fadd0bf1ef4a28df72d34caefddd294cd022a37cd6e282faea
SHA3-384 hash: c175609f119cce47d2ebd444ec640f89f20e6c0af096a6c1854df7428cb2ceec98d849f9906b38baddff650a6826be26
SHA1 hash: 111cdc61df052148e56dcc8a2c860edd3250d544
MD5 hash: 9993b55462dd165865136ed8ded49e24
humanhash: eight-april-one-hawaii
File name:Payment_Advice.js
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:781'828 bytes
First seen:2026-06-10 16:26:46 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 3072:a2/rdrQ0IsihywnjDgRJyxfpPvES1kx/Ysx8edhSgqU++QnOB/uupPalNXfWx+Fo:ToDM
Threatray 85 similar samples on MalwareBazaar
TLSH T129F4F63DCD14013EE972C629C89A096FF4921A5B222CEA4750D73B5FAF73442B3D625E
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika txt
Reporter abuse_ch
Tags:js PureLogsStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a2990f734eaf30d8ce49100
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
conhost masquerade powershell repaired
Link:
https://www.filescan.io/uploads/6a2990a40bddd27b6e063fc8/reports/b9366efd-104a-44c0-b883-e15b752f9c95/overview
Verdict:
Malicious
Labled as:
JS/Agent.URY trojan
Link:
https://www.hybrid-analysis.com/sample/761745042e6ba4fadd0bf1ef4a28df72d34caefddd294cd022a37cd6e282faea
Verdict:
Malicious
File Type:
js
First seen:
2026-06-10T08:09:00Z UTC
Last seen:
2026-06-10T12:26:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/761745042e6ba4fadd0bf1ef4a28df72d34caefddd294cd022a37cd6e282faea/results?tab=lookup
Result
Threat name:
PureLogs Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1926069
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
JScript performs obfuscated calls to suspicious functions
Multi AV Scanner detection for submitted file
Powershell scriptblock execution from environment variable
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Yara detected MSIL Injector
Yara detected PureLogs Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1926069 Sample: Payment_Advice.js Startdate: 10/06/2026 Architecture: WINDOWS Score: 100 41 bunnellmc.com 2->41 57 Multi AV Scanner detection for submitted file 2->57 59 Yara detected PureLogs Stealer 2->59 61 Yara detected MSIL Injector 2->61 63 4 other signatures 2->63 10 wscript.exe 1 1 2->10         started        13 powershell.exe 29 2->13         started        15 svchost.exe 1 1 2->15         started        signatures3 process4 dnsIp5 73 JScript performs obfuscated calls to suspicious functions 10->73 75 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->75 77 Suspicious execution chain found 10->77 79 2 other signatures 10->79 18 conhost.exe 10->18         started        20 conhost.exe 1 13->20         started        55 127.0.0.1 unknown unknown 15->55 signatures6 process7 process8 22 powershell.exe 15 22 18->22         started        dnsIp9 49 bunnellmc.com 206.168.149.18, 443, 49685 FIBERSTATE-FiberStateLLCUS United States 22->49 51 172.81.130.198, 49688, 49690, 49721 DATAWAGON-DataWagonLLCUS United States 22->51 39 C:\Users\user\AppData\...\powershell.lnk, MS 22->39 dropped 65 Creates an undocumented autostart registry key 22->65 67 Tries to steal Mail credentials (via file / registry access) 22->67 69 Found many strings related to Crypto-Wallets (likely being stolen) 22->69 71 5 other signatures 22->71 27 chrome.exe 3 22->27         started        30 chrome.exe 2 22->30 injected 32 chrome.exe 2 22->32 injected 34 2 other processes 22->34 file10 signatures11 process12 dnsIp13 53 192.168.2.9, 138, 443, 49672 unknown unknown 27->53 36 chrome.exe 27->36         started        process14 dnsIp15 43 play.google.com 142.250.191.14, 443, 49715 GOOGLE-GoogleLLCUS United States 36->43 45 www.google.com 142.251.154.119, 443, 49701, 49705 GOOGLE-GoogleLLCUS United States 36->45 47 3 other IPs or domains 36->47
Score:
57%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/761745042e6ba4fadd0bf1ef4a28df72d34caefddd294cd022a37cd6e282faea
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/761745042e6ba4fadd0bf1ef4a28df72d34caefddd294cd022a37cd6e282faea/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oylukbbonospvxil6hxuukg7oljuzlx53uuuzubcun6nnyuc7lva._file
Verdict:
malicious
Label(s):
purecrypter
Create hunting rule
Similar samples:
12d51bb5ed6b4db145af16f70b1f498c5757c7d2420bd25f7313f4cb092b0419
PureLogsStealer
6a640d2dfdef8984777bd2de97349349b4336b65183d35fbd83093fd930ced94
PureLogsStealer
7cc7c63542bfc39f82020d99cd5d84032ebcc85c3d941b1b9b2f74f52d529f20
PureLogsStealer
a5903b21a481d11fd8ac07ba5ec097c300f40e247906a0ce2f05f6edccb7630d
PureLogsStealer
aa00ee0b08aa375618c6ee930810dbb5ef92f35c1d6d07faeebfa027311c0acd
PureLogsStealer
df915ff4a85619f377c321e2a2cfd3d53051380b971441f117ddf16c8786a022
PureLogsStealer
error
PureLogsStealer
f9aa29d9b2ba2551de3331bfd681b5a71af3c5d7f32badc68e5f8b96a5631841
PureLogsStealer
fe7e8c845a0dd067aede7ab14cb46a27a11967601bc65f00015a7e14449617c5
PureLogsStealer
+ 75 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection discovery execution persistence
Link:
https://tria.ge/reports/260610-tznczsdt5t/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Command and Scripting Interpreter: JavaScript
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Time Discovery
Drops file in Windows directory
Accesses Microsoft Outlook profiles
Checks computer location settings
Drops startup file
Registers new Windows logon scripts automatically executed at logon.
Badlisted process makes network request
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments