MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79507c5ec1f7c1fa1b94cf8b5ce534fe1634b8c44f3ebee7e86e1da09ebf84f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureLogsStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	79507c5ec1f7c1fa1b94cf8b5ce534fe1634b8c44f3ebee7e86e1da09ebf84f0
SHA3-384 hash:	3fd763c8e90479e96049b5848cd0bc77115ac7a0d6c4c65d9c9d8972810021b99e6e7c15dfc5f1350b06db444b531f78
SHA1 hash:	9285103080dd2d7c1934e0457039f5c7d11b8caa
MD5 hash:	36d12fd64512e49ba6848028e54a21c8
humanhash:	apart-red-lamp-jupiter
File name:	RE-690215-374880 Rechnung DE4917602.vbs
Download:	download sample
Signature	PureLogsStealer Create hunting rule
File size:	15'581'290 bytes
First seen:	2026-06-25 11:34:15 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/csv
ssdeep	768:tCZ3QlPDPiKOjf+hG1ukvcq2RKUvxx3Op/qbA6qzu5Yt+Q6Ij+ch1JmIndliipim:M
TLSH	T1C0F6C525CBEE20E6D0973E0426DA132611317D589E38EC45B128B63F95DBC2E64FC7A7
TrID	66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1) 33.3% (.MP3) MP3 audio (1000/1)
Magika	vba
Reporter	abuse_ch
Tags:	CHE DEU geo PureLogsStealer vbs

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/71926/

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a3d124a1548daf709f9af89

Tags:

xtreme shell sage

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6a3d124368dc3ec3ea65385a/reports/e9359f0c-e7fa-4eb7-a372-42d07492029f/overview

Verdict:

Malicious

Labled as:

GT:VB.Heur2.ZBot.3

Link:

https://www.hybrid-analysis.com/sample/79507c5ec1f7c1fa1b94cf8b5ce534fe1634b8c44f3ebee7e86e1da09ebf84f0

Verdict:

Malicious

File Type:

text

Detections:

HEUR:Trojan.VBS.SAgent.gen

Link:

https://opentip.kaspersky.com/79507c5ec1f7c1fa1b94cf8b5ce534fe1634b8c44f3ebee7e86e1da09ebf84f0/results?tab=lookup

Result

Threat name:

n/a

Detection:

malicious

Classification:

expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1933651

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

Bypasses PowerShell execution policy

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Creates processes via WMI

Detected large data written to user environment variables, potentially indicating payload staging for fileless execution

Found suspicious powershell code related to unpacking or dynamic code loading

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious Environment Variable Has Been Registered

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

WScript reads language and country specific registry keys (likely country aware script)

Wscript starts Powershell (via cmd or directly)

Behaviour

Behavior Graph:

Download SVG

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/79507c5ec1f7c1fa1b94cf8b5ce534fe1634b8c44f3ebee7e86e1da09ebf84f0/

Verdict:

Malicious

Threat:

Trojan.VBS.SAgent

Link:

https://tip.neiki.dev/file/79507c5ec1f7c1fa1b94cf8b5ce534fe1634b8c44f3ebee7e86e1da09ebf84f0

Threat name:

Binary.Infostealer.Zeus

Status:

Malicious

First seen:

2026-06-25 11:21:39 UTC

File Type:

Binary

AV detection:

3 of 36 (8.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pfihyxwb67a7ug4uz6fvzzju7yldjogej47l5z7inyo2bhv7qtya._file

Result

Malware family:

n/a

Score:

10/10

Tags:

collection discovery execution spyware stealer

Link:

https://tria.ge/reports/260625-npnccabt8j/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Time Discovery

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Process spawned unexpected child process

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.21

Link:

https://yomi.yoroi.company/submissions/79507c5ec1f7c1fa1b94cf8b5ce534fe1634b8c44f3ebee7e86e1da09ebf84f0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)