MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd58ff0d92eea20452fe4be4e4714e35226a5184bcac5cd49439d927130017dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureLogsStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 5 File information Comments

SHA256 hash:	cd58ff0d92eea20452fe4be4e4714e35226a5184bcac5cd49439d927130017dc
SHA3-384 hash:	fbcd41756b7664499c6f0ee4bab1e1840fbe86de114879da3c544968f0f9c8c7e0893d4e0032dbae84f8cb9e05f372de
SHA1 hash:	9f18541f5f339dd6d68b6f3e98f855c9e813a55b
MD5 hash:	89785a2ce26ebbb9b7336ee6e0325b99
humanhash:	rugby-victor-angel-minnesota
File name:	PURCHASE INQUIRY FOR G M VALVE PVT. LTD.js
Download:	download sample
Signature	PureLogsStealer Create hunting rule
File size:	111'513 bytes
First seen:	2026-01-15 07:10:15 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	1536:WniV3jT0jqWarR4E6lIcZ4iUK/mUJUbyzMNVp3xG51Sl2r4whuEmmzXphfj+9Ig3:WiVsT15t4XExkoVrUR
TLSH	T1E0B384C939CAF47343B935276D1BB05AF12F4D82760C80A4D2D766A8FE68708E635D2D
Magika	javascript
Reporter	abuse_ch
Tags:	js PureLogsStealer

abuse_ch

PureLogsStealer C2:
147.124.215.69:1991

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
147.124.215.69:1991	https://threatfox.abuse.ch/ioc/1732349/

Intelligence

File Origin

# of uploads :

# of downloads :

113

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.32424.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=696892f257243ef151cd3f2f

Tags:

ransomware shell hype

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

aspnet_compiler base64 evasive lolbin masquerade obfuscated obfuscated opendir reconnaissance repaired

Link:

https://www.filescan.io/uploads/696892e8ca195a53181bee12/reports/30bd95fc-611b-4edf-9a30-761deb42b014/overview

Verdict:

Malicious

Labled as:

SVM:TrojanDownloader/JS.Nemucod

Link:

https://www.hybrid-analysis.com/sample/cd58ff0d92eea20452fe4be4e4714e35226a5184bcac5cd49439d927130017dc

Verdict:

Malicious

File Type:

First seen:

2026-01-14T21:02:00Z UTC

Last seen:

2026-01-16T04:15:00Z UTC

Hits:

~100

Detections:

PDM:Trojan.Win32.Generic Trojan-Downloader.JS.SLoad.sb Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic Trojan-Downloader.Agent.HTTP.C&C Trojan-PSW.PureLogs.TCP.C&C Trojan.Win32.InjectorNetT.s

Link:

https://opentip.kaspersky.com/cd58ff0d92eea20452fe4be4e4714e35226a5184bcac5cd49439d927130017dc/results?tab=lookup

Result

Threat name:

PureLog Stealer

Detection:

malicious

Classification:

evad.troj.spyw.expl

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1851069

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected malicious Powershell script

Allocates memory in foreign processes

Bypasses PowerShell execution policy

Creates a thread in another existing process (thread injection)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

JScript performs obfuscated calls to suspicious functions

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Potential obfuscated javascript found

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: WScript or CScript Dropper

Suricata IDS alerts for network traffic

Suspicious execution chain found

Switches to a custom stack to bypass stack traces

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Unusual module load detection (module proxying)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected Generic JS Downloader

Yara detected Powershell decode and execute

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

97%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/cd58ff0d92eea20452fe4be4e4714e35226a5184bcac5cd49439d927130017dc

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cd58ff0d92eea20452fe4be4e4714e35226a5184bcac5cd49439d927130017dc/

Verdict:

Malicious

Threat:

Family.PUREHVNC

Link:

https://tip.neiki.dev/file/cd58ff0d92eea20452fe4be4e4714e35226a5184bcac5cd49439d927130017dc

Threat name:

Script-JS.Trojan.Heuristic

Status:

Malicious

First seen:

2026-01-15 03:03:03 UTC

File Type:

Text (JavaScript)

AV detection:

5 of 36 (13.89%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zvmp6dms52raiux6jpsoi4kogurguumexswfzveuhhmsoeyac7oa._file

Result

Malware family:

n/a

Score:

8/10

Tags:

collection discovery execution

Link:

https://tria.ge/reports/260115-hzm7fafx4f/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Command and Scripting Interpreter: JavaScript

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Time Discovery

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Badlisted process makes network request

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cd58ff0d92eea20452fe4be4e4714e35226a5184bcac5cd49439d927130017dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample