MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df915ff4a85619f377c321e2a2cfd3d53051380b971441f117ddf16c8786a022. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df915ff4a85619f377c321e2a2cfd3d53051380b971441f117ddf16c8786a022
SHA3-384 hash: 74292fc4ca331698bf307ddecff2a36a52784d7cf526822c3e05b8374de7d5b38734527779db97b7efe7f47684b07aa3
SHA1 hash: f890a94b69b80dee010423ea959332894cb9c519
MD5 hash: cc615b9c3187ee765af0bdaf7f942bd8
humanhash: washington-burger-idaho-steak
File name:Urgent Request for Quote-87653234567765423455_pdf.js
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:831'844 bytes
First seen:2026-06-05 06:48:34 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 3072:7PhG0gjme1una8vcl6QnSIYORZRYsCT5IXrKwSYOpJBnSSvR46QSTQKBPZecieob:M0gjme1uO
Threatray 25 similar samples on MalwareBazaar
TLSH T1BA05E93DD924422EF172C518C59A081FF8A6298B522CEA5721C3374F5EA384777D27AF
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika txt
Reporter lowmal3
Tags:js PureLogsStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a227174f8676ad4d361442b
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
conhost masquerade obfuscated powershell repaired
Link:
https://www.filescan.io/uploads/6a227178099ef368af210934/reports/ed070adb-fb14-4279-bd17-5be23c0dddfb/overview
Verdict:
Malicious
Labled as:
JS/Agent.URN trojan
Link:
https://www.hybrid-analysis.com/sample/df915ff4a85619f377c321e2a2cfd3d53051380b971441f117ddf16c8786a022
Verdict:
Malicious
File Type:
js
First seen:
2026-06-04T01:18:00Z UTC
Last seen:
2026-06-07T03:26:00Z UTC
Hits:
~1000
Detections:
PDM:Trojan.Win32.Generic HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/df915ff4a85619f377c321e2a2cfd3d53051380b971441f117ddf16c8786a022/results?tab=lookup
Result
Threat name:
PureLogs Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1923417
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
JScript performs obfuscated calls to suspicious functions
Powershell scriptblock execution from environment variable
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Yara detected AntiVM3
Yara detected MSIL Injector
Yara detected PureLogs Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1923417 Sample: Urgent Request for Quote-87... Startdate: 05/06/2026 Architecture: WINDOWS Score: 100 31 vrdccbank.com 2->31 53 Yara detected PureLogs Stealer 2->53 55 Yara detected MSIL Injector 2->55 57 Yara detected AntiVM3 2->57 59 3 other signatures 2->59 10 wscript.exe 1 1 2->10         started        signatures3 process4 signatures5 61 JScript performs obfuscated calls to suspicious functions 10->61 63 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->63 65 Suspicious execution chain found 10->65 67 2 other signatures 10->67 13 conhost.exe 10->13         started        process6 process7 15 powershell.exe 15 20 13->15         started        dnsIp8 41 vrdccbank.com 103.174.10.44, 443, 49693 BROWNARC-AS-APBrownArcEnterprisesPrivateLimitedIN India 15->41 43 193.93.193.93, 49695, 49698, 49727 AS-GLOBALTELEHOST-GTHostUS Czechia 15->43 45 Creates an undocumented autostart registry key 15->45 47 Tries to steal Mail credentials (via file / registry access) 15->47 49 Found many strings related to Crypto-Wallets (likely being stolen) 15->49 51 5 other signatures 15->51 19 chrome.exe 3 15->19         started        22 chrome.exe 2 15->22 injected 24 chrome.exe 2 15->24 injected 26 2 other processes 15->26 signatures9 process10 dnsIp11 33 192.168.2.5, 138, 443, 49693 unknown unknown 19->33 28 chrome.exe 2 19->28         started        process12 dnsIp13 35 googlehosted.l.googleusercontent.com 142.250.217.1, 443, 49715 GOOGLE-GoogleLLCUS United States 28->35 37 www.google.com 142.251.151.119, 443, 49704, 49708 GOOGLE-GoogleLLCUS United States 28->37 39 3 other IPs or domains 28->39
Score:
72%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/df915ff4a85619f377c321e2a2cfd3d53051380b971441f117ddf16c8786a022
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/df915ff4a85619f377c321e2a2cfd3d53051380b971441f117ddf16c8786a022/
Verdict:
Malicious
Threat:
Trojan.Win32
Link:
https://tip.neiki.dev/file/df915ff4a85619f377c321e2a2cfd3d53051380b971441f117ddf16c8786a022
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=36iv75fikym7g56dehrkft6t2uyfcoals4ked4ix3xywzb4guara._file
Verdict:
malicious
Label(s):
stubrunner
Create hunting rule
purecrypter
Create hunting rule
Similar samples:
4334b32b02f055ad7553e21cf13b1706b892a648fadb4584cafb3283245f6389
PureLogsStealer
8918151f86687bf6dcd6962b05fe94d4a48c400d89cfdee172d8ee70f06c3403
PureLogsStealer
96a66d9477bd32693422ae6aefd7dbefc1d52c2e2e510bd29d3f34f910e6ff7e
PureLogsStealer
a792120feec7e2c2f6e68f7d267826b559e8eb8a277c4966d7beb7ca3a8eb1e4
PureLogsStealer
b6a4ce1b28a8c0754b1ce5d4832644ca3c0e4571556e9c5bfe3ae9da97589366
PureLogsStealer
b95012a5ed4784b632680ca3291db8dd17908c5137279e190a06563cd111665f
PureLogsStealer
db4c234a950279b3fee6e07157fd6c6e9ff082f8a72211749a0a3eb84a3bc0f5
PureLogsStealer
error
PureLogsStealer
f272a51c813b2d3c3748457bd842ae2125596dc6786e1a326bac2479b01273cf
PureLogsStealer
f8ef2e6276195d1ee28eacdf26e9c5f4eac9a78c2a42f5896253749a7664944d
PureLogsStealer
+ 15 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/260605-hljl4ac17n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Checks computer location settings
Badlisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/df915ff4a85619f377c321e2a2cfd3d53051380b971441f117ddf16c8786a022

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PureLogsStealer

Java Script (JS) js df915ff4a85619f377c321e2a2cfd3d53051380b971441f117ddf16c8786a022

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments