MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0e7f7fec05c3d612a7840cd55c14eccfa71ae615462334f4e09251a91429ffe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0e7f7fec05c3d612a7840cd55c14eccfa71ae615462334f4e09251a91429ffe
SHA3-384 hash: 17edf947ceb045e76d22b950d18f5549f50c59bff3154e56088eb4613fbdbe493be2b8df2a67e3c33479ba9d236b2c9a
SHA1 hash: 40e997cc38f42c6a6fad5af0035483e520407340
MD5 hash: 4718dafba715152e862c513ac7d66ed9
humanhash: solar-sixteen-autumn-skylark
File name:PO No 602450.js
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:4'377'875 bytes
First seen:2025-12-09 08:23:31 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 192:dSz+dSR06JFSsSUnr0S9lySuSnHGUsSP+So0/yx1mKppsW3ppmIppRM:XCp8PbfzI
TLSH T14616F29A035AA53CB1A712358E7C77C0F9E8956BB8620816B1171BC5DFE43B05FA4FB0
Magika javascript
Reporter lowmal3
Tags:js PureLogsStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6937dcb1881313558a2bab45
Tags:
ransomware xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 base64 fingerprint obfuscated obfuscated opendir overlay powershell repaired
Link:
https://www.filescan.io/uploads/6937dcafbba50eaf042907f6/reports/356f2715-0005-416d-b2e0-b27dce554c3d/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/e0e7f7fec05c3d612a7840cd55c14eccfa71ae615462334f4e09251a91429ffe
Verdict:
Malicious
File Type:
js
First seen:
2025-12-09T02:06:00Z UTC
Last seen:
2025-12-11T06:10:00Z UTC
Hits:
~1000
Detections:
Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/e0e7f7fec05c3d612a7840cd55c14eccfa71ae615462334f4e09251a91429ffe/results?tab=lookup
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1829321
Signature
Creates processes via WMI
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1829321 Sample: PO No 602450.js Startdate: 09/12/2025 Architecture: WINDOWS Score: 100 31 pixeldrain.com 2->31 33 ia801706.us.archive.org 2->33 41 Malicious sample detected (through community Yara rule) 2->41 43 Yara detected PureLog Stealer 2->43 45 Yara detected Powershell download and execute 2->45 47 8 other signatures 2->47 8 wscript.exe 1 2->8         started        11 powershell.exe 14 16 2->11         started        14 wscript.exe 2->14         started        16 svchost.exe 1 1 2->16         started        signatures3 process4 dnsIp5 49 Suspicious powershell command line found 8->49 51 Wscript starts Powershell (via cmd or directly) 8->51 53 Windows Scripting host queries suspicious COM object (likely to drop second stage) 8->53 55 2 other signatures 8->55 35 ia801706.us.archive.org 207.241.233.36, 443, 49683, 49690 INTERNET-ARCHIVEUS United States 11->35 37 pixeldrain.com 160.202.167.163, 443, 49687, 49694 DEDICATEDUS New Zealand 11->37 18 cmd.exe 2 11->18         started        21 conhost.exe 11->21         started        23 powershell.exe 14->23         started        39 127.0.0.1 unknown unknown 16->39 signatures6 process7 file8 29 C:\Users\...\Windows....Updates......js, Unicode 18->29 dropped 25 conhost.exe 18->25         started        27 conhost.exe 23->27         started        process9
Verdict:
inconclusive
YARA:
1 match(es)
Link:
https://app.malva.re/file/4718dafba715152e862c513ac7d66ed9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e0e7f7fec05c3d612a7840cd55c14eccfa71ae615462334f4e09251a91429ffe/
Verdict:
Malicious
Threat:
Trojan.JS.SAgent
Link:
https://tip.neiki.dev/file/e0e7f7fec05c3d612a7840cd55c14eccfa71ae615462334f4e09251a91429ffe
Threat name:
Script-JS.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-12-09 06:10:44 UTC
File Type:
Binary
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4dt7p7walq6wcktyidgvlqkozt5hdltbkrrdgt2obesrvekct77a._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution persistence
Link:
https://tria.ge/reports/251209-kasrqswlgn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Process spawned unexpected child process
Malware Config
Dropper Extraction:
https://ia801706.us.archive.org/25/items/msi-pro-with-b-64_20251208/MSI_PRO_with_b64.png
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/e0e7f7fec05c3d612a7840cd55c14eccfa71ae615462334f4e09251a91429ffe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PureLogsStealer

Java Script (JS) js e0e7f7fec05c3d612a7840cd55c14eccfa71ae615462334f4e09251a91429ffe

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments