MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc3d6f7101b7dbcee00c9511a2dc2435d4b2a5b27b312a4128c200eef4b89249. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureLogsStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc3d6f7101b7dbcee00c9511a2dc2435d4b2a5b27b312a4128c200eef4b89249
SHA3-384 hash: 7c1050adf80699b91f6bd61e4776a4ceffe5bd3a4b470802170e8c8ab369ca3dac872e9e4d5d8e9a0cca337a9d99d923
SHA1 hash: 665cbdf56631ca8399f50178f0ca1d7d55042625
MD5 hash: eb3e0281a2cbaa8d0da58c751f9f7aa4
humanhash: london-april-friend-moon
File name:EUR 812,340.js
Download: download sample
Signature PureLogsStealer
Create hunting rule
File size:3'888'927 bytes
First seen:2026-02-26 06:56:18 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 24576:2n2Xm+w0TeQOFmaloVlKAc51alq2qHiZ+2SMLMfMmL5Y3EP8lRv5wvWhqhpz1tQ3:2PKPBlg8ZA4oW0m
Threatray 90 similar samples on MalwareBazaar
TLSH T17606C1E1E9E1776CDA506E1C70FA03CAD7F80D690457B589C81BBE83EE5A380971B076
Magika javascript
Reporter abuse_ch
Tags:js PureLogsStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
138
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.Other.Malware-gen.46354446.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=699fee99c950ab5d9ab1c29c
Tags:
ransomware shell sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated repaired
Link:
https://www.filescan.io/uploads/699feed210e80629d4f34cfe/reports/0dcc36e4-f38a-428d-85d2-280a66edb15e/overview
Verdict:
Malicious
Labled as:
Trojan_Script_Wacatac_B_ml
Link:
https://www.hybrid-analysis.com/sample/fc3d6f7101b7dbcee00c9511a2dc2435d4b2a5b27b312a4128c200eef4b89249
Verdict:
Malicious
File Type:
js
Detections:
Trojan.Win32.InjectorNetT.s PDM:Trojan.Win32.Generic HEUR:Trojan.Script.SAgent.gen Trojan.PowerShell.Cobalt.sb Trojan.MSIL.DOTHETUK.sb Trojan.JS.SAgent.sb
Link:
https://opentip.kaspersky.com/fc3d6f7101b7dbcee00c9511a2dc2435d4b2a5b27b312a4128c200eef4b89249/results?tab=lookup
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
evad.troj.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1875160
Signature
AI detected malicious Powershell script
Bypasses PowerShell execution policy
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1875160 Sample: EUR 812,340.js Startdate: 26/02/2026 Architecture: WINDOWS Score: 100 29 Malicious sample detected (through community Yara rule) 2->29 31 Multi AV Scanner detection for submitted file 2->31 33 Yara detected PureLog Stealer 2->33 35 4 other signatures 2->35 7 wscript.exe 3 2->7         started        process3 file4 25 C:\Temp\ps_zlayeNreiRrh_1772090454350.ps1, ASCII 7->25 dropped 37 Suspicious powershell command line found 7->37 39 Wscript starts Powershell (via cmd or directly) 7->39 41 Bypasses PowerShell execution policy 7->41 43 3 other signatures 7->43 11 powershell.exe 16 7->11         started        14 taskkill.exe 1 7->14         started        signatures5 process6 signatures7 45 Writes to foreign memory regions 11->45 47 Injects a PE file into a foreign processes 11->47 16 aspnet_compiler.exe 15 2 11->16         started        19 conhost.exe 11->19         started        21 aspnet_compiler.exe 11->21         started        23 conhost.exe 14->23         started        process8 dnsIp9 27 198.46.178.137, 49728, 49729, 49730 AS-COLOCROSSINGUS United States 16->27
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/fc3d6f7101b7dbcee00c9511a2dc2435d4b2a5b27b312a4128c200eef4b89249
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fc3d6f7101b7dbcee00c9511a2dc2435d4b2a5b27b312a4128c200eef4b89249/
Verdict:
Malicious
Threat:
Family.PUREHVNC
Link:
https://tip.neiki.dev/file/fc3d6f7101b7dbcee00c9511a2dc2435d4b2a5b27b312a4128c200eef4b89249
Threat name:
Script-JS.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-02-25 13:04:21 UTC
File Type:
Text (JavaScript)
AV detection:
9 of 24 (37.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7q6w64ibw7n45yamsui2fxbegxklfjnspmysuqjiyiao55fysjeq._file
Verdict:
malicious
Label(s):
fantomcrypt
Create hunting rule
Similar samples:
33fd8c047261a8fe39b457de606091a542fdb2558f9fe2a1dd847b0cb349fcd7
PureLogsStealer
7700a90cf3358872441c3ab23f9e05457b92ee8c7d522749b173a6470b9574ef
PureLogsStealer
9f60f244e5c10d02100884aa438b2d44ef7d81b4dc34e41df092af464f831bad
PureLogsStealer
c0dd3a22d9b21d709b54655208ad5a9b67de2cab836181251cedd06fcda280f9
PureLogsStealer
c230ee6038bf851cc5d5fb561052682269d70cd99929c3794cba09c260379c0a
PureLogsStealer
c728f04df01398027a86cd013ccdcb4090949cb1478a8e08ed8e00de7cb6d48a
PureLogsStealer
ed505728b2762f5100e13a8a24c3506d807873dc52135d96f787b4063f30abec
PureLogsStealer
error
PureLogsStealer
+ 80 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution
Link:
https://tria.ge/reports/260226-hqjgwsew7h/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fc3d6f7101b7dbcee00c9511a2dc2435d4b2a5b27b312a4128c200eef4b89249

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments