MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c6065ee56894e8ee36caa30ef9c5cbf11547ce6e6e6a83419e4e146d84baee1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureCrypter


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c6065ee56894e8ee36caa30ef9c5cbf11547ce6e6e6a83419e4e146d84baee1
SHA3-384 hash: e3059cb77993868330cc580405b939550ccfabe1487cbeca46e4562423a26dcc2b2facd5ba8771573c5e871926e5909b
SHA1 hash: af5b46e122312221bb9a3f91e860435043a812fc
MD5 hash: ee38a238bd70719bebb2b8bdcdde22d0
humanhash: wisconsin-maryland-fifteen-massachusetts
File name:DHL On Demand Delivery.exe
Download: download sample
Signature PureCrypter
Create hunting rule
File size:8'192 bytes
First seen:2023-11-08 08:12:37 UTC
Last seen:2023-11-08 10:42:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 192:AESKXMKhwW9we3OloU7Z40EreOoDgb7ZP02:AESsbZ9w0dUO4YZs
Threatray 448 similar samples on MalwareBazaar
TLSH T1DEF1C615EBB84333EA3F0779D87343420778E696CC46DF5F288C664A6D02A414DA73AA
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:DHL exe purecrypter

Intelligence

File Origin
# of uploads :
2
# of downloads :
309
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.29668.11130.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Launching a process
Creating a file
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/654b43273dd412119bf161eb/reports/c18b280c-d2f1-4448-b373-2d95650d2d89/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/0c6065ee56894e8ee36caa30ef9c5cbf11547ce6e6e6a83419e4e146d84baee1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/23253b48-13fd-4708-ae61-cdbc42b21db0
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1338864
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1338864 Sample: DHL_On_Demand_Delivery.exe Startdate: 08/11/2023 Architecture: WINDOWS Score: 100 26 www.viteview.com 2->26 28 www.tearsandrise.com 2->28 30 15 other IPs or domains 2->30 46 Multi AV Scanner detection for domain / URL 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus detection for URL or domain 2->50 52 6 other signatures 2->52 10 DHL_On_Demand_Delivery.exe 15 3 2->10         started        signatures3 process4 signatures5 54 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->54 56 Writes to foreign memory regions 10->56 58 Allocates memory in foreign processes 10->58 60 Injects a PE file into a foreign processes 10->60 13 aspnet_compiler.exe 10->13         started        process6 signatures7 62 Maps a DLL or memory area into another process 13->62 16 HnvtqQYGNOAhVTuQegAwNo.exe 13->16 injected process8 process9 18 cmdl32.exe 13 16->18         started        signatures10 38 Tries to steal Mail credentials (via file / registry access) 18->38 40 Tries to harvest and steal browser information (history, passwords, etc) 18->40 42 Writes to foreign memory regions 18->42 44 3 other signatures 18->44 21 HnvtqQYGNOAhVTuQegAwNo.exe 18->21 injected 24 firefox.exe 18->24         started        process11 dnsIp12 32 www.nkdgx.xyz 206.238.20.157, 80 COGENT-174US United States 21->32 34 www.dolic.xyz 162.0.214.89, 49758, 49759, 49760 ACPCA Canada 21->34 36 6 other IPs or domains 21->36
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0c6065ee56894e8ee36caa30ef9c5cbf11547ce6e6e6a83419e4e146d84baee1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0c6065ee56894e8ee36caa30ef9c5cbf11547ce6e6e6a83419e4e146d84baee1/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2023-11-07 01:17:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
13 of 37 (35.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=brqgl3swrfhi5y3mviyo7hc4x4ivi7hg43tkqnaz4tqunwclv3qq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3e9471385936da8656e7a1bc53d44271ec437d1399cd33ad91091b1f286c878b
PureCrypter
52314c509cc39d57832c2efc2782ac7fc74448e56a2771989d877d4f9f6adc85
PureCrypter
5d23eb13f7673c76e4a1c301f2f0b2b30ea6a758620e7fc5c2a8e6f16b097b65
PureCrypter
a5bea05a2f6c78eef246760dc715dd3fe10b0615ac161efbeb8a2cf6c9836499
PureCrypter
a683413d05731a6b164b6d9d0bfd9b53b64ab47c0124a4f8047e1f6206e981e1
PureCrypter
b5081a6bb5cd550a99f314c6dd7e76cd217473ddfec2f65c1b5ec13a000680b7
PureCrypter
c5bf13f324052f8e3240024494c7c4bf809e3c423a59fabd0cd067e01a990ee6
PureCrypter
da92f3184a36b6b1be15d1e93be7c31d173769241d1f3dd98bcfc22796fd9e69
PureCrypter
+ 438 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/231108-j4e73agb5x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
0c6065ee56894e8ee36caa30ef9c5cbf11547ce6e6e6a83419e4e146d84baee1
MD5 hash:
ee38a238bd70719bebb2b8bdcdde22d0
SHA1 hash:
af5b46e122312221bb9a3f91e860435043a812fc
Detections:
PureCrypter_Stage1
Create hunting rule
Link:
https://www.unpac.me/results/740d7e06-6cbf-48b5-9aec-ad283c77ae24/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0c6065ee5689/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0c6065ee56894e8ee36caa30ef9c5cbf11547ce6e6e6a83419e4e146d84baee1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PureCrypter

Executable exe 0c6065ee56894e8ee36caa30ef9c5cbf11547ce6e6e6a83419e4e146d84baee1

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments