MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 127eb55e9031dc443d40cfb3a6be1456adc36743f034d6c74e88cde66af8b6ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureCrypter

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	127eb55e9031dc443d40cfb3a6be1456adc36743f034d6c74e88cde66af8b6ec
SHA3-384 hash:	5be2d1bc9d22e0e45b85fde07eb0a5d385b92b6c103ef6861fbf202bf34f2b9ae77b2a631daee3ac538bf032a44c70dd
SHA1 hash:	92a7d98236c9fea1b7278180bf7d4f0db71645c8
MD5 hash:	42bfc3305df601d02e2748e877f4abfe
humanhash:	sad-hawaii-november-charlie
File name:	KUZ000199323.bin
Download:	download sample
Signature	PureCrypter Create hunting rule
File size:	64'512 bytes
First seen:	2023-05-17 09:30:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	1536:mcnPSfMAzUgbSHrmHIRLyV9MR5Y/dPK14ro9CFAO4YQ2FP0IUdvq:bEymoVbS+CP7Uq
Threatray	140 similar samples on MalwareBazaar
TLSH	T1875309395F9A6F27F4E86F7AB8A100E4B779E10A9C03FF0E4A4424560F5B3C559623D2
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter	JAMESWT_WT
Tags:	architettura exe purecrypter

Intelligence

File Origin

# of uploads :

# of downloads :

272

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Rechnung (Nr. 94099133).bat

Verdict:

Malicious activity

Analysis date:

2023-05-17 07:06:20 UTC

Tags:

stealer blackguard

Link:

https://app.any.run/tasks/2e1fa061-4862-4a0c-99f1-c34d8904a14e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/390644/

Detection(s):

SecuriteInfo.com.Variant.MSILHeracles.83444.15612.13256.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Unauthorized injection to a recently created process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware stealer

Link:

https://www.filescan.io/uploads/64649ed9f1dbf8a7cc9d278b/reports/262f38fc-9a0c-4c85-96e9-faace0a6597b/overview

Verdict:

Malicious

Labled as:

MSILHeracles.Generic

Link:

https://www.hybrid-analysis.com/sample/127eb55e9031dc443d40cfb3a6be1456adc36743f034d6c74e88cde66af8b6ec

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4f791e13-eda9-4b30-bd77-3bb7fe343127

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1235092

Signature

.NET source code contains potential unpacker

Encrypted powershell cmdline option found

Injects a PE file into a foreign processes

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/127eb55e9031dc443d40cfb3a6be1456adc36743f034d6c74e88cde66af8b6ec/

Threat name:

ByteCode-MSIL.Trojan.Heracles

Status:

Malicious

First seen:

2023-05-17 08:18:17 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

12 of 37 (32.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cj7lkxuqghoeipkaz6z2npquk2w4gz2d6a2nnr2ordg6m2xyw3wa._file

Verdict:

malicious

PureCrypter

6b0ef726a01c2f7b18ce4409dcce197cdbfeba8ac17948488a0a17c2c09c9aba

PureCrypter

6b58715b6f88fa91e2fb481b8640ff8579023e5d586b2964fbeac6f5ec63d5f8

PureCrypter

6e0a7c7256246dfec4aeeebbfe2e1bf9d1a677a8688017fcf08748aee3ed52b3

PureCrypter

879b5fef5bd8bbd8a81ae74de86e38f88f60e4da9aa35941ee3e676ebc386718

PureCrypter

9142931e43055d6363ee826270edf47ada8acc56ebca1084ca9ee2fcca579536

PureCrypter

a8d22d7ca681510340d5b23b4d2bba492622bdf3052a3cb0a996f1e2e25436aa

PureCrypter

cdda25e04fe115e6096cda6bcd6c8d9176ef5e6b6a7a52019aa58e938493413e

PureCrypter

ef99b50ff04775515690718cf8e37ab4ef0c2ffebac4394b0cb7e8dc9e959175

PureCrypter

ffa10f4c5af37a14534e6ec54252515c98cc03b114df0ad55b9c84e343aa5ab4

PureCrypter

+ 130 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

collection spyware stealer

Link:

https://tria.ge/reports/230517-lg2hwsde7w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

127eb55e9031dc443d40cfb3a6be1456adc36743f034d6c74e88cde66af8b6ec

MD5 hash:

42bfc3305df601d02e2748e877f4abfe

SHA1 hash:

92a7d98236c9fea1b7278180bf7d4f0db71645c8

Detections:

PureCrypter_Stage1

Link:

https://www.unpac.me/results/9fbf6725-e14c-429d-914d-a66a410651f5/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/127eb55e9031/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/390644/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample