MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15144f4c94fcf98feb2f6316930c474710783c27acb9a030ecd78ee440f035a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureCrypter


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 15144f4c94fcf98feb2f6316930c474710783c27acb9a030ecd78ee440f035a6
SHA3-384 hash: 0e0edf627396bd9dc51833fdc0442a61f9ec94d25cb3ff34b5619c268804ee55b7483d13e146233e3c526f8739e1b75c
SHA1 hash: 0ffb01836e0242028b83ff24355b4347badfce7e
MD5 hash: 7645321be99ddb26fa2ac770b5767368
humanhash: burger-cup-winner-king
File name:IMG-20230608-WA000543845821555000483.exe
Download: download sample
Signature PureCrypter
Create hunting rule
File size:14'848 bytes
First seen:2023-06-12 12:29:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 192:83GTGf4LBUO93t8OmihnnBVZcsa2pC/rkQJqauiw0/4VokwTcE/stWzSXgcCpBbs:Qf4pnnBVqsa2pCbGw4mklZUzm4LxO
Threatray 1'584 similar samples on MalwareBazaar
TLSH T19B621824A3ECE2BDE8BB42778DB3D6944734B6935407CB6E19E010679C836948F513B6
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter Anonymous
Tags:exe purecrypter

Intelligence

File Origin
# of uploads :
1
# of downloads :
294
Origin country :
PL PL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/397984/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2073.5983.12857.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin
Link:
https://www.filescan.io/uploads/64870fcbc6414862d2069536/reports/5a22367c-4aea-4633-a4e8-f0d331f975c9/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/15144f4c94fcf98feb2f6316930c474710783c27acb9a030ecd78ee440f035a6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6d930fd3-7aeb-4bf9-849d-09997810cb96
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1247539
Signature
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 880559 Sample: IMG-20230529-WA000447000000... Startdate: 02/06/2023 Architecture: WINDOWS Score: 100 33 www.zservers.xyz 2->33 35 www.howtrue.info 2->35 37 2 other IPs or domains 2->37 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus detection for URL or domain 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 7 other signatures 2->51 10 IMG-20230529-WA0004470000000400000000002023.exe 14 3 2->10         started        signatures3 process4 dnsIp5 43 5.42.94.169, 50132, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 10->43 31 IMG-20230529-WA000...00000002023.exe.log, ASCII 10->31 dropped 63 Writes to foreign memory regions 10->63 65 Injects a PE file into a foreign processes 10->65 15 AddInProcess32.exe 10->15         started        18 ngen.exe 10->18         started        file6 signatures7 process8 signatures9 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 Queues an APC in another process (thread injection) 15->73 20 RAVCpl64.exe 15->20 injected process10 process11 22 cmd.exe 13 20->22         started        signatures12 53 Tries to steal Mail credentials (via file / registry access) 22->53 55 Tries to harvest and steal browser information (history, passwords, etc) 22->55 57 Writes to foreign memory regions 22->57 59 3 other signatures 22->59 25 explorer.exe 3 1 22->25 injected 29 firefox.exe 22->29         started        process13 dnsIp14 39 www.zservers.xyz 103.42.108.46, 50135, 50136, 50137 SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU Australia 25->39 41 www.amateurshow.online 37.220.1.68, 50133, 80 IOMART-ASGB United Kingdom 25->41 61 System process connects to network (likely due to code injection or exploit) 25->61 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/15144f4c94fcf98feb2f6316930c474710783c27acb9a030ecd78ee440f035a6/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-06-02 05:45:40 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
21 of 37 (56.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cuke6teu7t4y72zpmmljgdchi4ihqpbhvs42amhm26hoiqhqgwta._file
Verdict:
malicious
Similar samples:
304ef4ff142ff8e1279ba17e3972f848cf61fb3f22c7f640882a85bf6e92c003
PureCrypter
326745ba0eb9019ac4d6cf06cb5667b3237fe185b096aff60d44f19ebd794340
PureCrypter
68e5677a864f229ef02194052ef540cd7b80695b10e5493edfc0d51a8d87874a
PureCrypter
9574b45455bb27349128ee7a86c1141edf3244f0600137456868b77dcfa0cf17
PureCrypter
a0ed680e73b4abeacc64c2ec1d40129614e174b527ae1cc5172f98ccc227ac24
PureCrypter
a20a220725445c851fc3e2af8b37c363bd0c1f4fd30b84993ff7a838727156b4
PureCrypter
b449162d45cad31e03d113e02a10200b42b817f3612cef0e3f6aaebe6a3dbb2d
PureCrypter
c9246d579543364a991ae4fa9429e8c017da1ace8883e75072771602fab69205
PureCrypter
f0b70e863934b97afb3b2bf0cac0a2d5617cfedf430c2466968e29b462b92fd7
PureCrypter
fd5e477a5ef24773b8ed6e2acce77583e557a7def1eaf3ac6e51b71e4d599a65
PureCrypter
+ 1'574 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230612-ppgegacb95/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
15144f4c94fcf98feb2f6316930c474710783c27acb9a030ecd78ee440f035a6
MD5 hash:
7645321be99ddb26fa2ac770b5767368
SHA1 hash:
0ffb01836e0242028b83ff24355b4347badfce7e
Detections:
PureCrypter_Stage1
Create hunting rule
Link:
https://www.unpac.me/results/fb532ca8-d532-4e58-a473-4b90338467b9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/15144f4c94fcf98feb2f6316930c474710783c27acb9a030ecd78ee440f035a6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/397984/

Comments