MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c1198c6de9cf636d4dc103add73a59ba3101ae38954f20f0ec6ed9b8c563dbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureCrypter

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash:	1c1198c6de9cf636d4dc103add73a59ba3101ae38954f20f0ec6ed9b8c563dbd
SHA3-384 hash:	e9c415634a9d03b20349a6b5f422d50d525ee22885ab61dc7f67162b90eff59f61fd04ad7ee55811120115570bdad028
SHA1 hash:	6737cd48c485ed00f64d56f2996cb0a4b3e16db8
MD5 hash:	5828f5213c4721e4118b3e57388ff2a5
humanhash:	speaker-potato-jig-two
File name:	Acwpn.exe
Download:	download sample
Signature	PureCrypter Create hunting rule
File size:	7'168 bytes
First seen:	2023-02-01 14:29:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	96:wUUIQg0soU3QSQKCJdsYB3TtmXdtEkdpBxNbFnU:wUUIPDQdsYF0tzbHk
Threatray	13'405 similar samples on MalwareBazaar
TLSH	T19FE1D711D39C8377D9F64BB6DCB26392863CE7239D539B9D1880C60EAC56B988660F60
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	exe purecrypter

Intelligence

File Origin

# of uploads :

# of downloads :

180

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Acwpn.exe

Verdict:

Malicious activity

Analysis date:

2023-02-01 14:44:47 UTC

Tags:

zgrat evasion trojan snake keylogger

Link:

https://app.any.run/tasks/037fe083-0e69-430a-ab25-8d017b17de4c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/359033/

Detection(s):

SecuriteInfo.com.Trojan.Downloader.10124.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Creating a file in the %AppData% subdirectories

Creating a file

Creating a window

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

67%

Link:

https://www.filescan.io/uploads/63da77771c9cbf7d62552356/reports/d103a496-b8ae-41fc-8fe0-356a30cf2acc/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/ac8159dd-dd30-4523-9c2c-975232dfb0cd

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/1163854

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1c1198c6de9cf636d4dc103add73a59ba3101ae38954f20f0ec6ed9b8c563dbd/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-02-01 14:30:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dqizrrw6tt3dnvg4ca5n245ftorragxdrfkpedyoy3wzxdcwhw6q._file

Verdict:

malicious

PureCrypter

64a050fdf78525e6d76e2349a1ccc58724bf77b6e3351e364c54f9235fa57d75

PureCrypter

850f818aca36188fff35a492275cd63ba81f6e48263faa669fb5e192165f2f92

PureCrypter

8859b96bd2904790784dd687e0b58f60dc3b7f12d0ad88e6723a7c56a25c41c7

PureCrypter

93b17c9c6d764b7e218d2d1669e8bd68059da3fe346936071b012d22d52fb35e

PureCrypter

d100473e1baaf8c66e872b8536306db55d4d237106cdfc329f22b477dd94c379

PureCrypter

e691ec947eca2d0cceec93a841a639238c1a69f96860fcbcd864c59a36dfac58

PureCrypter

+ 13'395 additional samples on MalwareBazaar

Result

Malware family:

purecrypter

Score:

10/10

Tags:

family:purecrypter collection downloader loader

Link:

https://tria.ge/reports/230201-rt6w2abh9x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Detect PureCrypter injector

PureCrypter

Unpacked files

SH256 hash:

1c1198c6de9cf636d4dc103add73a59ba3101ae38954f20f0ec6ed9b8c563dbd

MD5 hash:

5828f5213c4721e4118b3e57388ff2a5

SHA1 hash:

6737cd48c485ed00f64d56f2996cb0a4b3e16db8

Link:

https://www.unpac.me/results/e374302b-2354-4bc1-baa5-8a5f29088475/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1c1198c6de9c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/1c1198c6de9cf636d4dc103add73a59ba3101ae38954f20f0ec6ed9b8c563dbd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_Discord_Attachments_URL Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects a PE file that contains an Discord Attachments URL. This is often used by Malware to download further payloads

Rule name:	SUSP_PE_Discord_Attachment_Oct21_1 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/359033/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample