MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2375a6489fc38cf4cc71cd4c8b4765a8e9a13c63f16116827ca6ef6b554b3ec3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureCrypter


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2375a6489fc38cf4cc71cd4c8b4765a8e9a13c63f16116827ca6ef6b554b3ec3
SHA3-384 hash: c8a28c1dd05df542ce3a087075627ca7eaac7d935224a5799adfe2780497ea9c5f57878f690d761fe060bbaf02f94863
SHA1 hash: c3d796487af6ad8df5254ae0b55c51f812b323ab
MD5 hash: 2a6eb1fef1f754e0217d78047219553e
humanhash: nineteen-eleven-beer-rugby
File name:Installer_v49107_x64.exe
Download: download sample
Signature PureCrypter
Create hunting rule
File size:5'046'272 bytes
First seen:2025-11-08 13:01:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a56f115ee5ef2625bd949acaeec66b76 (53 x Stealc, 48 x PureHVNC, 33 x CoinMiner)
ssdeep 98304:pC0qREb95MSLUtRaDIN5gBC00SCc09ujXmBiA7i3yuWUxLh:1qRaPcNBZK09uj2gxyuWUxL
TLSH T1BC3633B0FDC98807EF88D1F967D0CA9D05D3767ECB5342B87A4A544FA4B9183E129B60
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter aachum
Tags:exe purecrypter PureHVNC winautordr-hopto-org


Avatar
iamaachum
https://dl777filesbase.top/0nj84gjs2ma0gjemfwdc4i-installer00731578ghsvbetischgh3dlpabwj3vn5rusjcb50swcg00

PureHVNC C2: winautordr.hopto.org

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Installer_v49107_x64.exe
Verdict:
Malicious activity
Analysis date:
2025-11-08 13:01:51 UTC
Tags:
themida netreactor purecrypter loader auto-sch-xml purehvnc
Link:
https://app.any.run/tasks/abf5b074-8deb-49ee-b3da-11fbe2215d29

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/36522/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690f3f3e30bacec888c9ce14
Tags:
obfuscate xtreme shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating a file in the %temp% directory
Launching a process
Creating a window
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Creating a process with a hidden window
Forced system process termination
Creating a file
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/2375a6489fc38cf4cc71cd4c8b4765a8e9a13c63f16116827ca6ef6b554b3ec3
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-11-07T21:14:00Z UTC
Last seen:
2025-11-10T06:52:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Win32.Agent.pef
Link:
https://opentip.kaspersky.com/2375a6489fc38cf4cc71cd4c8b4765a8e9a13c63f16116827ca6ef6b554b3ec3/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d8b8bc51-3260-421d-8a2c-1e3e8298c48f
Result
Threat name:
Purecrypter
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1810540
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PersistenceViaHiddenTask
Yara detected Purecrypter
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1810540 Sample: Installer_v49107_x64.exe Startdate: 08/11/2025 Architecture: WINDOWS Score: 100 71 wndlogon.hopto.org 2->71 73 winautordr.hopto.org 2->73 75 2 other IPs or domains 2->75 83 Antivirus / Scanner detection for submitted sample 2->83 85 Multi AV Scanner detection for submitted file 2->85 87 Yara detected Purecrypter 2->87 89 15 other signatures 2->89 10 Installer_v49107_x64.exe 2 2->10         started        14 Keywords.exe 2->14         started        16 Value.exe 2->16         started        18 7 other processes 2->18 signatures3 process4 file5 63 C:\Users\user\AppData\...\v_tmp_7391.exe, PE32+ 10->63 dropped 65 C:\Users\...\Installer_v49107_x64.exe.log, CSV 10->65 dropped 103 Detected unpacking (changes PE section rights) 10->103 105 Suspicious powershell command line found 10->105 107 Query firmware table information (likely to detect VMs) 10->107 125 6 other signatures 10->125 20 powershell.exe 12 10->20         started        22 powershell.exe 23 10->22         started        109 Antivirus detection for dropped file 14->109 111 Multi AV Scanner detection for dropped file 14->111 113 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 14->113 25 InstallUtil.exe 14->25         started        115 Writes to foreign memory regions 16->115 117 Modifies the context of a thread in another process (thread injection) 16->117 119 Sample uses process hollowing technique 16->119 29 aspnet_compiler.exe 16->29         started        67 C:\Users\user\AppData\Roaming\...\Value.exe, PE32+ 18->67 dropped 121 Injects a PE file into a foreign processes 18->121 123 Loading BitLocker PowerShell Module 18->123 31 MSBuild.exe 18->31         started        33 conhost.exe 18->33         started        35 conhost.exe 18->35         started        37 2 other processes 18->37 signatures6 process7 dnsIp8 39 v_tmp_7391.exe 9 20->39         started        43 conhost.exe 20->43         started        91 Loading BitLocker PowerShell Module 22->91 45 conhost.exe 22->45         started        77 winautordr.hopto.org 45.153.34.13, 39007, 39008, 39009 SKYLINKNL Germany 25->77 79 github.com 140.82.114.3, 443, 49691, 49697 GITHUBUS United States 25->79 81 raw.githubusercontent.com 185.199.110.133, 443, 49692, 49699 FASTLYUS Netherlands 25->81 69 C:\Users\user\AppData\Local\...\wvrnkrwus.exe, PE32+ 25->69 dropped 93 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 25->93 47 schtasks.exe 25->47         started        file9 signatures10 process11 file12 59 C:\Users\user\AppData\Local\...\Keywords.exe, PE32+ 39->59 dropped 61 C:\...\96914dfbcd544969b270c9cc6b46459b.xml, XML 39->61 dropped 95 Antivirus detection for dropped file 39->95 97 Multi AV Scanner detection for dropped file 39->97 99 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 39->99 101 Uses schtasks.exe or at.exe to add and modify task schedules 39->101 49 schtasks.exe 1 39->49         started        51 schtasks.exe 1 39->51         started        53 conhost.exe 47->53         started        signatures13 process14 process15 55 conhost.exe 49->55         started        57 conhost.exe 51->57         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2375a6489fc38cf4cc71cd4c8b4765a8e9a13c63f16116827ca6ef6b554b3ec3
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2375a6489fc38cf4cc71cd4c8b4765a8e9a13c63f16116827ca6ef6b554b3ec3/
Verdict:
Malicious
Threat:
Trojan.Win32.Agent
Link:
https://tip.neiki.dev/file/2375a6489fc38cf4cc71cd4c8b4765a8e9a13c63f16116827ca6ef6b554b3ec3
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-11-08 13:01:52 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
16 of 38 (42.11%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=en22mse7yogpjtdrzvgiwr3fvdu2cpdd6fqrnat4u3xwwvklh3bq._file
Verdict:
malicious
Label(s):
unc_loader_078
Create hunting rule
Similar samples:
error
PureCrypter
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion execution persistence themida trojan
Link:
https://tria.ge/reports/251108-p9mf8ayrdl/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Themida packer
Command and Scripting Interpreter: PowerShell
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/57e85cd5-becf-4951-bd4c-d607560d87bc
Unpacked files
SH256 hash:
2375a6489fc38cf4cc71cd4c8b4765a8e9a13c63f16116827ca6ef6b554b3ec3
MD5 hash:
2a6eb1fef1f754e0217d78047219553e
SHA1 hash:
c3d796487af6ad8df5254ae0b55c51f812b323ab
Link:
https://www.unpac.me/results/6cd67dff-0f74-4fe6-9f53-57d09ec9dec5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2375a6489fc3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureCrypter

iso e77adb6c127732172a6dd5af1a8004e84e001ec726497a5f8dd292383a2e4fe2

PureCrypter

Executable exe 2375a6489fc38cf4cc71cd4c8b4765a8e9a13c63f16116827ca6ef6b554b3ec3

(this sample)

  
Link
https://tria.ge/251108-ppqm5sypck/behavioral2
  
Dropped by
SHA256 e77adb6c127732172a6dd5af1a8004e84e001ec726497a5f8dd292383a2e4fe2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/36522/
  
Dropped by
MD5 cbf43170a90365375acdf35dc8035a19

Comments