MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ca156b0edea7b919b4c5e87ea24609b57c730b16a4303baf8946ebc02f7edaa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureCrypter

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	2ca156b0edea7b919b4c5e87ea24609b57c730b16a4303baf8946ebc02f7edaa
SHA3-384 hash:	da20b367c278ed3490568c81bcb7724766562da4fb6bd72d9cab020c5e682b956fd77156defdf9bed6de3fbdbef88547
SHA1 hash:	77045ee16f7e86660b33551ae5c555c2837d0270
MD5 hash:	fdd2f22f85ac82786f7614f0f9bda182
humanhash:	massachusetts-eight-maine-aspen
File name:	41ae5c5fe7e4c5f343be8badbd4d79ae
Download:	download sample
Signature	PureCrypter Create hunting rule
File size:	2'597'376 bytes
First seen:	2023-02-03 19:59:21 UTC
Last seen:	2023-02-03 21:41:33 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep	49152:35cnHhlTkbp/673C21/ibgEFgGlzQfQiyqCTyDbsUei:35cnHhlTkbp/673C21/+uki2obsUB
Threatray	13'681 similar samples on MalwareBazaar
TLSH	T1ABC5188672D3CEB0D2045737D49A58240B74C7526313F30B39AA132DBC937E96A696EF
TrID	83.1% (.DLL) Generic .NET DLL/Assembly (236632/4/32) 4.6% (.SCR) Windows screen saver (13097/50/3) 3.6% (.EXE) Win64 Executable (generic) (10523/12/4) 2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	abuse_ch
Tags:	41ae5c5fe7e4c5f343be8badbd4d79ae dll purecrypter

Intelligence

File Origin

# of uploads :

# of downloads :

206

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/360076/

Detection(s):

SecuriteInfo.com.Variant.MSILHeracles.63551.2939.26978.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

DNS request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

67%

Tags:

black warp

Link:

https://www.filescan.io/uploads/63dd67c3416d38777a7a7f31/reports/d62f0235-94bd-48a4-b467-3daac042f407/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/2ca156b0edea7b919b4c5e87ea24609b57c730b16a4303baf8946ebc02f7edaa

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/95bd4d7b-42c7-4f83-a0ee-fc9e7d5fd35c

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1165438

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2ca156b0edea7b919b4c5e87ea24609b57c730b16a4303baf8946ebc02f7edaa/

Threat name:

ByteCode-MSIL.Trojan.Heracles

Status:

Malicious

First seen:

2023-02-03 16:42:09 UTC

File Type:

PE (.Net Dll)

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fsqvnmhn5j5zdg2ml2d6ujdatnl4omfrnjbqhoxysrxlyaxx5wva._file

Verdict:

malicious

PureCrypter

46962910101f24cea5430b64f9ff9830585a94824b8835c452c36e2db74ed033

PureCrypter

4a8ed695823b0c7c473df40cb7e899932adb87083cab679c1f5e488fa62a7ab1

PureCrypter

7aa87e5a183c7aee29c378225f7ea9d8ace5ff461badde840a963cb2f4c9c929

PureCrypter

866940bb59a32647c96466349066246b172adb7a5010678241be3e9663b1d637

PureCrypter

a05759a606f754ea7315225ccd542774734962fc343d43cc9607db110e7956ee

PureCrypter

cda5ced44ec0c2e58d0f38f9fa63a87364cf9cebcd2d0e1a11626a8bb694703a

PureCrypter

d17c68f6ddd3737493404e4b89ca8782d11c2178f85fef8b8e123f546b684fbf

PureCrypter

+ 13'671 additional samples on MalwareBazaar

Result

Malware family:

purecrypter

Score:

10/10

Tags:

family:purecrypter loader

Link:

https://tria.ge/reports/230203-yq1n6sed2y/

Unpacked files

SH256 hash:

2ca156b0edea7b919b4c5e87ea24609b57c730b16a4303baf8946ebc02f7edaa

MD5 hash:

fdd2f22f85ac82786f7614f0f9bda182

SHA1 hash:

77045ee16f7e86660b33551ae5c555c2837d0270

Link:

https://www.unpac.me/results/28377d6f-14fa-4a7d-a00b-cabfecd54ad2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/2ca156b0edea7b919b4c5e87ea24609b57c730b16a4303baf8946ebc02f7edaa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	INDICATOR_EXE_Packed_Fody Create hunting rule
Author:	ditekSHen
Description:	Detects executables manipulated with Fody

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/360076/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample