MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 320c842b7668314d60fe11232d050805503a1df1c8c40005efa1759aeecdadab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureCrypter


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 320c842b7668314d60fe11232d050805503a1df1c8c40005efa1759aeecdadab
SHA3-384 hash: 72f8a8ea85236754aabd2418f7ee9b111746e3d4dc87a31b97be55a8ed0807d1830cc0fe0dbbf05fccb52bc04c3e72f8
SHA1 hash: 4f34594c5afa51faba82c9c0615ae776914bb217
MD5 hash: 597b373d9774804b932f3470f6206429
humanhash: whiskey-michigan-mobile-mars
File name:597b373d9774804b932f3470f6206429
Download: download sample
Signature PureCrypter
Create hunting rule
File size:28'072 bytes
First seen:2023-02-26 07:09:19 UTC
Last seen:2023-02-26 11:59:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 384:OMtXm0ZQVvS8QyRB7HPGscO92xkBE0kb7s4/LGf8JN77hhtS:OMt6VzB7HCPkB+6k3hXS
Threatray 130 similar samples on MalwareBazaar
TLSH T120C2292177C14E63CE4B4F3A98E3A3513338DA908B93C74F2498A26BBE277D50F12194
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 00ba92b2babac4c0 (2 x PureCrypter, 1 x CoinMiner, 1 x zgRAT)
Reporter zbetcheckin
Tags:32 exe purecrypter

Intelligence

File Origin
# of uploads :
3
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
597b373d9774804b932f3470f6206429
Verdict:
Malicious activity
Analysis date:
2023-02-26 07:10:15 UTC
Tags:
loader
Link:
https://app.any.run/tasks/ab3e64da-e5b0-49aa-b823-2863a4bd8f49

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/369778/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65662611.27849.9229.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated overlay packed packed
Link:
https://www.filescan.io/uploads/63fb05cd81c7f31327fa0b88/reports/3275ec59-e73c-47ef-a438-66cbeeda3412/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/320c842b7668314d60fe11232d050805503a1df1c8c40005efa1759aeecdadab
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5048f852-d4e3-49f7-9a90-10896a47271c
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1182532
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Creates multiple autostart registry keys
Detected Stratum mining protocol
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Xmrig
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 815363 Sample: 2AAQdt2QnB.exe Startdate: 26/02/2023 Architecture: WINDOWS Score: 100 96 xiaoxiaojue.duckdns.org 2->96 110 Snort IDS alert for network traffic 2->110 112 Sigma detected: Xmrig 2->112 114 Multi AV Scanner detection for domain / URL 2->114 116 8 other signatures 2->116 12 2AAQdt2QnB.exe 16 7 2->12         started        17 Smirlqaugdc.exe 14 4 2->17         started        19 Smirlqaugdc.exe 2->19         started        21 13 other processes 2->21 signatures3 process4 dnsIp5 104 77.91.78.66, 49701, 49704, 49705 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 12->104 90 C:\Users\user\AppData\...\Smirlqaugdc.exe, PE32 12->90 dropped 92 C:\Users\...\Smirlqaugdc.exe:Zone.Identifier, ASCII 12->92 dropped 94 C:\Users\user\AppData\...\2AAQdt2QnB.exe.log, ASCII 12->94 dropped 138 Encrypted powershell cmdline option found 12->138 140 Creates multiple autostart registry keys 12->140 142 Injects a PE file into a foreign processes 12->142 23 2AAQdt2QnB.exe 5 12->23         started        27 powershell.exe 16 12->27         started        106 192.168.2.1 unknown unknown 17->106 144 Multi AV Scanner detection for dropped file 17->144 146 Machine Learning detection for dropped file 17->146 29 Smirlqaugdc.exe 17->29         started        31 powershell.exe 17->31         started        33 Smirlqaugdc.exe 17->33         started        35 Smirlqaugdc.exe 19->35         started        37 powershell.exe 19->37         started        39 Smirlqaugdc.exe 19->39         started        148 Antivirus detection for dropped file 21->148 150 Query firmware table information (likely to detect VMs) 21->150 152 Changes security center settings (notifications, updates, antivirus, firewall) 21->152 41 MpCmdRun.exe 21->41         started        file6 signatures7 process8 dnsIp9 98 45.15.159.15, 49706, 49727, 49742 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 23->98 80 C:\Users\user\AppData\...\tmp7759.tmp.exe, PE32+ 23->80 dropped 43 tmp7759.tmp.exe 23->43         started        48 conhost.exe 27->48         started        82 C:\Users\user\AppData\...\tmp1629.tmp.exe, PE32+ 29->82 dropped 50 tmp1629.tmp.exe 29->50         started        52 conhost.exe 31->52         started        84 C:\Users\user\AppData\...\tmp3F0E.tmp.exe, PE32+ 35->84 dropped 54 tmp3F0E.tmp.exe 35->54         started        56 conhost.exe 37->56         started        58 conhost.exe 41->58         started        file10 process11 dnsIp12 100 xiaoxiaojue.duckdns.org 212.87.204.245, 49707, 49708, 49709 GEMENIIGEMENIINETWORKRO Germany 43->100 102 transfer.sh 144.76.136.153, 443, 49711, 49729 HETZNER-ASDE Germany 43->102 86 C:\Users\user\AppData\...\tmp7759.tmp.exe, PE32+ 43->86 dropped 88 C:\Users\user\AppData\Local\...\Huyvzba.exe, PE32+ 43->88 dropped 126 Antivirus detection for dropped file 43->126 128 Multi AV Scanner detection for dropped file 43->128 130 Suspicious powershell command line found 43->130 136 6 other signatures 43->136 60 powershell.exe 43->60         started        62 AddInProcess.exe 43->62         started        132 Machine Learning detection for dropped file 50->132 file13 134 Detected Stratum mining protocol 100->134 signatures14 process15 dnsIp16 66 Huyvzba.exe 60->66         started        70 conhost.exe 60->70         started        108 xmr.2miners.com 162.19.139.184, 2222, 49749 CENTURYLINK-US-LEGACY-QWESTUS United States 62->108 154 Query firmware table information (likely to detect VMs) 62->154 signatures17 process18 file19 78 C:\Users\user\AppData\...behaviorgraphevokbsybda.exe, PE32+ 66->78 dropped 118 Machine Learning detection for dropped file 66->118 120 Encrypted powershell cmdline option found 66->120 122 Creates multiple autostart registry keys 66->122 124 2 other signatures 66->124 72 powershell.exe 66->72         started        74 Huyvzba.exe 66->74         started        signatures20 process21 process22 76 conhost.exe 72->76         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/320c842b7668314d60fe11232d050805503a1df1c8c40005efa1759aeecdadab/
Threat name:
ByteCode-MSIL.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2023-02-24 17:10:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
17 of 25 (68.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gigiik3wnayu2yh6cers2biiaviduhprzdcaabppuf2zv3wnvwvq._file
Verdict:
malicious
Similar samples:
15c1c848addff1a5b41fad69f1a8a2177d14e592bf2584639aea2e5cbbbbe388
PureCrypter
26b9cdc2b963ebb36d2a5c4ff6dc5e1ba49ff150fc0f179c92d71d22d275ee7f
PureCrypter
30afc0e58f7baf65a4e29aa3d556f7f3544542af0beadc5e670f8ce413dc682b
PureCrypter
6b5507201747da116e679511aa351ca64779d04dd4e406feab58e17cee3c86f8
PureCrypter
922a4c143d4517afbd2a8254776283a2b8982a6ed6950a0024ca86357db1eab8
PureCrypter
aff4528d78481eab74e742dd336b353115ca51f9180a539916d4bea14cbfece0
PureCrypter
d7c42165fa7492a009949e9215003a22792aa8a1483ec9d4f82d6b288a2bf610
PureCrypter
da54cbd59bc6268b9ddbe06e100d0e7d0d9c467070ee0405eb66e896e4ebac3f
PureCrypter
+ 120 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner persistence
Link:
https://tria.ge/reports/230226-hzcqpsga3w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
XMRig Miner payload
xmrig
Unpacked files
SH256 hash:
320c842b7668314d60fe11232d050805503a1df1c8c40005efa1759aeecdadab
MD5 hash:
597b373d9774804b932f3470f6206429
SHA1 hash:
4f34594c5afa51faba82c9c0615ae776914bb217
Detections:
PureCrypter_Stage1
Create hunting rule
Link:
https://www.unpac.me/results/f044cec3-2f63-4162-9aa1-581ddbb7b9d5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/320c842b7668314d60fe11232d050805503a1df1c8c40005efa1759aeecdadab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureCrypter

Executable exe 320c842b7668314d60fe11232d050805503a1df1c8c40005efa1759aeecdadab

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/369778/
  
URLhaus
https://urlhaus.abuse.ch/url/2550905/

Comments


Avatar
zbet commented on 2023-02-26 07:09:21 UTC

url : hxxp://45.15.159.15/rizzler.exe