MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 374c270caa42b3ba1a0b31c33a47fe590c38ef8997845d48ae3fb8a575f7d608. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureCrypter


Vendor detections: 13


Intelligence 13 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 374c270caa42b3ba1a0b31c33a47fe590c38ef8997845d48ae3fb8a575f7d608
SHA3-384 hash: 9a0ffb7b514bb4f8e308b280c50d377018669d27420b578112840acd198e9407662e9ce474cc38db4b41238b3302a816
SHA1 hash: a5bd25e3c454ec99d686d0b725625e43ca5d4e2c
MD5 hash: 72d6c8da86bd30175f56b1199ff87af4
humanhash: pluto-echo-glucose-spaghetti
File name:statement.exe
Download: download sample
Signature PureCrypter
Create hunting rule
File size:2'279'976 bytes
First seen:2025-04-22 12:38:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash de74e43788a8a76ae683dbf7add004fb (1 x PureCrypter)
ssdeep 24576:2m65Bu5AmdT2E6by/Rhensmbj1U2ThxnsqbHf1H2mQ+w5XOQXYAE2VyDpFOgPTc9:R65BG3T2E+wRhMNVQleTzHB1skQ1hNs4
Threatray 329 similar samples on MalwareBazaar
TLSH T1DAB5BE15E3E811B8D87BD674CA559333E7B078560730E58F0699D6452FB3AA2AB3F302
TrID 66.6% (.EXE) InstallShield setup (43053/19/16)
16.2% (.EXE) Win64 Executable (generic) (10522/11/4)
7.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.1% (.EXE) OS/2 Executable (generic) (2029/13)
3.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 48d4f4f0f0f0d8c0 (37 x RedLineStealer, 18 x AgentTesla, 9 x SnakeKeylogger)
Reporter JAMESWT_WT
Tags:exe MonniSoftwareOy purecrypter signed

Code Signing Certificate

Organisation:Monni Software Oy
Issuer:SSL.com EV Code Signing Intermediate CA RSA R3
Algorithm:sha256WithRSAEncryption
Valid from:2025-02-07T17:37:35Z
Valid to:2026-02-07T17:37:35Z
Serial number: 46e097ebe44bf0363e5830369d708b81
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 88de188144f0fc056a79889463306c22f1fce4e97c234cf2b76c260ce8b17d6e
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
436
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
statement.exe
Verdict:
Malicious activity
Analysis date:
2025-04-22 13:18:16 UTC
Tags:
stealer rat asyncrat remote purehvnc
Link:
https://app.any.run/tasks/451ce57f-cef0-4106-895d-1d3f250f83ea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/3414/
Detection(s):
Win.Packed.Boxter-10005643-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68078e5b209c4a5e907abb09
Tags:
gensteal virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/374c270caa42b3ba1a0b31c33a47fe590c38ef8997845d48ae3fb8a575f7d608
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/20b0ba82-7523-40a5-b058-525421ef1ed2
Result
Threat name:
PureCrypter
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1671035
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Detected PureCrypter Trojan
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/374c270caa42b3ba1a0b31c33a47fe590c38ef8997845d48ae3fb8a575f7d608
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/374c270caa42b3ba1a0b31c33a47fe590c38ef8997845d48ae3fb8a575f7d608/
Threat name:
Win64.Trojan.GenSteal
Create hunting rule
Status:
Malicious
First seen:
2025-04-17 13:32:12 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
11 of 36 (30.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g5gcodfkikz3ugqlghbtur76legdr34js6cf2sfoh64kk5px2yea._file
Verdict:
malicious
Label(s):
unc_loader_044
Create hunting rule
resolverrat
Create hunting rule
Similar samples:
1a662bfa91c2a2baa4156cf93f2a7557710dce1dd2074f1bc8d4264d01841276
PureCrypter
374c270caa42b3ba1a0b31c33a47fe590c38ef8997845d48ae3fb8a575f7d608
PureCrypter
7977ce0e5277b4e5e028bbded8d565c83e6e9331771b325cc1d6915e599b7aef
PureCrypter
9ae0181d52bb1f6fbd4143e7aa6aa4d1f0ded970397dae076ba6a5fc4cd9ebf9
PureCrypter
a41bf7d87976adc297aa44703f31eab78be9c3ac80c0d10d621c603b68963c36
PureCrypter
d539d8a4e3ca4d3b94d072bdf9638ef870f3a77967ea1c9bdf606b892bcb016d
PureCrypter
edddaad7146bb1ad8dcf41f8a2d257546339b4e0f68e6eb4bebda615742feaba
PureCrypter
error
PureCrypter
+ 319 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/250422-pt7gfsvygw/
Behaviour
Suspicious use of WriteProcessMemory
Verdict:
Malicious
Tags:
Win.Packed.Boxter-10005643-0
YARA:
n/a
Link:
https://app.threat.zone/submission/d27f6033-c6d3-4ae5-b6c4-8500768fb1cc
Unpacked files
SH256 hash:
374c270caa42b3ba1a0b31c33a47fe590c38ef8997845d48ae3fb8a575f7d608
MD5 hash:
72d6c8da86bd30175f56b1199ff87af4
SHA1 hash:
a5bd25e3c454ec99d686d0b725625e43ca5d4e2c
Link:
https://www.unpac.me/results/4965896f-2cf9-4ac5-a911-99e86cc84f8e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/374c270caa42/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/374c270caa42b3ba1a0b31c33a47fe590c38ef8997845d48ae3fb8a575f7d608

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureCrypter

Executable exe 374c270caa42b3ba1a0b31c33a47fe590c38ef8997845d48ae3fb8a575f7d608

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/3414/
  
URLhaus
https://urlhaus.abuse.ch/url/3521875/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::OpenProcessToken
KERNEL32.dll::OpenProcess
KERNEL32.dll::VirtualAllocExNuma
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_APICan Encrypt Filesbcrypt.dll::BCryptGenRandom
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW

Comments