MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e62c839ff25262272f603a089ecccf728a43183bf31459c834f36c71ab8b0cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 10 File information Comments

SHA256 hash: 3e62c839ff25262272f603a089ecccf728a43183bf31459c834f36c71ab8b0cc
SHA3-384 hash: 213b9fe5d3d1ccca24128a2d3ab00d13e454ce36799a58836a2fb85dd66e2bc9077655ed6f5d1a0191aa4cc34db3d2f3
SHA1 hash: 2f1d4c9d777d0bf8d120a18f371f28b63a1d7567
MD5 hash: 1c6f03e29e760214807593a7748c7ed4
humanhash: kitten-lima-jersey-twenty
File name:SecuriteInfo.com.Win32.MalwareX-gen.47757812
Download: download sample
File size:1'717'248 bytes
First seen:2025-08-24 07:23:13 UTC
Last seen:2025-08-24 08:23:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'115 x AgentTesla, 20'117 x Formbook, 12'357 x SnakeKeylogger)
ssdeep 24576:vELuyzcuJApP0XEk9FfdBb+ZRkrRYYm7RkcdxdQ362LslptlrfKb9qLlmIAKUdw:MLuyJAdeDFjKRkVYF71gsftBfO9qhFU
TLSH T1A885331853DA11F5CA75ACF70133F1089576D93ADAC6F927966A20544FF83E03E38BA2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe

Intelligence


File Origin
# of uploads :
2
# of downloads :
57
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.MalwareX-gen.47757812
Verdict:
Malicious activity
Analysis date:
2025-08-24 07:26:05 UTC
Tags:
auto-startup netreactor zgrat purehvnc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Tags:
obfuscate autorun xtreme spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Connecting to a non-recommended domain
Connection attempt
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated obfuscated obfuscated packed packed packer_detected
Verdict:
Malicious
Labled as:
Trojan_MSIL_PureLogStealer_SPFT_MTB
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-23T14:16:00Z UTC
Last seen:
2025-08-23T14:16:00Z UTC
Hits:
~10
Verdict:
inconclusive
YARA:
12 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.43 Win 32 Exe x86
Threat name:
ByteCode-MSIL.Trojan.PureLogStealer
Status:
Malicious
First seen:
2025-08-23 17:22:05 UTC
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Modifies trusted root certificate store through registry
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
3e62c839ff25262272f603a089ecccf728a43183bf31459c834f36c71ab8b0cc
MD5 hash:
1c6f03e29e760214807593a7748c7ed4
SHA1 hash:
2f1d4c9d777d0bf8d120a18f371f28b63a1d7567
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Lumma_Stealer_Detection
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 3e62c839ff25262272f603a089ecccf728a43183bf31459c834f36c71ab8b0cc

(this sample)

  
Delivery method
Distributed via web download

Comments