MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5398dfa9b21d13c9881b8775353022160a05f203b981432c15d0d7ca17e2eb54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PureRAT


Vendor detections: 11



SHA256 hash: 5398dfa9b21d13c9881b8775353022160a05f203b981432c15d0d7ca17e2eb54
SHA3-384 hash: 11ae0a377f856a9f1fe8ada23f4fc9c6783d27a0da4268149927856adb3bb0811bf3558bd93c68d337f25d75879f5c06
SHA1 hash: a5195fb9d2b72101e041cbc592ef1497b5e2e165
MD5 hash: bd767aaad67134a3dfb38e4c708f9927
humanhash: six-friend-oven-montana
File name: txsnd.bat
Signature: PureRAT
File size: 10'283 bytes
First seen: 2025-12-23 18:14:00 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/x-msdos-batch
ssdeep: 192:fzdDqyJLxR61rxTAPzNVw9XSafBtkUHD41tcY+OferUIVfrtXcyQcT1vDht:fp3xR2tTAPJmhSaptkUHAtcYPluf5TQI
TLSH: T1082200BCC5E1FDC04B5F31E275DAFAD2129BCB13BD7A1968E98844940B80714EBE954C
Magika: batch
Reporter: aachum
Tags: bat lastmin1917-dynuddns-com PureRAT ReverseLoader


iamaachum
https://downloadtorrentfile.com/hash/3081c921b5c9b2ecbd7dd593c529bb392e27ed4d?name=Predator%20Badlands%202025%201080p%20HDRip%20HEVC%20x265.iso

IOCs:
vvvpmscvtlhcjbybrwjg.supabase.co
xkdrz4tn6l.ufs.sh
https://xkdrz4tn6l.ufs.sh/f/Byenrkx7DKMySGg3FeDn36N2em9fVg7wxUTzA1BHjMIZ5XtY?12711343
https://raw.githubusercontent.com/xxWorker/xWork/refs/heads/main/Vdqxyjz2222purupload.txt
lastmin1917.dynuddns.com

Intelligence


File Origin
# of uploads: 1
# of downloads: 48
Origin country: FR
Vendor Threat Intelligence
No detections
Malware family: n/a
ID: 1
File name: txsnd.bat
Verdict: Malicious activity
Analysis date: 2025-12-23 18:15:20 UTC
Tags: stego payload ta558 apt stegocampaign loader reverseloader github susp-powershell rat stealer purehvnc netreactor

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: base64 obfuscated obfuscated powershell powershell
Verdict: Malicious
Labelled as: PowerShell/Runner.U suspicious application
Verdict: Malicious
File Type: unix shell
First seen: 2025-12-23T15:29:00Z UTC
Last seen: 2025-12-23T16:15:00Z UTC
Hits: ~10
Detections: Trojan-Downloader.PowerShell.NanoShield.sb HEUR:Trojan.Multi.Stego.gen PDM:Trojan.Win32.Generic HEUR:Trojan.BAT.Alien.gen
Result
Threat name: n/a
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature
Creates multiple autostart registry keys
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Uses powershell cmdlets to delay payload execution
Writes to foreign memory regions
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Behaviour
Behavior Graph: Behavior Graph ID 1838379, sample txsnd.bat, start date 23/12/2025, architecture WINDOWS, score 100 (rendered process graph not reproduced; it shows cmd.exe launching powershell.exe chains, a dropped file C:\ProgramData\txsnd.bat, and network contact with the domains listed under IOCs above).
Verdict: Malicious
Threat: Trojan-Downloader.PowerShell.NanoShield
Threat name: Text.Trojan.Generic
Status: Suspicious
First seen: 2025-12-23 18:13:24 UTC
File Type: Text (Batch)
AV detection: 4 of 24 (16.67%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: defense_evasion discovery execution persistence
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain (Obfuscated or not) Powershell or CMD Command that can be abused by threat actor (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: PureRAT
File type: Batch (bat)
SHA256: 5398dfa9b21d13c9881b8775353022160a05f203b981432c15d0d7ca17e2eb54 (this sample)

Comments