MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5434da7afb3184752f084a543145ae5e2e7a84351380141aab5b7e6674f647a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureCrypter


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5434da7afb3184752f084a543145ae5e2e7a84351380141aab5b7e6674f647a9
SHA3-384 hash: ff35c502f616ec2c44138c2bdb3d3a853b39045909d9dd256a359f43c7af44892d2cbd95940ac07b54d98e1803fe44e4
SHA1 hash: 6f3b792b7cdb726989e6bb572551d1c4aa6f30df
MD5 hash: 3b9b64755a441d013402beb06537823e
humanhash: xray-rugby-leopard-mars
File name:3b9b64755a441d013402beb06537823e
Download: download sample
Signature PureCrypter
Create hunting rule
File size:22'016 bytes
First seen:2022-09-18 14:09:43 UTC
Last seen:2022-09-18 15:14:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 384:loBHQXUMu3T/1nY6hw/kyRwLXfaqpAhUsUotj3e3k5SG2vHJ:6BHQFu3L5Zhw/k1XCYyGSj3e3i0p
Threatray 471 similar samples on MalwareBazaar
TLSH T136A2C56A764CDE1DE79D8A3EC447C7A40E60B9516D07CB8732F2630E1822B97FA13355
TrID 56.4% (.EXE) Win64 Executable (generic) (10523/12/4)
11.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
10.8% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon d292b0b2da36bcbe (11 x AsyncRAT, 7 x Metasploit, 6 x CoinMiner)
Reporter zbetcheckin
Tags:exe purecrypter

Intelligence

File Origin
# of uploads :
2
# of downloads :
390
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3b9b64755a441d013402beb06537823e
Verdict:
No threats detected
Analysis date:
2022-09-18 14:11:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bc14a134-0a7e-460b-bab2-e3b904bd7cdc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311081/
Detection(s):
SecuriteInfo.com.Win64.TrojanX-gen.17083.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Searching for the window
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm
Link:
https://www.filescan.io/uploads/632726c21183046074b033a7/reports/d17f54a6-876f-48ee-964b-f7546a56b195/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8da4e7a6-730d-48c6-9104-c4045638563e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1072492
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5434da7afb3184752f084a543145ae5e2e7a84351380141aab5b7e6674f647a9/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2022-09-18 14:10:08 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
13
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kq2nu6x3ggchklyijjkdcrnolyxhvbbvcoabigvlln7gm5hwi6uq._file
Verdict:
malicious
Similar samples:
0a696cdecabbeb02700dfec14eaa5b165d17267f311ef7ddbb7264caddc551a3
PureCrypter
1628c7c85f687216c70bd768b4023e13693dfad1aef819de70d54cd82d39fe3a
PureCrypter
3d5381ffbeff5b5cd6a864cb3d15de8393ab4be8b1dfead3179a8079ebd68e05
PureCrypter
3e85b31ff1780031f94570fc9801b6a886564a4caa2acc360d2c65f29b22dbb5
PureCrypter
3fba4c2bac1363433553b57b389916f759be99e350e8003bf3d2a5584ebe5f46
PureCrypter
4d915eafcc72cb1aae4a24dc59ebd8155698f0b0f452a871a682f3d69d434950
PureCrypter
8785300bc02bbf034417c477db91c121123b31b1eaf24fc0f74ee11e11ec058c
PureCrypter
cbab4cfcbca79f53ed3faf1ea4fc48270b44c50529a96698c3b5ab250e438454
PureCrypter
+ 461 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/220918-rgprzsfccp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2110a217-3629-4e20-8d02-8f24a51a9dc1
Unpacked files
SH256 hash:
5434da7afb3184752f084a543145ae5e2e7a84351380141aab5b7e6674f647a9
MD5 hash:
3b9b64755a441d013402beb06537823e
SHA1 hash:
6f3b792b7cdb726989e6bb572551d1c4aa6f30df
Link:
https://www.unpac.me/results/e5a0e13f-e14a-492b-9526-b7b732b08afb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5434da7afb31/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.44
Link:
https://yomi.yoroi.company/submissions/5434da7afb3184752f084a543145ae5e2e7a84351380141aab5b7e6674f647a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:RansomwareTest3
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureCrypter

Executable exe 5434da7afb3184752f084a543145ae5e2e7a84351380141aab5b7e6674f647a9

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/311081/
  
URLhaus
https://urlhaus.abuse.ch/url/2306837/

Comments


Avatar
zbet commented on 2022-09-18 14:09:57 UTC

url : hxxp://194.38.23.170/loader/uploads/new.exe