MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b05520489442578ca57f50941bac97e499e0fd3a5ddc1fc47f7c53e2fa84df0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureHVNC

Vendor detections: 16

SHA256 hash: 5b05520489442578ca57f50941bac97e499e0fd3a5ddc1fc47f7c53e2fa84df0
SHA3-384 hash: be895e18d24eb45f24071af5e79a2b5bc92e8b85c398e4d33cf323a1d0d04124ac2d2c6841b93f4673cf6504242f460f
SHA1 hash: 6ef0f1cad1574488418f6e1c91bbe7907531904c
MD5 hash: 00b8901aae0163dc99632eef2d4ab289
humanhash: neptune-crazy-foxtrot-kilo
File name: 00b8901aae0163dc99632eef2d4ab289.exe
Signature: PureHVNC
File size: 1'492'992 bytes
First seen: 2026-04-06 07:18:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (49'003 x AgentTesla, 19'907 x Formbook, 12'332 x SnakeKeylogger)
ssdeep: 24576:ArBHp7YP6hhV8bH7OqiYiLlqFLfriU71FQMpgVEJ9WzA9duBAZf4Jzuo7/gmt:0J46767BwLEZfD/QMupHSZauo7/gM
Threatray: 232 similar samples on MalwareBazaar
TLSH: T1BC65124466A9EF02E8AA6BF44C71E3B403F46DE92420D3175EF5ACEF7439750A809787
TrID:
  73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
  4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: abuse_ch
Tags: exe PureHVNC

Intelligence


File Origin
# of uploads: 1
# of downloads: 127
Origin country: SE

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 00b8901aae0163dc99632eef2d4ab289.exe
Verdict: Malicious activity
Analysis date: 2026-04-06 07:21:01 UTC
Tags: netreactor purehvnc

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.1%
Tags: virus shell msil
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Creating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Connection attempt to an infection source
Sending a TCP request to an infection source
Adding an exclusion to Microsoft Defender

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: crypt darkcloud lolbin packed tracker unsafe vbnet xworm

Verdict: Malicious
File Type: exe x32
First seen: 2026-03-30T05:42:00Z UTC
Last seen: 2026-04-02T12:50:00Z UTC
Hits: ~100
Detections:
  Trojan.MSIL.Inject.sb
  Trojan.MSIL.Crypt.sb
  HEUR:Trojan.MSIL.Crypt.vho
  HEUR:Backdoor.MSIL.XWorm.gen
  VHO:Trojan.MSIL.Crypt.gen
  PDM:Trojan.Win32.Generic
  Trojan.Win32.Agent.sb
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected MSIL Injector
Behaviour
Behavior Graph (ID 1893873; rendered graph not reproduced, recoverable content listed below):
  Sample: vsRVZBua1l.exe
  Start date: 06/04/2026
  Architecture: WINDOWS
  Score: 100
  Sample-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected MSIL Injector; 5 other signatures
  Process tree:
    vsRVZBua1l.exe (started)
      dropped: C:\Users\user\AppData\...\vsRVZBua1l.exe.log, ASCII
      signature: Adds a directory exclusion to Windows Defender
      powershell.exe (started)
        signature: Loading BitLocker PowerShell Module
        WmiPrvSE.exe (started)
        conhost.exe (started)
      vsRVZBua1l.exe (started)
        network: 198.46.178.137, port 3268, AS-COLOCROSSINGUS, United States
        signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      vsRVZBua1l.exe (started)
Verdict: inconclusive
YARA: 5 match(es)
Tags: .Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.35 Win 32 Exe x86

Threat name: ByteCode-MSIL.Trojan.DarkCloud
Status: Malicious
First seen: 2026-03-30 09:18:03 UTC
File Type: PE (.Net Exe)
Extracted files: 4
AV detection: 25 of 36 (69.44%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: discovery execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Unpacked files

SHA256 hash: 3a70084863d48a2b279192b4fd80baf26c620a6b1a2d9669231cb8aa9de9fcdf
MD5 hash: e07857f9ede3e4165ade3665858df5f7
SHA1 hash: 526a5f2c6edb57e5c74bb49a07606d95fcd1913a

SHA256 hash: b324d5163449465df2fd2363ce2fbf6d09dd31fdab0f14de90f6db08d445e9de
MD5 hash: 36d313e3be9942ece1143d1ae1bd1da0
SHA1 hash: bd3bba0a6635fb53bb0fb1ed348a99602d7b5daa
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 7d01ec5f0d9396be2cb4585f9dce28d7305babd8cc2ce3b6fbc90c2631da898e
MD5 hash: 53ec5258243a0910b966bf27fac6010d
SHA1 hash: efdff91c678e28b0c510c63f6ef20f44f191e62a
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SHA256 hash: 556b19efdc48fbec839376ab6728d300253ad9a4d622b4387e2f3f2a5e45009d
MD5 hash: e00c12903d3ed45e7c5d91135a400f68
SHA1 hash: 80af5b74ffe274be54aa040ab09f787269972aa0
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 5b05520489442578ca57f50941bac97e499e0fd3a5ddc1fc47f7c53e2fa84df0
MD5 hash: 00b8901aae0163dc99632eef2d4ab289
SHA1 hash: 6ef0f1cad1574488418f6e1c91bbe7907531904c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments