MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a2cb732e58e653ebc09553930861bc08d76875cb8d2d1b0c87565282e74eaa5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureHVNC


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a2cb732e58e653ebc09553930861bc08d76875cb8d2d1b0c87565282e74eaa5
SHA3-384 hash: 32443ff413c9c16ac736c6fa2d138a48c7cc90983011f93991d426234442f27ca3b2a8ba00a22226abadcf0f5e99d5d6
SHA1 hash: d5855f80a202b82e6374a372f30a152b46227909
MD5 hash: bbcb23acb89e803dd2146e94194ac8db
humanhash: twenty-purple-comet-uncle
File name:inv.bat
Download: download sample
Signature PureHVNC
Create hunting rule
File size:568'158 bytes
First seen:2026-03-31 13:17:48 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 12288:HUUUULUUUUoUUUUoUUUUoUUUU+UUUUlUUUU7UUUUyUUUULUUUUoUUUUfUUUUoUUR:HUUUULUUUUoUUUUoUUUUoUUUU+UUUUlY
TLSH T196C45C3195FB412238D6287E19CF9533B56AFB580E676B70B40115EF079EB063DE6B20
Magika batch
Reporter aachum
Tags:94-103-1-28 bat ClickFix dal-usa-com FakeCaptcha PureHVNC vault88x-secure-efficient2-su


Avatar
iamaachum
http://dal-usa.com/inv.bat

C2: 94.103.1.28:56001
Other IOCs:
https://vault88x.secure-efficient2.su/img_060515.png
https://vault88x.secure-efficient2.su/MSI_054600.png

Intelligence

File Origin
# of uploads :
1
# of downloads :
45
Origin country :
ES ES
Vendor Threat Intelligence
Gathering data
Malware family:
n/a
ID:
1
File name:
inv.bat
Verdict:
No threats detected
Analysis date:
2026-03-31 13:19:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0be5f69c-6d08-45c4-8b0a-753859404f9d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Verdict:
Clean
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69cbc9916363ca5d27f02f67
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
DNS request
Connection attempt
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 conhost evasive obfuscated overlay powershell
Link:
https://www.filescan.io/uploads/69cbc9922346b9da57b36ec6/reports/a8cc52bb-b711-49d5-a1c3-48823330df21/overview
Verdict:
Suspicious
Labled as:
BAT/Agent.BDM
Link:
https://www.hybrid-analysis.com/sample/7a2cb732e58e653ebc09553930861bc08d76875cb8d2d1b0c87565282e74eaa5
Result
Gathering data
Result
Threat name:
PureCrypter, ResolverRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1891457
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected PureCrypter Trojan
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected ResolverRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1891457 Sample: inv.bat Startdate: 31/03/2026 Architecture: WINDOWS Score: 100 39 vault88x.secure-efficient2.su 2->39 41 shed.dual-low.part-0012.t-0009.t-msedge.net 2->41 43 9 other IPs or domains 2->43 53 Suricata IDS alerts for network traffic 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Yara detected ResolverRAT 2->57 59 7 other signatures 2->59 10 cmd.exe 1 2->10         started        12 svchost.exe 1 1 2->12         started        15 wscript.exe 2->15         started        signatures3 process4 dnsIp5 17 conhost.exe 10->17         started        20 conhost.exe 10->20         started        22 chcp.com 1 10->22         started        47 127.0.0.1 unknown unknown 12->47 process6 signatures7 51 Suspicious powershell command line found 17->51 24 powershell.exe 15 16 17->24         started        process8 dnsIp9 45 vault88x.secure-efficient2.su 45.156.23.38, 443, 49692, 49693 CLOUDBACKBONERU Russian Federation 24->45 61 Found many strings related to Crypto-Wallets (likely being stolen) 24->61 63 Writes to foreign memory regions 24->63 65 Injects a PE file into a foreign processes 24->65 67 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 24->67 28 MSBuild.exe 2 24->28         started        32 cmd.exe 2 24->32         started        signatures10 process11 dnsIp12 49 94.103.1.28, 49697, 56001 LINKS-MD-ASMD Moldova Republic of 28->49 69 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 28->69 71 Found many strings related to Crypto-Wallets (likely being stolen) 28->71 73 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 28->73 75 4 other signatures 28->75 37 C:\Users\PublicKMYAKrCRJ.bat, Unicode 32->37 dropped 35 conhost.exe 32->35         started        file13 signatures14 process15
Score:
96%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/7a2cb732e58e653ebc09553930861bc08d76875cb8d2d1b0c87565282e74eaa5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a2cb732e58e653ebc09553930861bc08d76875cb8d2d1b0c87565282e74eaa5/
Verdict:
Clean
Link:
https://tip.neiki.dev/file/7a2cb732e58e653ebc09553930861bc08d76875cb8d2d1b0c87565282e74eaa5
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=piwlomxfrzst5pajku4tbbq3ycgxnb24xdjndmgiovssqltu5ksq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/260331-qj13csax9j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a2cb732e58e653ebc09553930861bc08d76875cb8d2d1b0c87565282e74eaa5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureHVNC

Batch (bat) bat 7a2cb732e58e653ebc09553930861bc08d76875cb8d2d1b0c87565282e74eaa5

(this sample)

  
Link
https://tria.ge/260331-p94eqsdx4y/behavioral2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/59901/

Comments