MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81e6bc9a79e4234febec3a7aeea430d57c9edf46c670d26997e61bb3ef5aa32c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PureCrypter


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash: 81e6bc9a79e4234febec3a7aeea430d57c9edf46c670d26997e61bb3ef5aa32c
SHA3-384 hash: b3d147794ac38895cd29adefec0df8129bd6da9b07d177c9d96cdf59fcfb2c58adc4ca57e89f42309becd337efd34588
SHA1 hash: df2d9f832bf6759e9dbc1f77e613e32f968ba223
MD5 hash: 503eaa167b3c6888e99f28a94c04dcd3
humanhash: pizza-uranus-lamp-twenty
File name:ZA2A_DONE.ps1
Download: download sample
Signature PureCrypter
File size:1'314'627 bytes
First seen:2026-07-12 08:19:28 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 24576:rgQE+hHihtzAKt1dmGbGhGTUfwY7XwwRRl6yXX8kYcQw1D2E9EEpEtR:UtG7hXy48GM
TLSH T1AB55BF932441A7E5B3BE4A6E322BCD8D257435BDBCC374C8C2B0DC4B6678A453617DA2
Magika powershell
Reporter smica83
Tags:ps1 purecrypter

Intelligence


File Origin
# of uploads :
1
# of downloads :
103
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
94.9%
Tags:
cobalt keylog sage word
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm crypto fingerprint obfuscated
Verdict:
Malicious
File Type:
unix shell
First seen:
2026-07-11T02:55:00Z UTC
Last seen:
2026-07-13T20:15:00Z UTC
Hits:
~10
Detections:
Trojan.PowerShell.Cobalt.sb
Result
Threat name:
PureCrypter, KeyLogger
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains process injector
.NET source code references suspicious native API functions
AI detected malicious Powershell script
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Detected PureCrypter Trojan
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Uses netstat to query active network connections and open ports
Uses powercfg.exe to modify the power settings
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Keylogger Generic
Yara detected Powershell decode and execute
Yara detected Telegram RAT
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1941163 Sample: ZA2A_DONE.ps1 Startdate: 12/07/2026 Architecture: WINDOWS Score: 100 41 api.telegram.org 2->41 43 ip-info.ff.avast.com 2->43 45 ip-info-mci.svc.avast.com 2->45 55 Suricata IDS alerts for network traffic 2->55 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 63 12 other signatures 2->63 8 powershell.exe 16 27 2->8         started        12 cmd.exe 1 2->12         started        14 cmd.exe 2->14         started        16 svchost.exe 1 1 2->16         started        signatures3 61 Uses the Telegram API (likely for C&C communication) 41->61 process4 dnsIp5 49 api.telegram.org 149.154.166.110, 443, 49683, 49700 TELEGRAMVG United Kingdom 8->49 51 ip-info-mci.svc.avast.com 34.111.175.102, 443, 49684 GOOGLE-CLOUD-PLATFORM-GoogleLLCUS United States 8->51 77 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->77 79 Found many strings related to Crypto-Wallets (likely being stolen) 8->79 81 Creates autostart registry keys with suspicious values (likely registry only malware) 8->81 85 9 other signatures 8->85 18 SyncHost.exe 2 8->18         started        22 conhost.exe 8->22         started        24 WmiPrvSE.exe 8->24         started        34 5 other processes 8->34 83 Bypasses PowerShell execution policy 12->83 26 powershell.exe 12 12->26         started        28 conhost.exe 12->28         started        30 powershell.exe 14->30         started        32 conhost.exe 14->32         started        53 127.0.0.1 unknown unknown 16->53 signatures6 process7 dnsIp8 47 95.181.173.101, 56001, 56002, 56003 AEZA-ASRU United States 18->47 65 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 18->65 67 Found many strings related to Crypto-Wallets (likely being stolen) 18->67 69 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 18->69 73 4 other signatures 18->73 71 Installs a global keyboard hook 22->71 36 conhost.exe 26->36         started        39 conhost.exe 30->39         started        signatures9 process10 signatures11 75 Installs a global keyboard hook 36->75
Verdict:
Malware
YARA:
2 match(es)
Tags:
CAB:COMPRESSION:NONE DeObfuscated PowerShell
Threat name:
Script-PowerShell.Trojan.PureCrypter
Status:
Malicious
First seen:
2026-07-11 12:32:46 UTC
AV detection:
6 of 36 (16.67%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution persistence
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
System Network Connections Discovery
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Power Settings
Badlisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments