MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85015ad6ba1de268a69c138776c23e9d1a39a69063d525f74b1ef349b9031ffd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureCrypter

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	85015ad6ba1de268a69c138776c23e9d1a39a69063d525f74b1ef349b9031ffd
SHA3-384 hash:	3b5e8422472eb4fc774d0a0f6c0b905d1cdc192441645a2ac79cf29d6459bef6b28af1f1af94c8e8e5c8cc6d169233a9
SHA1 hash:	11f8037e019382be07f2c37210f388553b2a3760
MD5 hash:	0483a991fb043b8fddcf818ada08b3a1
humanhash:	charlie-river-kilo-quiet
File name:	invoices---DEC 2023.exe
Download:	download sample
Signature	PureCrypter Create hunting rule
File size:	36'864 bytes
First seen:	2023-12-20 08:11:30 UTC
Last seen:	2024-01-10 15:14:06 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	768:htVmat3GmDCR53ownkhDUTVQxbbw0YkBTd7qvBMi9nY7+M64TX3SeEulPzYipWLI:ka9fsHk9URQxbcSd5aMNSeEulMi4sL
Threatray	4'347 similar samples on MalwareBazaar
TLSH	T135F21A23B65A96B1D276873AC5679F003378EE81B553CB1D795E130A08333EEDD0568B
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter	lowmal3
Tags:	exe purecrypter

Intelligence

File Origin

# of uploads :

# of downloads :

359

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

invoices---DEC 2023.exe

Verdict:

Malicious activity

Analysis date:

2023-12-20 08:12:39 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/45bbd9a2-8f56-4aa2-bd6d-aa46b818862a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/468605/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

SecuriteInfo.com.Trojan.MSIL.Agent.7794.23672.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %AppData% directory

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Sending an HTTP GET request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade

Link:

https://www.filescan.io/uploads/6582a1d4ffafd83ebc95a653/reports/3b8531b1-b869-4f9a-b14f-c6e9052811fd/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/85015ad6ba1de268a69c138776c23e9d1a39a69063d525f74b1ef349b9031ffd

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

MassLogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cb6adb6c-43e6-4d0b-b01f-c17ec2d6a8fc

Result

Threat name:

PureLog Stealer

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1364951

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample has a suspicious name (potential lure to open the executable)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/85015ad6ba1de268a69c138776c23e9d1a39a69063d525f74b1ef349b9031ffd

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/85015ad6ba1de268a69c138776c23e9d1a39a69063d525f74b1ef349b9031ffd/

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2023-12-20 03:03:55 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

12 of 36 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=quavvvv2dxrgrju4codxnqr6tundtjuqmpksl52ld3zutoidd76q._file

Verdict:

malicious

PureCrypter

44a7c97a6329413816ca06839f6bd2aa29e5e45a5e0dc6d36fd491e8f056d661

PureCrypter

6fd6b5e4b0adfb00bd436ad0916b5d4ff6178aa78e28d22c81b6fcd159f19236

PureCrypter

9331f9970a83bda8893c6ace5048f736426c8cbddbd7cc0857a7a7306efa9ff0

PureCrypter

b7f3d85fc66f301be89b8df9ea44f53ddbd498e8806b576ccba3575c53a29304

PureCrypter

dce0b953b9201d59cd92a30bce45190f9c763690a09a7a279024d8cf4b8ce171

PureCrypter

e54a10d5f2679cf96e33d264734763b1864c859cd2fe666e9d803a081d521bcd

PureCrypter

+ 4'337 additional samples on MalwareBazaar

Result

Malware family:

zgrat

Score:

10/10

Tags:

family:zgrat persistence rat

Link:

https://tria.ge/reports/231220-j3valabbgk/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Detect ZGRat V1

ZGRat

Unpacked files

SH256 hash:

85015ad6ba1de268a69c138776c23e9d1a39a69063d525f74b1ef349b9031ffd

MD5 hash:

0483a991fb043b8fddcf818ada08b3a1

SHA1 hash:

11f8037e019382be07f2c37210f388553b2a3760

Detections:

PureCrypter_Stage1

Link:

https://www.unpac.me/results/14f5ba38-ec80-4a28-afd5-73cdeef7dc27/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/85015ad6ba1d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/85015ad6ba1de268a69c138776c23e9d1a39a69063d525f74b1ef349b9031ffd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PureCrypter

exe 85015ad6ba1de268a69c138776c23e9d1a39a69063d525f74b1ef349b9031ffd

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/468605/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample