MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 866940bb59a32647c96466349066246b172adb7a5010678241be3e9663b1d637. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureCrypter


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 866940bb59a32647c96466349066246b172adb7a5010678241be3e9663b1d637
SHA3-384 hash: 326ab56fe4f2e34a0d222f14c909ca5d8d2470c683538b82e043c2ce82057cf4e45d95201757853295f588ae2f0170b4
SHA1 hash: 252125d718e9a38fcfb6bed08623a2e04aff95de
MD5 hash: f6df6ab495cdabaa6015e73429ba1c9d
humanhash: mobile-fish-echo-indigo
File name:stage10.bin
Download: download sample
Signature PureCrypter
Create hunting rule
File size:2'748'928 bytes
First seen:2023-02-01 21:56:19 UTC
Last seen:2023-02-01 23:31:42 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 49152:CtZYtc76GfGeYW7QOWPnO6g402E2ItTbLz:CtZYC7zInOuEpdH
Threatray 14'309 similar samples on MalwareBazaar
TLSH T16DD53B03B7E2DE91D354773BE48B3D1107528A15A7D3F30F3ABA632158133A16A999CE
TrID 83.1% (.DLL) Generic .NET DLL/Assembly (236632/4/32)
4.6% (.SCR) Windows screen saver (13097/50/3)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter martinbayard
Tags:dll purecrypter

Intelligence

File Origin
# of uploads :
2
# of downloads :
217
Origin country :
BE BE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/359272/
Detection(s):
SecuriteInfo.com.HKTL_NET_NAME_DotNetInject.7511.5429.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
black lokibot
Link:
https://www.filescan.io/uploads/63dae02ffcc41339192f043e/reports/d9e1ab99-ac39-43e2-993e-b55d029530c2/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c6e85ffc-79a1-41b4-9a1b-92b830f42514
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1163747
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 796514 Sample: stage10.bin.dll Startdate: 01/02/2023 Architecture: WINDOWS Score: 68 15 Antivirus / Scanner detection for submitted sample 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 .NET source code contains method to dynamically call methods (often used by packers) 2->19 21 2 other signatures 2->21 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/866940bb59a32647c96466349066246b172adb7a5010678241be3e9663b1d637/
Threat name:
ByteCode-MSIL.Packed.ReverseCrypter
Create hunting rule
Status:
Malicious
First seen:
2023-02-01 21:57:09 UTC
File Type:
PE (.Net Dll)
AV detection:
13 of 26 (50.00%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qzuubo2zumtepslemy2jazrenmlsvw32kaigpasbxy7jmy5r2y3q._file
Verdict:
malicious
Similar samples:
03541b2cf3bf022eda584b9ead6b6edeb7a47e8ccaa99b2415ee56694c9868cb
PureCrypter
0ddf7226ac77878f78a73875b0633229368d8e8c28acdd4469d65648d99adfc6
PureCrypter
2f7bd380536e16506e680cc1ad9dfd613a4bd05d365f542ecbdb1bd16562f11d
PureCrypter
64a050fdf78525e6d76e2349a1ccc58724bf77b6e3351e364c54f9235fa57d75
PureCrypter
cda5ced44ec0c2e58d0f38f9fa63a87364cf9cebcd2d0e1a11626a8bb694703a
PureCrypter
cfc9e35e650fccb171caa30fd7db3f6b99a8a16e824fb3f6276526ff10e063cf
PureCrypter
d060ee3029a154a6fba6ed666ee5fafb2c8ee019dcfde0819f8aa24392b6e944
PureCrypter
d9e7d9699b28022d1fd6b5ced9f32e3dd3210475d6a2b2ec770d331d6a910a53
PureCrypter
edc3a7a85b4c116fe3b5806dd71c08fa907ea41cd57c43abf0494135eac0595f
PureCrypter
+ 14'299 additional samples on MalwareBazaar
Result
Malware family:
purecrypter
Create hunting rule
Score:
  10/10
Tags:
family:purecrypter loader
Link:
https://tria.ge/reports/230201-1tw69scf35/
Unpacked files
SH256 hash:
866940bb59a32647c96466349066246b172adb7a5010678241be3e9663b1d637
MD5 hash:
f6df6ab495cdabaa6015e73429ba1c9d
SHA1 hash:
252125d718e9a38fcfb6bed08623a2e04aff95de
Link:
https://www.unpac.me/results/7ed99e51-0aba-4311-b2d9-80b4d21da741/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/866940bb59a32647c96466349066246b172adb7a5010678241be3e9663b1d637

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/359272/

Comments


Avatar
PrFalken commented on 2023-02-01 22:23:28 UTC

Extracted from sample 3d9599c4660790e2a9ec335ff9384efb10443eae67d22925697fd30d48f87414