MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95c6b52f54ed4ea06dbcc36db68d8a8ccf3b21ad6fb7170cb4ab8c042790581a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureCrypter


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95c6b52f54ed4ea06dbcc36db68d8a8ccf3b21ad6fb7170cb4ab8c042790581a
SHA3-384 hash: 344349eea19f99890947e4d345e16f58ec4312af3b13918256369e62577526ae891cf0195f6b0c0d302aa75ae23d8a19
SHA1 hash: 715d8df46654a3f3df7b2fb3e9dc2105bdf90327
MD5 hash: af6076d591c10a94d5f25ef3f81b5ab7
humanhash: north-fanta-robin-illinois
File name:af6076d591c10a94d5f25ef3f81b5ab7.exe
Download: download sample
Signature PureCrypter
Create hunting rule
File size:2'945'024 bytes
First seen:2024-08-07 06:40:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:bebGw40aQ8/ALBwo6WLLMd+CEe7Dbx3W4Dyem3BNM6hCSaADNOiRgDXwqquOaaJb:bBLswoprg7D9m4yfCbGNOAgcqUvM
Threatray 946 similar samples on MalwareBazaar
TLSH T181D50103157C06FBF959C930D00D1328549AC7F79A76F19A9EB1BEE1AB90CA19432CBD
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon ccb292b2e2dcf4d8 (1 x PureCrypter)
Reporter abuse_ch
Tags:exe purecrypter

Intelligence

File Origin
# of uploads :
1
# of downloads :
351
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
af6076d591c10a94d5f25ef3f81b5ab7.exe
Verdict:
Malicious activity
Analysis date:
2024-08-07 06:41:36 UTC
Tags:
rat asyncrat remote purehvnc netreactor stealer
Link:
https://app.any.run/tasks/7059a5e5-b73f-4208-9e24-a887b93d9c53

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Msilheracles-10017859-0
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66b3170caa5b40be0a9fb929
Tags:
Network Stealth Heur
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Launching a process
Creating a process with a hidden window
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Changing a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Connection attempt to an infection source
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed smartassembly smart_assembly
Link:
https://www.filescan.io/uploads/66b31705e7dbbbdfcd0a3607/reports/a8af0e14-da6a-44ef-a491-758b7d4b5ee9/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/95c6b52f54ed4ea06dbcc36db68d8a8ccf3b21ad6fb7170cb4ab8c042790581a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/71e1f710-3551-40ec-a0a4-b7993052eaa8
Result
Threat name:
PureCrypter
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1489260
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected PureCrypter Trojan
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/95c6b52f54ed4ea06dbcc36db68d8a8ccf3b21ad6fb7170cb4ab8c042790581a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/95c6b52f54ed4ea06dbcc36db68d8a8ccf3b21ad6fb7170cb4ab8c042790581a/
Threat name:
ByteCode-MSIL.Spyware.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2024-08-06 18:22:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
27 of 38 (71.05%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sxdlkl2u5vhka3n4ynw3ndmkrthtwinnn63rodfuvogaij4qlana._file
Verdict:
malicious
Similar samples:
6ae6030e6222a1400ce938e2ad2086253f1ff6d9d07b0be35fee6853e87bedc6
PureCrypter
7723fd269e8d6a1ada1fffae67bc1f8470fde6fed1ebecbe7df5c53deb4b6907
PureCrypter
7e97e6e6ccae12c62ee828a165fc3c0945026440716621d90abc77a1f7fc5c62
PureCrypter
cac0b5218693311e4bd40e0dfa76a0f080876640a4c992324c6926d70f228db2
PureCrypter
ed04d8ebbc30c39278f1e22d2442853ff704f97f0e494d069034dee2239bc43a
PureCrypter
+ 936 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence upx
Link:
https://tria.ge/reports/240807-hfsb2sxanh/
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2feba97b-1942-4785-b382-71d7ea2daa8d
Unpacked files
SH256 hash:
c1fa37c4016a4ed5524a71a267da04f868a2b14ae0632dc9141eb6b8c7d59b03
MD5 hash:
97b3d40ea50e3e2b33672e9f9f7bc143
SHA1 hash:
8edfd8b1380c5f6aa5c7f57020354c36388f1a9a
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e283455a-20a8-4f63-b737-aa444302ae5c/
SH256 hash:
f4e64a5bd7c9f23bcc66093ea6f9f6d65f624d0a41ab13a592aa30c32aff61e7
MD5 hash:
baa968b4b3da28e95c9909411192a41e
SHA1 hash:
37f4a1f6b28995a3bdf72791700700fb05ca6bbf
Link:
https://www.unpac.me/results/e283455a-20a8-4f63-b737-aa444302ae5c/
SH256 hash:
95c6b52f54ed4ea06dbcc36db68d8a8ccf3b21ad6fb7170cb4ab8c042790581a
MD5 hash:
af6076d591c10a94d5f25ef3f81b5ab7
SHA1 hash:
715d8df46654a3f3df7b2fb3e9dc2105bdf90327
Link:
https://www.unpac.me/results/e283455a-20a8-4f63-b737-aa444302ae5c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/95c6b52f54ed/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/95c6b52f54ed4ea06dbcc36db68d8a8ccf3b21ad6fb7170cb4ab8c042790581a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureCrypter

Executable exe 95c6b52f54ed4ea06dbcc36db68d8a8ccf3b21ad6fb7170cb4ab8c042790581a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3092690/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3092691/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments