MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ed5a0fc2342bd12c2caa4ea10a5887ff774c7866c2c10c0ffbb522280a2599a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureHVNC

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	9ed5a0fc2342bd12c2caa4ea10a5887ff774c7866c2c10c0ffbb522280a2599a
SHA3-384 hash:	045efb57e186ff1ea95de318579cc6bca93114613d7f515ebf68771f5aa968a50eb0396b6ac1eb08ffaf163c7ede21ac
SHA1 hash:	a3f345ce3070786c47612ff9be25d7d6972a5a72
MD5 hash:	925f48309ba1667f10a38de23c133241
humanhash:	tango-alpha-gee-stream
File name:	9ed5a0fc2342bd12c2caa4ea10a5887ff774c7866c2c10c0ffbb522280a2599a
Download:	download sample
Signature	PureHVNC Create hunting rule
File size:	1'419'264 bytes
First seen:	2026-06-08 08:31:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (49'068 x AgentTesla, 20'020 x Formbook, 12'352 x SnakeKeylogger)
ssdeep	24576:QhwZtdYulU+44U0W37kUSAEWHSKBeNnP0HdvmFRqi1g0Iqh69+n/1:QwXU+44UdrkURE66NPquyi1P96y
TLSH	T11A6512586358CA16E0974FF45821E1F42BB05ED8EC21D3038FEA3EEF747A7256916293
TrID	73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win64 Executable (generic) (6522/11/2) 4.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	exe PureHVNC

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

RoboSki

Details

Link:

https://research.acce.ciphertechsolutions.com/results/6fbc3974-69da-434e-aa5f-28ba8db11400/

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/69532/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a267eacae2f98c00a68bab4

Tags:

micro virus shell

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Connection attempt

Sending a custom TCP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed similar-threat vbnet

Link:

https://www.filescan.io/uploads/6a267e3d3d2a0c6df8e95da3/reports/d03a963f-754e-4e59-bae2-c0cb98fd1137/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/9ed5a0fc2342bd12c2caa4ea10a5887ff774c7866c2c10c0ffbb522280a2599a

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-05-21T17:32:00Z UTC

Last seen:

2026-05-28T06:51:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/9ed5a0fc2342bd12c2caa4ea10a5887ff774c7866c2c10c0ffbb522280a2599a/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/976162e7-f892-418e-a928-ac73a762343f

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9ed5a0fc2342bd12c2caa4ea10a5887ff774c7866c2c10c0ffbb522280a2599a

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9ed5a0fc2342bd12c2caa4ea10a5887ff774c7866c2c10c0ffbb522280a2599a/

Threat name:

ByteCode-MSIL.Trojan.Xworm

Status:

Malicious

First seen:

2026-05-21 23:30:04 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 36 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=t3k2b7bdik6rfqwkutvbbjmip73xjr4gnqwbbqh7xnjcfafclgna._file

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery execution persistence

Link:

https://tria.ge/reports/260608-kfqvbsaz41/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Unpacked files

SH256 hash:

9ed5a0fc2342bd12c2caa4ea10a5887ff774c7866c2c10c0ffbb522280a2599a

MD5 hash:

925f48309ba1667f10a38de23c133241

SHA1 hash:

a3f345ce3070786c47612ff9be25d7d6972a5a72

Link:

https://www.unpac.me/results/de765575-17e5-4ac4-abb8-0617166dc014/

SH256 hash:

30b8da6a6c14adb7188e67f556e4e4abdc4e0a47db4008b7a2930c21dbdf59c2

MD5 hash:

c25420b73d0fe1dd63cf91b94c810225

SHA1 hash:

8d54643580d5d5952e74ec53ebf93b91e398e9de

Link:

https://www.unpac.me/results/de765575-17e5-4ac4-abb8-0617166dc014/

SH256 hash:

e0bbc139e4adfb53a80f2faea38de35926f3383d2d805da9b590b3b30f56ebc7

MD5 hash:

afe221b94d0203468f934b73d00d6ad4

SHA1 hash:

ca8708a48224a16a277c387a360bb4bb2b2a782a

Link:

https://www.unpac.me/results/de765575-17e5-4ac4-abb8-0617166dc014/

SH256 hash:

4449ac5b333864df5317743e4a79ace690c7b18b7aff587fb133eafafafde4ea

MD5 hash:

13c5a936088843b1aa5c7379b4b6ca39

SHA1 hash:

ed7b623cedc3f3bcee3d6669353ea766bc79df62

Link:

https://www.unpac.me/results/de765575-17e5-4ac4-abb8-0617166dc014/

SH256 hash:

1e11304db4a86dd3c4070b77d7512b6ceaec022a3931046c6691ba4c3cd24013

MD5 hash:

5abf4bcd1d184e9a9e26b6060d9e9127

SHA1 hash:

f9c148b7c89804016bcfde47bc9316163e078bf6

Link:

https://www.unpac.me/results/de765575-17e5-4ac4-abb8-0617166dc014/

Malware family:

PureHVNC

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9ed5a0fc2342/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9ed5a0fc2342bd12c2caa4ea10a5887ff774c7866c2c10c0ffbb522280a2599a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/69532/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample