MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a05759a606f754ea7315225ccd542774734962fc343d43cc9607db110e7956ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureCrypter

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	a05759a606f754ea7315225ccd542774734962fc343d43cc9607db110e7956ee
SHA3-384 hash:	6429177b29de025741fe6f5b081c97293c51921d0b5408d9934612e0bd71286f99879628a3b1bc08047d33b329df9860
SHA1 hash:	e6e190703f53787efe3b8ec5c5435cde5b9c21bc
MD5 hash:	b0f795a3e55c48f038e4a5d31cd77171
humanhash:	five-spring-carpet-mountain
File name:	3b17cd66110ad93010d8d1b837cf5bb9.dll
Download:	download sample
Signature	PureCrypter Create hunting rule
File size:	2'606'592 bytes
First seen:	2023-02-03 20:02:03 UTC
Last seen:	2023-02-03 21:41:42 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep	49152:SPiC/ffGsM/z5aWQeDq+NtWLoXxrc8cqC:SPiC/fffyzTq+NEWr
Threatray	14'164 similar samples on MalwareBazaar
TLSH	T1E0C54A02B1F28EB2D798273BE6D6A8210361D7113697F30B395513755C233F86A49AEF
TrID	82.5% (.DLL) Generic .NET DLL/Assembly (236632/4/32) 4.5% (.SCR) Windows screen saver (13097/50/3) 3.6% (.EXE) Win64 Executable (generic) (10523/12/4) 2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	abuse_ch
Tags:	dll purecrypter

Intelligence

File Origin

# of uploads :

# of downloads :

209

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/360080/

Detection(s):

SecuriteInfo.com.Variant.MSILHeracles.63551.30200.8766.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

67%

Tags:

black

Link:

https://www.filescan.io/uploads/63dd687796add6d1cf49977d/reports/1aa9a5ff-741a-42dc-9161-6eebc29ba901/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/a05759a606f754ea7315225ccd542774734962fc343d43cc9607db110e7956ee

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bc120d06-5e63-49ed-aa9f-c908e0240cee

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1165457

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a05759a606f754ea7315225ccd542774734962fc343d43cc9607db110e7956ee/

Threat name:

ByteCode-MSIL.Packed.ReverseCrypter

Status:

Malicious

First seen:

2023-02-03 16:41:25 UTC

File Type:

PE (.Net Dll)

AV detection:

12 of 38 (31.58%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ublvtjqg65kou4yvejom2vbhorzusyx4gq6uhtewa7nrcdtzk3xa._file

Verdict:

malicious

PureCrypter

0ddf7226ac77878f78a73875b0633229368d8e8c28acdd4469d65648d99adfc6

PureCrypter

2ca156b0edea7b919b4c5e87ea24609b57c730b16a4303baf8946ebc02f7edaa

PureCrypter

46962910101f24cea5430b64f9ff9830585a94824b8835c452c36e2db74ed033

PureCrypter

7aa87e5a183c7aee29c378225f7ea9d8ace5ff461badde840a963cb2f4c9c929

PureCrypter

866940bb59a32647c96466349066246b172adb7a5010678241be3e9663b1d637

PureCrypter

d060ee3029a154a6fba6ed666ee5fafb2c8ee019dcfde0819f8aa24392b6e944

PureCrypter

d17c68f6ddd3737493404e4b89ca8782d11c2178f85fef8b8e123f546b684fbf

PureCrypter

ebb2dcf0d743e210a391d665b4589e3a0e41189ed1b21fcacc8c14caf13b1ce6

PureCrypter

+ 14'154 additional samples on MalwareBazaar

Result

Malware family:

purecrypter

Score:

10/10

Tags:

family:purecrypter loader

Link:

https://tria.ge/reports/230203-ysnsdsba35/

Unpacked files

SH256 hash:

a05759a606f754ea7315225ccd542774734962fc343d43cc9607db110e7956ee

MD5 hash:

b0f795a3e55c48f038e4a5d31cd77171

SHA1 hash:

e6e190703f53787efe3b8ec5c5435cde5b9c21bc

Link:

https://www.unpac.me/results/bd9102df-b55b-4c99-98f4-3219d2c68eca/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/a05759a606f754ea7315225ccd542774734962fc343d43cc9607db110e7956ee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	INDICATOR_EXE_Packed_Fody Create hunting rule
Author:	ditekSHen
Description:	Detects executables manipulated with Fody

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/360080/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample