MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a869ac3fa2ed34c5d13fc7ac4f8753f68cc2921959f8fe087cae9a1a7b646d39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureCrypter


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a869ac3fa2ed34c5d13fc7ac4f8753f68cc2921959f8fe087cae9a1a7b646d39
SHA3-384 hash: f59a70207b8cc1f36e8607d7ed8497a07d86d20d52a0346118a2c01f4ee8ffeec8614a8465a31eb97c5975956dd7963b
SHA1 hash: cb631f4d87c31d90f78403870aa1371866399a5e
MD5 hash: 21b049f1f9e91c6436a70b9d44796858
humanhash: vermont-uranus-montana-bluebird
File name:21b049f1f9e91c6436a70b9d44796858.exe
Download: download sample
Signature PureCrypter
Create hunting rule
File size:73'728 bytes
First seen:2022-12-29 19:38:19 UTC
Last seen:2022-12-29 21:33:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 768:IiK/Z6YSjZdLvOJ/dLg+BdvyZfR7t3PE851:Ib/QLvJ+fvURth
Threatray 5'953 similar samples on MalwareBazaar
TLSH T1E7735E362780E58EC83E7C35DE099DF5016EAD23C0F1564362D8BEEBB8764324D2D966
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 4f1d733b2b2f0b03 (33 x PureCrypter)
Reporter abuse_ch
Tags:exe purecrypter

Intelligence

File Origin
# of uploads :
2
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
21b049f1f9e91c6436a70b9d44796858.exe
Verdict:
Malicious activity
Analysis date:
2022-12-29 19:42:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9dd0a6a1-5862-48dd-924d-e8b68907bbb4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Tedy.256638.24297.22163.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Creating a file
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/63adecd90e926711fd759a8f/reports/2295614c-1958-4811-8c85-129c956ca216/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/aaa0ca45-cc39-47ac-817d-03218a6b01c3
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1142874
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a869ac3fa2ed34c5d13fc7ac4f8753f68cc2921959f8fe087cae9a1a7b646d39/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-12-29 16:13:53 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
13 of 38 (34.21%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vbu2yp5c5u2mluj7y6we7b2t62gmfeqzlh4p4cd4v2nbu63enu4q._file
Verdict:
malicious
Similar samples:
0f4929da9001eab23942eab268ece5da252c8b654273cc6ddaad9f87dcfbb1fa
PureCrypter
33a3bfb44d52e593191245c39b453475f7adac38721959590f7c258d3acf84a0
PureCrypter
40e33edbe3cc188d6a3c4e535344b8d2cc94ca910dcd7cf57f79958010338dcf
PureCrypter
5795e1e656eef516e884bcf0b57dfdccd24863893a5804532125242df09dc07b
PureCrypter
68f9ad5ec23c835ad9509db0915d4065046933d06652eb79784a43fbb7290603
PureCrypter
8c85bc3ecc8b4aac2d61677da26f2846eb883a0137d28fcb8a59becd689f54ce
PureCrypter
8dc1691f86f99af947d8056784c28458396821c4b1ce288e8e2a882b0585304e
PureCrypter
a88df82e4b619c1586b5640c801616486f08b3bd32f766847f468d6a23b6c23e
PureCrypter
b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73
PureCrypter
c180f58783642d9688ad20f32ce72e504accf1d101f1591b39b0d4e0f429fe3f
PureCrypter
+ 5'943 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner persistence
Link:
https://tria.ge/reports/221229-ydj6naea47/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
XMRig Miner payload
xmrig
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/abb88c10-a5a2-48c9-8033-a2df8ee78200
Unpacked files
SH256 hash:
a869ac3fa2ed34c5d13fc7ac4f8753f68cc2921959f8fe087cae9a1a7b646d39
MD5 hash:
21b049f1f9e91c6436a70b9d44796858
SHA1 hash:
cb631f4d87c31d90f78403870aa1371866399a5e
Detections:
PureCrypter_Stage1
Create hunting rule
Link:
https://www.unpac.me/results/4e3b0544-09f4-483a-8182-e3e0fe10f6cf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/a869ac3fa2ed34c5d13fc7ac4f8753f68cc2921959f8fe087cae9a1a7b646d39

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AsyncRat_Detection_Dec_2022
Create hunting rule
Author:Potatech
Description:AsyncRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureCrypter

Executable exe a869ac3fa2ed34c5d13fc7ac4f8753f68cc2921959f8fe087cae9a1a7b646d39

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2444763/
  
Delivery method
Distributed via web download

Comments