MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 acc856cd5bbff56054c263244867b8fcebc9e81899ba7ec83a243364f71d7137. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureCrypter


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: acc856cd5bbff56054c263244867b8fcebc9e81899ba7ec83a243364f71d7137
SHA3-384 hash: a13cfc5ddd1887060c41a6b9882fd70629e6ca94beabb92e0d1efd3dc223e4354cd590fbb906f13cf4b45409ce62379f
SHA1 hash: 5ffccc2c798a2b567819a7db5a588e9d169fe3a3
MD5 hash: 491afe09d9b0ffccf3d3471fcac150b4
humanhash: missouri-robert-five-uncle
File name:NOV_RFQs#456372_SOFW_600SB_Rr_TIANJIN_INTERNATIONAL_CO_MATERIALSs.exe
Download: download sample
Signature PureCrypter
Create hunting rule
File size:168'448 bytes
First seen:2023-11-03 07:37:54 UTC
Last seen:2023-11-03 09:20:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:vEZygkwUTCJfzopj40dgF8fRq2GX1RGIxF:cffUTmfzoF3dgF8ceIx
Threatray 2'850 similar samples on MalwareBazaar
TLSH T1A0F3D70777AA89B1E29917BFC6D704044372E583B6A3EB0D754E1BE90F07BB69D21603
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 74f4d4d4d498b4d4 (6 x AgentTesla, 2 x RemcosRAT, 1 x PureCrypter)
Reporter abuse_ch
Tags:exe purecrypter

Intelligence

File Origin
# of uploads :
2
# of downloads :
289
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
NOV_RFQs#456372_SOFW_600SB_Rr_TIANJIN_INTERNATIONAL_CO_MATERIALSs.exe
Verdict:
Malicious activity
Analysis date:
2023-11-03 09:35:02 UTC
Tags:
rat remcos remote
Link:
https://app.any.run/tasks/460a1458-01a4-419a-aac2-12ecd15df9fe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/457946/
Detection(s):
SecuriteInfo.com.Win32.RansomX-gen.16572.8173.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending a custom TCP request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin packed replace
Link:
https://www.filescan.io/uploads/6544a35fbc703e36b098eedf/reports/db44983a-9e61-42b4-b55e-e9064d69ff78/overview
Verdict:
Malicious
Labled as:
MSIL/TrojanDownloader.Agent_AGen
Link:
https://www.hybrid-analysis.com/sample/acc856cd5bbff56054c263244867b8fcebc9e81899ba7ec83a243364f71d7137
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9376b4d8-ba8d-4f03-ae27-3b8ccc37541c
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1336467
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Delayed program exit found
Deletes itself after installation
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1336467 Sample: NOV_RFQs#456372_SOFW_600SB_... Startdate: 03/11/2023 Architecture: WINDOWS Score: 100 67 qu.ax 2->67 69 geoplugin.net 2->69 91 Multi AV Scanner detection for domain / URL 2->91 93 Found malware configuration 2->93 95 Malicious sample detected (through community Yara rule) 2->95 97 11 other signatures 2->97 12 NOV_RFQs#456372_SOFW_600SB_Rr_TIANJIN_INTERNATIONAL_CO_MATERIALSs.exe 16 5 2->12         started        17 Wfnwwrupvo.exe 14 5 2->17         started        19 Videos.exe 2->19         started        21 Videos.exe 2->21         started        signatures3 process4 dnsIp5 81 qu.ax 92.118.112.4, 443, 49737, 49739 GUDAEV-ASRU Russian Federation 12->81 61 C:\Users\user\AppData\...\Wfnwwrupvo.exe, PE32 12->61 dropped 115 Contains functionality to bypass UAC (CMSTPLUA) 12->115 117 Contains functionalty to change the wallpaper 12->117 119 Creates multiple autostart registry keys 12->119 127 6 other signatures 12->127 23 NOV_RFQs#456372_SOFW_600SB_Rr_TIANJIN_INTERNATIONAL_CO_MATERIALSs.exe 3 4 12->23         started        121 Multi AV Scanner detection for dropped file 17->121 123 Machine Learning detection for dropped file 17->123 125 Injects a PE file into a foreign processes 17->125 27 Wfnwwrupvo.exe 17->27         started        29 Videos.exe 19->29         started        31 Videos.exe 21->31         started        file6 signatures7 process8 file9 59 C:\ProgramData\Videos\Videos.exe, PE32 23->59 dropped 105 Creates autostart registry keys with suspicious names 23->105 107 Creates multiple autostart registry keys 23->107 33 Videos.exe 14 5 23->33         started        signatures10 process11 signatures12 83 Multi AV Scanner detection for dropped file 33->83 85 Tries to steal Mail credentials (via file registry) 33->85 87 Machine Learning detection for dropped file 33->87 89 2 other signatures 33->89 36 Videos.exe 33->36         started        process13 dnsIp14 71 107.150.18.101, 2404, 49746, 49747 ASN-QUADRANET-GLOBALUS United States 36->71 73 geoplugin.net 178.237.33.50, 49748, 80 ATOM86-ASATOM86NL Netherlands 36->73 99 Deletes itself after installation 36->99 101 Writes to foreign memory regions 36->101 103 Maps a DLL or memory area into another process 36->103 40 Videos.exe 36->40         started        43 Videos.exe 36->43         started        45 Videos.exe 36->45         started        47 3 other processes 36->47 signatures15 process16 signatures17 109 Tries to steal Instant Messenger accounts or passwords 40->109 111 Tries to steal Mail credentials (via file / registry access) 40->111 113 Tries to harvest and steal browser information (history, passwords, etc) 43->113 49 chrome.exe 47->49         started        52 chrome.exe 47->52         started        process18 dnsIp19 63 192.168.2.4, 138, 2404, 443 unknown unknown 49->63 65 239.255.255.250 unknown Reserved 49->65 54 chrome.exe 49->54         started        57 chrome.exe 52->57         started        process20 dnsIp21 75 microsoftmscompoc.tt.omtrdc.net 54->75 77 mdec.nelreports.net 54->77 79 20 other IPs or domains 54->79
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/acc856cd5bbff56054c263244867b8fcebc9e81899ba7ec83a243364f71d7137
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/acc856cd5bbff56054c263244867b8fcebc9e81899ba7ec83a243364f71d7137/
Threat name:
ByteCode-MSIL.Ransomware.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-11-03 06:23:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
18 of 37 (48.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vtefntk3x72wavgcmmseqz5y7tv4t2aytg5h5sb2eqzwj5y5oe3q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
54481a325fd753ad4d2217ffdb95058c1a7220d305600340c3ced465b1e0b265
PureCrypter
5ad88b48598633133d30a79c10cde8860cdf5a2d05ed4fd6227dd4a7449d02d9
PureCrypter
81e133f9aae32be3ff7a818fe7fa37eea017740c139e825641cf50dfaaa2a0a9
PureCrypter
be8ccfb19dab5c8d7b4273dc77b34c7ca0afea516e6bf85f607904345a3ad54f
PureCrypter
d31044022de445b61ba735083a47c5fd1f4d5c8dfcf544da489572ce3fafdc79
PureCrypter
d6fbf2f15cfb25c5d7b256955aec6d940799d33f008a76919b0592caa677ba48
PureCrypter
f7a9768d3a5a59e38316dc5f4f7c1fa32454630fbf11322af88592970be4be6c
PureCrypter
+ 2'840 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/231103-jgja7sga57/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
acc856cd5bbff56054c263244867b8fcebc9e81899ba7ec83a243364f71d7137
MD5 hash:
491afe09d9b0ffccf3d3471fcac150b4
SHA1 hash:
5ffccc2c798a2b567819a7db5a588e9d169fe3a3
Detections:
PureCrypter_Stage1
Create hunting rule
Link:
https://www.unpac.me/results/8964fb73-3a70-49f2-a785-1d777a652e78/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/acc856cd5bbf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.97
Link:
https://yomi.yoroi.company/submissions/acc856cd5bbff56054c263244867b8fcebc9e81899ba7ec83a243364f71d7137

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PureCrypter

Executable exe acc856cd5bbff56054c263244867b8fcebc9e81899ba7ec83a243364f71d7137

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/457946/

Comments