MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3857a086bdac485a5e65fc88828cb0c4c831be7a1f63e2dab32a47f97b36289. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureHVNC

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	c3857a086bdac485a5e65fc88828cb0c4c831be7a1f63e2dab32a47f97b36289
SHA3-384 hash:	b8ebddd23fb479f068e634c79e34cc9544884fcef0cacebc9247f36399b297eecd1efe5e4dcf7dac2f67a6848b4b051b
SHA1 hash:	0cd91f5ee7a9bcd5331919ae89f09e5fa4a9b2ed
MD5 hash:	d178082428504ee9d1800811cc18ce89
humanhash:	shade-princess-lemon-mississippi
File name:	PO 4501054441 Luan Pharm.js
Download:	download sample
Signature	PureHVNC Create hunting rule
File size:	45'955 bytes
First seen:	2025-09-08 09:23:53 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	768:+PNwORmtViq8v3AnPExGzE4xk9ED3AEnJbEaDE8YnEt7E9OXEHsEbqEQaaHK9H7C:+PNwORmtViq8v3AnPExGzE4xk9ED3AEt
TLSH	T17523121ABBCDB9293C194731558DA05DEDCC66198E6B74AC4F835AC7088FD07CFA2227
Magika	javascript
Reporter	0xb0mb3r
Tags:	js purecrypter PureHVNC ReverseLoader

Intelligence

File Origin

# of uploads :

# of downloads :

141

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Script.SNH-gen.57964184.UNOFFICIAL

Sanesecurity.Malware.32320.UNOFFICIAL

SecuriteInfo.com.Heur.11036.22623.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68bea0d36e66ba602d792207

Tags:

obfuscate xtreme virus

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm base64 evasive fingerprint obfuscated obfuscated powershell

Link:

https://www.filescan.io/uploads/68bea0d3a64010de766fa1c1/reports/ee4859dc-ad1d-4dd1-9742-9e8fbf4b8ee1/overview

Verdict:

Malicious

Labled as:

Trojan.Script.Dropper

Link:

https://www.hybrid-analysis.com/sample/c3857a086bdac485a5e65fc88828cb0c4c831be7a1f63e2dab32a47f97b36289

Verdict:

Malicious

File Type:

First seen:

2025-09-07T22:03:00Z UTC

Last seen:

2025-09-07T22:03:00Z UTC

Hits:

~1000

Detections:

Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Generic

Link:

https://opentip.kaspersky.com/c3857a086bdac485a5e65fc88828cb0c4c831be7a1f63e2dab32a47f97b36289/results?tab=lookup

Score:

91%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/c3857a086bdac485a5e65fc88828cb0c4c831be7a1f63e2dab32a47f97b36289

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c3857a086bdac485a5e65fc88828cb0c4c831be7a1f63e2dab32a47f97b36289/

Verdict:

Malicious

Threat:

Trojan.JS.SAgent

Link:

https://tip.neiki.dev/file/c3857a086bdac485a5e65fc88828cb0c4c831be7a1f63e2dab32a47f97b36289

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2025-09-08 01:01:54 UTC

File Type:

Binary

AV detection:

9 of 38 (23.68%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yocxucdl3lciljpgl7eiqkglbrgigg7huh3d4lnlgksh7f5tmkeq._file

Result

Malware family:

n/a

Score:

10/10

Tags:

collection discovery execution

Link:

https://tria.ge/reports/250908-lda7jahr8y/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Command and Scripting Interpreter: JavaScript

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Process spawned unexpected child process

Malware Config

Dropper Extraction:

https://archive.org/download/optimized_msi_20250904/optimized_MSI.png

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/c3857a086bdac485a5e65fc88828cb0c4c831be7a1f63e2dab32a47f97b36289

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PureHVNC

js c3857a086bdac485a5e65fc88828cb0c4c831be7a1f63e2dab32a47f97b36289

(this sample)

any.run

https://app.any.run/tasks/ac5c770d-e81e-4e28-af7a-8ac0445229aa

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample