MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf496576e970c84e62e2e66d2c7d27339914d32087e9877aa4fe2cd2bf21255e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureCrypter


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf496576e970c84e62e2e66d2c7d27339914d32087e9877aa4fe2cd2bf21255e
SHA3-384 hash: 7871369ea3ade5eedae76aba4cf9562f8b71487688879ef87ab62fcdda7a07890780e9e862b80e1ad34117060bc8a17e
SHA1 hash: 34c74d4ee9850a36e746747022756834fdaa518a
MD5 hash: 4385abb8f1ffbb6ad3953295892730b8
humanhash: mike-foxtrot-victor-failed
File name:4385abb8f1ffbb6ad3953295892730b8.exe
Download: download sample
Signature PureCrypter
Create hunting rule
File size:1'042'944 bytes
First seen:2023-01-25 20:31:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:ik+b1V8TTyGainaKNH+TH3tPIhcvz+HQei8RtDUr:qfK2inbp+BPG4KweLjDU
Threatray 1'774 similar samples on MalwareBazaar
TLSH T1F22533941298A3FCC286407A78E3EFEB7756ADF74590CC2A3587D001EEC8D54A153DAA
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe purecrypter

Intelligence

File Origin
# of uploads :
1
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4385abb8f1ffbb6ad3953295892730b8.exe
Verdict:
Malicious activity
Analysis date:
2023-01-25 20:35:36 UTC
Tags:
evasion stealer
Link:
https://app.any.run/tasks/d67c5a88-9a52-41db-b071-498c95437301

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/356857/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Verdict:
No Threat
Threat level:
  2/10
Confidence:
80%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/63d191cc89bd67c10fda34cb/reports/d77dc16c-4432-4b96-aaea-7221b1f63847/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2044f1d6-b3dd-4680-b038-dfea06d365c8
Result
Threat name:
Vector Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1159155
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Costura Assembly Loader
Yara detected Vector Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 791893 Sample: 3bRSL6ViWV.exe Startdate: 25/01/2023 Architecture: WINDOWS Score: 100 52 api.telegram.org 2->52 58 Antivirus / Scanner detection for submitted sample 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 Yara detected Vector Stealer 2->62 64 5 other signatures 2->64 8 3bRSL6ViWV.exe 1 5 2->8         started        12 Lmyfmq.exe 2 2->12         started        14 Lmyfmq.exe 1 2->14         started        signatures3 process4 file5 38 C:\Users\user\AppData\Roaming\...\Lmyfmq.exe, PE32 8->38 dropped 40 C:\Users\user\...\Lmyfmq.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\...\3bRSL6ViWV.exe.log, ASCII 8->42 dropped 66 May check the online IP address of the machine 8->66 68 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->68 70 Encrypted powershell cmdline option found 8->70 72 Injects a PE file into a foreign processes 8->72 16 3bRSL6ViWV.exe 15 35 8->16         started        20 powershell.exe 16 8->20         started        74 Antivirus detection for dropped file 12->74 76 Multi AV Scanner detection for dropped file 12->76 78 Machine Learning detection for dropped file 12->78 22 Lmyfmq.exe 12->22         started        24 powershell.exe 12->24         started        26 Lmyfmq.exe 14->26         started        28 powershell.exe 14->28         started        30 Lmyfmq.exe 14->30         started        signatures6 process7 dnsIp8 44 api.telegram.org 149.154.167.220, 443, 49720, 49721 TELEGRAMRU United Kingdom 16->44 46 ipinfo.io 34.117.59.81, 443, 49714, 49726 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 16->46 50 2 other IPs or domains 16->50 54 Tries to steal Mail credentials (via file / registry access) 16->54 56 Tries to harvest and steal browser information (history, passwords, etc) 16->56 32 conhost.exe 20->32         started        48 162.159.128.233, 443, 49727 CLOUDFLARENETUS United States 22->48 34 conhost.exe 24->34         started        36 conhost.exe 28->36         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf496576e970c84e62e2e66d2c7d27339914d32087e9877aa4fe2cd2bf21255e/
Threat name:
ByteCode-MSIL.Trojan.StealerLoader
Create hunting rule
Status:
Malicious
First seen:
2023-01-25 20:32:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z5ewk5xjodee4yxc4zwsy7jhgomrjuzaq7uyo6ve7ywnfpzbevpa._file
Verdict:
malicious
Similar samples:
0f4929da9001eab23942eab268ece5da252c8b654273cc6ddaad9f87dcfbb1fa
PureCrypter
53ab8d99f27bef0bdbc4a0d0a02de34254fde15d202708e379bf2ff84d2ecfef
PureCrypter
5795e1e656eef516e884bcf0b57dfdccd24863893a5804532125242df09dc07b
PureCrypter
76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d
PureCrypter
92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de
PureCrypter
9dcb2a2b604e475d5cfbb2c3e3a87a74ff91336173e9ef5edfa14a26402709c6
PureCrypter
a869ac3fa2ed34c5d13fc7ac4f8753f68cc2921959f8fe087cae9a1a7b646d39
PureCrypter
c4cf9f8de6d0be53e5ba263fe8eeb33c199a21f70004d83e06bbded76dc5f322
PureCrypter
d0d03da3e2d11c18da8588b4061ea885005160f3bfb0f30f62aa582285ed2e9f
PureCrypter
f0ba1150b808e391fd34e60538f46e4b2ee56c919a7fd4e2ec26e6ca27d2195d
PureCrypter
+ 1'764 additional samples on MalwareBazaar
Result
Malware family:
purecrypter
Create hunting rule
Score:
  10/10
Tags:
family:purecrypter collection downloader loader persistence spyware stealer
Link:
https://tria.ge/reports/230125-zba1msaf79/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Detect PureCrypter injector
PureCrypter
Unpacked files
SH256 hash:
c34104369ab20b60d0e1fdeb21dd8d7797e997c15fa174a5cd4188743c8b61c9
MD5 hash:
fe331c079c0d4d799c798d550bfdaa8e
SHA1 hash:
5b5200fd21accacbb7dbf037b904805799fdb2f4
Link:
https://www.unpac.me/results/8967d3c1-98af-4d14-a4f2-2de6397005ac/
SH256 hash:
75baf93c5a1ac7ada43983c48ea19ad8c8e881ac1505fd597109fc5352b01ed4
MD5 hash:
74850ec1108355735e574ad6549d67f2
SHA1 hash:
249bc7907f7a865299618db71e4b12d2faab5a02
Link:
https://www.unpac.me/results/8967d3c1-98af-4d14-a4f2-2de6397005ac/
SH256 hash:
cf496576e970c84e62e2e66d2c7d27339914d32087e9877aa4fe2cd2bf21255e
MD5 hash:
4385abb8f1ffbb6ad3953295892730b8
SHA1 hash:
34c74d4ee9850a36e746747022756834fdaa518a
Link:
https://www.unpac.me/results/8967d3c1-98af-4d14-a4f2-2de6397005ac/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf496576e970c84e62e2e66d2c7d27339914d32087e9877aa4fe2cd2bf21255e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:NETDIC208_NOCEX_NOREACTOR
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/356857/

Comments