MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d060ee3029a154a6fba6ed666ee5fafb2c8ee019dcfde0819f8aa24392b6e944. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureCrypter
Vendor detections: 10



SHA256 hash: d060ee3029a154a6fba6ed666ee5fafb2c8ee019dcfde0819f8aa24392b6e944
SHA3-384 hash: b11288ee2e80768a4131918aa5ea483543c9fe965a17a4d98ad97421a2d73302c6c64312e35d2b63b7ec95b2ff6d1aa1
SHA1 hash: 8b801c2d83b7602d350734bc3de5de7b9df73436
MD5 hash: 49884eec4a8dcafe6d2993865154cdf4
humanhash: berlin-helium-bulldog-louisiana
File name: Setup.exe
Signature: PureCrypter
File size: 2'654'496 bytes
First seen: 2023-01-26 00:54:54 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'596 x Formbook, 12'240 x SnakeKeylogger)
ssdeep: 49152:V2+9WCvHTdprm74MntR2XTw5lKX0Zu04iXgIHuxCt8DccbasI:V2p2Td9mVtR2XTol80Zu04iXgHI8DM
Threatray: 1'244 similar samples on MalwareBazaar
TLSH: T12AC5335CFA8AFD12FE5904348550412863A2DD279AC3EE169982B7BD2C733C3C91977B
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: e9e2eae6b696c6ec (11 x LummaStealer, 4 x Vidar, 2 x FickerStealer)
Reporter: malware_traffic
Tags: exe purecrypter

Intelligence


File Origin
# of uploads: 1
# of downloads: 219
Origin country: US
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Setup.exe
Verdict: Malicious activity
Analysis date: 2023-01-26 00:49:34 UTC
Tags: loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Creating synchronization primitives
Sending an HTTP GET request
Reading critical registry keys
Sending a custom TCP request
Changing a file
Creating a file in the %AppData% subdirectories
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm obfuscated overlay packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 96 / 100
Signature
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Costura Assembly Loader
Yara detected Vidar stealer
Behaviour
Threat name: Win32.Trojan.Casdet
Status: Malicious
First seen: 2023-01-26 00:55:09 UTC
File Type: PE (.Net Exe)
Extracted files: 13
AV detection: 14 of 26 (53.85%)
Threat level: 5/5
Result
Malware family: purecrypter
Score: 10/10
Tags: family:purecrypter discovery downloader loader spyware
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Downloads MZ/PE file
Detect PureCrypter injector
PureCrypter
Unpacked files
SHA256 hash: 055c86cbc9468f071be17ce1d7ced18af86eb476e03ec81256af82c6c75228f3
MD5 hash: 41fd07d9881432c39046c606a4067c52
SHA1 hash: c0b14d125ea5f94ed60587c72e48337f8e2043a2

SHA256 hash: 230af5c1f43fc1bc4b150bcae07dc00e6995ba769cd7c2748c670b4d22383402
MD5 hash: 65a491f3372db7accd1a14734f87bfdf
SHA1 hash: 4a2e4e830bdf9724bd4b0824a3169c3844ded966

SHA256 hash: 701fe4377f85c0cd3d14f44d51e54b8e877f3acb4bd5c465fe23ae78f705952d
MD5 hash: a35a72f5291085823d2b0eb3e0b5b20d
SHA1 hash: 3d0d5e65185849ad7abee8a96b5fc03839744c18

SHA256 hash: d060ee3029a154a6fba6ed666ee5fafb2c8ee019dcfde0819f8aa24392b6e944
MD5 hash: 49884eec4a8dcafe6d2993865154cdf4
SHA1 hash: 8b801c2d83b7602d350734bc3de5de7b9df73436
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Author: ditekSHen
Description: Detects executables containing base64 encoded gzip files

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: yara_template

File information


The table below shows additional information about this malware sample such as delivery method and external references.
