MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e30c4e9e950ee26b0480a07c5a5128167a76b64dfac40ae06a0bb070a80838a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PureRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 21 File information Comments

SHA256 hash: e30c4e9e950ee26b0480a07c5a5128167a76b64dfac40ae06a0bb070a80838a9
SHA3-384 hash: f5190940203472ded98b29886951eb7d066bbb1fc7f3a421ad551fe02c2b62d15fcf8b6439aebbcc40bb9b04fc1a8d24
SHA1 hash: cf918f6f67e2f0eaf5aa329280199a0c4adc9f37
MD5 hash: 12be7a6c060a27bbed222ab8181ba592
humanhash: crazy-july-cat-mockingbird
File name:12be7a6c060a27bbed222ab8181ba592.exe
Download: download sample
Signature PureRAT
File size:53'753'856 bytes
First seen:2026-07-14 07:03:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e2c39c51a01eb6c331bece639d372272 (1 x PureRAT)
ssdeep 786432:XzPvUHPaEou1qbUIXt947aVqZthmDoHBT8jgvtr4:XzPcHPaEou1YJO8UT87
TLSH T1C6C78E517602C67EDAB191B1CD389A2EC619DE550B9045C7B1BC2F3D2F368D22B32EC6
TrID 65.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
10.2% (.EXE) Win64 Executable (generic) (6522/11/2)
7.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4504/4/1)
3.1% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon d02f2b330fcc8ccc (1 x PureRAT)
Reporter abuse_ch
Tags:exe PureRAT RAT

Intelligence


File Origin
# of uploads :
1
# of downloads :
150
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug crypto hacktool installer-heuristic microsoft_visual_cc packed reconnaissance
Result
Threat name:
PureCrypter
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected PureCrypter Trojan
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Writes to foreign memory regions
Behaviour
Behavior Graph:
Gathering data
Threat name:
Win32.Packed.Generic
Status:
Suspicious
First seen:
2026-07-11 00:40:05 UTC
File Type:
PE (Exe)
Extracted files:
56
AV detection:
10 of 36 (27.78%)
Threat level:
  1/5
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Bolonyokte
Author:Jean-Philippe Teissier / @Jipe_
Description:UnknownDotNet RAT - Bolonyokte
Rule name:Check_OutputDebugStringA_iat
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:dgaaga
Author:Harshit
Description:Detects suspicious PowerShell or registry activity
Rule name:FormhookB
Author:kevoreilly
Description:Formbook Anti-hook Bypass
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_stackstrings
Author:Willi Ballenthin
Rule name:NET
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Author:vietdx.mb
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:WHIRLPOOL_Constants
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments