MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e77adb6c127732172a6dd5af1a8004e84e001ec726497a5f8dd292383a2e4fe2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureCrypter


Vendor detections: 6


Intelligence 6 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e77adb6c127732172a6dd5af1a8004e84e001ec726497a5f8dd292383a2e4fe2
SHA3-384 hash: 030b93527ce7b05e667c91aea223eed8da2308b368ed91bd8f59cb7ebde4118812e52cfa5408bd0e88345d1df0fa83c0
SHA1 hash: dd8c7e43d023c7ec0eb46e09a0e21c06a8448f46
MD5 hash: cbf43170a90365375acdf35dc8035a19
humanhash: jig-football-texas-four
File name:Installer.iso
Download: download sample
Signature PureCrypter
Create hunting rule
File size:5'097'472 bytes
First seen:2025-11-08 13:00:53 UTC
Last seen:Never
File type: iso
MIME type:application/x-iso9660-image
ssdeep 98304:2C0qREb95MSLUtRaDIN5gBC00SCc09ujXmBiA7i3yuWUxLh:8qRaPcNBZK09uj2gxyuWUxL
TLSH T1793633B0FDC98806DF88D1F96790CA9D05D3767ECB6342B87A4E504FA7BA183D125B60
TrID 88.7% (.NULL) null bytes (2048000/1)
11.0% (.HTP) HomeLab/BraiLab Tape image (256000/1)
0.1% (.ISO) ISO 9660 CD image (2545/36/1)
0.0% (.BIN/MACBIN) MacBinary 1 (1033/5)
0.0% (.SMT) Memo File Apollo Database Engine (88/84)
Magika iso
Reporter aachum
Tags:iso purecrypter PureHVNC winautordr-hopto-org


Avatar
iamaachum
https://dl777filesbase.top/0nj84gjs2ma0gjemfwdc4i-installer00731578ghsvbetischgh3dlpabwj3vn5rusjcb50swcg00

PureHVNC C2: winautordr.hopto.org

Intelligence

File Origin
# of uploads :
1
# of downloads :
49
Origin country :
ES ES
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Installer_v49107_x64.exe
File size:5'046'272 bytes
SHA256 hash: 2375a6489fc38cf4cc71cd4c8b4765a8e9a13c63f16116827ca6ef6b554b3ec3
MD5 hash: 2a6eb1fef1f754e0217d78047219553e
MIME type:application/x-dosexec
Signature PureCrypter
Vendor Threat Intelligence
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690f3f423afb53888cc9ba06
Tags:
n/a
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
context-iso obfuscated packed packed themidawinlicense
Link:
https://www.filescan.io/uploads/690f3f3f8938e2fe221640eb/reports/396c585a-8722-4d8b-8fc9-f45d28716ae1/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/e77adb6c127732172a6dd5af1a8004e84e001ec726497a5f8dd292383a2e4fe2
Verdict:
Malicious
File Type:
iso
First seen:
2025-11-08T10:08:00Z UTC
Last seen:
2025-11-08T10:30:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Win32.Agent.pef
Link:
https://opentip.kaspersky.com/e77adb6c127732172a6dd5af1a8004e84e001ec726497a5f8dd292383a2e4fe2/results?tab=lookup
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e77adb6c127732172a6dd5af1a8004e84e001ec726497a5f8dd292383a2e4fe2/
Verdict:
Malicious
Threat:
Trojan.Win32.Agent
Link:
https://tip.neiki.dev/file/e77adb6c127732172a6dd5af1a8004e84e001ec726497a5f8dd292383a2e4fe2
Threat name:
Win32.Malware.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-11-08 13:01:50 UTC
File Type:
Binary (Archive)
Extracted files:
4
AV detection:
11 of 24 (45.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=455nw3aso4zboktn2wxrvaae5bhaahwhezexux4n2kjdqoroj7ra._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion execution persistence themida trojan
Link:
https://tria.ge/reports/251108-s3rn5s1jgq/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Themida packer
Command and Scripting Interpreter: PowerShell
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:win32_dotnet_obfuscate
Create hunting rule
Author:Reedus0
Description:Rule for detecting .NET obfuscated malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureCrypter

iso e77adb6c127732172a6dd5af1a8004e84e001ec726497a5f8dd292383a2e4fe2

(this sample)

PureCrypter

Executable exe 2375a6489fc38cf4cc71cd4c8b4765a8e9a13c63f16116827ca6ef6b554b3ec3

  
Link
https://tria.ge/251108-ppqm5sypck/behavioral2
  
Delivery method
Distributed via web download
  
Dropping
SHA256 2375a6489fc38cf4cc71cd4c8b4765a8e9a13c63f16116827ca6ef6b554b3ec3
  
Dropping
MD5 2a6eb1fef1f754e0217d78047219553e

Comments