MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e82de6b368baabcc81ce3316a319f27173e82b9c2e94a043bf42b62458dc5a98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureCrypter


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e82de6b368baabcc81ce3316a319f27173e82b9c2e94a043bf42b62458dc5a98
SHA3-384 hash: 381f56cb294710a5bb5b93eface8800230addb2763653844c2277703086486c16daba7fa92b35b6b7ebf9f9b7967f548
SHA1 hash: 1b7a8d8302afa6f27f27d3d313865c2a4af61bdd
MD5 hash: 7b7bab781f4b30aee1289f36a01606a0
humanhash: charlie-georgia-lake-cold
File name:92.255.57.112.ps1
Download: download sample
Signature PureCrypter
Create hunting rule
File size:526'214 bytes
First seen:2025-01-15 07:22:59 UTC
Last seen:2025-01-15 15:27:18 UTC
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 12288:eFwowo0VN2VOhllXKS2Utye+jF2RZQcqNStpIOe0Ti0dBmEv7:2S37hloSTtKF2RZQHGuvo
TLSH T1D3B401731617FC8F67AF1F89E9003B952C7C943B6B1C4058F9C90BA990EA520DE6AD74
Magika powershell
Reporter JAMESWT_WT
Tags:92-255-57-112 booking ps1 purecrypter Spam-ITA

Intelligence

File Origin
# of uploads :
2
# of downloads :
99
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PowerShell.Obfus-9.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6787625aaa9c8e7858ded77b
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
confuserex net obfuscated
Link:
https://www.filescan.io/uploads/6787626200fbe0ad29ead989/reports/61f75bb2-7deb-4f9e-9c8f-f8f7cef5a38f/overview
Verdict:
Suspicious
Labled as:
Trojan[Dropper]/Agent.a
Link:
https://www.hybrid-analysis.com/sample/e82de6b368baabcc81ce3316a319f27173e82b9c2e94a043bf42b62458dc5a98
Result
Verdict:
UNKNOWN
Result
Threat name:
PureCrypter
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1591628
Signature
AI detected suspicious sample
Detected PureCrypter Trojan
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/e82de6b368baabcc81ce3316a319f27173e82b9c2e94a043bf42b62458dc5a98
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e82de6b368baabcc81ce3316a319f27173e82b9c2e94a043bf42b62458dc5a98/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5aw6nm3ixkv4zaoogmlkggpsofz6qk44f2kkaq57ik3ciwg4lkma._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250115-h7srwsvnex/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e82de6b368baabcc81ce3316a319f27173e82b9c2e94a043bf42b62458dc5a98

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureCrypter

PowerShell (PS) ps1 e82de6b368baabcc81ce3316a319f27173e82b9c2e94a043bf42b62458dc5a98

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3399029/
  
Delivery method
Distributed via web download

Comments