MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9a6fa310bd121a3c0764b15c0fd14c10eaef637a440d92c8078490e24d45cac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureCrypter


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9a6fa310bd121a3c0764b15c0fd14c10eaef637a440d92c8078490e24d45cac
SHA3-384 hash: 5882c504c2ae4023c610932e723963ba94fd49473de4c66437c913e2fdb5e68efe1e7712ef90befc913e434239f51729
SHA1 hash: 02e9d3c3f2c31538eae874eed1bd8b49cd35fb43
MD5 hash: 0d484816fd43280c0c72d56453fcedb5
humanhash: social-ack-kentucky-salami
File name:Installer_v3726_x64.exe
Download: download sample
Signature PureCrypter
Create hunting rule
File size:10'334'720 bytes
First seen:2025-11-19 14:56:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a56f115ee5ef2625bd949acaeec66b76 (57 x Stealc, 57 x PureHVNC, 35 x CoinMiner)
ssdeep 196608:yIvrnND00rt/EmLrNtSc16yqrLNuTC1d6MQj+A/yOB+DGSbU6G6b1ASL8KbA:yIvB7rt/EmLxtSFyqHNpCXjtKVxbXb1e
Threatray 708 similar samples on MalwareBazaar
TLSH T172A63378FDF3B48AEC2DACB10966E18BD3456EE694789301744A6B7C0771EC7E35A180
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon 3c64ccfcecfce8ec (1 x PureCrypter)
Reporter aachum
Tags:exe purecrypter PureHVNC winautordr-hopto-org


Avatar
iamaachum
https://dl777filesbase.top/0nj84gjs2ma0gjemfwdc4i-installer00731578ghsvbetischgh3dlpabwj3vn5rusjcb50swcg00

PureHVNC C2: winautordr.hopto.org

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Installer_v3726_x64.exe
Verdict:
Malicious activity
Analysis date:
2025-11-19 14:56:39 UTC
Tags:
themida netreactor auto-sch purecrypter loader purehvnc
Link:
https://app.any.run/tasks/510ad0b1-ab8a-44fa-96bb-59a6c3031a17

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38670/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=691ddaa427c5936d7d0dbe91
Tags:
autorun packed shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating a file
Sending a custom TCP request
Launching a process
Creating a window
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Connection attempt
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed themidawinlicense
Link:
https://www.filescan.io/uploads/691dda9a976e7cbac23aca07/reports/24441ae9-91ae-4517-8585-4b1171954478/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/f9a6fa310bd121a3c0764b15c0fd14c10eaef637a440d92c8078490e24d45cac
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-11-19T09:52:00Z UTC
Last seen:
2025-11-21T02:01:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Generic HEUR:Trojan.Win32.Agent.pef
Link:
https://opentip.kaspersky.com/f9a6fa310bd121a3c0764b15c0fd14c10eaef637a440d92c8078490e24d45cac/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dd98e86d-bf5c-4c70-875e-0e5e724d72b1
Result
Threat name:
Purecrypter
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1816955
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Drops PE files with benign system names
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Purecrypter
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1816955 Sample: Installer_v3726_x64.exe Startdate: 19/11/2025 Architecture: WINDOWS Score: 100 42 winautordr.hopto.org 2->42 50 Antivirus detection for dropped file 2->50 52 Antivirus / Scanner detection for submitted sample 2->52 54 Detected unpacking (changes PE section rights) 2->54 56 10 other signatures 2->56 8 Installer_v3726_x64.exe 4 2->8         started        12 svchost.exe 1 1 2->12         started        signatures3 process4 dnsIp5 38 C:\Users\user\AppData\Local\...\svchost.exe, PE32+ 8->38 dropped 40 C:\Users\user\...\Installer_v3726_x64.exe.log, CSV 8->40 dropped 58 Detected unpacking (changes PE section rights) 8->58 60 Suspicious powershell command line found 8->60 62 Query firmware table information (likely to detect VMs) 8->62 64 7 other signatures 8->64 15 powershell.exe 12 8->15         started        17 powershell.exe 23 8->17         started        20 MpCmdRun.exe 2 8->20         started        22 schtasks.exe 1 8->22         started        46 127.0.0.1 unknown unknown 12->46 file6 signatures7 process8 signatures9 24 svchost.exe 2 15->24         started        28 conhost.exe 15->28         started        48 Loading BitLocker PowerShell Module 17->48 30 WmiPrvSE.exe 17->30         started        32 conhost.exe 17->32         started        34 conhost.exe 20->34         started        36 conhost.exe 22->36         started        process10 dnsIp11 44 winautordr.hopto.org 45.153.34.13, 49689, 49690, 49691 SKYLINKNL Germany 24->44 66 System process connects to network (likely due to code injection or exploit) 24->66 68 Query firmware table information (likely to detect VMs) 24->68 70 Hides threads from debuggers 24->70 72 3 other signatures 24->72 signatures12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f9a6fa310bd121a3c0764b15c0fd14c10eaef637a440d92c8078490e24d45cac
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/0d484816fd43280c0c72d56453fcedb5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9a6fa310bd121a3c0764b15c0fd14c10eaef637a440d92c8078490e24d45cac/
Verdict:
Malicious
Threat:
Trojan.Win32.Agent
Link:
https://tip.neiki.dev/file/f9a6fa310bd121a3c0764b15c0fd14c10eaef637a440d92c8078490e24d45cac
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7gtpumil2eq2hqdwjmk4b7iuyehk55rxuransleapbeq4jgulswa._file
Verdict:
malicious
Label(s):
unc_loader_078
Create hunting rule
Similar samples:
4836bae2f9cdf49ec6d34cd1b85aee2a16de879e29ff172c45c26acc6f5721af
PureCrypter
8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55
PureCrypter
e86b4b9ba03a1b69e9ac7fd9efa7c4b1cef7757ebfac5724fea1849a523e6423
PureCrypter
error
PureCrypter
f78e8b2f05c248d3e808b5fa373cb31f9e1334a0ece019e1e051b0d10e2ab1c6
PureCrypter
feb9d5e9402bd4b4108a5cb53196d5b5511509cf4dbf68c9a1194d63475c4633
PureCrypter
+ 698 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion execution persistence themida trojan
Link:
https://tria.ge/reports/251119-sa7jwsbt8c/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Executes dropped EXE
Themida packer
Command and Scripting Interpreter: PowerShell
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/268bcc81-8153-49e9-8d5a-e05aeea2cb93
Unpacked files
SH256 hash:
f9a6fa310bd121a3c0764b15c0fd14c10eaef637a440d92c8078490e24d45cac
MD5 hash:
0d484816fd43280c0c72d56453fcedb5
SHA1 hash:
02e9d3c3f2c31538eae874eed1bd8b49cd35fb43
Link:
https://www.unpac.me/results/97413722-2561-4d92-ad11-2406e37d8188/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.34
Link:
https://yomi.yoroi.company/submissions/f9a6fa310bd121a3c0764b15c0fd14c10eaef637a440d92c8078490e24d45cac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PureCrypter

iso 65a950601d22b7afae7c41f34b03f6032125b399f4586edd0552e851c256d7c6

PureCrypter

Executable exe f9a6fa310bd121a3c0764b15c0fd14c10eaef637a440d92c8078490e24d45cac

(this sample)

  
Link
https://tria.ge/251119-rwb5fabs3g/behavioral2
  
Dropped by
SHA256 65a950601d22b7afae7c41f34b03f6032125b399f4586edd0552e851c256d7c6
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/38670/
  
Dropped by
MD5 72adced5904db37f18743600a0c10f2c

Comments