File name:	Value.exe
Full analysis:	https://app.any.run/tasks/84dcee0a-6df1-4185-ab1c-381a944b82b4
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. First identified in March 2021, PureCrypter is a .NET-based loader that employs obfuscation techniques, such as SmartAssembly, to evade detection. It has been used to distribute malware families including AgentTesla, RedLine Stealer, and SnakeKeylogger. The malware is typically delivered through phishing campaigns and malicious downloads, often masquerading as legitimate files with extensions like .mp4 or .pdf. PureCrypter utilizes encryption and compression to conceal its payloads and can inject malicious code into legitimate processes to maintain persistence on the infected system. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 29, 2025, 12:38:45
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	purecrypter pureminer netreactor loader phishing lumma stealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows, 2 sections
MD5:	417BF30B5ED2A1D679A93028F13A1CA3
SHA1:	06F1DB8F79AB5AB289188108763FA774A49ADA77
SHA256:	A7A42D99330E45B4D7560B145137A191FEC68C09173E6BEC6120761142129478
SSDEEP:	24576:6bVJjwKEojvgvdLbEm8ZzPkMKPfoeaXw78lzkB38VrGDp2bxn9TZnzDCGNsd/BL:6PjwKEojvgvdLbEm8ZzPAPfoeaXw78ly

.exe	\|	Win16/32 Executable Delphi generic (34.1)
.exe	\|	Generic Win/DOS Executable (32.9)
.exe	\|	DOS Executable Generic (32.9)

MachineType:	AMD AMD64
TimeStamp:	2042:06:01 06:22:44+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Large address aware
PEType:	PE32+
LinkerVersion:	48
CodeSize:	677888
InitializedDataSize:	1536
UninitializedDataSize:	-
EntryPoint:	0x0000
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	-
FileDescription:	-
FileVersion:	1.0.0.0
InternalName:	Oclzxdkj.exe
LegalCopyright:	-
LegalTrademarks:	-
OriginalFileName:	Oclzxdkj.exe
ProductName:	-
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0


(PID) Process:	(1096) AddInUtil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AddInUtil_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(1096) AddInUtil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AddInUtil_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(1096) AddInUtil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AddInUtil_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(1096) AddInUtil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AddInUtil_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(1096) AddInUtil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AddInUtil_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(1096) AddInUtil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AddInUtil_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(1096) AddInUtil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AddInUtil_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(1096) AddInUtil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AddInUtil_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(1096) AddInUtil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AddInUtil_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(1096) AddInUtil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AddInUtil_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0

PID	Process	Filename		Type
5800	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:59012A1197CA9557BDC1F21A2B43CCE0	SHA256:26612276A38AFC8A9E623C87D93DA6C8CA1BFDE17E1C9AAD3F7E2618DB497A3A
5800	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_oiyvl532.g3g.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5744	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rsvxk5dv.f1q.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1096	AddInUtil.exe	C:\Users\admin\AppData\Local\Temp\rhhoxrbqy.exe		executable
		MD5:F31717EAAA7DF978792A8A9344568FDD	SHA256:E4F6682204CE8CA3A7C7D5B26FA08A367DEA4F33969013F3B840F8AAF3E3ED34
6964	Value.exe	C:\Users\admin\AppData\Roaming\SafeWaitHandle\Value.exe		executable
		MD5:417BF30B5ED2A1D679A93028F13A1CA3	SHA256:A7A42D99330E45B4D7560B145137A191FEC68C09173E6BEC6120761142129478
5008	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4k1vz33s.v1w.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
644	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\xdtcj\Default\History-journal		—
		MD5:—	SHA256:—
976	rhhoxrbqy.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe		executable
		MD5:417BF30B5ED2A1D679A93028F13A1CA3	SHA256:A7A42D99330E45B4D7560B145137A191FEC68C09173E6BEC6120761142129478
976	rhhoxrbqy.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\dotNetFx46_Full_setup.exe		executable
		MD5:5563FD5EF0892C459D7F2EB3244664A9	SHA256:57E591BBF0E70A8E8BAAB10F640261247D0C50451EE9CE8818C5B1A118BC8869
5304	dotNetFx46_Full_setup.exe	C:\Users\admin\AppData\Local\Position\ilcsbz\CanReuseTransform.exe		executable
		MD5:5563FD5EF0892C459D7F2EB3244664A9	SHA256:57E591BBF0E70A8E8BAAB10F640261247D0C50451EE9CE8818C5B1A118BC8869

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4628	RUXIMICS.exe	GET	200	23.48.23.132:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	304	4.175.87.197:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
4628	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6712	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
6712	SIHClient.exe	GET	200	23.48.23.183:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
6712	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6712	SIHClient.exe	GET	200	23.48.23.183:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
6712	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
6712	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
—	—	GET	200	52.165.164.15:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4628	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
4628	RUXIMICS.exe	23.48.23.132:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4628	RUXIMICS.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6712	SIHClient.exe	4.175.87.197:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6712	SIHClient.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6712	SIHClient.exe	23.48.23.183:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
google.com	142.250.186.110	whitelisted
client.wns.windows.com	172.211.123.249 172.211.123.250	whitelisted
crl.microsoft.com	23.48.23.132 23.48.23.156 23.48.23.190 23.48.23.191 23.48.23.175 23.48.23.141 23.48.23.169 23.48.23.189 23.48.23.135 23.48.23.183 23.48.23.173 23.48.23.143 23.48.23.162 23.48.23.194 23.48.23.158	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
slscr.update.microsoft.com	4.175.87.197	whitelisted
fe3cr.delivery.mp.microsoft.com	52.165.164.15	whitelisted
loadingfreedlophr.com.de	213.209.150.69	unknown
lofhr.com	20.190.159.128 20.190.159.73 40.126.31.67 20.190.159.68 20.190.159.23 20.190.159.2 40.126.31.130 20.190.159.131	unknown
loadingfreelofhr.net	185.208.156.66	unknown

PID	Process	Class	Message
1096	AddInUtil.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 56
1096	AddInUtil.exe	Malware Command and Control Activity Detected	LOADER [ANY.RUN] PureLoader Download Attempt (LOAD)
1096	AddInUtil.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 33
—	—	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
—	—	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2196	svchost.exe	Potentially Bad Traffic	ET DYN_DNS DYNAMIC_DNS Query to a *.crabdance .com Domain
2196	svchost.exe	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Domain ( .crabdance .com)
900	info.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 8
900	info.exe	Potentially Bad Traffic	ET DYN_DNS DYNAMIC_DNS HTTP Request to a *.crabdance .com Domain
900	info.exe	Misc activity	ET INFO Go-http-client User-Agent Observed Outbound

General Info

Value.exe

417BF30B5ED2A1D679A93028F13A1CA3

06F1DB8F79AB5AB289188108763FA774A49ADA77

A7A42D99330E45B4D7560B145137A191FEC68C09173E6BEC6120761142129478

24576:6bVJjwKEojvgvdLbEm8ZzPkMKPfoeaXw78lzkB38VrGDp2bxn9TZnzDCGNsd/BL:6PjwKEojvgvdLbEm8ZzPAPfoeaXw78ly

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Run PowerShell with an invisible window

Bypass execution policy to execute commands

PUREMINER has been detected (YARA)

PURECRYPTER has been detected (SURICATA)

PHISHING has been detected (SURICATA)

LUMMA has been detected (SURICATA)

Stealers network behavior

SUSPICIOUS

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

Reads the date of Windows installation

Executable content was dropped or overwritten

Connects to unusual port

Contacting a server suspected of hosting an CnC

There is functionality for taking screenshot (YARA)

The process executes via Task Scheduler

INFO

Checks supported languages

Reads the machine GUID from the registry

Process checks computer location settings

Reads the computer name

Script raised an exception (POWERSHELL)

Reads Environment values

Disables trace logs

Checks proxy server information

Reads the software policy settings

.NET Reactor protector has been detected

Create files in a temporary directory

Creates files or folders in the user directory

Checks if a key exists in the options dictionary (POWERSHELL)

Application launched itself

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections