purecrypter

General

Target

1851a8dd1eb684515d31bb1b3a2f162eab634af839c9ef1002a8fc40bed8e361
Size

1.4MB
Sample

220722-ydmxjshedn
MD5

c5cb27cb09bdc222aeffaf0cccb96bad
SHA1

d3d9681b8ee4730dca84d8cde608f12348bfe8e8
SHA256

1851a8dd1eb684515d31bb1b3a2f162eab634af839c9ef1002a8fc40bed8e361
SHA512

a05bc118eff3c215debbd9909dd3d34cb3d0f2adcb47ea29e626416275e7793096d6e8ba8448ebfff4fff93cb6b142d2fcae414a403de57ddce9029b019d6f8a

Score

10^/10

Malware Config

Extracted

Family

warzonerat

C2

45.162.228.171:26112

Targets

- Target
  
  1851a8dd1eb684515d31bb1b3a2f162eab634af839c9ef1002a8fc40bed8e361
- Size
  
  1.4MB
- MD5
  
  c5cb27cb09bdc222aeffaf0cccb96bad
- SHA1
  
  d3d9681b8ee4730dca84d8cde608f12348bfe8e8
- SHA256
  
  1851a8dd1eb684515d31bb1b3a2f162eab634af839c9ef1002a8fc40bed8e361
- SHA512
  
  a05bc118eff3c215debbd9909dd3d34cb3d0f2adcb47ea29e626416275e7793096d6e8ba8448ebfff4fff93cb6b142d2fcae414a403de57ddce9029b019d6f8a
Score

10^/10

purecrypter warzonerat infostealer loader persistence rat trojan
- Detect PureCrypter loader
  loader
- PureCrypter
  PureCrypter is a loader which is intended for downloading and executing additional payloads.
  trojan loader purecrypter
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect PureCrypter loader

WarzoneRat, AveMaria

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2