purecrypter | e159f861102f4da97e02be9ffefd72254bb9b2a92bf7d16ea6ef8c53800b17de

General

Target

740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe
Size

3.9MB
MD5

ecb41ffa4f12fbe99b2a53141ec9f240
SHA1

68c7c9a49c519319aba55bf686f2388ee782208d
SHA256

740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2
SHA512

1b4f1b2225663e986be31d3aabe1491d443eb192e9b34e0aec6c7146a01bd0d350b3f417fa68a41ee3645a367175de59ebf66165cd718e4f1529f7fa3c6b6e89
SSDEEP

98304:x8vnvI2bIjGMWwAQ1cdLr3AG3cLMgs7T9/7AwCYyLb+P:Ung2QGMIxLEGMLMlx/7Zcv+P

Score

10^/10

purecrypter vidar 811 discovery downloader loader persistence spyware stealer

Malware Config

Extracted

Family

purecrypter

C2

https://atomm.com.br/.well-known/acme-challenge/bo/Xmwlki.dll

Extracted

Family

vidar

Version

1.9

Botnet

811

C2

https://t.me/travelticketshop

https://steamcommunity.com/profiles/76561199469016299

Attributes

profile_id
811

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Executes dropped EXE 4 IoCs

Processes:

bebra.exesisterservice.exeaheaddecov.exeaheaddecov.exe

pid process

4240 bebra.exe
5088 sisterservice.exe
3152 aheaddecov.exe
4372 aheaddecov.exe

pid	process
4240	bebra.exe
5088	sisterservice.exe
3152	aheaddecov.exe
4372	aheaddecov.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exeaheaddecov.exeaheaddecov.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	aheaddecov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	aheaddecov.exe

Loads dropped DLL 2 IoCs

Processes:

aheaddecov.exe

pid process

4372 aheaddecov.exe
4372 aheaddecov.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4372	aheaddecov.exe
4372	aheaddecov.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sisterservice.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	sisterservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	sisterservice.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

aheaddecov.exe

description pid process target process

PID 3152 set thread context of 4372 3152 aheaddecov.exe aheaddecov.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3152 set thread context of 4372	3152	aheaddecov.exe	aheaddecov.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aheaddecov.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	aheaddecov.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aheaddecov.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4952 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeaheaddecov.exe

pid process

3208 powershell.exe
3208 powershell.exe
4372 aheaddecov.exe
4372 aheaddecov.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

aheaddecov.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3152 aheaddecov.exe
Token: SeDebugPrivilege 3208 powershell.exe

pid	process
4952	timeout.exe

pid	process
3208	powershell.exe
3208	powershell.exe
4372	aheaddecov.exe
4372	aheaddecov.exe

description	pid	process
Token: SeDebugPrivilege	3152	aheaddecov.exe
Token: SeDebugPrivilege	3208	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exebebra.execmd.exesisterservice.exeaheaddecov.exeaheaddecov.execmd.exe

description	pid	process	target process
PID 5048 wrote to memory of 4240	5048	740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe	bebra.exe
PID 5048 wrote to memory of 4240	5048	740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe	bebra.exe
PID 4240 wrote to memory of 5004	4240	bebra.exe	cmd.exe
PID 4240 wrote to memory of 5004	4240	bebra.exe	cmd.exe
PID 5004 wrote to memory of 4968	5004	cmd.exe	choice.exe
PID 5004 wrote to memory of 4968	5004	cmd.exe	choice.exe
PID 5048 wrote to memory of 5088	5048	740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe	sisterservice.exe
PID 5048 wrote to memory of 5088	5048	740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe	sisterservice.exe
PID 5088 wrote to memory of 3152	5088	sisterservice.exe	aheaddecov.exe
PID 5088 wrote to memory of 3152	5088	sisterservice.exe	aheaddecov.exe
PID 5088 wrote to memory of 3152	5088	sisterservice.exe	aheaddecov.exe
PID 3152 wrote to memory of 3208	3152	aheaddecov.exe	powershell.exe
PID 3152 wrote to memory of 3208	3152	aheaddecov.exe	powershell.exe
PID 3152 wrote to memory of 3208	3152	aheaddecov.exe	powershell.exe
PID 3152 wrote to memory of 4372	3152	aheaddecov.exe	aheaddecov.exe
PID 3152 wrote to memory of 4372	3152	aheaddecov.exe	aheaddecov.exe
PID 3152 wrote to memory of 4372	3152	aheaddecov.exe	aheaddecov.exe
PID 3152 wrote to memory of 4372	3152	aheaddecov.exe	aheaddecov.exe
PID 3152 wrote to memory of 4372	3152	aheaddecov.exe	aheaddecov.exe
PID 3152 wrote to memory of 4372	3152	aheaddecov.exe	aheaddecov.exe
PID 3152 wrote to memory of 4372	3152	aheaddecov.exe	aheaddecov.exe
PID 3152 wrote to memory of 4372	3152	aheaddecov.exe	aheaddecov.exe
PID 3152 wrote to memory of 4372	3152	aheaddecov.exe	aheaddecov.exe
PID 4372 wrote to memory of 3312	4372	aheaddecov.exe	cmd.exe
PID 4372 wrote to memory of 3312	4372	aheaddecov.exe	cmd.exe
PID 4372 wrote to memory of 3312	4372	aheaddecov.exe	cmd.exe
PID 3312 wrote to memory of 4952	3312	cmd.exe	timeout.exe
PID 3312 wrote to memory of 4952	3312	cmd.exe	timeout.exe
PID 3312 wrote to memory of 4952	3312	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe
"C:\Users\Admin\AppData\Local\Temp\740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5048

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bebra.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\bebra.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\RarSFX0\bebra.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
4⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\RarSFX0\sisterservice.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\sisterservice.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5088

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aheaddecov.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aheaddecov.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA3AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aheaddecov.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aheaddecov.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aheaddecov.exe" & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
6⤵
- Delays execution with timeout.exe
PID:4952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aheaddecov.exe
Filesize
429.2MB

MD5
360cf1b802c90daa515330c1a9e89518

SHA1
183a21881ce1618f77862dff05240d19d604bbdc

SHA256
8db8e5c52bc6d502f1566f12525d3ec4d1f4ee60a52e8a9b6f4fdf35358d67e5

SHA512
bcbcdd1d965d1dffc548c1c22011c154919b1fefd3d1a5b2379cd95807fa8de5c575b27512adc8fd97e8d8ce8587f3637eb3f4cd79a9063922c29de742c74d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aheaddecov.exe
Filesize
429.2MB

MD5
360cf1b802c90daa515330c1a9e89518

SHA1
183a21881ce1618f77862dff05240d19d604bbdc

SHA256
8db8e5c52bc6d502f1566f12525d3ec4d1f4ee60a52e8a9b6f4fdf35358d67e5

SHA512
bcbcdd1d965d1dffc548c1c22011c154919b1fefd3d1a5b2379cd95807fa8de5c575b27512adc8fd97e8d8ce8587f3637eb3f4cd79a9063922c29de742c74d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aheaddecov.exe
Filesize
429.2MB

MD5
360cf1b802c90daa515330c1a9e89518

SHA1
183a21881ce1618f77862dff05240d19d604bbdc

SHA256
8db8e5c52bc6d502f1566f12525d3ec4d1f4ee60a52e8a9b6f4fdf35358d67e5

SHA512
bcbcdd1d965d1dffc548c1c22011c154919b1fefd3d1a5b2379cd95807fa8de5c575b27512adc8fd97e8d8ce8587f3637eb3f4cd79a9063922c29de742c74d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bebra.exe
Filesize
3.4MB

MD5
9db7f8ba57214489f97c8c785b4c727c

SHA1
968df2ab397063fcf6eb7720fa5ca24744230bc7

SHA256
c9487cb734eaca9afb87d6f71614bdfca5f3f5e70568971391d53e369badf149

SHA512
0fd530aeb633465bdffd134e4614ce9b3bbedd66537ce5edaeed93c2be00973029bd5f95c1a2733b192a2e9d18241af1cf9b5903a627af6012c8da22a40516c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bebra.exe
Filesize
3.4MB

MD5
9db7f8ba57214489f97c8c785b4c727c

SHA1
968df2ab397063fcf6eb7720fa5ca24744230bc7

SHA256
c9487cb734eaca9afb87d6f71614bdfca5f3f5e70568971391d53e369badf149

SHA512
0fd530aeb633465bdffd134e4614ce9b3bbedd66537ce5edaeed93c2be00973029bd5f95c1a2733b192a2e9d18241af1cf9b5903a627af6012c8da22a40516c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sisterservice.exe
Filesize
695KB

MD5
3c2aa77bd20b3ffb687f11e7c5bbea79

SHA1
6a9570c0c4b5e0fd6c5dd851f65cebc703bc580d

SHA256
7b477658201bcd770c3a07b1854c8d7fbb2c5535bb238954bda931f599455c31

SHA512
afc5ed38a82fee7fc72d4b6c1b87fac348d9409b7ca94b9cc0ad197b7fd55ed491a912377352fd5e0416344116d316cc123f7a043c52c7d6d98bd3917c1b6422

Download Submit
memory/3152-153-0x0000000004D00000-0x0000000004D92000-memory.dmp

Filesize
584KB

Download
memory/3152-152-0x00000000053E0000-0x0000000005984000-memory.dmp

Filesize
5.6MB

Download
memory/3152-156-0x0000000008040000-0x0000000008062000-memory.dmp

Filesize
136KB

Download
memory/3152-148-0x0000000000000000-mapping.dmp

Download
memory/3152-154-0x0000000004CE0000-0x0000000004CEA000-memory.dmp

Filesize
40KB

Download
memory/3152-151-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/3208-158-0x0000000002F70000-0x0000000002FA6000-memory.dmp

Filesize
216KB

Download
memory/3208-162-0x0000000006770000-0x000000000678E000-memory.dmp

Filesize
120KB

Download
memory/3208-164-0x0000000006D80000-0x0000000006D9A000-memory.dmp

Filesize
104KB

Download
memory/3208-163-0x00000000080E0000-0x000000000875A000-memory.dmp

Filesize
6.5MB

Download
memory/3208-159-0x0000000005BB0000-0x00000000061D8000-memory.dmp

Filesize
6.2MB

Download
memory/3208-157-0x0000000000000000-mapping.dmp

Download
memory/3208-160-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/3208-161-0x00000000061E0000-0x0000000006246000-memory.dmp

Filesize
408KB

Download
memory/3312-193-0x0000000000000000-mapping.dmp

Download
memory/4240-143-0x0000027EC3110000-0x0000027EC316C000-memory.dmp

Filesize
368KB

Download
memory/4240-144-0x00000000003A0000-0x0000000000BA3000-memory.dmp

Filesize
8.0MB

Download
memory/4240-155-0x00000000003A0000-0x0000000000BA3000-memory.dmp

Filesize
8.0MB

Download
memory/4240-141-0x00007FF9EB090000-0x00007FF9EB12E000-memory.dmp

Filesize
632KB

Download
memory/4240-132-0x0000000000000000-mapping.dmp

Download
memory/4372-168-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4372-166-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4372-165-0x0000000000000000-mapping.dmp

Download
memory/4372-169-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4372-170-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4372-171-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4372-172-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/4372-194-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4952-195-0x0000000000000000-mapping.dmp

Download
memory/4968-145-0x0000000000000000-mapping.dmp

Download
memory/5004-142-0x0000000000000000-mapping.dmp

Download
memory/5088-146-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads