purecrypter | 1060b71f9fd78f5d283b8295def74b2b1457fb4949815fa8442904cd75329d4a | Triage

Sharing

General

Target

tmp
Size

19KB
Sample

230129-2wewfahf5s
MD5

17abf0697eea43427b7e0ea295a09c2f
SHA1

9665076d470f2c614f58f36839591347f4236668
SHA256

1060b71f9fd78f5d283b8295def74b2b1457fb4949815fa8442904cd75329d4a
SHA512

dbf7a7bbf3488300ad688260cc2aa33e0fe4ef82b2ac430b2b4d0661e20f5e7259bf456e478ab1c3cc0120a7b33acf97bbffcc6e8c74e694f1785395635a25d4
SSDEEP

192:FPLL2GSnvjtt6BtFIEZtltPtptUtCttttZ6fWdZAphAtttWnTC/F:9fSvW+hhnG/

Score

10^/10

purecrypter remcos mstox downloader loader rat

Malware Config

Extracted

Family

purecrypter

C2

http://121.4.69.26:53712/Sjewbm.dat

Extracted

Family

remcos

Botnet

MStox

C2

80.66.75.126:53813

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
17
connect_interval
8
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-6QBZSN
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  tmp
- Size
  
  19KB
- MD5
  
  17abf0697eea43427b7e0ea295a09c2f
- SHA1
  
  9665076d470f2c614f58f36839591347f4236668
- SHA256
  
  1060b71f9fd78f5d283b8295def74b2b1457fb4949815fa8442904cd75329d4a
- SHA512
  
  dbf7a7bbf3488300ad688260cc2aa33e0fe4ef82b2ac430b2b4d0661e20f5e7259bf456e478ab1c3cc0120a7b33acf97bbffcc6e8c74e694f1785395635a25d4
- SSDEEP
  
  192:FPLL2GSnvjtt6BtFIEZtltPtptUtCttttZ6fWdZAphAtttWnTC/F:9fSvW+hhnG/
Score

10^/10

purecrypter remcos mstox downloader loader rat
- Detect PureCrypter injector
  loader
- PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.
  loader downloader purecrypter
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

purecrypterremcosmstoxdownloaderloaderrat

behavioral2

purecrypterremcosmstoxdownloaderloaderrat