purecrypter | 48a2f6dab127b5f79ca8293a19f14ffafabd0491e4a570b94b8a52807af5bcb2

Analysis

max time kernel
39s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30-01-2023 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Os_Editorx64_win7-8-10-11.exe
Size

319.0MB
MD5

cfc67715228aeff0bb92357d11bc3ce7
SHA1

f8b664c669dcf720a33630462c6eaad31c415fd4
SHA256

48a2f6dab127b5f79ca8293a19f14ffafabd0491e4a570b94b8a52807af5bcb2
SHA512

cc21566a400002c6746c4519bae1a54def69bfbbf290bacee783b8c28687ba09973bd5c0063694b02df152a392b6273d243760397796a74b6ce33c8b4593f796
SSDEEP

49152:QHuWBLVl5J4EUknv4QjU/5f5gB0dDKoXQo5xbhsJ8klAKjJWWnwn87fHhTjUNjHZ:QOUggv4QjsLzVKop85doKS87K5

Score

10^/10

purecrypter vidar 837 downloader loader stealer

Malware Config

Extracted

Family

vidar

Version

2.2

Botnet

837

https://t.me/litlebey

https://steamcommunity.com/profiles/76561199472399815

Attributes

profile_id
837

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1080-56-0x0000000004EC0000-0x0000000005146000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1080 set thread context of 1288	1080	Os_Editorx64_win7-8-10-11.exe	26

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1080	Os_Editorx64_win7-8-10-11.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 1288	1080	Os_Editorx64_win7-8-10-11.exe	26
PID 1080 wrote to memory of 1288	1080	Os_Editorx64_win7-8-10-11.exe	26
PID 1080 wrote to memory of 1288	1080	Os_Editorx64_win7-8-10-11.exe	26
PID 1080 wrote to memory of 1288	1080	Os_Editorx64_win7-8-10-11.exe	26
PID 1080 wrote to memory of 1288	1080	Os_Editorx64_win7-8-10-11.exe	26
PID 1080 wrote to memory of 1288	1080	Os_Editorx64_win7-8-10-11.exe	26
PID 1080 wrote to memory of 1288	1080	Os_Editorx64_win7-8-10-11.exe	26
PID 1080 wrote to memory of 1288	1080	Os_Editorx64_win7-8-10-11.exe	26
PID 1080 wrote to memory of 1288	1080	Os_Editorx64_win7-8-10-11.exe	26
PID 1080 wrote to memory of 1288	1080	Os_Editorx64_win7-8-10-11.exe	26
PID 1080 wrote to memory of 1288	1080	Os_Editorx64_win7-8-10-11.exe	26
PID 1080 wrote to memory of 1288	1080	Os_Editorx64_win7-8-10-11.exe	26
PID 1080 wrote to memory of 1288	1080	Os_Editorx64_win7-8-10-11.exe	26

C:\Users\Admin\AppData\Local\Temp\Os_Editorx64_win7-8-10-11.exe
"C:\Users\Admin\AppData\Local\Temp\Os_Editorx64_win7-8-10-11.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\Os_Editorx64_win7-8-10-11.exe
  C:\Users\Admin\AppData\Local\Temp\Os_Editorx64_win7-8-10-11.exe
  2⤵
  PID:1288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1080-54-0x0000000000C70000-0x0000000000F10000-memory.dmp

Filesize
2.6MB

Download
memory/1080-55-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/1080-56-0x0000000004EC0000-0x0000000005146000-memory.dmp

Filesize
2.5MB

Download
memory/1080-57-0x0000000004B00000-0x0000000004B6A000-memory.dmp

Filesize
424KB

Download
memory/1288-58-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1288-59-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1288-61-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1288-63-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1288-65-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1288-67-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1288-70-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1288-71-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download