purecrypter | ec24a8f92b77c77c267c785d00a9bab58a37331d1b1a20986b5c9266ff745f93

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2023 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vbc.exe
Size

7KB
MD5

7d7dd8874b96e698387e8929c53b85d2
SHA1

4afcddebd884a0bb9885b62d05f728ec3c1e4825
SHA256

ec24a8f92b77c77c267c785d00a9bab58a37331d1b1a20986b5c9266ff745f93
SHA512

fe3977420e2179981c4155044ec044eb760d7e577ac53811d2c32166a573d2373c31ff57e969d522df80f512499d8752627067932cdea13372cd7873058129dd
SSDEEP

96:OUY5awuf2gTYJau5huDntYBeTt1Ji6kd/7xVRbFnU:OUiYoYmuDntY8nUHFDI

Score

10^/10

purecrypter remcos remotehost collection downloader loader persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

top.thekillforabuse1.xyz:1068

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-R762FE
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

purecrypter

https://onedrive.live.com/download?cid=A113DD34A0D77810&resid=A113DD34A0D77810%21124&authkey=AK1A3Rk0CMrac7g

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/3064-156-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/3460-157-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/3460-159-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 4 IoCs

resource	yara_rule
behavioral2/memory/3460-157-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2396-158-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3064-156-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/3460-159-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

pid	Process
1344	dwn.exe
1828	dwn.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dwn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	vbc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	vbc.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dwn.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dwn.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dwn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fqzlegccz = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gjnkxx\\Fqzlegccz.exe\""	vbc.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3720 set thread context of 2100	3720	vbc.exe	90
PID 2100 set thread context of 3460	2100	vbc.exe	92
PID 2100 set thread context of 3064	2100	vbc.exe	95
PID 2100 set thread context of 2396	2100	vbc.exe	96
PID 1344 set thread context of 1828	1344	dwn.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1444	powershell.exe
1444	powershell.exe
3460	vbc.exe
3460	vbc.exe
2396	vbc.exe
2396	vbc.exe
3460	vbc.exe
3460	vbc.exe
3240	powershell.exe
3240	powershell.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2100	vbc.exe
2100	vbc.exe
2100	vbc.exe
2100	vbc.exe
2100	vbc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3720	vbc.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	2396	vbc.exe
Token: SeDebugPrivilege	1344	dwn.exe
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeDebugPrivilege	1828	dwn.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1828	dwn.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 1444	3720	vbc.exe	81
PID 3720 wrote to memory of 1444	3720	vbc.exe	81
PID 3720 wrote to memory of 1444	3720	vbc.exe	81
PID 3720 wrote to memory of 2100	3720	vbc.exe	90
PID 3720 wrote to memory of 2100	3720	vbc.exe	90
PID 3720 wrote to memory of 2100	3720	vbc.exe	90
PID 3720 wrote to memory of 2100	3720	vbc.exe	90
PID 3720 wrote to memory of 2100	3720	vbc.exe	90
PID 3720 wrote to memory of 2100	3720	vbc.exe	90
PID 3720 wrote to memory of 2100	3720	vbc.exe	90
PID 3720 wrote to memory of 2100	3720	vbc.exe	90
PID 3720 wrote to memory of 2100	3720	vbc.exe	90
PID 3720 wrote to memory of 2100	3720	vbc.exe	90
PID 3720 wrote to memory of 2100	3720	vbc.exe	90
PID 3720 wrote to memory of 2100	3720	vbc.exe	90
PID 2100 wrote to memory of 3460	2100	vbc.exe	92
PID 2100 wrote to memory of 3460	2100	vbc.exe	92
PID 2100 wrote to memory of 3460	2100	vbc.exe	92
PID 2100 wrote to memory of 1344	2100	vbc.exe	91
PID 2100 wrote to memory of 1344	2100	vbc.exe	91
PID 2100 wrote to memory of 1344	2100	vbc.exe	91
PID 2100 wrote to memory of 3460	2100	vbc.exe	92
PID 2100 wrote to memory of 1700	2100	vbc.exe	93
PID 2100 wrote to memory of 1700	2100	vbc.exe	93
PID 2100 wrote to memory of 1700	2100	vbc.exe	93
PID 2100 wrote to memory of 4440	2100	vbc.exe	94
PID 2100 wrote to memory of 4440	2100	vbc.exe	94
PID 2100 wrote to memory of 4440	2100	vbc.exe	94
PID 2100 wrote to memory of 3064	2100	vbc.exe	95
PID 2100 wrote to memory of 3064	2100	vbc.exe	95
PID 2100 wrote to memory of 3064	2100	vbc.exe	95
PID 2100 wrote to memory of 3064	2100	vbc.exe	95
PID 2100 wrote to memory of 2396	2100	vbc.exe	96
PID 2100 wrote to memory of 2396	2100	vbc.exe	96
PID 2100 wrote to memory of 2396	2100	vbc.exe	96
PID 2100 wrote to memory of 2396	2100	vbc.exe	96
PID 1344 wrote to memory of 3240	1344	dwn.exe	98
PID 1344 wrote to memory of 3240	1344	dwn.exe	98
PID 1344 wrote to memory of 3240	1344	dwn.exe	98
PID 1344 wrote to memory of 1828	1344	dwn.exe	100
PID 1344 wrote to memory of 1828	1344	dwn.exe	100
PID 1344 wrote to memory of 1828	1344	dwn.exe	100
PID 1344 wrote to memory of 1828	1344	dwn.exe	100
PID 1344 wrote to memory of 1828	1344	dwn.exe	100
PID 1344 wrote to memory of 1828	1344	dwn.exe	100
PID 1344 wrote to memory of 1828	1344	dwn.exe	100
PID 1344 wrote to memory of 1828	1344	dwn.exe	100

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dwn.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dwn.exe

C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  C:\Users\Admin\AppData\Local\Temp\vbc.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Users\Admin\AppData\Local\Temp\dwn.exe
    "C:\Users\Admin\AppData\Local\Temp\dwn.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3240
  - - C:\Users\Admin\AppData\Local\Temp\dwn.exe
      C:\Users\Admin\AppData\Local\Temp\dwn.exe
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      outlook_office_path
      outlook_win_path
      PID:1828
- - C:\Users\Admin\AppData\Local\Temp\vbc.exe
    C:\Users\Admin\AppData\Local\Temp\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\dbgvebwusyczfv"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3460
- - C:\Users\Admin\AppData\Local\Temp\vbc.exe
    C:\Users\Admin\AppData\Local\Temp\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\nvmgflooggumpbumyy"
    3⤵
    PID:1700
- - C:\Users\Admin\AppData\Local\Temp\vbc.exe
    C:\Users\Admin\AppData\Local\Temp\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\nvmgflooggumpbumyy"
    3⤵
    PID:4440
- - C:\Users\Admin\AppData\Local\Temp\vbc.exe
    C:\Users\Admin\AppData\Local\Temp\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\nvmgflooggumpbumyy"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:3064
- - C:\Users\Admin\AppData\Local\Temp\vbc.exe
    C:\Users\Admin\AppData\Local\Temp\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\qxrygdzpuomrrqiqqbqyz"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dwn.exe.log

Filesize
1KB

MD5
3a9188331a78f1dbce606db64b841fcb

SHA1
8e2c99b7c477d06591a856a4ea3e1e214719eee8

SHA256
db4137e258a0f6159fda559a5f6dd2704be0582c3f0586f65040c7ad1eb68451

SHA512
d1a994610a045d89d5d306866c24ae56bf16555414b8f63f632552568e67b5586f26d5a17a1f0a55ada376730298e6d856e9161828d4eae9decfa4e015e0e90a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
af56103df1bd81ff37d60206b59a9c9c

SHA1
9c133e68708056f9f2d67a584e0121d2bceeae6e

SHA256
2dc01a60a159e5a300545944d686bbd73da718678177bc17ff4c222383319cfb

SHA512
64b0728bb954964769676a3f1877697870d88eaa768df0b67d0e6840bcc3e253a3e0e5fd51eb18418ca112364714275d11dd6c1e07a8aac2f3795dd7cffb5827

Download Submit
C:\Users\Admin\AppData\Local\Temp\dbgvebwusyczfv

Filesize
4KB

MD5
952a930b9fe70f809a67cb4e765c9448

SHA1
7e6c235246cc1be14d8a01ee7688a2a2471d44c9

SHA256
bd8156713974af3003c418302d3647fa84f62836fe83613c05e8bc40cb06a867

SHA512
10d12f2412fd2cb9ecf47cccd0261b17d9a3323957602c06795c4b2244306837d0a979ec6e552dc023ee81719ebcb9455bdb6f9d44f07788664994d1498452fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwn.exe

Filesize
6KB

MD5
4d3fb96fc012cd2043de73345f140c7a

SHA1
a8c512c96302974e4d296e39dbf485539fbd4ddb

SHA256
cc53ea5b29b637e48a4e35521fe5d2b638c588e400876c87059a9e582884e3bc

SHA512
c58d9c7aa2487bc54add4fb696c44f517d0b8beaaee4810db28e1a46bbad3d1295f6a7c6301bf16abcb8917886c4bf2a4b16c96f27eb96e1fa5256556cc55a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwn.exe

Filesize
6KB

MD5
4d3fb96fc012cd2043de73345f140c7a

SHA1
a8c512c96302974e4d296e39dbf485539fbd4ddb

SHA256
cc53ea5b29b637e48a4e35521fe5d2b638c588e400876c87059a9e582884e3bc

SHA512
c58d9c7aa2487bc54add4fb696c44f517d0b8beaaee4810db28e1a46bbad3d1295f6a7c6301bf16abcb8917886c4bf2a4b16c96f27eb96e1fa5256556cc55a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwn.exe

Filesize
6KB

MD5
4d3fb96fc012cd2043de73345f140c7a

SHA1
a8c512c96302974e4d296e39dbf485539fbd4ddb

SHA256
cc53ea5b29b637e48a4e35521fe5d2b638c588e400876c87059a9e582884e3bc

SHA512
c58d9c7aa2487bc54add4fb696c44f517d0b8beaaee4810db28e1a46bbad3d1295f6a7c6301bf16abcb8917886c4bf2a4b16c96f27eb96e1fa5256556cc55a2b

Download Submit
memory/1344-151-0x0000000000E90000-0x0000000000E98000-memory.dmp

Filesize
32KB

Download
memory/1444-138-0x0000000005B70000-0x0000000005BD6000-memory.dmp

Filesize
408KB

Download
memory/1444-139-0x00000000061D0000-0x00000000061EE000-memory.dmp

Filesize
120KB

Download
memory/1444-135-0x0000000002C00000-0x0000000002C36000-memory.dmp

Filesize
216KB

Download
memory/1444-136-0x0000000005540000-0x0000000005B68000-memory.dmp

Filesize
6.2MB

Download
memory/1444-141-0x00000000066C0000-0x00000000066DA000-memory.dmp

Filesize
104KB

Download
memory/1444-140-0x0000000007A30000-0x00000000080AA000-memory.dmp

Filesize
6.5MB

Download
memory/1444-137-0x0000000005420000-0x0000000005486000-memory.dmp

Filesize
408KB

Download
memory/1828-174-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1828-179-0x0000000006660000-0x000000000666A000-memory.dmp

Filesize
40KB

Download
memory/1828-180-0x0000000006A00000-0x0000000006A50000-memory.dmp

Filesize
320KB

Download
memory/1828-177-0x0000000005AD0000-0x0000000006074000-memory.dmp

Filesize
5.6MB

Download
memory/1828-178-0x0000000006670000-0x0000000006702000-memory.dmp

Filesize
584KB

Download
memory/1828-181-0x0000000006D50000-0x0000000006F12000-memory.dmp

Filesize
1.8MB

Download
memory/2100-144-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2100-171-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2100-165-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2100-164-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2100-166-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2100-161-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2100-143-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2100-145-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2100-155-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2100-172-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2396-158-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3064-156-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3460-157-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3460-159-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3720-132-0x0000000000EA0000-0x0000000000EA8000-memory.dmp

Filesize
32KB

Download
memory/3720-133-0x00000000081C0000-0x00000000081E2000-memory.dmp

Filesize
136KB

Download