purecrypter | c8007f5d3d8770320aa06642b4363f60d8caa0056507a6e1bf94dfb38b786f97 | Triage

Submit
Reports

Overview

overview

Static

static

1

Quotation ...DF.scr

windows7-x64

Quotation ...DF.scr

windows10-2004-x64

Sharing

General

Target

Quotation 202311025_PDF.scr
Size

24KB
Sample

230202-svwywsca83
MD5

f1ed9f09ea489162b2a5ef0c4d285503
SHA1

5e1b5599aef58f90e4ad3efa43661a1d7cc4ed6c
SHA256

c8007f5d3d8770320aa06642b4363f60d8caa0056507a6e1bf94dfb38b786f97
SHA512

4dfa6ad16b68bcc15362a93ef970bde290a654f67df507d8a3e8976ae45d38a4603184ad79fb7099de5fdaed637b8291022c3af3a374435428cc99512403252a
SSDEEP

384:iJg3aSz4PT02opvtOvt6Y4BwEapWNJR+:iW3Dl2oZU1ZdWNJR

Score

10^/10

purecrypter warzonerat downloader infostealer loader persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

Quotation 202311025_PDF.scr

Resource

win7-20221111-en

purecrypter warzonerat downloader infostealer loader persistence rat

windows7-x64

10 signatures

600 seconds

Behavioral task

behavioral2

Sample

Quotation 202311025_PDF.scr

Resource

win10v2004-20221111-en

warzonerat infostealer persistence rat

windows10-2004-x64

9 signatures

600 seconds

Malware Config

Extracted

Family

warzonerat

C2

37.120.155.179:52920

Targets

- Target
  
  Quotation 202311025_PDF.scr
- Size
  
  24KB
- MD5
  
  f1ed9f09ea489162b2a5ef0c4d285503
- SHA1
  
  5e1b5599aef58f90e4ad3efa43661a1d7cc4ed6c
- SHA256
  
  c8007f5d3d8770320aa06642b4363f60d8caa0056507a6e1bf94dfb38b786f97
- SHA512
  
  4dfa6ad16b68bcc15362a93ef970bde290a654f67df507d8a3e8976ae45d38a4603184ad79fb7099de5fdaed637b8291022c3af3a374435428cc99512403252a
- SSDEEP
  
  384:iJg3aSz4PT02opvtOvt6Y4BwEapWNJR+:iW3Dl2oZU1ZdWNJR
Score

10^/10

purecrypter warzonerat downloader infostealer loader persistence rat
- Detect PureCrypter injector
  loader
- PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.
  loader downloader purecrypter
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

purecrypterwarzoneratdownloaderinfostealerloaderpersistencerat

behavioral2

warzoneratinfostealerpersistencerat

© 2018-2024

Terms | Privacy