purecrypter | 650ada27b894204248d0af32365b2f400e4a19244293ef54c439d2c54345449e

Analysis

max time kernel
54s
max time network
65s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
03-02-2023 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

650ada27b894204248d0af32365b2f400e4a19244293ef54c439d2c54345449e.exe
Size

1.3MB
MD5

88472c005bdfa43a03ef843ab75ec661
SHA1

0e536c0e1f5de122ca22de0c7b164f9fb6368c3b
SHA256

650ada27b894204248d0af32365b2f400e4a19244293ef54c439d2c54345449e
SHA512

6e5211efbe14925550bf71b78741c2643c5b1a022bbdb6e0ea80a6961678d1b64984304b2d0ae35e7b949fed9d80f749a74ec409dc46af6299366b8f12a03825
SSDEEP

24576:Zlf4Qknt/xAfoqRBkXlSlj3mk4a9YUEBg+KWHxLA34penxHQOl+z92HoBqtUu0/k:ZlfpOyf/Q1+j3mkJStQ4GwOlQ2HySUr

Score

10^/10

purecrypter redline hexo-clients downloader infostealer loader spyware

Malware Config

Extracted

Family

redline

Botnet

HEXO-CLIENTS

amrican-sport-live-stream.cc:4581

Attributes

auth_value
c89aa436caaa4074b5f219890c543d38

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/2696-160-0x00000000058B0000-0x0000000005B2C000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

650ada27b894204248d0af32365b2f400e4a19244293ef54c439d2c54345449e.exe

description	pid	process	target process
PID 2696 set thread context of 3668	2696	650ada27b894204248d0af32365b2f400e4a19244293ef54c439d2c54345449e.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

InstallUtil.exe

pid process

3668 InstallUtil.exe
3668 InstallUtil.exe

pid	process
3668	InstallUtil.exe
3668	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

650ada27b894204248d0af32365b2f400e4a19244293ef54c439d2c54345449e.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	2696	650ada27b894204248d0af32365b2f400e4a19244293ef54c439d2c54345449e.exe
Token: SeDebugPrivilege	3668	InstallUtil.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

650ada27b894204248d0af32365b2f400e4a19244293ef54c439d2c54345449e.exe

description	pid	process	target process
PID 2696 wrote to memory of 3668	2696	650ada27b894204248d0af32365b2f400e4a19244293ef54c439d2c54345449e.exe	InstallUtil.exe
PID 2696 wrote to memory of 3668	2696	650ada27b894204248d0af32365b2f400e4a19244293ef54c439d2c54345449e.exe	InstallUtil.exe
PID 2696 wrote to memory of 3668	2696	650ada27b894204248d0af32365b2f400e4a19244293ef54c439d2c54345449e.exe	InstallUtil.exe
PID 2696 wrote to memory of 3668	2696	650ada27b894204248d0af32365b2f400e4a19244293ef54c439d2c54345449e.exe	InstallUtil.exe
PID 2696 wrote to memory of 3668	2696	650ada27b894204248d0af32365b2f400e4a19244293ef54c439d2c54345449e.exe	InstallUtil.exe
PID 2696 wrote to memory of 3668	2696	650ada27b894204248d0af32365b2f400e4a19244293ef54c439d2c54345449e.exe	InstallUtil.exe
PID 2696 wrote to memory of 3668	2696	650ada27b894204248d0af32365b2f400e4a19244293ef54c439d2c54345449e.exe	InstallUtil.exe
PID 2696 wrote to memory of 3668	2696	650ada27b894204248d0af32365b2f400e4a19244293ef54c439d2c54345449e.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\650ada27b894204248d0af32365b2f400e4a19244293ef54c439d2c54345449e.exe
"C:\Users\Admin\AppData\Local\Temp\650ada27b894204248d0af32365b2f400e4a19244293ef54c439d2c54345449e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2696-119-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-120-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-121-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-122-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-123-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-124-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-125-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-126-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-127-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-128-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-129-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-130-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-131-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-132-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-133-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-134-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-135-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-136-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-137-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-139-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-138-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-140-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-141-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-142-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-143-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-144-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-145-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-146-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-147-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-148-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-149-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-150-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-151-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-152-0x0000000000FB0000-0x00000000010F8000-memory.dmp

Filesize
1.3MB

Download
memory/2696-153-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-154-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-155-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-156-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-157-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-158-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-159-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-160-0x00000000058B0000-0x0000000005B2C000-memory.dmp

Filesize
2.5MB

Download
memory/2696-161-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-162-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-163-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-164-0x0000000005D20000-0x0000000005D42000-memory.dmp

Filesize
136KB

Download
memory/2696-165-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-166-0x0000000006110000-0x0000000006460000-memory.dmp

Filesize
3.3MB

Download
memory/2696-167-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-168-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-169-0x0000000005EC0000-0x0000000005F26000-memory.dmp

Filesize
408KB

Download
memory/2696-170-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-171-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-172-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-173-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-174-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-175-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-176-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-177-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-178-0x0000000038910000-0x00000000389A2000-memory.dmp

Filesize
584KB

Download
memory/2696-179-0x0000000038EB0000-0x00000000393AE000-memory.dmp

Filesize
5.0MB

Download
memory/2696-180-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2696-181-0x0000000006460000-0x00000000064C0000-memory.dmp

Filesize
384KB

Download
memory/2696-184-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-182-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3668-183-0x0000000000444C0E-mapping.dmp

Download
memory/3668-185-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-186-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-187-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-188-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-189-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-190-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-191-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-222-0x0000000000E20000-0x0000000000E26000-memory.dmp

Filesize
24KB

Download
memory/3668-241-0x000000000AAE0000-0x000000000B0E6000-memory.dmp

Filesize
6.0MB

Download
memory/3668-242-0x000000000A650000-0x000000000A75A000-memory.dmp

Filesize
1.0MB

Download
memory/3668-244-0x000000000A580000-0x000000000A592000-memory.dmp

Filesize
72KB

Download
memory/3668-246-0x000000000A5E0000-0x000000000A61E000-memory.dmp

Filesize
248KB

Download
memory/3668-248-0x000000000A760000-0x000000000A7AB000-memory.dmp

Filesize
300KB

Download
memory/3668-269-0x000000000C920000-0x000000000C996000-memory.dmp

Filesize
472KB

Download
memory/3668-270-0x000000000C8A0000-0x000000000C8F0000-memory.dmp

Filesize
320KB

Download
memory/3668-271-0x000000000CB70000-0x000000000CD32000-memory.dmp

Filesize
1.8MB

Download
memory/3668-272-0x000000000D270000-0x000000000D79C000-memory.dmp

Filesize
5.2MB

Download