purecrypter | 305cfdd7d464938cabe66fcf3116df431c10742c775a4a588d38349ea18a7fb6 | Triage

Submit
Reports

Overview

overview

Static

static

1

BLToolsMod.exe

windows7-x64

BLToolsMod.exe

windows10-2004-x64

Sharing

General

Target

BLToolsMod.exe
Size

763KB
Sample

230205-tq2h9aaa94
MD5

869037e716218fb7551d84b8ce7d0ae7
SHA1

12cb776519eeb2d5e6a7ab1ddce3a09f143d5f18
SHA256

305cfdd7d464938cabe66fcf3116df431c10742c775a4a588d38349ea18a7fb6
SHA512

6840e10d1daeacd169dba4a0049bc3b9087726dd45551b9a9587d57ec45d926356ce1656a39fdf35c1acb4020c564ec1f6a910fd83cde99e3ff75195728c72d2
SSDEEP

12288:SAZdPU5ttcsREhy5IYU8OaNISOvsk0gnT467zpmw7OfimWm/YfdFxfJ:S2UVc+EhyuAOaNIBXnT46fpmiOfimWy4

Score

10^/10

purecrypter quasar revengerat office04 downloader loader persistence spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

BLToolsMod.exe

Resource

win7-20221111-en

purecrypter quasar revengerat office04 downloader loader persistence spyware trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

BLToolsMod.exe

Resource

win10v2004-20220901-en

quasar office04 persistence spyware trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office04

C2

youhackernetpaingodxd.duckdns.org:5557

blablashitspreading.ddns.net:5557

Mutex

xEoEv3HHdyEIYwJRFM

Attributes

encryption_key
w3WfcmWh1iXT9cxeKFEX
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  BLToolsMod.exe
- Size
  
  763KB
- MD5
  
  869037e716218fb7551d84b8ce7d0ae7
- SHA1
  
  12cb776519eeb2d5e6a7ab1ddce3a09f143d5f18
- SHA256
  
  305cfdd7d464938cabe66fcf3116df431c10742c775a4a588d38349ea18a7fb6
- SHA512
  
  6840e10d1daeacd169dba4a0049bc3b9087726dd45551b9a9587d57ec45d926356ce1656a39fdf35c1acb4020c564ec1f6a910fd83cde99e3ff75195728c72d2
- SSDEEP
  
  12288:SAZdPU5ttcsREhy5IYU8OaNISOvsk0gnT467zpmw7OfimWm/YfdFxfJ:S2UVc+EhyuAOaNIBXnT46fpmiOfimWy4
Score

10^/10

purecrypter quasar revengerat office04 downloader loader persistence spyware trojan
- Detect PureCrypter injector
  loader
- PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.
  loader downloader purecrypter
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

purecrypterquasarrevengeratoffice04downloaderloaderpersistencespywaretrojan

behavioral2

quasaroffice04persistencespywaretrojan

© 2018-2024

Terms | Privacy