purecrypter

General

Target

305cfdd7d464938cabe66fcf3116df431c10742c775a4a588d38349ea18a7fb6.exe
Size

763KB
Sample

230205-vdcvssab65
MD5

869037e716218fb7551d84b8ce7d0ae7
SHA1

12cb776519eeb2d5e6a7ab1ddce3a09f143d5f18
SHA256

305cfdd7d464938cabe66fcf3116df431c10742c775a4a588d38349ea18a7fb6
SHA512

6840e10d1daeacd169dba4a0049bc3b9087726dd45551b9a9587d57ec45d926356ce1656a39fdf35c1acb4020c564ec1f6a910fd83cde99e3ff75195728c72d2
SSDEEP

12288:SAZdPU5ttcsREhy5IYU8OaNISOvsk0gnT467zpmw7OfimWm/YfdFxfJ:S2UVc+EhyuAOaNIBXnT46fpmiOfimWy4

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office04

C2

youhackernetpaingodxd.duckdns.org:5557

blablashitspreading.ddns.net:5557

Mutex

xEoEv3HHdyEIYwJRFM

Attributes

encryption_key
w3WfcmWh1iXT9cxeKFEX
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  305cfdd7d464938cabe66fcf3116df431c10742c775a4a588d38349ea18a7fb6.exe
- Size
  
  763KB
- MD5
  
  869037e716218fb7551d84b8ce7d0ae7
- SHA1
  
  12cb776519eeb2d5e6a7ab1ddce3a09f143d5f18
- SHA256
  
  305cfdd7d464938cabe66fcf3116df431c10742c775a4a588d38349ea18a7fb6
- SHA512
  
  6840e10d1daeacd169dba4a0049bc3b9087726dd45551b9a9587d57ec45d926356ce1656a39fdf35c1acb4020c564ec1f6a910fd83cde99e3ff75195728c72d2
- SSDEEP
  
  12288:SAZdPU5ttcsREhy5IYU8OaNISOvsk0gnT467zpmw7OfimWm/YfdFxfJ:S2UVc+EhyuAOaNIBXnT46fpmiOfimWy4
Score

10^/10

purecrypter quasar revengerat office04 downloader loader persistence spyware trojan
- Detect PureCrypter injector
  loader
- PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.
  loader downloader purecrypter
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect PureCrypter injector

Quasar RAT

Quasar payload

RevengeRAT

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2