purecrypter | e566072b5e8377bbb7697223a6a43161505955bed00c84ec3371df1782f8b28a

General

Target

8b45ddb55c917429dad237eac7bce95e29808c4157d098956144d19f247a1c0d.exe
Size

2.8MB
MD5

094506dab589aa3933fe28379d607e4e
SHA1

78b35e6e1c254f31079ea22a35fe5e0dde83848b
SHA256

8b45ddb55c917429dad237eac7bce95e29808c4157d098956144d19f247a1c0d
SHA512

5464a20e13a087fc56e441543d1182e2c7c80abd0156084d162a5b35cf0a357838b607f7956e07da6436ddc75abb22d7485c724b5770a6859f34d556ae0caa0e
SSDEEP

49152:ex04mKYkbtgQ/MwW/qvf7RZoVZZOHTjqFfK5r9oQSP1vh4CTRCC2OFj2OFS3:8juTq9zzWk99o11vhbTRCH3

Score

10^/10

purecrypter vidar 886 downloader loader persistence stealer

Malware Config

Extracted

Family

vidar

Version

2.3

Botnet

886

C2

https://t.me/mantarlars

https://steamcommunity.com/profiles/76561199474840123

Attributes

profile_id
886

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/852-55-0x00000000049C0000-0x0000000004C4A000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mkfexvjrq = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ngueozpsjs\\Mkfexvjrq.exe\""	8b45ddb55c917429dad237eac7bce95e29808c4157d098956144d19f247a1c0d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 852 set thread context of 588	852	8b45ddb55c917429dad237eac7bce95e29808c4157d098956144d19f247a1c0d.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
700	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	852	8b45ddb55c917429dad237eac7bce95e29808c4157d098956144d19f247a1c0d.exe
Token: SeDebugPrivilege	700	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 700	852	8b45ddb55c917429dad237eac7bce95e29808c4157d098956144d19f247a1c0d.exe	28
PID 852 wrote to memory of 700	852	8b45ddb55c917429dad237eac7bce95e29808c4157d098956144d19f247a1c0d.exe	28
PID 852 wrote to memory of 700	852	8b45ddb55c917429dad237eac7bce95e29808c4157d098956144d19f247a1c0d.exe	28
PID 852 wrote to memory of 700	852	8b45ddb55c917429dad237eac7bce95e29808c4157d098956144d19f247a1c0d.exe	28
PID 852 wrote to memory of 588	852	8b45ddb55c917429dad237eac7bce95e29808c4157d098956144d19f247a1c0d.exe	30
PID 852 wrote to memory of 588	852	8b45ddb55c917429dad237eac7bce95e29808c4157d098956144d19f247a1c0d.exe	30
PID 852 wrote to memory of 588	852	8b45ddb55c917429dad237eac7bce95e29808c4157d098956144d19f247a1c0d.exe	30
PID 852 wrote to memory of 588	852	8b45ddb55c917429dad237eac7bce95e29808c4157d098956144d19f247a1c0d.exe	30
PID 852 wrote to memory of 588	852	8b45ddb55c917429dad237eac7bce95e29808c4157d098956144d19f247a1c0d.exe	30
PID 852 wrote to memory of 588	852	8b45ddb55c917429dad237eac7bce95e29808c4157d098956144d19f247a1c0d.exe	30
PID 852 wrote to memory of 588	852	8b45ddb55c917429dad237eac7bce95e29808c4157d098956144d19f247a1c0d.exe	30
PID 852 wrote to memory of 588	852	8b45ddb55c917429dad237eac7bce95e29808c4157d098956144d19f247a1c0d.exe	30
PID 852 wrote to memory of 588	852	8b45ddb55c917429dad237eac7bce95e29808c4157d098956144d19f247a1c0d.exe	30
PID 852 wrote to memory of 588	852	8b45ddb55c917429dad237eac7bce95e29808c4157d098956144d19f247a1c0d.exe	30

C:\Users\Admin\AppData\Local\Temp\8b45ddb55c917429dad237eac7bce95e29808c4157d098956144d19f247a1c0d.exe
"C:\Users\Admin\AppData\Local\Temp\8b45ddb55c917429dad237eac7bce95e29808c4157d098956144d19f247a1c0d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:700
- C:\Users\Admin\AppData\Local\Temp\8b45ddb55c917429dad237eac7bce95e29808c4157d098956144d19f247a1c0d.exe
  C:\Users\Admin\AppData\Local\Temp\8b45ddb55c917429dad237eac7bce95e29808c4157d098956144d19f247a1c0d.exe
  2⤵
  PID:588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/588-70-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/588-68-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/588-64-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/588-66-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/588-63-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/588-76-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/588-75-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/588-78-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/588-72-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/700-60-0x000000006FEE0000-0x000000007048B000-memory.dmp

Filesize
5.7MB

Download
memory/700-61-0x000000006FEE0000-0x000000007048B000-memory.dmp

Filesize
5.7MB

Download
memory/700-59-0x000000006FEE0000-0x000000007048B000-memory.dmp

Filesize
5.7MB

Download
memory/852-54-0x0000000000A00000-0x0000000000C8C000-memory.dmp

Filesize
2.5MB

Download
memory/852-56-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/852-62-0x0000000004580000-0x00000000045EE000-memory.dmp

Filesize
440KB

Download
memory/852-55-0x00000000049C0000-0x0000000004C4A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing