purecrypter

General

Target

c4869d1471e76a3efa87816ad5ebfec3.zip
Size

433KB
Sample

230207-k4lwaaaf97
MD5

8bed4c2f2f5dd8ed4fb773826b41b8cc
SHA1

76feab30fa3741496cbcbc468f8824e384aa48bc
SHA256

0492e86e9f32847a07e11519c5833035b85a85473777de0c1c558e53a019e3c0
SHA512

6efcd3f8d9a303c9f4408cacc2d31569e7da7c19a02c6685ceb81d2c207887ac8345e53e1929a65b021ced92efb81a3303e0bfd5d77de7aee5d3847095cbb5e5
SSDEEP

12288:Dq6osVDDMiGhXfSYLlMw6lDGIbwI0PD8IUb:j5XARfLlMwcD3jAUb

Score

10^/10

Malware Config

Extracted

Family

remcos

Version

2.7.1 Pro

Botnet

MIMIBOY

C2

91.231.84.41:52651

127.0.0.1:52651

10.5.175.21:52651

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-SURYWD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Targets

- Target
  
  Mhiwfmlub.exe
- Size
  
  446KB
- MD5
  
  c4869d1471e76a3efa87816ad5ebfec3
- SHA1
  
  dd0cc24265371721bd1eb383ce3f460081074763
- SHA256
  
  92767f44cc14eeed6919d8b3c214d63d1e9fb72439d9f6a662a4a595d8512b3b
- SHA512
  
  1b664fd1eca97d224d64d4d050cdba3a8cebc8fa51c2bc59640ea5eb46e1352cc65cc51c8aab7ee5ea2e9e70f803325fb87f2188e55caf84f227252396542fc0
- SSDEEP
  
  12288:BBJooIJUl95lJVfWkAy2KcwsDInlhm3tur8KgQUg:HyVgXlJ9WkAf5Ibm9u4oUg
Score

10^/10

purecrypter remcos mimiboy downloader loader persistence rat
- Detect PureCrypter injector
  loader
- PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.
  loader downloader purecrypter
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect PureCrypter injector

Remcos

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2